Ticket #13099 (confirmed Feature Request)
EU Cookie Directive Support
Reported by: | MatthewWilkes | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 4.x |
Component: | General | Version: | |
Keywords: | Cc: |
Description
WIP
Proposer: Matthew Wilkes
Seconder: not yet
Motivation
The EU requires its member countries to pass laws preventing use of Cookies (and similar technologies like Flash variables and HTML5 storage) without explicit consent of the site's user. Some countries have issued guidance about advisory copy to try and lessen the impact, but for Plone to be indisputably within the letter of the law throughout the EU it needs to obtain the user's permission before setting cookies.
Assumptions
Additionally, there are some technical assumptions, namely that:
- All cookies in the Plone site are set by Python code
- No equivalents to cookies are used
and some legal ones:
- The law is sufficiently enforceable to be worth implementing
- The no-track HTTP extension is insufficient to be compliant
- The text 'we use cookies' is insufficient to be compliant
- Setting a cookie to record if the user allows cookies is allowable (it's probably not, but there are limits)
Proposal & Implementation
This is very fluid at the moment
Proposal is to add a new portal tool, `portal_cookies, that provides a whitelist of cookie names, as well as associations with a service level. The service level idea is in use by a few sites already ( http://www.bt.com/ ) , and generally gives the user the choice between three cookie configurations, 'core functionality', 'full functionality' and 'personalisation'. If the user picks core then only the most basic things will be enabled, for plone this would likely be just the portal status message, or nothing at all.
Full functionality would be all current core cookies, and personalisation would include the site tracking snippet.
The code that sets cookies would be patched to be routed through this tool, which checks the current user's preferences, and decides if it can be set or not.
This needs to go in core so that add-on products can rely on it, as they'd need to register their cookies. It would also need to be customised by pretty much every Plone dev agency that works in the EU.
Risks
Whoo, nelly. Plenty.
Most obviously, it's really annoying to have to agree to these things, which will piss off users, but it's also a legal requirement, so we have to ignore that. At least it should be optional, and off by default.
Participants
Who is signed up to do the work?
- Matthew Wilkes
Progress
Change History
comment:2 Changed 4 years ago by kleist
- Status changed from new to confirmed
- Component changed from Unknown to General
comment:3 Changed 3 years ago by davisagli
- Type changed from PLIP to Feature Request
The framework team recommended building this as an add-on and confirming that it is used by the community before considering adding it to core.