dmind-gmbh / extension-cookieman

A GDPR tracking consent popup for the content management system TYPO3. It asks for approval to include tracking objects (cookies, images or any HTML) and includes the objects when consented.
https://extensions.typo3.org/extension/cookieman
GNU General Public License v2.0

make it configurable to let the cookie consent popup stay in focus when the user clicks outside the popup #96

Closed medarob closed 3 years ago

medarob commented 4 years ago

Feature Request

Currently, if the user clicks anywhere other than on the "use all cookie"-button or the "settings"-button, the cookie popup disappears, which means the user hasn't given any consent to use cookies at all. If the user navigates to another page, the popup appears again, which is good.

Let's say that the user doesn't want to give any consent again, so he clicks again somewhere else to make the popup go away. The user navigates to a fe-login form and now wants to log-in. He fills out the form with username and password, clicks on the "login"-button and now the fe_typo_user cookie is automatically set without consent. That is a problem, I would say.

Describe the solution you'd like

The solution would be that the user does not have the option to make the cookie consent popup go away without any consent (which is not so user friendly) or you have to disallow TYPO3 from creating the fe_typo_user cookie (and I don't know if that is possible). If the consent for the fe_typo_user cookie isn't given, the login form shouldn't work. There has to be a message like "You first need to accept the mandatory cookies/fe_typo_user".

Therefore a selection of cookie consent is mandatory and the user shouldn't have the option to make the popup go away. Either the user chooses only to accept the necessary cookies or he accepts all cookies. Either way, he has to accept the group where the fe_typo_user cookie is included.

Additional thoughts: Maybe it's also enough to change the consent text so that the user accepts the mandatory cookies if he clicks anywhere else (to make the consent popup go away). Better would be one of the other solutions...

medarob commented 4 years ago

On the other hand, it seems that there needs to be no consent for cookies which are necessary to make the website work without problems, for example login cookies. https://www.it-recht-kanzlei.de/notwendige-nicht-notwendige-cookies.html (German)

So, the current behaviour of the popup window seems to be ok. Any thoughts on that?

ghost commented 4 years ago

The current default is that the user can close but no consent is saved. No managed-by-cookieman tracking objects will be included.

This is not a cookieman core functionality but rather just implemented like that by the default themes. For the Bootstrap default themes it can be changed by setting the backdrop to backdrop = 'static' here https://github.com/dmind-gmbh/extension-cookieman/blob/master/Resources/Public/Themes/bootstrap4-modal/cookieman-theme.js#L4 and keyboard:false here: https://github.com/dmind-gmbh/extension-cookieman/blob/master/Resources/Public/Themes/bootstrap4-modal/cookieman-theme.js#L11

The fe_typo_user is not managed by cookieman and I agree that legally there is no consent required.

I think the current default is a good middle ground between legally correct and being the least annoying to users.

I personally often just want to scan the homepage of a company without dealing with a cookie banner, so I am happy if I can just close it.

Anyways, we should mention in the docs that this behaviour can be changed by adapting the theme JS: https://docs.typo3.org/p/dmind/cookieman/master/en-us/Introduction/Index.html#when-is-the-popup-shown-to-users

References: BS3 https://getbootstrap.com/docs/3.3/javascript/#modals-options BS4 https://getbootstrap.com/docs/4.3/components/modal/#options

So I'll keep this open as a task. Together with your other recommendation to show how default theme JS can be changed without creating an own theme I think this would benefit integrators.

ghost commented 4 years ago

Should be documented together with #91 (just to have a cross-reference here)

ghost commented 4 years ago

Just found a sentence here in the docs, too: https://docs.typo3.org/p/dmind/cookieman/2.4/en-us/Introduction/Index.html#when-is-the-popup-shown-to-users ... which would need to be changed

jonaseberle commented 4 years ago

I understand the clarifications by the European Data Protection Board (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf - bullet point 82.) regarding "consent should not be unnecessarily disruptive" in a way that the pop-up should easily be closable. Yet it shall not be too undisturbing as this "would result in ambiguity".

I'll just leave it here. I'd like to have this document linked in our docs.

herzogkienast commented 4 years ago

I would like to have a TS constant or something in TS setup to add the backdrop static only for cookieman. Will there be any workaround at the moment?

jonaseberle commented 4 years ago

@herzogkienast I wouldn't want to add configuration for something that is theme specific.

You can adapt the cookieman-theme.js in your theme like mentioned in https://github.com/dmind-gmbh/extension-cookieman/issues/96#issuecomment-589603156