Cookie consent mechanism problematic, parts are non-compliant
- Status
- Open
- Subject
- Cookie consent mechanism problematic, parts are non-compliant
- Version
- 18.x
- Category
- Feature request
- Legislative Compliance
- Feature
- Cookie
- Resolution status
- New
- Submitted by
- hman
- Lastmod by
- hman
- Rating
- Description
The cookie consent mechanism has this bold claim:
"Complies with EU Privacy and Electronic Communications Regulations."
First of all, let me express my thanks that someone has undertaken the task of creating a feature that at least tries to adhere to laws and regulations. Many IT systems do not even have that.
But the bold claim is only partially fulfilled. You can make cookie consent compliant with regulations, but it does not tell you how. And some defaults are not compliant.
To elaborate:
There is an option "Cookie consent disabled" with description
"Do not give the option to refuse cookies but still inform the user about cookie usage.". Enabling this would be a clear breach of regulations. In the European Union every user must be given the right to deny setting cookies. Luckily this one is default off.This also implies that the setting "Cookie consent alert" with description "Sorry, cookie consent required" and hint "Alert displayed when user tries to access or use a feature requiring cookies." is non-compliant. The user has a right to refuse, and you cannot block his/her access upon that. It is okay if functionality is reduced (like remembering sessions), but you cannot block access.
There is a "Cookie consent question", "Specific question next to the checkbox for agreement. Leave empty to not display a checkbox." with this default text: "I accept cookies from this site.". That's not a question, that's an answer
"Specific question next to the checkbox for agreement. Leave empty to not display a checkbox." Hm, no checkbox? Ask a clear question, one that users can answer binary "Yes" or "No".
The default label for consent is "Continue", which is not compliant. The label must clearly tell an medium level informed user what it does. Therefore it cannot be labelled "Continue". It can be changed, but this is the default.
Also, any kind of consent checkbox must not be preset!
So, I see the spirit of the devs to help admins be compliant, but this needs some brushing up to really enable admins to be on the right side of the law
I see that for some areas outside the EU one might want to be less adherent to EU laws and therefore might want to force users to accept cookies. But a GUI of a function that claims compliance should not encourage that. So either claim this and offer only compliant options or display advice or even alerts when admins click on settings that would make them breach compliance... Or have one checkbox "compliant settings only" or something like that.
Also, inform admins that by law, site admins must inform their users about what kind of personal data is stored, where it is stored, and for how long. Commercial sites must also tell which persons are to be contacted if users want to get a copy of all that data, or who is to be contacted is someone wants that deleted.
- Importance
- 10 high
- Easy to solve?
- 4
- Priority
- 40
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Version: Create show2.tiki.org instanceAbout show2.tiki.orgTo help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
- Ticket ID
- 7490
- Created
- Friday 14 August, 2020 16:01:04 GMT-0000
by hman - LastModif
- Friday 14 August, 2020 16:02:13 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- Kanban plugin; the Swimlane field throw an error if using a category field type
- Kanban plugin: Error if the fields Description and Swimlane are empty
- Race condition: Sessions stored in the database and Cypht
- Tracker, validation; Editing an existing item with a validation option set as distinct failed (considered a new item)
- Helper icons, buttons and short labels should be kept on the same line as the setting widget being edited (don't do wrapping), to avoid looking broken and having uneven row heights
;){kind=link}
;){kind=link}