GDPR and Cookie Law

Hey i got some Questions regarding the new GDPR and the cookie law in Eu.

I read a lot about GDPR in general and I believe nextcloud is a good choice with encryption and so on, but nextcloud uses Cookies too. I didn’t have a documentation about the cookies set and for the reason they are set. I checked the site and there are 4 cookies. Cookiebot told me my site is not compliant. So want to make a cookie bar with informations for users and a way to decline these 4 cookies.

I want to use cookie consent code because it’s free and opensource. But I don’t know where to put the code.

And of course the cookie disable code:

1 Like

Hello @papalapappi,

Given that nobody answered this: The simplest solution would be to introduce a splash/landing page which contains a link to the privacy statement and a notification that by proceeding to the Nextcloud login page (or any other application for that matter), the user consents to the use of technically necessary cookies that are, e.g., required for session management. The same should be mentioned in the privacy statement itself (in more detail, if needed), of course. Technically, you can prevent users from accessing the login page if they have not consented to be above (using a combination of the “referrer” header and a cookie signaling consent).

While you could try to (temporarily) block the cookies that are already sent when opening the login screen (at least until the user has given his/her consent), this is (much) more complicated. Keep in mind that some of these, depending on the application in question, might be essential – this implies that you’d either

  • need to modify some parts of the application and keep those modifications in sync with the upstream project as long as you intend to install upgrades or your changes get merged or
  • use a proxy which basically implements the first alternative without introducing a separate landing page to temporarily “buffer” the cookies to be forwarded after the user gives his/her consent

As long as you use a separate flash/landing page, inserting the code generated by the “cookieconsent” solution ( into the header should not be a problem. If you simply want to include the code on every page delivered by the web server instead, you could, e.g., use the apache2 “mod_substitution” module and insert the code before the closing “header” tag. While this approach might look crude on first sight, it ensures that you do not need to touch a single line of code/configuration setting of the application in question, be it Nextcloud, Seafile, WordPress, …