klaro-org / klaro-js

Klaro Privacy Manager. An open-source, privacy-friendly & compliant consent manager for your website.
https://klaro.org

mustConsent prevents reading of privacy policy #155

Closed klfman closed 4 years ago

klfman commented 4 years ago

Using the mustConsent option makes the consent-modal stay open until the user accepts the apps by clicking the accept-button.

There is a logical problem though, because to accept the apps they might want to look into the privacy statement, before consenting. But as mustConsent is set, the modal hides the privacy statement behind itself.

I'm not sure how to solve this logical problem other than not including klaro.js on a specific privacy statement page. This, however, prevents me from placing a button that revokes the consent there (which in my opinion belongs exactly there) that calls klaro.show(), because klaro is not initialized on that page.

Any ideas on how to tackle this? Could the modal be configured to not show on the url set by {privacyStatement}? Would this still work with hash-links?

jaller94 commented 4 years ago

I find it odd that clicking the privacy policy completely hides Klaro, whether mustConsent is true or false. If no choice has been made, it should go back to the smaller consent notice.

Would that also solve your issue?

klfman commented 4 years ago

Nope, clicking the link does not hide klaro when mustConsent is on and the user has never consented. Then they still need to choose from the list of apps, switch them on or off and click "agree". In this case (modal for the first time open) clicking outside of the modal does not close it either, so that's consistent. The automatic hiding logic (on click on the privacyPolicy or the outside part of the modal) starts when the modal is revisited, because the user reopened it to change their choice of apps. It behaves like a "cancel" logic, because no changes are made and a choice is not necessary. So this behavior is actually perfect like it is right now.

Going back to the smaller notice is not what I want, I never want to show it, because it can be ignored meaning that no opt-in consents are ever given. I'm a fan of opt-in logic, I think that data should be in the hand of the users and at the same time I'm explicitly trying to balance the business interests of my customer (collecting data for knowledge) with the interests of the users (having full control). So I want the popup to be in the way until a choice was made and never close and go to the small version because there the user could indefinitely delay the choice.

I love that klaro has the mustConsent-option that allows me to block the user from advancing and I proposed this library to my customer because of that synergy between data protection and business interests.

Is there no technical way to "identify" the privacy policy page at runtime (by the configured url) and just skip the logic to show the notice automatically there (but in my opinion it should be shown on klaro.show(), because the "open cookie settings"-button or however you want to name it should actually be there, because users would expect it there)?

adewes commented 4 years ago

For this, you can simply add data-no-auto-load="true" to the script tag that loads Klaro on your privacy page; it will then not automatically pop up when the page is loaded. If you need to use the same script tag on all pages, you can just show Klaro manually on other pages by calling klaro.show().

If this doesn't solve your problem please re-open this issue!
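
An added example, not part of the thread and not Klaro's own code: one way to use the same script tag (with data-no-auto-load="true") on every page and call klaro.show() everywhere except the privacy statement, including when that page is reached through a hash link. The path `/privacy`, the helper names and the button id are assumptions for illustration.

```javascript
// Assumed path of the privacy statement; adjust to your site.
const PRIVACY_PATH = '/privacy';

// Strip trailing slashes so "/privacy" and "/privacy/" compare equal.
function normalizePath(path) {
  const trimmed = path.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// True when href points at the privacy statement. Only the path is
// compared, so "/privacy#cookies" and "/privacy?lang=de" still match.
// (isPrivacyPage is a hypothetical helper, not a Klaro function.)
function isPrivacyPage(href, privacyPath = PRIVACY_PATH,
                       base = 'https://example.invalid') {
  let url;
  try {
    url = new URL(href, base); // base lets relative links resolve
  } catch (e) {
    // Unparsable URL: treat it as a normal page so the consent
    // modal is still shown rather than silently skipped.
    return false;
  }
  return normalizePath(url.pathname) === normalizePath(privacyPath);
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    // Assumption: Klaro was loaded with data-no-auto-load="true", so
    // nothing has popped up yet. Check how klaro.show() behaves for
    // visitors who already stored a choice in your Klaro version.
    if (window.klaro && !isPrivacyPage(window.location.href)) {
      window.klaro.show();
    }
    // Hypothetical button id for the "change my choices" control
    // that the privacy statement page should offer.
    const button = document.getElementById('open-consent-settings');
    if (button) {
      button.addEventListener('click', () => {
        if (window.klaro) window.klaro.show();
      });
    }
  });
}
```

Matching on the path alone keeps a look-alike such as `/privacy-archive` from suppressing the consent modal.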