adityatelange / hugo-PaperMod

A fast, clean, responsive Hugo theme.
https://adityatelange.github.io/hugo-PaperMod/
MIT License
10.37k stars 2.75k forks source link

Option to make theme legal in Europe/Germany #720

Closed stefan-scholl closed 2 years ago

stefan-scholl commented 2 years ago

layouts/partials/header.html and layouts/partials/footer.html are accessing localStorage which isn't allowed in Europe and Germany without asking the visitor first. See the (in)famous cookie banners.

I suggest an option gdpr_compliance (GDPR = General Data Protection Regulation) that changes localStorage to sessionStorage or simply removes the affected features.

Yes, I can (and do) overwrite this by my own version of the partials but an explicit option could be warning to users of the theme.

adityatelange commented 2 years ago

layouts/partials/header.html and layouts/partials/footer.html are accessing localStorage which isn't allowed in Europe and Germany without asking the visitor first. See the (in)famous cookie banners.

I suggest an option gdpr_compliance (GDPR = General Data Protection Regulation) that changes localStorage to sessionStorage or simply removes the affected features.

Yes, I can (and do) overwrite this by my own version of the partials but an explicit option could be warning to users of the theme.

Hi @stefan-scholl,

We are not sending the data stored in localstorage such as theme preference and scroll position in menu anywhere. Also the data stored is more of a user preference data and are not trackers.

Using sessionStorage to store this data is of no use as it would only remain for that particular session and won't be persistent.

stefan-scholl commented 2 years ago

It doesn't matter what you are doing with the data. In the EU we need to ask for consent before storing anything on the visitor's device. That's the so called EU cookie law (ePrivacy Directive) and why we have these annoying cookie consent banners everywhere.

But IANAL. It was just a suggestion and warning.

nicfab commented 2 years ago

IMHO - I am a lawyer - it would be preferable to avoid storing any data on the user device, apart from the session cookies always allowed. I published, on my website, a disclaimer on the session cookies (https://www.fabiano.law).

nicfab commented 2 years ago

GDPR and ePrivacy are different things, that may have caused some confusion, because the former does not prohibit such cookies. The first is EU regulation, and therefore directly applicable to you, the second is a EU directive implemented in national law. For you according to the Marktortprinzip probably the German TTDSG Telekommunikation-Telemedien-Datenschutz-Gesetz.

If this is the case I recommend you to read the Orientierungshilfe für Anbieter or the national equivalent.

You are right that storing cookies and LocalStorage (but also SessionStorage!) falls under the law.

The question remains whether darkmode falls under § 25 TTDSG (2), or 5(3) ePrivacy. According to my interpretation, it is both explicitly desired (the storage is only written to when the button is clicked), and technically necessary. I really do think this is fine but IANAL either.

GDPR and ePrivacy are two different legal instruments, indeed. Currently, in Europe, it applies Directive 2002/58/CE until the proposal on ePrivacy comes into force (maybe it will be approved in 2023 and applied in 2025). Directive 2002/58/CE refers mainly to cookies, but the proposal on ePrivacy will provide for more restrictive measures. The documents you are posted are in German, which I don't know. Anyway, no data should be stored on the users' devices.

larshei commented 2 years ago

I think with disabled theme toggling, nothing will be written to the local storage. So that could be a workaround.

breard-r commented 2 years ago

IMHO - I am a lawyer - it would be preferable to avoid storing any data on the user device, apart from the session cookies always allowed. I published, on my website, a disclaimer on the session cookies (https://www.fabiano.law).

This is superfluous. Session data as well as user interface customization data and other technical data, either stored in cookies, local storage or anything else, does not fall under neither the GDPR nor the ePrivacy directive.

As far as I know, this issue refers exclusively to the use of local storage in order to store theme customization (whether to use the light or dark one). Hence, there is no problem doing so, European legislation does not restrict it in any way.

For the example, the french data protection authority published (deliberation no 2020-091 of September 17, 2020, in french) a non-exhaustive list of tracker that does not require the user's consent (the deliberation is based on the GDPR, ePrivacy, the french law and an European text about competition law):

If the data protection authority of an European country explicitly list such use of local storage as exempt of user consent, you can safely assume there is no need for the suggested gdpr_compliance parameter.

adityatelange commented 2 years ago

IMHO - I am a lawyer - it would be preferable to avoid storing any data on the user device, apart from the session cookies always allowed. I published, on my website, a disclaimer on the session cookies (https://www.fabiano.law).

This is superfluous. Session data as well as user interface customization data and other technical data, either stored in cookies, local storage or anything else, does not fall under neither the GDPR nor the ePrivacy directive.

As far as I know, this issue refers exclusively to the use of local storage in order to store theme customization (whether to use the light or dark one). Hence, there is no problem doing so, European legislation does not restrict it in any way.

For the example, the french data protection authority published (deliberation no 2020-091 of September 17, 2020, in french) a non-exhaustive list of tracker that does not require the user's consent (the deliberation is based on the GDPR, ePrivacy, the french law and an European text about competition law):

  • trackers saving the user's choice concerning the use of trackers
  • authentication trackers
  • on merchants sites, trackers saving the content of a shopping basket or equivalents
  • trackers saving the user interface customization
  • load-balancing trackers
  • trackers managing the limited free-use of selection of content
  • some audience tracking (with strict limitations)

If the data protection authority of an European country explicitly list such use of local storage as exempt of user consent, you can safely assume there is no need for the suggested gdpr_compliance parameter.

@breard-r Thanks for the excellent explanation :handshake: Closing this..