EU Cookie compliance

[myriamboure]

What is the problem we are solving

GDPR and other European local regulations force all European websites to:

• inform visitors / users if you collect personal data and what you do with them.
• request consent from the visitor / users to do so for each type of cookie.

We shouldn't collect and use non-compulsory data through cookies without the explicit consent (default opt-in doesn't work anymore) Today we don't ask any consent and collect and use data through cookies without our users knowing about it. The only cookie I saw through Ghostary is New Relic which I guess is compulsory for the service we give (what it is used for again?) but maybe there are others. Also some instances use Google Analytics, if so there are new trackers from Google that collect data.

Success factors = expected outcome

When a visitor connect for the first time to a local OFN instance, if the instance has toggled on the cookie banner agreement display, they should see the banner and be able to accept all cookies, set up more specifically which cookies they accept, or ignore (in that case all optional cookies should be deactivated by default) When they visit again they should always be able to change their cookies setting and opt-in our out.

Metric

• All new visitor who have neither accepted cookies nor closed the banner should see it when they connect to the local instance URL.
• If a cookie is disabled the users data are not collected.
• If a cookie is enabled the users data are collected and can be used for the specified service.

Useful information for/from inception

A spike has been done by Maikel on which cookies we use: https://github.com/openfoodfoundation/openfoodnetwork/issues/2240 That has enabed Myriam to build a UX proposal based on previous investigations about the law and some examples that seems aligned with the law. https://docs.google.com/presentation/d/1uMWiW6lQhqexAe_uFmjp5QNAM1zLfnIe1bF3-_Nb5xo/edit?usp=sharing

Link to the "Icebox" item in Discourse

https://community.openfoodnetwork.org/t/users-know-clearly-which-cookies-are-used-and-can-refuse-them/1252

First feature candidate to be implemented

Based on first tech inception by Maikel: Implement a toggle on-off banner (instance level) that enable user to accept all cookies or view cookie policy and settings, in that case the only cookie they can be enabled/disabled is google analytics (if instance uses it).

[myriamboure]

We need some dev to take tech lead on that project. I think it can be done in parallel as Spree upgrade as I don't think there is really implications. We have decided to prioritized for Q2. @daniellemoorhead might be good to discuss at next pipeline touchpoint. I only put one story so far as I would like to organize a quick inception session with the tech lead on it to agree on the path we want to take and split that into stories. I have already shared some ideas in the slides document I put in the inception section in this epic.

[myriamboure]

Interesting and pedagogic way of taking about cookies: https://appear.in/information/tos/cookie-policy/

[myriamboure]

Ok so given the work done by @mkllnk on https://github.com/openfoodfoundation/openfoodnetwork/issues/2240 on the tech inception side, I am about to open all the stories, but before I want to make sure we all agree on UX inception side, how it's gonna look for users and what will be the flow.

Here is the proposed UX: (only 5 slildes!) https://docs.google.com/presentation/d/1uMWiW6lQhqexAe_uFmjp5QNAM1zLfnIe1bF3-_Nb5xo/edit#slide=id.g3841ad4459_0_180 It looks pretty simple to me and quite easily understandable, but please share feedbacks and ask any questions you have. @enricostano @sauloperez @NickWeir63 @lin-d-hop @sigmundpetersen @mllocs @luisramos0 are you ok with my analysis and proposal that this will make us legal on cookie side regarding GDPR? Non EU instances might decide to just toogl this off but you will have the possibility to apply it if you want :-)

@mkllnk on slide 6 I have listed 6 stories in the order I think they should be done, the first ones blocking the later ones. Do you agree? Do you suggest any modification?

[mkllnk]

@myriamboure That looks really good. Thank you. Just a note on page three. You reference a Privacy Policy. We don't have one. :-( Last Aussie talk about it: https://github.com/openfoodfoundation/ofnaus-issues/issues/2

And about the story list: I would include story 2 in story 4. It's not a big thing and doesn't make sense on its own.

[myriamboure]

Yes @mkllnk I know we don't have yet a privacy policy but UK has and we are writting one in France so we will want to link it also, but I will open a separate issue for that, it's not in the scope of the cookie policy but very connected as the cookie policy is part of privacy policy so I guess I'll put that story in the epic as well. I'll update the stories with your feedback.

[myriamboure]

@mkllnk yes privacy policy is separate but connected as cookie policy is kind of part of privacy policy, so I propose to add a separate story in the scope of the epic to have something consistent (UK has writte their privacy policy, we are writing our in France, and I guess even if not forced other instances might do it volunteerly as Aus has started to discuss). I also added that the cookie page generation also needs to be powered in/off depending on instance will. Check the new stories set and tell me if it's better or still some unclear things ;-)

[myriamboure]

I added a mobile view on how that would look like. @mkllnk can you just have a last check at the new list of stories after I took into account your feedbacks to make sure it's all good on your side? Would like to avoid misunderstandings. Also please we need more feedbacks on UX I don't want to be the only PO to validate it... especially EU people directly concerned @lin-d-hop @sigmundpetersen @sauloperez @mllocs just give your go if you are happy. @RachL I would like your UX feedback on it as well. https://docs.google.com/presentation/d/1uMWiW6lQhqexAe_uFmjp5QNAM1zLfnIe1bF3-_Nb5xo/edit#slide=id.g3841ad4459_0_180

[sigmundpetersen]

You are way deeper into this than me and I trust you @myriamboure :) All good on my side.

[myriamboure]

Are we missing any issue @luisramos0 on the cookie feature after the discussion we had? I guess the back end selection between Matomo and Analytics (that pilotes the cookie policy page content I guess) is part of cookie policy page issue isn't it? Please if we miss any new issue to cover something we didn't cover, add it to this epic! Do you have everything you need to finish it off?

[luisramos0]

Hey @myriamboure yes, I think I have everything I need.

• The main feature is complete and in Code Review here: #2411
• Basic integration with Matomo is addressed in #2492
• As far as I can see, "delete remember me cookie" #2400 is not applicable as it's already in place.

I am only missing some automated tests around some of these changes.

[myriamboure]

And add the opt-out iframe from Matomo in the cookie policy page. Also is the dynamic adaptation on that page already working @luisramos0 ? Like if instance use GA or Matomo some parts aren't visible?

[luisramos0]

yes, correct. I will use the matomo account setup now to add the Matomo opt-out iframe.

Yes, the cookies policy page is already flexible, I added screenshot here.

[luisramos0]

Quick epic update here, todo list:

• increase font size in #2597
• bug in the banner #2599
• improve policy page #2601
• matomo optout #2518
• user and admin documentation in #2427 and #2428

[luisramos0]

We are all dev done here. We are only missing the super admin guide book #2428

[myriamboure]

That's awesome @luisramos0 !!! We are going to do the last issue (documenting how to use the feature as a super admin user) when we set it up for France, so we need some days before we do the upgrade and then we'll work on it :-) That's on our side now! Cheers

[myriamboure]

This is done and working without any reported issue :-) Closing the epic !