OWASP / www--site-theme

Contains owasp site theme specific items (headers, footers, json, menus)

Cookie banner not compliant with EU law #65

Open bkimminich opened 4 years ago

bkimminich commented 4 years ago

I'm not a lawyer, but I think we might be making fools of ourselves with this cookie banner (see screenshot) that doesn't even meet current EU legislation demanding an "opt in" to all tracking and non-essential cookies and not accepting plain "Accept"-banners any longer...

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

I ran an automated conformity test, and the _ga and _gid cookies (Google Analytics) need to be locked until explicitly accepted by the user in an opt-in fashion. The website I used marked the other cookies from CloudFlare and Stripe as essential and therefore compliant.

Report can be found in the corresponding Slack discussion: https://owasp.slack.com/files/U1S23SNE7/F016556FB61/report-owasporg-4183554.pdf

Sent from my Pixel 3 XL using FastHub

hblankenship commented 4 years ago

This should be corrected now as we only apply ga cookies once the Accept is clicked.

kingthorin commented 3 years ago

@bkimminich is the current implementation compliant?

bkimminich commented 3 years ago

This website uses cookies to analyze our traffic and only share that information with our analytics partners.

Accept

I am not a lawyer, but I don't think this is sufficient per GDPR/EU cookie law. You have to have the option to turn off unessential cookies, and GA falls into that category imho. I think it even needs to be opt-in instead of opt-out.
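The thread above argues for opt-in consent: the banner must offer a real reject choice, and the Google Analytics script (which sets `_ga` and `_gid`) must not run until the user explicitly accepts. The following is an added illustration of that gating, written for this discussion; it is not code from the www--site-theme repository. The cookie name `owasp_cookie_consent`, the `cookie-banner` element id and the `G-XXXXXXX` measurement id are placeholder assumptions.

```javascript
// Added example, not part of the www--site-theme theme code.
// Opt-in consent gate: analytics loads only after an explicit "accept";
// an undecided or rejecting visitor never gets the gtag script (and so no _ga/_gid).

const CONSENT_COOKIE = 'owasp_cookie_consent'; // hypothetical cookie name
const CONSENT_MAX_AGE_DAYS = 180;

// Essential cookies (e.g. the consent record itself) are always allowed;
// analytics defaults to off until the visitor opts in.
const DEFAULT_CONSENT = Object.freeze({ essential: true, analytics: false, decided: false });

// Parse a document.cookie-style string and recover the stored decision.
// A missing or malformed consent cookie means "no decision yet", never "accepted".
function readConsent(cookieString) {
  const pairs = (cookieString || '').split(';').map(s => s.trim()).filter(Boolean);
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq) !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(pair.slice(eq + 1)));
      if (typeof parsed.analytics === 'boolean') {
        return { essential: true, analytics: parsed.analytics, decided: true };
      }
    } catch (e) {
      // malformed value: fall through and treat as undecided
    }
  }
  return { ...DEFAULT_CONSENT };
}

// Build the Set-Cookie value that records the visitor's choice.
function buildConsentCookie(analytics) {
  const value = encodeURIComponent(JSON.stringify({ analytics: !!analytics, ts: Date.now() }));
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// The single decision point: analytics only with an explicit, recorded opt-in.
function shouldLoadAnalytics(consent) {
  return consent.decided === true && consent.analytics === true;
}

// Record an "accept" or "reject" click; returns the new state and the cookie to set.
function applyChoice(choice) {
  if (choice !== 'accept' && choice !== 'reject') throw new Error('unknown consent choice');
  const analytics = choice === 'accept';
  return {
    consent: { essential: true, analytics, decided: true },
    cookie: buildConsentCookie(analytics),
  };
}

// Browser side: inject the gtag loader. No-op when there is no DOM (e.g. under Node).
function loadAnalytics(measurementId) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', measurementId);
  return true;
}

// Wire the banner: show it only while undecided, and offer both choices.
function initBanner(measurementId) {
  if (typeof document === 'undefined') return;
  const consent = readConsent(document.cookie);
  if (shouldLoadAnalytics(consent)) { loadAnalytics(measurementId); return; }
  if (consent.decided) return; // rejected earlier: load nothing, show nothing
  const banner = document.getElementById('cookie-banner'); // hypothetical element id
  if (!banner) return;
  banner.hidden = false;
  const decide = choice => {
    const { consent: next, cookie } = applyChoice(choice);
    document.cookie = cookie;
    banner.hidden = true;
    if (shouldLoadAnalytics(next)) loadAnalytics(measurementId);
  };
  banner.querySelector('[data-consent="accept"]').addEventListener('click', () => decide('accept'));
  banner.querySelector('[data-consent="reject"]').addEventListener('click', () => decide('reject'));
}

if (typeof document !== 'undefined') initBanner('G-XXXXXXX'); // placeholder measurement id
```

The point of the structure is that `shouldLoadAnalytics` is the only path to `loadAnalytics`, and it returns false for every state except a stored, explicit accept; a reject is persisted too, so the banner does not reappear on every page and the visitor is not nudged into accepting.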

hblankenship commented 9 months ago

It doesn't seem that much different than the one on https://gdpr.eu/ ?