Cookie compliance under GDPR

@team Any response from you? Any solution to this topic direct from discourse?


As long as @Discourse may see no need for work in this topic, I did a bit research and found this: Legal Tools Plugin - plugin - Discourse Meta

@angus Is there any possibility, that you and your team can create a plugin for this topic too, to get a chance to use discourse as a community plattform in the EU if one set a foot outside the basic feature and uses Adsense, Stripe etc.?


Keep in mind that all customers of ours have a direct line of support, you can always email for assistance


I’m auditing websites for a EU data protection authority.

I noticed that when websites embed youtube videos, often times those websites make calls to, which is Google’s advertisement business.

We tell those websites to stop making these calls, because they mean usually:

  1. international data transfers of personal data without a legal basis
  2. lack of transparency and documentation despite legal requirement
  3. if youtube employs cookies or localstorage: lack of user consent required by ePrivacy directive.

You can check out how the court of justice of the EU employs Youtube on their website. That’s the minimum safeguard:

EDIT: Just checked – the current Youtube embed here on this page also causes calls to when played.



So, for who is using the “community” edition, what are the options to be compliant with EU regulation?

The theme component linked earlier is not sufficient by any means. Even using third party frames it’s not really a solution as it doesn’t allow the necessary fine-grained choice that should be provided.

This is something that has to be deeply integrated within discourse and, chats about EU minding its own business or not, it’s basically a good tool to allow control of its own data to every person. It’s not something to just dismiss because only a part of the world is using it.

Edit to also add this:

Anything that OneBox provide that actually brings in further data manipulation/analysis should be asking for permission the first time as well. Even a simple popup that prevent the action after a message in which the user can choose to agree or not would suffice. Looking at the Reddit Enhanced Suite for example, when you expand a content that requires further access, the first time you are asked to confirm that you want to give permission for that.

To further clarify the importance of this topic. It’s not much the matter of the owners of a forum being malicious or not. I assume that anyone that host a forum in 2023 is kind of a better person than the average :stuck_out_tongue: but it takes only a single disgruntled user or someone who wants to cause trouble just because, to open a big can of worms for whoever is hosting the website and even reach the point of having fines to pay and the forum to close down.


Hi All,

I wanted to mention that we recently created a Meta guide covering Cookie Consent, GDPR, and Discourse that might be relevant to some of the discussions that were taking place here.

Specifically, this guide covers a few options for setting up Cookie Consent Banners along with other Content Manager Service Options, and how these can be implemented on a Discourse site.

If you have questions about any of the information covered in that guide, please let us know.


as a brit (with the server hosted over here too) im glad i dont need to deal with this

I don’t know why you would not need to deal with compliance. :person_shrugging:


i thought brexit would’ve eliminated the GDPR

No, afraid not. It is very much still in play.


ffs, good job im moving the servers to 'merica soon

That won’t help either - as long as you’re serving users who are based in the EU, you’ll need to follow GDPR. Your only way ‘out’ is to block such users by IP address.

1 Like

bloody gdpr

cant exactly block EU ips, as that means i will be blocking myself

i thought it didnt apply to “just people” though?

The GDPR applies to everyone “in the European Union”, so even a US citizen visiting Madrid will be subject to the GDPR during their stay.


yeah, i meant that i thought that websites not owned by companies where exempt

Ah sorry, I misunderstood you.

Nope, they’re not exempt.


less likely to be fined tho ryt?

These laws are there for a purpose. It’s not about being fined or not, it’s about protecting people. If someone doesn’t like people, that’s all fine. Just don’t offer services to them.

For comparison:


what can i do to comply with it tho? bc i dont want to block the whole EU

By collecting only that personal data you need and asking consent for anything beyond pure technical needs. And telling what you are collecting amd how long you storing that info.

Really, that isn’t that hard. We all europeans are doing it.

With cookies you should use only technical ones if you don’t get consent.