HugoBlox / hugo-blox-builder

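🚨 GROW YOUR AUDIENCE WITH HUGOBLOX! 🚀 HugoBlox is an easy, fast no-code website builder for researchers, entrepreneurs, data scientists, and developers. Build stunning sites in minutes. A simple, fast no-code website builder for researchers, entrepreneurs, data scientists and developers. Quickly create beautiful websites with drag-and-drop, customizable templates and built-in SEO tools!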
https://hugoblox.com/templates/
MIT License

Add optional Privacy Pack with cookie consent message #507

Closed pjox closed 6 years ago

pjox commented 6 years ago

I was wondering if there should be an addition of a banner regarding the cookies which is compliant with the GDPR, which will be enforced starting March 25 2018. Most of the sites using the academic theme have cookies thanks to the Discourse comments, Google Analytics or the MathJax engine.

Right now I'm using the following GitHub project to address this issue: Insites, but it would be nice to have a native hugo-academic solution which changes according to the theme and the language.

gcushen commented 6 years ago

I agree, it's important for EU sites to be compliant with GDPR. However, I don't believe any cookies are currently set by default - only if the administrator decides to enable certain third party integrations.

For those who decide to enable cookie based integrations, there are probably ways to meet the requirements of GDPR without introducing more code and dependencies in Academic (possibly by placing a notice in a custom widget or footer and creating a Privacy page etc.).

pjox commented 6 years ago

That would be an interesting and convenient solution, yet one would like a message that informs the user about the cookies just when they first connect to the site, but that is hidden in all subsequent connections from the same user. This is how most of these notices work. Is this possible using custom widgets or footers? If yes, please let me know how you'd do that, that would be a more elegant solution to the problem.

I was thinking about using the Hero widget for this, but honestly I have no idea how to hide it after the user accepts the use of cookies (and hide it for further visits from the same user).

JOduMonT commented 6 years ago

Actually, to meet the requirements you need the approval of the visitor, which is made by a click. To be over-compliant, your JS and other third-party resources (such as Google Fonts and CDN) must be loaded after this click.

For the policy you could use this generic generator; for the popup you have these js and this one.

But personally, the most friendly I found is this one: https://cookiesandyou.com/
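
The two behaviours discussed above (a notice shown only until the visitor decides, and third-party resources loaded only after the click) can be sketched as follows. This is an added example, not code from any commenter or from Academic; `ConsentGate`, `STORAGE_KEY` and the URLs are illustrative assumptions.

```javascript
// Added example, not from the thread. In a browser, pass window.localStorage and
// a function that appends a <script>/<link> element for the given URL.
const STORAGE_KEY = "cookie_consent"; // hypothetical key name

class ConsentGate {
  constructor(storage, inject) {
    this.storage = storage; // needs getItem/setItem
    this.inject = inject;   // called with a URL once loading is allowed
    this.pending = [];      // resources waiting for the visitor's click
  }
  decision() {
    const v = this.storage.getItem(STORAGE_KEY);
    return v === "granted" || v === "denied" ? v : null;
  }
  // The banner is shown only while no decision is stored (first visit).
  shouldShowBanner() { return this.decision() === null; }
  // Load a third-party resource now only if consent already exists.
  request(url) {
    const d = this.decision();
    if (d === "granted") { this.inject(url); return true; }
    if (d === null) this.pending.push(url); // held until accept()
    return false;
  }
  accept() {
    this.storage.setItem(STORAGE_KEY, "granted");
    const released = this.pending.splice(0);
    released.forEach((u) => this.inject(u));
    return released;
  }
  decline() {
    this.storage.setItem(STORAGE_KEY, "denied");
    this.pending.length = 0; // nothing queued is ever loaded
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed scenario: first visit with a click, then a return visit.
function demo() {
  const store = memoryStorage(), loaded = [];
  const first = new ConsentGate(store, (u) => loaded.push(u));
  const bannerFirst = first.shouldShowBanner();
  first.request("https://example.invalid/analytics.js");
  const loadedBeforeClick = loaded.length;
  first.accept();
  const second = new ConsentGate(store, (u) => loaded.push(u));
  second.request("https://example.invalid/fonts.css");
  return { bannerFirst, loadedBeforeClick, bannerSecond: second.shouldShowBanner(), loaded };
}
```
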

JOduMonT commented 6 years ago

Just to mention, cookiesandyou is already included in the bootstrap4-blog theme: https://github.com/alanorth/hugo-theme-bootstrap4-blog/blob/master/exampleSite/config.toml#L56

pjox commented 6 years ago

Well I have already invested a lot of time creating my website with the hugo-academic theme, and I've been using it for a lot of time. So I don't really like the idea of changing themes... But thanks anyway for the recommendation, for the moment I think I will add https://cookiesandyou.com/ to my current site.

pjox commented 6 years ago

@gcushen I found that even disabling third party integrations like Disqus, MathJax and Google Analytics, there is always a cookie from cloudflare.com (__cfduid) which appears when you connect from a public network. The only way to disable this would be by disabling all icons from Font Awesome and Academicons, which is something that would really hurt the theme.

I really think we should seek a solution to this problem; not addressing this issue technically makes the theme "illegal" in the EU, which is sad considering this is one of the best Hugo themes.

gcushen commented 6 years ago

@pjox Academic does not set any cookies by default unless you enable third party integrations. cdnjs.cloudflare.com does not set any cookies. Also, GDPR will not be enforced across the EU until 25 May 2018.

It's easy to make a website compliant by using a wizard such as this one and pasting the code into Academic's head_custom.html - refer to Academic's documentation website.

pjox commented 6 years ago

@gcushen Thank you for the answer. I was not aware of the head_custom.html method; I was pasting the code in the head of the theme. Your solution is much, much better.

About the cloudflare thing, I'm sorry, but they do set one cookie, and it is mandatory, you can read about it in their documentation here. Even the address cdnjs.cloudflare.com is setting 3 cookies for me.

gcushen commented 6 years ago

@pjox according to CDNJS (https://github.com/cdnjs/cdnjs/issues/8868), and in my experience, they don't set any cookies when a browser attempts to retrieve CDNJS assets from an Academic powered website. Hence, Academic is cookie-free by default. Perhaps, you are directly or indirectly using other Cloudflare services on your site or host.

Although the steps for adding a cookie consent notice in my comment above should be very simple for an admin to follow, I'll consider more seamlessly integrating an option for this kind of feature into Academic.

vkehayas commented 6 years ago

To be GDPR compliant, in addition to alerting the user about cookies, when enabling Google Analytics I believe that an additional option should be set in header.html in order to anonymize IPs:

ga('set', 'anonymizeIp', true);

I guess it is beneficial to have this option set by default when enabling GA.

The GDPR additionally mentions that the user should have the freedom to deny usage of specific cookies, something I wholeheartedly agree with. But it seems to me that it's outside the scope of simple tools such as the one provided by Insites and I see no easy way of implementing something like this.

gcushen commented 6 years ago

An enhanced data privacy option has now been added. To enable, update Academic and set privacy_pack = true in config.toml. Currently, it will:

> The GDPR additionally mentions that the user should have the freedom to deny usage of specific cookies, something I wholeheartedly agree with. But it seems to me that it's outside the scope of simple tools such as the one provided by Insites and I see no easy way of implementing something like this.

This is partly dependent on Insites adding that functionality - see https://github.com/insites/cookieconsent/issues/242 . Otherwise, there are non-free granular cookie compliance services (e.g. OneTrust) that admins can integrate with Academic.

JOduMonT commented 6 years ago

@pjox Sorry if I wasn't clear, but I was mentioning the bootstrap4-blog theme as an inspiration and a way to add cookiesandyou in Academic. As a non-developer I always prefer working with an example than from scratch ;)