Cookie compliance under GDPR

Yours seems like the reasonable and safe route to take for now, at least until the proposed e-Privacy regulation comes into effect (it appears that it will not be ready by May 25). I understand that it may bring some more clarity to things like web analytics. In any case, I am also considering dumping GA in favor of something like Matomo (ex PIWIK). As discussed earlier, it appears that one needs to have GA turned off by default for EU users, leaving it up to them to turn on tracking. Probably not many users are going to do that, rendering GA web analytics pretty useless.

As stated at the beginning of the topic, I also was considering consent support for my site because of GA. The solution I liked most was Civic Cookie Control, though the community edition lacks geolocation. Geolocation would be important to at least enable GA for non-EU users by default.

Even though I will probably rather self-host my analytics (and thereby not have to worry about consent), I would still like to share some details about my test setup with Cookie Control. If someone wants to use the paid version with geolocation, I think it’s not a bad solution, though it sends the IP of your visitors to a third party.

This is what it could look like on Discourse:

The user can change his preferences at any time by clicking on the gear (opens up the panel again):

This is my config (put this in under Customize > Themes):

<script src=""></script>
<script>
    var config = {
        apiKey: 'put-in-your-api-key-here',
        product: 'COMMUNITY',
        optionalCookies: [
            {
                name: 'analytics',
                label: 'Analytical Cookies',
                description: 'Analytical cookies help us to improve our website by collecting and reporting information on its usage. Even if set to On, your IP address is anonymized.',
                cookies: ['_ga', '_gid', '_gat', '__utma', '__utmt', '__utmb', '__utmc', '__utmz', '__utmv'],
                onAccept: function () {
                    // Clear the opt-out flag in case consent was revoked earlier on this page
                    window['ga-disable-UA-123456789-1'] = false;
                    // Add Google Analytics (standard analytics.js loader)
                    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
                    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
                    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
                    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
                    ga('create', 'UA-123456789-1', 'auto');
                    ga('set', 'anonymizeIp', true);  // very important; the field name is case-sensitive
                    ga('send', 'pageview');
                    // End Google Analytics
                },
                onRevoke: function () {
                    // Disable Google Analytics
                    window['ga-disable-UA-123456789-1'] = true;
                    // End Google Analytics
                },
                initialConsentState: 'off'  // this pretty much kills analytics, better would be to differentiate between EU and non-EU
            }
        ],
        position: 'LEFT',
        theme: 'LIGHT'
    };
    CookieControl.load(config);
</script>

The api key you need to get here (community edition is free for one domain)


There is no point in hashing IP(v4) addresses – there’s not enough of them to prevent reversing the hashes through brute-force. The only way to anonymise IPv4 data is to not store it. Which makes a real mess of pretty much every anti-abuse measure in existence (not just in Discourse – when the only non-spoofable information is L3/L4, to decide whether or not something is abuse, what else are you going to key off, other than source IP address?)

How so? Do EU residents not travel outside the EU? Or does the GDPR not apply to EU residents when they’re not accessing the Internet via an IP address which is identified as being within the EU? That seems… unlikely.
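The point above about hashed IPv4 addresses, as an added example that is not part of the original thread or of Discourse's code. It assumes the stored value is an unsalted SHA-256 of the dotted-quad string (the thread names no scheme); the helper names and the sample address 203.0.113.77 are constructed. It also shows that a keyed hash only moves the problem to whoever holds the key.

```ruby
require 'digest'
require 'openssl'
require 'ipaddr'

# Assumed "anonymisation" scheme: unsalted SHA-256 of the dotted-quad string.
def hash_ip(ip)
  Digest::SHA256.hexdigest(ip)
end

# Keyed variant: HMAC-SHA256 with a server-side secret (pseudonymisation).
def hmac_ip(ip, key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, ip)
end

def int_to_ip(n)
  [24, 16, 8, 0].map { |shift| (n >> shift) & 0xff }.join('.')
end

# Walk every address in +cidr+ and return the one whose digest equals +target+.
# The caller's block computes the digest, so one search covers both schemes.
def recover_ip(target, cidr)
  range = IPAddr.new(cidr).to_range
  (range.begin.to_i..range.end.to_i).each do |n|
    ip = int_to_ip(n)
    return ip if yield(ip) == target
  end
  nil
end

# Hours needed to hash all 2**32 IPv4 addresses at a measured rate.
def full_space_hours(hashes_per_second)
  (2**32) / hashes_per_second.to_f / 3600
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_ip('203.0.113.77') # constructed sample address (TEST-NET-3)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  found = recover_ip(stored, '203.0.0.0/16') { |ip| hash_ip(ip) }
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  tried = IPAddr.new(found).to_i - IPAddr.new('203.0.0.0').to_i + 1
  puts "recovered #{found} after #{tried} hashes"
  puts format('all 2**32 addresses: about %.1f h on this core', full_space_hours(tried / elapsed))
end
```

With the HMAC variant, a party without the key gets no match from the same search, but the key holder can still map every digest back to an address, so the stored value remains personal data.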


Given that we’re dealing with Eurocrats here, a box-ticking measure will probably suffice :wink:

Let’s please refrain from pejorative names here. Intentionally using a negative name for something leads to corrosion of the discussion.


This is another major point of confusion with regards to GDPR. It doesn’t mention EU citizens or residents. Instead, GDPR uses the term “Data Subject”. Article 3 (2) defines the territorial scope as follows: “This Regulation applies to the processing of personal data of data subjects who are in the Union”. By this definition, the data subject could even only be on transit through the EU. Residency, or indeed citizenship, are not criteria. In other words, Article 3 (2) says that the data processing has to take place in the territory of the EU for GDPR to be applicable. By this definition alone, if the data subject travels outside of the EU, then GDPR will not apply, even if the data subject is an EU resident (or even citizen).

However, under certain circumstances, you’re right when you state that it doesn’t matter if the data subject is located in the EU or not. Article 3 (1) expands the definition of the Data Subject even wider to include almost anyone in the world: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” In other words, if the controller or processor are (established) in the EU, GDPR will apply, no matter where the processing (or data subject) is located.

Back to the original point: If both processor + controller are located/established outside the EU, then geolocation of where the processing is going on may work as criteria for determining the need for consent in the case of GA. If not, it’s probably best to work with consent, no matter where the user is located. What I am not sure about though, is if it is possible to use GA with IP anonymization turned on, without the need for consent, even if GDPR applies. Maybe someone has some solid info on that one.

Further reading: GDPR – The Data Subject, Citizen or Resident? | CYBER COUNSEL
GDPR Article 3: Article 3 EU General Data Protection Regulation (EU-GDPR). Privacy/Privazy according to plan.

How to turn it on/off?

And basically, what does it depend on whether a website is directed to the EU? If I make it clear that the website is only for Taiwanese users, what then? Do I also have to have a cookie policy?


Grave digging an old topic, but this is starting to get very relevant for EU instances:

Non-essential cookies must be deployed only after getting the users’ consent. A notification banner does not make a site GDPR compliant.

This is an issue if the site uses the official advertising plugin to serve AdSense or similar ads - their script is executed whether or not the user gives the consent. Same goes for GAnalytics.

Anyone got any ideas how to tackle this? I can live without GAnalytics, but without AdSense we will most likely need to close the shop.


I am also interested


I also would like to have a solution for that.

It is necessary that users have the choice to accept or decline and also can choose which cookies they will allow and which not.

I am new to the Discourse world. Is there really no plugin which does this job?


Ok, so next week I go live with my new Discourse forum.

As far as I know here in Germany, and at least to my knowledge in the whole EU, it is the law to have such a cookie consent possibility. You need to ask first if the visitor is willing to accept cookies or which cookies they will accept, and they have to make their choice by clicking the button for it. Also there has to be an option to configure which cookies they want or an option to decline cookies at all (except those which are necessary to use the basic functionality of the site).

If I have a look into the WordPress world, there are a lot of solutions for that and the good ones are taking money for it.

So I am wondering if there is no developer who is interested in taking this market? Is the user base in the EU this small? How many Discourse communities are running in the EU? How do they solve the problem? Can @team give an answer to that?

Are there any admins of the communities in the EU here? How do you set it up?

This is an important legal issue and I do not understand why there is no solution. :frowning:


The obvious solution is to use essential cookies only.

Since both Google Fonts and Google Analytics appear to be illegal in Europe regardless of your cookie settings it’s better to stay on the safe side nowadays.

It would be nice if the Discourse Advertising plugin could accommodate this though.


Not yet. The situation is… a mess.

There are a few different things, such as what Google does with all that data, or whether those cookies are counted as essential ones.

And again — GDPR doesn’t apply when a forum/site/whatever is handled by a private person.

But there is another solution: Matomo


As far as I understand there are no cookie issues when using the basic functionality of Discourse.

But I will use the Discourse subscription (there is a connection to Stripe and I do not know if this counts as necessary) and I also would use the AdSense plugin.

For analytics I do not plan any external service.


That is true. But quite common ways to follow statistics can be counted as sort of basic functionality of Discourse, even if it is done by a third party, because Discourse is serving those cookies. Same as with WordPress.


As I said, analytics aren’t my concern. :slight_smile: The subscription and the AdSense are.
And maybe the WP Discourse, which I am thinking about using as well.

You both are based in Europe, right? How do you run your Discourse community with GDPR? You are not using AdSense or something like that?


I don’t need to testify against myself :smile:

Well… I’m just telling everything and if a user continues, he/she/one shall accept the situation. And I’m using GA and AdSense, but I’m not allowing personal things at Google’s side, so I’m losing demographic data.

It is against GDPR but… I’m walking against red traffic lights too and that is counted as a felony in Finland, so I’m kind of a bad guy :rofl:

My forum isn’t under GDPR, though. Owner/high admin is private person Jakke Lehtonen, not my business.

Those are three different things:

  • what small fishes do
  • what real business does
  • what platforms like Discourse must do

Dear @Jagster, where did you get this from? I work as a data protection expert and in my view websites fall into the scope of the GDPR independently of the publisher being a private/natural/legal person.

Indeed, there is a household exemption. If a Discourse forum provider limits the access to the own household and family members/friends, then GDPR does not apply. Check GDPR Recital 18 for this:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. […]

If the Discourse forum provider limits the access to a foreign household and their family members/friends, then the forum is again subject to GDPR.

Hence, I conclude that in my view your forum is likely in the scope of the GDPR and so is the forum of other people that allow access (read or write) to people outside their household/family/friends.

Can you please elaborate on what you mean precisely?

Relevant here is ePrivacy Directive Article 5(3):

  1. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

I do not see how processing of personal data or storage of cookies for the purpose of statistics would be “strictly necessary” in the sense of the exemption provided in Article 5(3) above.

For those interested in using behaviour-based/targeted ads, I recommend following the recent decision of the Belgian data protection authority:


Then I am really confused because it has been so all the time. GDPR doesn’t regulate John Does. That is one reason for sanctions. How much do I have to pay in fines or do jail time when I’m breaking GDPR :wink:

No, I’m not allowed to build an illegal database, but that is a totally different thing and not regulated by GDPR.

Yes, you don’t see. Someone else sees. That’s why I said ”common”. You know very well that cookies from GA are way over just technical demands. And even then every cookie use and storage time must be told to a user — but there is no demand for consent in the meaning that a user may choose.

Can you please elaborate on that, and give a source for it?

Yes it does, the authorities just focus on the big corporations right now. Your forum is subject to the GDPR if it goes beyond the scope of a household activity.


Moro Jakke,

Is there a case or an expert article that you refer to? Yes, the spirit of the GDPR is to target corporations and tech giants and it has actually done some good for the EU citizens (e.g. WhatsApp data practices). But to my knowledge small organizations or individuals are not excluded from the law.

In our case we rely 100% on Google AdSense driven income. GAnalytics I could basically ditch, even though the historical data is interesting and useful to admins.