Update Cookie Consent for GDPR

[Cleop]

As a user I want to have the freedom to consent or decline from the use of Cookies So that I know how my personal data is being used and that the EU law is being followed.

• [ ] Cookies are switched off by default
• [ ] A modal appears on every page which offers two options:
  • Option 1 - Grant consent
  • Option 2 - Do not grant consent
• [ ] If a user clicks to consent the modal no longer appears.
• [ ] If a user who previously consented wishes to withdraw their consent they can click a link in the footer called 'Cookies' which takes them to a page where they can change their consent to none.
• [ ] When a user who gave consent then withdraws it all of the cookies already created for them is cleared.
• [ ] If a user clicks to decline consent the modal no longer appears (for a given time period when it will reappear again, say 30 days?)
• [ ] All cookies on the site check whether cookie consent has been granted before being set
• [ ] The cookie banner does not appear on the 'manage cookies' page

Questions:

• Is it ok to use a cookie to record when a user has declined cookie consent? Ie. cookieConsent = false? @nelsonic do you have any thoughts on this?

Here is an example of a cookie modal's UI:

[nelsonic]

@Cleop I feel that we don't need cookies on the website except for for Google Analytics and we can easily "initialise" GA after cookie consent is given. The way you have done this for "CI" is roughly what we need for the dwyl site. But we need a detailed write-up of how it works (think technical blog post) because this is highly re-useable content. Thanks! 👍

[Cleop]

@nelsonic I totally agree, dwyl site doesn't need many cookies which makes life easier!

I was wondering more specifically whether you had any thoughts on if it's GDPR compliant to use a cookie to remember if someone chose actively not to give cookie consent? As in, once you say you don't want cookies, can a cookie still be used if it's not storing identifiable personal data?

This is a question I have for both CI and dwyl site.

[nelsonic]

@Cleop good question! 🤔 kinda by definition it's not kosher to use a cookie to store the user's opt-out of cookies ... For CI we should put the cookie preference in the Elm Model so that the person will not be "nagged" for the remainder of their current session. cookie prefs question/banner should be delayed e.g: onLoad setTimeout(function () { checkGDPRCookieConsent() }, 3000 )

If people are going to reject use of Cookies they are basically not going to get a great experience of using the CI app, but we shouldn't "nag" people on every page when they are just browsing ...

[Cleop]

Thanks @nelsonic, interesting.

In the case of CI, we have multiple elm apps running and therefore if a user were to navigate to another page which is running a different elm app then the information regarding their preferences would be lost.

Can you think of a way to overcome this?

Or do you think we should pursue a different route altogether with this in mind?

[nelsonic]

@Cleop in the case of having multiple Elm apps running on the same website, we need to get creative ... First question before we dive into trying to solve a complex problem is: do we need to have multiple Elm apps? (or can we initialise the same app with different "flags" depending on the page being loaded? i.e. can we solve a simpler problem instead?)

[Cleop]

@nelsonic I like the idea of that approach, I think in these specific circumstances the time/budget constraint of the client and the scale of the app would make that unfeasible.

Can you think of any faster options or do you think that is realistically the fastest solution?

[nelsonic]

@Cleop as you say, budget/time is constrained for the Client Project, therefore we should "accept" the cookie "nag" in the Client App as "undesirable UX" but by no means a "deal breaker" for the users.

From our experience of user-testing, people who are motivated to use something but who still want to avoid cookies, usually know about "incognito" or "private browsing". We have tested apps with users who's default behaviour is to open an Incognito Tab whenever they are searching for or trying something new precisely because they don't want to be tracked and then "spammed" by Ads.

Giving people a "nudge" to accept cookies to give them the best experience while using the (Web) App is good long-term UX because it gives the actual customers the client is trying to reach a way of seeing which products they have previously searched for.

So, in conclusion, for the specific Client Project my recommendation is:

• Check for a Cookie Consent on each page Load (but re-use as much Elm/JS code as you can)
• When the user has accepted cookies for the session we no longer need to "nag" them.
• Inform the Client/Product owner that this does not result in a material increase in "bounce rate" and prioritises people who are actually going to "buy" the product over those who are "just browsing".

Please let me know if this answers your question ("un-blocks" your progress). Thanks!

[Cleop]

Awesome, thanks for the insight @nelsonic, I've been able to implement this 👍 😊