Cookie compliance under GDPR

How to turn it on/off?

And basically, what does it depend on, whether a website is directed to the EU? If I make it clear that the website is only for Taiwanese users, what then? Do I also have to have a cookie policy?

1 Like

Grave digging an old topic, but this is starting to get very relevant for EU instances:

Non-essential cookies must be deployed only after getting the users’ consent. A notification banner does not make a site GDPR compliant.

This is an issue if the site uses the official advertising plugin to serve AdSense or similar ads - their script is executed whether or not the user gives consent. The same goes for GAnalytics.

Anyone got any ideas how to tackle this? I can live without GAnalytics, but without AdSense we will most likely need to close the shop.


I am also interested


I also would like to have a solution for that.

It is necessary that users have the choice to accept or decline, and can also choose which cookies they will allow and which not.

I am new to the Discourse world. Is there really no plugin which does this job?

1 Like

Ok, so next week I go live with my new Discourse forum.

As far as I know here in Germany, and at least to my knowledge in the whole EU, it is the law to have such a cookie consent possibility. You need to ask first whether the visitor is willing to accept cookies or which cookies they will accept, and they have to make their choice by clicking the button for it. There also has to be an option to configure which cookies they want, or an option to decline cookies altogether (except those which are necessary to use the basic functionality of the site).

If I have a look into the WordPress world, there are a lot of solutions for that, and the good ones charge money for it.

So I am wondering if there is no developer who is interested in taking this market? Is the user base in the EU this small? How many Discourse communities are running in the EU? How did they solve the problem? Can @team give an answer to that?

Are there any admins of the communities in the EU here? How do you set it up?

This is an important legal issue and I do not understand why there is no solution. :frowning:


The obvious solution is to use essential cookies only.

Since both Google Fonts and Google Analytics appear to be illegal in Europe regardless of your cookie settings it’s better to stay on the safe side nowadays.

It would be nice if the Discourse Advertising plugin could accommodate this though.


Not yet. The situation is… a mess.

There are a few different things, such as what Google does with all that data, or whether those cookies are counted as essential ones.

And again — GDPR doesn’t apply when a forum/site/whatever is handled by a private person.

But there is another solution: Matomo

1 Like

As far as I understand, there are no cookie issues when using the basic functionality of Discourse.

But I will use the Discourse subscription (there is a connection to Stripe and I do not know if this counts as necessary) and I would also use the AdSense plugin.

For analytics I do not plan any external service.

1 Like

That is true. But quite common ways to follow statistics can be counted as sort of basic functionality of Discourse even if it is done by a third party, because Discourse is serving those cookies. Same-same as with WordPress.

1 Like

As I said, analytics aren’t my concern. :slight_smile: The subscription and AdSense are.
And maybe WP Discourse, which I am thinking about using as well.

You both are based in Europe, right? How do you run your Discourse community with GDPR? You are not using AdSense or something like that?

1 Like

I don’t need to testify against myself :smile:

Well… I’m just telling everything, and if a user continues, he/she/one shall accept the situation. And I’m using GA and AdSense, but I’m not allowing personal things on Google’s side, so I’m losing demographic data.

It is against GDPR but… I’m walking against red traffic lights too, and that is counted as a felony in Finland, so I’m kind of a bad guy :rofl:

My forum isn’t under GDPR, though. Owner/high admin is private person Jakke Lehtonen, not my business.

Those are three different things:

  • what small fishes do
  • what real business does
  • what platforms like Discourse must do

Dear @Jagster, where did you get this from? I work as a data protection expert and in my view websites fall into the scope of the GDPR independently of the publisher being a private/natural/legal person.

Indeed, there is a household exemption. If a Discourse forum provider limits access to their own household and family members/friends, then GDPR does not apply. Check GDPR Recital 18 for this:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. […]

If the Discourse forum provider limits the access to a foreign household and their family members/friends, then the forum is again subject to GDPR.

Hence, I conclude that in my view your forum is likely in the scope of the GDPR, and so are the forums of other people who allow access (read or write) to people outside their household/family/friends.

Can you please elaborate on what you mean precisely?

Relevant here is ePrivacy Directive Article 5(3):

  1. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

I do not see how processing of personal data or storage of cookies for the purpose of statistics would be “strictly necessary” in the sense of the exemption provided in Article 5(3) above.

For those interested in using behaviour-based/targeted ads, I recommend following the recent decision of the Belgian data protection authority:


Then I am really confused, because it has been so all the time. GDPR doesn’t regulate John Does. That is one reason for sanctions. How much do I have to pay in fines, or do jail time, when I’m breaking GDPR :wink:

No, I’m not allowed to build an illegal database, but that is a totally different thing and not regulated by GDPR.

Yes, you don’t see. Someone else sees. That’s why I said “common”. You know very well that cookies from GA are way over just technical demands. And even then every cookie use and storage time must be told to a user — but there is no demand for consent in the meaning that a user may choose.

Can you please elaborate on that, and give a source for it?

Yes it does, the authorities just focus on the big corporations right now. Your forum is subject to the GDPR if it goes beyond the scope of a household activity.


Moro Jakke,

Is there a case or an expert article that you refer to? Yes, the spirit of the GDPR is to target corporations and tech giants, and it has actually done some good for EU citizens (for example, WhatsApp data practices). But to my knowledge small organizations or individuals are not excluded from the law.

In our case we rely 100% on Google AdSense driven income. GAnalytics I could basically ditch, even though the historical data is interesting and useful to admins.


Dear @Discourse Team,

is there by any chance a possibility that you will offer an opportunity for Discourse admins in the EU to run their Discourse community within the rules of the law? To be precise: offer a cookie choice box where visitors can choose their priorities for the cookies? (like Cookiebot or Borlabs Cookie for WordPress)

Just a box which says “we use cookies” isn’t enough.

I know, in the US nobody cares, but there are also some Discourse communities which are in the EU, and EU law is a bit different, and there are a lot of lawyers who will write bills if you do not follow the law. I think it will be really necessary!



Did you see Discourse Cookie Consent Banner? Looks like it’s a start, but perhaps not quite enough?


Indeed, under the EU ePrivacy Directive and GDPR, cookies other than those for login, security and others necessary for the specific service requested by the user need user consent that is specific, informed and affirmative.

“We use Cookies” doesn’t inform about the purpose, is vague, unspecific and doesn’t offer an affirmative choice.


I do know it and I use it already. But you are right, it isn’t enough. You have to inform specifically about all cookies you use, whether they are essential, for marketing, for statistics etc. And the users must have the ability to choose which of them they will accept and which not, except for those which are essential.

1 Like
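Added example, not part of any post in this thread and not code from Discourse or its plugins: a minimal per-category consent gate of the kind discussed above, where a third-party script is handed to the page only after the visitor has affirmatively allowed its category. The names `ConsentGate`, `parseConsent` and `domLoader`, the three category names, the JSON consent format and the URLs in the comments are all constructed for illustration.

```javascript
// Added example. Category names, consent format and helper names are constructed.
const CATEGORIES = ["essential", "statistics", "marketing"];
// Parse a stored consent record; missing, malformed or non-boolean values mean "no consent".
function parseConsent(raw) {
  const consent = { essential: true, statistics: false, marketing: false };
  let stored;
  try { stored = JSON.parse(raw); } catch (e) { return consent; }
  if (stored === null || typeof stored !== "object") return consent;
  for (const cat of CATEGORIES) {
    if (cat !== "essential" && stored[cat] === true) consent[cat] = true;
  }
  return consent;
}

class ConsentGate {
  constructor(loader, consent) {
    this.loader = loader;     // loader(url) is what actually injects the script
    this.consent = consent;
    this.pending = [];        // registered, waiting for consent
    this.loaded = new Set();  // URLs already handed to the loader
  }
  // e.g. register("marketing", "https://ads.example/ads.js") (constructed URL)
  register(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category");
    this.pending.push({ category, url });
    this.flush();
  }
  // Apply the visitor's choices. Withdrawing consent blocks later loads;
  // a script that already ran stays until the page is reloaded.
  update(choices) {
    for (const cat of ["statistics", "marketing"]) {
      if (typeof choices[cat] === "boolean") this.consent[cat] = choices[cat];
    }
    this.flush();
  }
  flush() {
    this.pending = this.pending.filter(({ category, url }) => {
      if (!this.consent[category]) return true;   // keep waiting
      if (!this.loaded.has(url)) { this.loaded.add(url); this.loader(url); }
      return false;
    });
  }
}

// Browser loader: nothing is appended to the page before flush() allows it.
function domLoader(url) {
  const s = Object.assign(document.createElement("script"), { src: url, async: true });
  document.head.appendChild(s);
}
```

In a page this would be wired up as `new ConsentGate(domLoader, parseConsent(storedValue))`, with the banner's buttons calling `update()`.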

Has anyone else enabled Google Adsense’s consent feature? We are now trying, as it should be a legally GDPR compliant solution for Adsense and Analytics, but the UX is less than stellar.

The consent popup is half way decent, but even after the consent you get a randomly appearing floating element at the bottom of the screen.

See it live at