There was an old topic on EU cookie compliance here,
…but GDPR is a completely different requirement. While EU cookie compliance only required a statement placed at the bottom or at the top of the website, that lets the user know cookies are being used, GDPR requires giving the user a real and informed choice.
Cookies can be used to uniquely identify a person, therefore they should be treated as personal data. The legal basis for storing cookies will typically be consent. The requirements are:
- The users must have a choice. The fact that they use a website does not mean they agree to all cookies.
- Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. An example is clicking through an opt-in box (no pre-ticked boxes).
- The data subject should be able to withdraw consent as easily as they gave it.
Searching around a little, I found some possible building blocks, for example this one:
Pros: OS / free
Cons: Mainly geared torwards old EU cookie law, doesn’t seem to support selective opt in/out. It seems to support withdrawing support, but it is not clear to me how this would integrate with Discourse. Maybe someone with good front-end skills can comment on that question.
Another choice I found was this one:
Pros: Appears to be fully GDPR compliant, with granular control, easy withdrawal/change of settings at any time.
Cons: Costs between EUR 39 for one (sub)domain, up to EUR 199 for multiple (sub)domains (per year). I don’t really feel like spending those sums for cookie control. If I am going to spend money, I would much rather donate towards a open source Discourse plugin.
How are other Discourse “data controllers” planning to deal with cookies under GDPR? I am surprised that there isn’t more discussion going on about this, which leads me to think that I may have fundamentally misunderstood something.