Open GeorgelT opened 1 year ago
I'm in Europe I have to have a legal consent pop-up.
To clarify, if you have a plain Hugo site that does not store any cookies, you don't need to have any legal consent pop-up.
Yes, the website itself, hosted on the hosting provider, might not need anything, but anything third party your website uses (like embeds or tracking) has to have the consent form.
but anything third party your website uses (like embeds or tracking) has to have the consent form.
Assuming the third-party in question requires such consent form.
I'm adding this comment here because this issue's original title implied that Hugo is breaking the law, and that's just not true. Yes, we do have a page about GDPR in the documentation, but I'm pretty sure we don't state any GDPR compliance re. all third-party tools out there.
I'm adding this comment here because this issue's original title implied that Hugo is breaking the law, and that's just not true.
Yes, sorry about that. Hugo itself is just a generator and thankfully does have some features for this. While the generated websites themselves are compliant and good for internal usage, I think once it gets public access it needs a good consent mechanism.
Yes, the problem is not with the generated websites, but all the other services that get integrated with the website. Since the "relationship" is between visitor and website owner, the visitor has to be informed somehow that the website also is giving information to some other party.
Hey.
As someone who had to implement GDPR-compliant Hugo-powered website(s) at work, I would like to weigh in on this.
By the way, I think this is more of a discussion rather than an issue, but anyways. I don't think Hugo needs to implement a cookie banner. Hugo's purpose is to provide static site generation and that's it. Plus, it does it extremely well. Anything that comes into the theme is the developer's responsibility.
What I did at work is based on what's explained here at Hugo Codex. I basically had to improve upon it in terms of functionality and design. I already had it in mind to open-source it, which I will do now and share later here for future reference to others.
In the meantime, here are some screenshots:
Best.
…but anything third party your website uses (like embeds or tracking)…
Is the responsibility of the developer who added such things.
Hugo does not require you to add any such privacy-violating technology.
@cansurmeli did you ever get to open-sourcing your solution?
Hello,
I've been looking through the documentation and through quite a few themes and pages that are generated with Hugo, but I don't seem to find any that have the GDPR pop-up (if one even exists in the first place) in a legal way. I'd like to use Hugo for at least one project, but because I'm in Europe I have to have a legal consent pop-up.
I checked the documentation, I can see that there are available features: https://gohugo.io/about/hugo-and-gdpr/ but I haven't seen anyone actually implement them in any template or productive website. I looked at previous issues regarding GDPR, they also don't seem to touch on the implementation of these features at all.
To clarify, just the "We use cookies, if you continue you're ok with that [OK]" banner is not legal. The pop-up has to have at least 3 buttons [Yes][No][Details], and the details section has to have the option to disable the trackers individually. Also, the privacy policy and ToS sites have to be available without any tracking active. The whole tracking thing has to be optional and opt-in to start with. The default should be no tracking.
So the feature request is any one of the following to start, and hopefully a full implementation built in at some point.
I'd really like to be able to use Hugo, but at the moment I can't since people are not capable of opting in or out of tracking. To clarify, technically necessary cookies, like the one you need to track the user that doesn't want to be tracked, are perfectly legal. Just as are having your server logs with a hosting company or using Google Fonts (this one is quite a grey area since Google still tracks access to the fonts). But anything optional that involves a third-party transfer of information has to be toggleable. This would also include embeds like YouTube/Vimeo/Twitter things. Those also have to be disablable. A lot of people seem to think that having Matomo or other local tracking is legal, but that also has to be agreed upon by the user.
The whole GDPR issue has been quite problematic to implement correctly, and the high number of cases in recent years shows that the states are not joking about enforcing it.
I'll add a screenshot of how a legal GDPR pop-up is supposed to look, from the Viennese public transport website: