opened 03:19AM - 10 Apr 19 UTC
closed 12:58PM - 30 Apr 19 UTC
enhancement
0. Needs triage
4 Cookies are set before any visitor to the landing page has the ability to read the privacy policy or the terms of service. Some lawyers see this as grounds to send a cease and desist letter. And I must agree - while I do not know too much about the inner workings, why do there need to be cookies set before someone is logging into the service?
Concerning GDPR-Compliance, it is easy to just put the information into the privacy policy, and akin to this: https://github.com/nextcloud/server/issues/9739#issuecomment-412080268 have people read it (set a checkmark) and use an app for it.
But with the e-privacy regulation definitely coming within the next two to three years, it should be made possible to not set any cookies for anyone who just "stumbles" upon the site, until they have read a message that informs them about the cookies being set to login/register/use the site.
It could be as simple as an app that allows linking to the privacy policy - maybe with a header link - that describes which cookies will be set.
It should then also be possible to say "no" to cookies, and then the site should let the visitor know that the service can't be accessed because of the missing cookies. In that case, no cookies should be set though!
So I see two possibilities:
- Don't set cookies before login, have checkmarks about privacy policy and/or terms of service.
  → This would be less annoying to people than a cookie pop-up message.
  → I have no idea about the technical feasibility
- Don't set cookies before a cookie message has been displayed (app, see above), and allow to not have cookies set but let the user know that they can now not use the service because the cookies are essential for it.
  → This may be more annoying for people, but gives them more information about how the service uses "their" data.
To keep in mind:
- shared links to the service