Consent plugin for GDPR compliance and being nice in general :) #12370
Comments
How do you envision this being used? As a developer, you'd add gatsby-plugin-google-analytics and then something is set that indicates you need to display a GDPR compliance notice? Generally - the amount of plugins that access/track user data are fairly known, e.g. something like Google Analytics, Cookie Hub, etc. so I'm not really sold on the general purpose utility of internal APIs that set up some piece of data. I'd think a more general purpose solution would be some type of React component that could be added to your application/any application that can be used to display the notice like you'd expect. I don't think this necessarily needs to live in Gatsby, nor should it, but am I off base here? Happy to continue this discussion!
@DSchau ideally, there would be support for dependencies built into Gatsby, such that it would require an implementation of a dialog to be shown informing the visitor about the intention to collect, store and analyze their data as soon as you add one of the plugins for it. There is no point in showing a compliance notice; that is not the point of GDPR. You are compliant as soon as you ask for consent prior to actually activating such plugins and you declare the full scope of data use.

Coming back to the implementation: For the functionality, you'd have to have a backend that can manage all the plugins dealing with data. Since we are generating static pages, you need to store the user's choices in their browser (e.g., in a cookie or in the local storage; there are existing React components for both). I propose adding this to Gatsby because that is where the plugins live and you cannot control them at runtime. One would need an API for that at least. Yes, it is just a few plugins, but since compliance is a general requirement, at least the functionality around it as described above should live within Gatsby itself, possibly through another plugin, to make it simple for developers, because the tracking and data collection plugins would be entirely useless otherwise. I call them "tracking and data collection plugins" for the time being so they are easier to reference.
I am currently bootstrapping something. Any feedback is welcome. See https://github.com/orangecms/gatsby-plugin-tracking-consent :)
@orangecms like @DSchau mentioned, GDPR is an implementation detail and is not mandatory for websites, even if you use Google Analytics, tag managers, .... This won't live in core as we're no GDPR experts and probably never will 😛. Upgrading our plugins like analytics, gtag manager, ... to something like #11379 might be a good thing so it can be disabled at runtime. We're happy to accept your plugin into our plugins section. You can learn how to publish your plugin at https://www.gatsbyjs.org/docs/source-plugin-tutorial/#publishing-a-plugin
This is a law. It is mandatory. If the upstream Gatsby plugin doesn't implement this detail, it cannot be used by anyone. See https://www.welivesecurity.com/2017/03/24/gdpr-an-explainer/ |
Would love to see your plugin published! It definitely sounds useful. But as others have said, we're not going to try to enforce various states' laws in our software. That's the responsibility of individuals and organizations implementing sites. The community can help out a lot as well, as you're doing.
This is international law, applying to the entire universe.
@orangecms GDPR is a complex beast and it's hard to completely understand what is mandatory and what is not. GDPR only applies to personal information. You can use Google Analytics freely as long as you set options like Why not try something like
Hi, I use Google Analytics on my Gatsby sites and was just wondering - is it enough to add
Hello! Is there any news on the plugin you are working on @orangecms? I agree with you that GDPR is not a choice but a requirement for anyone running a site, so it should be tackled.
Thanks for the bump! So here's what happened:

https://github.com/orangecms/gatsby-plugin-tracking-consent
https://github.com/orangecms/gatsby-plugin-hubspot
https://github.com/orangecms/gatsby-plugin-google-analytics

I created tags, so you can use them for tracking the dependencies through npm quite easily. Eventually the patches could be upstreamed. I don't mind anyone picking it up, which the licenses allow anyway. Feel free to use everything! If you like the work, we can also move the discussion to the tracking consent repository and exchange there, discuss the design and additional needs etc. Thank you for your interest!
I will definitely check out your plugins @orangecms. For my site, I ended up adding a plugin called react-cookie-consent which turns off cookies, but adding gatsby-plugin-tracking-consent and gatsby-plugin-google-analytics couldn't hurt for sure. Thanks for sharing!
@interglobalmedia yes, it's enough to just add

@orangecms we aren't against the plugin, feel free to create your own plugins with your GDPR consent enabled. If you publish them to your own namespace, we just don't want to add it to the official ones as it's not mandatory.
Just putting my two cents in here. GatsbyJS, @KyleAMathews, @wardpeet and every other contributor are not and should not be under any obligation to provide anything for free. The onus to abide by GDPR stands with the users of GatsbyJS and website publishers. It is insane to say otherwise. As @wardpeet mentioned, GDPR is very complex, and in all fairness, it is neither complete nor explicit in most ways. However, to clarify from the little understanding I've obtained throughout the past 18 months: Website owners should not store (on their property or the property of 3rd parties) any identifiable information of their visitors without the explicit consent of the said visitor. Please note that identifiable is a keyword here as you would need to store other cookies to know if the visitor opted in or not. GDPR failed to mention any details, and it does not detail any use of cookies. Tracking cookies carry identification of the user, person or device. Storing cookies is not covered in GDPR; previous policies cover them but not GDPR. However, using the session, client, etc. IDs from these cookies to send them to non-technical resources such as GA or Facebook without consent is a violation of GDPR. There is no way any OS contributor can manage this compliance. The onus is on the user of the OS software - in this case, the person using GatsbyJS, not the creators nor the end-users of the website created by it.
@orangecms I came across this thread while searching for a suitable cookie control solution for a client site that works for GDPR / PECR and the cookies law (which are all separate things we have to comply with). The ICO in the UK use Cookie Control by Civic which is a JavaScript based solution that looks pretty configurable and can be dropped into any website. I'm likely going to use this as a solution, not just for Gatsby sites - if it's good enough for the ICO, then it should be a decent solution for clients. Full disclosure, I haven't used this before but it looks pretty robust. Posting this here in case it helps anyone else.
Thanks for the hint! Unfortunately, prematurely opting in is not compliant with GDPR, which is why such additions do not suffice (and are misleading by design, mostly). Due to lack of interest in consent across many parties, I cannot propose any other solution myself than forking and fixing the issues oneself to fully comply with both laws and consumer interest.
No worries! Not sure if I've missed something within this, but as far as I can see this solution doesn't allow any cookies to be set that aren't enabled in the "necessary" grouping, i.e. cookies that are required for the application to work such as session cookies. You are only opted in to cookies that are necessary for the website to work; GDPR and other regulations are not concerned with functionality cookies - however under the cookie law here in the UK you are obligated to inform users of functionality cookies. That's my understanding anyway. Visiting the ICO website, which is running this, in Firefox I can see that no trackers are detected unless I opt in, so only the necessary cookies are being set by default; is this not the desired functionality?
Yes, that is what I meant by misleading. The intent of the law is not to look at specific technologies - albeit doing so in some instances -, but to forbid collecting data without explicit consent. In specific, necessary, but not satisfactory terms, that means that no script must be loaded from third parties and no data collected before having said explicit consent.
That is what sales and business people mostly say as a distraction from my experience, and we wouldn't even have any mess or confusion if jurisdiction was absolutely strict about the whole thing. To gain a different perspective, I believe it makes sense to step away from technologies completely and think about it on a process level and rethink the order of events.
You can check in the browser's dev tools / network tab whether requests are sent out to third parties in any way, shape or form. Try accessing a website with Privacy Badger, uBlock Origin and uMatrix to assess it. They exist because browsers are at best checking roughly.
I think a large part of the problem with GDPR / PECR / cookie law and others is that they are vague and open to interpretation. That being said, here in the UK the ICO is one of the official bodies that enforce data privacy laws & compliance and their solution to managing cookies is the Civic one I listed above. I would imagine they have done their due diligence in looking at that solution before implementing it. So I think in my situation at least, this is probably a good fit. I can see in the browser that they are using some third party scripts on initial load, however none of them appear to be for tracking or gathering personally identifiable information (PII), which is the only focus of GDPR and the other regulations. As far as I'm aware, none of these laws or regulations forbid the use of scripts or cookies or any specific technology. They are only concerned with protecting individuals' privacy and data. But again, these are open to interpretation and different geographic enforcement. It does sound as though you have more specific requirements than me so your custom solution is probably the best. Hopefully this discussion can help others looking for solutions in this area too!
Summary
A general plugin to ask for a user's consent before storing their data instead of infringing their privacy by default would be very beneficial for every website.
Please note to mitigate misunderstandings: In order to be GDPR compliant, you have to ask for consent regardless of whether the person is browsing from the EU or anywhere else, even space. What matters is whether the person is from the EU, which you can never tell. This point was missed in
Current ideas
#11075 is not feasible because it means people would not be able to use plugins
#4976 misses the note above and suggests potentially paying for an extra service ( https://www.gatsbyjs.org/packages/gatsby-plugin-cookiehub/ ) unless you want to have additional ads for said service plus adding even more tracking, which is exactly the opposite of the goal here.
Basic example
Every Gatsby plugin that stores/sends sensitive information could either provide some hook or Gatsby would need to wrap API calls to anything that is capable of tracking. The first solution should be easier imho and could be guarded by a plugin submission policy. Maybe there is another option. This is just what came to my mind.
Motivation
The goal is to respect the privacy of people visiting your website, i.e., only do with a person's data what they consent to.
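The thread describes the same mechanism twice: persisting the visitor's choice in the browser and controlling the tracking plugins at runtime from that choice (the comment from @orangecms above), and each tracking plugin exposing a hook that a consent layer calls (the Basic example section). The block below is an added example written for this page, not code from Gatsby or from gatsby-plugin-tracking-consent. The storage key, class and plugin names and the script URL are assumptions; the tracker and storage objects are constructed stand-ins (in a browser the storage would be window.localStorage) so the file runs offline under Node.

```javascript
// Added example, not Gatsby or gatsby-plugin-tracking-consent code.
// Tracking plugins register activate/deactivate hooks; nothing runs until the
// visitor opts in, and the choice is persisted in a localStorage-shaped object.

const CONSENT_KEY = 'tracking-consent'; // assumed storage key

class ConsentManager {
  constructor(storage) {
    this.storage = storage;          // any object with getItem/setItem
    this.plugins = new Map();        // name -> { activate, deactivate, active }
  }

  // Registration never runs the hook unless consent for this plugin was
  // already persisted on an earlier visit.
  register(name, { activate, deactivate }) {
    if (this.plugins.has(name)) throw new Error(`duplicate plugin: ${name}`);
    this.plugins.set(name, { activate, deactivate, active: false });
    if (this.consented(name)) this.activate(name);
  }

  // Missing, malformed or tampered storage is treated as "no consent";
  // the failure mode must never default to opted in.
  load() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (typeof raw !== 'string') return {};
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
    } catch (e) {
      return {};
    }
  }

  save(state) { this.storage.setItem(CONSENT_KEY, JSON.stringify(state)); }

  consented(name) { return this.load()[name] === true; } // only literal true counts

  grant(names) {
    const state = this.load();
    for (const name of names) {
      if (!this.plugins.has(name)) throw new Error(`unknown plugin: ${name}`);
      state[name] = true;
      this.activate(name);
    }
    this.save(state);
  }

  revoke(names) {
    const state = this.load();
    for (const name of names) { delete state[name]; this.deactivate(name); }
    this.save(state);
  }

  activate(name) {
    const p = this.plugins.get(name);
    if (p && !p.active) { p.active = true; p.activate(); }
  }

  deactivate(name) {
    const p = this.plugins.get(name);
    if (p && p.active) { p.active = false; p.deactivate(); }
  }

  activePlugins() {
    return [...this.plugins].filter(([, p]) => p.active).map(([n]) => n).sort();
  }
}

// Constructed stand-in for window.localStorage (same getItem/setItem shape).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

// Constructed tracker: records the script it would inject instead of
// touching the network, so the run shows nothing loads before consent.
function makeTracker(log, scriptUrl) {
  return {
    activate: () => log.push(`load ${scriptUrl}`),
    deactivate: () => log.push(`unload ${scriptUrl}`),
  };
}

// First visit, opt-in, revocation, a reload that reuses the stored choice,
// and a tampered storage value.
function runScenario() {
  const storage = new MemoryStorage();
  const log = [];
  const ga = 'https://www.google-analytics.com/analytics.js'; // illustrative URL
  const first = new ConsentManager(storage);
  first.register('google-analytics', makeTracker(log, ga));
  const beforeConsent = log.slice();                 // expected: []
  first.grant(['google-analytics']);
  const afterConsent = first.activePlugins();        // ['google-analytics']
  first.revoke(['google-analytics']);
  const afterRevoke = first.activePlugins();         // []
  first.grant(['google-analytics']);
  const revisit = new ConsentManager(storage);       // simulates a page reload
  revisit.register('google-analytics', makeTracker(log, ga));
  const afterReload = revisit.activePlugins();       // ['google-analytics']
  storage.setItem(CONSENT_KEY, '{"google-analytics":"yes"'); // truncated value
  const tampered = new ConsentManager(storage);
  tampered.register('google-analytics', makeTracker(log, ga));
  return { beforeConsent, afterConsent, afterRevoke, afterReload,
           tamperedActive: tampered.activePlugins(), log };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

In a real site the activate hook is where the third-party script tag would be injected, and the check from the thread still applies: open the network tab on a fresh profile and confirm that no request to the tracker's host appears before the opt-in.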