backdrop / backdrop-issues

Issue tracker for Backdrop core.

[META] Remove Barriers to GDPR Compliance & Establish Good Defaults in Core #3094

Open klonos opened 6 years ago

klonos commented 6 years ago

This is the respective ticket in d.org #2971786: [meta] Remove Barriers to GDPR Compliance & Establish Good Defaults in Core (which was filed in favour of the now closed/outdated #2848974: Privacy Concerns as GDPR Compliance).

Let's follow these d.org issues and see if there is anything that needs to or can be done in Backdrop core.

More info on GDPR: https://www.eugdpr.org

PS: Those in EU or with EU sites would greatly benefit if the following contrib modules were ported over:

https://www.drupal.org/project/gdpr

https://www.drupal.org/project/gdpr_consent

https://www.drupal.org/project/gdpr_export

ghost commented 6 years ago

More information that might be helpful...

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

https://www.privacyshield.gov/

laryn commented 6 years ago

I'm listening to some #TCDrupal presentations while I'm working today. Currently listening to this GDPR presentation and it makes me wonder if some of the functionality from the few GDPR-related modules that are available for Drupal 7 should be integrated into core to help with Backdrop GDPR compliance out of the box.

These modules are highlighted in particular (around 40:30):

ghost commented 6 years ago

From my understanding, websites must not set any cookies without the visitor's active consent. I'd therefore like to know what cookies Backdrop uses and how we can make it so that they're not set before getting consent?

Graham-72 commented 6 years ago

I recommend reading https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/

where it says: This means you are unlikely to need consent for:

However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

ghost commented 6 years ago

Ok, good to know. So then my question becomes: does Backdrop set any cookies that fall outside of those exceptions?

I know certain contrib modules would (like Google Analytics, etc.), so as site builders we'd need to take note of what additional modules are in use and what (if any) cookies they provide.

But it'd be good to get a list of Backdrop core's cookies and whether or not they're essential and therefore don't require consent.

Graham-72 commented 6 years ago

It would be nice if someone could identify the minimum changes necessary to meet GDPR requirements. As far as I can tell the requirements do not spell out the technical solutions that make a system compliant, e.g. they do not specify a level of encryption.

Graham-72 commented 6 years ago

I have now listened to the presentation referenced by @laryn above, 'The GDPR is here - at Twin Cities Drupal' (https://www.youtube.com/watch?v=CyIFNsSHPxQ), and I find it very useful and clear. I would think we could identify specific issues for Backdrop from this.