kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Review website cookies/analytics/opt-out? #28674

Open evankanderson opened 3 years ago

evankanderson commented 3 years ago

This is a Bug Report

Problem:

A few people were having a conversation about the "cookie banner" on knative.dev, and we noticed that https://istio.io/ didn't have such a banner. Digging further, it looks like I'm served Google Analytics JavaScript and reports are collected even in an incognito window with DNT: 1 cookie.

I'm in the US, so maybe this is okay here, but I suspect that our European friends would be surprised by this.

Proposed Solution:

Add a cookie preference / opt-out for Google Analytics.

Page to Update: All pages with analytics under https://kubernetes.io/ (probably by updating https://github.com/kubernetes/website/blob/main/layouts/partials/head.html#L37 or the included template).

sftim commented 3 years ago

The Linux Foundation (and CNCF) is based in California so I believe that CCPA applies.

https://ccpa-info.com/wp-content/uploads/2019/08/Handbook-of-FAQs-Cookies.pdf suggests that neither cookie opt-in nor opt-out are required by CCPA. With that in mind, I see this as more a feature request. For example, we could choose to only load Google Analytics for visitors that sent DNT: 0 or no header.

/kind feature
/remove-kind bug

evankanderson commented 3 years ago

I'm not sure whether that interpretation is correct: GDPR may apply to EU citizens (as it applies to their right to privacy), not to the country of origin of the service provider.

In any case, it might be worth asking CNCF counsel about the applicability of laws, since I'm not a lawyer, and speculating would be irresponsible of me.

sftim commented 3 years ago

BTW, the relevant EU legislation about cookies that don't identify an individual is PECD, transposed into UK law as PECR. GDPR is relevant only where the tracking can identify a specific individual.

I'm reasonably confident that the website is legal. It would take a lawyer to provide an official opinion.

sftim commented 3 years ago

I propose we accept this and prioritize it as important-longterm.

sftim commented 3 years ago

/lifecycle frozen

Let's not miss this one.

divya-mohan0209 commented 1 year ago

@sftim Just for my understanding, does #28865 solve this completely? Or would there be further actions required from our side?

sftim commented 1 year ago

Even handling Do Not Track may not cover everything we need to do. A review is as much about lawyers as it is about HTTP headers.

natalisucks commented 9 months ago

/triage accepted
/priority important-longterm

I wonder if it's worth consulting with Joanna Lee, VP of Strategic Programs and Legal at CNCF, for this?

a-mccarthy commented 8 months ago

I spoke with @chalin and @nate-double-u, and they shared that the best way to ask about compliance around analytics on the kubernetes.io site is through a support desk ticket to the LF for folks there to review and provide guidance.

From Nate in a Slack message,

it actually looks like access to the service desk goes through the steering committee -- so i think the sig-docs chairs would have to escalate internally

I feel like this is something that might have already been checked or reviewed for the website, but I'm not sure where to look for that information and I unfortunately likely don't have access to search for it.

@natalisucks @reylejano and @divya-mohan0209, I would be interested in knowing your thoughts on this.

divya-mohan0209 commented 8 months ago

I haven't escalated it internally and there have been no records on this particular issue about any contact with the LF. Given this context, I think we can raise a support ticket for this via Steering. @natalisucks @reylejano: Please chime in.

natalisucks commented 8 months ago

Yup, I'm in agreement. Our steering liaison is Stephen, so I can chat to him next week once he's back from vacation

a-mccarthy commented 7 months ago

@natalisucks any update on this? Happy to help with any next steps :)

natalisucks commented 7 months ago

@a-mccarthy Thanks Abbie! I'll let you know once Stephen and I have been able to figure out next steps – very appreciated that you'll help here (apologies, our chat has been delayed due to work/illness, but we're in the midst of chatting re: several docs initiatives)

natalisucks commented 7 months ago

Update: I checked in with @justaugustus on this a while back and have asked him to bring this up with Steering to see if we as Docs can go ahead and liaise with Joanna or if it needs to come from Steering itself. Tagging him here as a reminder, but I will follow up again once he's back from KubeCon, as I believe he's still travelling.