michnhokn / kirby-cookie-banner

A Cookie Consent Modal for Kirby
MIT License

Cookie consent proof #6

Closed iamlinkus closed 3 years ago

iamlinkus commented 3 years ago

Hey! Awesome plugin! However, GDPR requires being able to provide proof of consent and I don't seem to find any functionality for that. Are there any plans for something like that?

michnhokn commented 3 years ago

Hey, thanks for your positive feedback! What do you think such a function would look like? As I understand it, information on the user's end device is sufficient as proof of which cookies were agreed to. Please send me a link or something similar where such a regulation is explained in more detail. Then I'll be very happy to look at how something like this can be implemented.

iamlinkus commented 3 years ago

I'm actually struggling to find an easy-to-understand document properly explaining this issue, but maybe this can shed some light on it: https://www.iubenda.com/en/help/5428-gdpr-guide#records-of-consent

Also, found a thread in law stackexchange: https://law.stackexchange.com/questions/42055/proof-of-consent-under-gdpr-how-to

Seems like if there should arise a situation where a business is requested for proof of specific consent given by a user, the business will have to be able to provide a record as proof (as I understand, a cookie on the user's device would not suffice. Also, the user could easily remove the single cookie responsible for consent and leave all of the other tracking cookies).

michnhokn commented 3 years ago

Okay, I think that's a difficult topic in general. After all, visitors to a website must agree to cookies, but not all visitors are registered users. Accordingly, it is almost impossible to store for a random visitor whether he has agreed to the cookies or not. This works only on his device or at most in the access logs of the server. However, an IP is not necessarily assigned to a single user. I do not think that there is a case where a website operator has to prove that an unregistered user has agreed to cookies. After all, when you give cookie consent, you do not store any personal data. According to GDPR Article 7, the existence of consent should be sufficient to prove that a visitor has the ability to consent to cookies in the first place. However, I am not a lawyer and cannot make any reliable statements.

Nevertheless, I'm grateful for suggestions and ideas, and if you have a plan for how to include such a feature, feel free to let me know. Or feel free to make a pull request.