Open thomas-kl1 opened 5 years ago
Important to note: As of 2.3, a reCaptcha module is included by default. In most situations, this will be turned on, at least for the contact form.
However, as this collects lots of personal data, this can't be considered a functional cookie.
So, to comply with the law, people need to opt in for this. But if they don't, it is not an option to present them with an unprotected contact form either; that would be a bad idea.
I see only really 2 ways around this:
The latter one requires fine-grained cookie control, thus having multiple (configurable) groups. Like Marketing, Analytics and reCaptcha.
Another note: We also need to deal with other third-party cookie-enabled extensions which are included by default. Google Analytics and Google Adwords are two of them, which I suspect are used a lot.
Magento 2 has an internal "cookie restriction mode", which gets checked before those are loaded. We could extend that to also look at our cookie settings.
It might be necessary to achieve this in a specific module, as it can quickly become large. We definitely need to check what is involved in Magento core.
I would like to point out for tarteaucitron that it's actually a very good solution regarding the fact that it allows you out of the box to run a script only after the user gives his consent explicitly. However, due to its legacy JavaScript code, it's very hard to ensure that it's properly loaded before you load your custom scripts.
It's impossible to handle the dependency with requirejs and keep it modular, so often it will give issues with uninitialized window objects that Google tags need. For example, remarketing code in the product page/cart etc. is not certain to execute correctly unless you tie it into the custom script code.
It's also loading its own file for services via the main tarteaucitron.js file, so merging usually breaks it. You'd have to load it from a CDN.
Basically it's very hard to integrate in asynchronous ways.
Interesting... Thank you for your feedback. Do you have a proof of concept with Magento 2 or an integration tool to achieve this in mind?
I've been experimenting with this for a while because I haven't seen a single module offering proper cookie consent integration for Magento 2 but every single one has limitations. You'd be amazed to see that even paid solutions don't adhere to the regulation regarding cookies. For example some just unset the cookies instead of preventing their storage on the user's device in the first place before consent is given. Only tarte was 100% compliant but unreliable for Magento 2.
I've tried with quantcast GDPR too but it relies on external service so I avoided that too. Seems similar to osano mentioned earlier.
I am currently focusing on this library
https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework
I haven't tried it yet since it needs studying but the main idea is that the framework provides a list of purposes and the ability to check if consent is given for them.
So you can wrap scripts and inline scripts with a check for which purpose you need consent for. If consent is given then the code executes.
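Added example (not part of the original thread, and not code from the IAB repository): one way to wrap a script in a purpose check with the TCF v2 CMP API. `__tcfapi`, `eventStatus`, `listenerId` and `purpose.consents` come from the TCF v2 specification; `runWithPurposeConsent` and `createStubCmp` are hypothetical names, and the stub is a constructed stand-in for a real CMP.

```javascript
// Added example. __tcfapi and the tcData fields follow the IAB TCF v2 CMP API;
// runWithPurposeConsent and createStubCmp are hypothetical names.
function runWithPurposeConsent(tcfapi, purposeIds, task) {
    var done = false;

    tcfapi('addEventListener', 2, function (tcData, success) {
        var consents, granted;

        if (done || !success || !tcData) {
            return;
        }
        // 'cmpuishown' only means the banner is visible: no decision has been made yet.
        if (tcData.eventStatus !== 'tcloaded' && tcData.eventStatus !== 'useractioncomplete') {
            return;
        }
        consents = (tcData.purpose && tcData.purpose.consents) || {};
        granted = purposeIds.every(function (id) {
            return consents[id] === true;
        });
        if (!granted) {
            return; // keep listening: the user may grant consent later
        }
        done = true;
        tcfapi('removeEventListener', 2, function () {}, tcData.listenerId);
        task();
    });
}

// Constructed stand-in for a CMP so the example runs outside a browser.
function createStubCmp() {
    var listeners = [];

    return {
        api: function (command, version, callback, listenerId) {
            if (command === 'addEventListener') {
                listeners.push(callback);
            } else if (command === 'removeEventListener') {
                listeners[listenerId] = null;
                callback(true);
            }
        },
        emit: function (eventStatus, consents) {
            listeners.forEach(function (listener, id) {
                if (listener) {
                    listener({ eventStatus: eventStatus, listenerId: id,
                        purpose: { consents: consents } }, true);
                }
            });
        }
    };
}
```

In a page, pass `window.__tcfapi` as the first argument; purpose 1 is "Store and/or access information on a device", so a script that sets cookies should list it.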
@thomas-kl1 anything new on this?
I'm using recaptcha and Google Analytics (Google Tag Manager). I also use tarteaucitron.js.
Google Analytics can easily be configured with tarteaucitron.js (instead of using the built-in functionality).
What is interesting with tarteaucitron.js is that you can put a placeholder where cookies are required. It allows the visitor to easily accept additional cookies when he wants to complete some actions (like using the contact form).
For recaptcha, maybe vendor/magento/module-re-captcha-frontend-ui/view/frontend/web/js/reCaptchaScriptLoader.js could be overridden.

```js
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
define([], function () {
    'use strict';

    var scriptTagAdded = false;

    return {
        /**
         * Add script tag. Script tag should be added once
         */
        addReCaptchaScriptTag: function () {
            var element, scriptTag;

            if (!scriptTagAdded) {
                element = document.createElement('script');
                scriptTag = document.getElementsByTagName('script')[0];

                element.async = true;
                element.src = 'https://www.google.com/recaptcha/api.js' +
                    '?onload=globalOnRecaptchaOnLoadCallback&render=explicit';

                scriptTag.parentNode.insertBefore(element, scriptTag);
                scriptTagAdded = true;
            }
        }
    };
});
```
This code is not part of the public Magento2 repository.
I created a proof of concept on delaying the loading of recaptcha to the cookie consent.
Opengento/Gdpr/view/frontend/requirejs-config.js

```js
var config = {
    config: {
        mixins: {
            'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
                'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
            }
        }
    }
};
```

Opengento/Gdpr/view/frontend/web/js/reCaptchaScriptLoader-mixin.js

```js
define([
    'jquery',
    'mage/utils/wrapper',
    'mage/cookies'
], function (
    $,
    wrapper
) {
    'use strict';

    return function (reCaptchaScriptLoader) {
        // Only add the reCAPTCHA script tag when the consent cookie is set
        reCaptchaScriptLoader.addReCaptchaScriptTag = wrapper.wrapSuper(
            reCaptchaScriptLoader.addReCaptchaScriptTag,
            function () {
                return $.cookie('cookies-policy') === '1' ? this._super() : null;
            }
        );

        // No consent yet: check the cookie every 3 seconds and load the script once it is set
        if ($.cookie('cookies-policy') !== '1') {
            var interval = setInterval(function () {
                if ($.cookie('cookies-policy') === '1') {
                    reCaptchaScriptLoader.addReCaptchaScriptTag();
                    clearInterval(interval);
                }
            }, 3000);
        }

        return reCaptchaScriptLoader;
    };
});
```
Tell me if you want me to create a pull request
I looked at how Google Analytics could be delayed and it seems that Magento already implemented something with their cookie notice.
```js
if (config.isCookieRestrictionModeEnabled) {
    allowedCookies = $.mage.cookies.get(config.cookieName);

    if (allowedCookies !== null) {
        allowedWebsites = JSON.parse(allowedCookies);

        if (allowedWebsites[config.currentWebsite] === 1) {
            allowServices = true;
        }
    }
} else {
    allowServices = true;
}
```
Here is the name of the cookie: https://github.com/magento/magento2/blob/2.4.2/app/code/Magento/Cookie/view/frontend/templates/html/notices.phtml#L40

```php
"cookieName": "<?= /* @noEscape */ \Magento\Cookie\Helper\Cookie::IS_USER_ALLOWED_SAVE_COOKIE ?>",
```

```php
/**
 * Cookie name for users who allowed cookie save
 */
const IS_USER_ALLOWED_SAVE_COOKIE = 'user_allowed_save_cookie';
```

An event is also triggered (but not used) when the user allows cookies: https://github.com/magento/magento2/blob/33242e4b19cf207d7b73f7791ef894b48bb41f8a/app/code/Magento/Cookie/view/frontend/web/js/notices.js#L33

```js
$(document).trigger('user:allowed:save:cookie');
```
Should this module override the default behavior of cookie notice or should it be completely separated?
I created a proof of concept on delaying the loading of google analytics to the cookie consent.
Opengento/Gdpr/view/frontend/requirejs-config.js

```js
var config = {
    config: {
        mixins: {
            'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
                'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
            },
            'Magento_GoogleAnalytics/js/google-analytics': {
                'Opengento_Gdpr/js/google-analytics-mixin': true
            }
        }
    }
};
```

Opengento/Gdpr/view/frontend/web/js/google-analytics-mixin.js

```js
define([
    'jquery',
    'mage/cookies'
], function (
    $
) {
    'use strict';

    return function (googleAnalytics) {
        // Replace the original initializer with one that waits for the consent cookie
        return function (config) {
            if ($.cookie('cookies-policy') === '1') {
                googleAnalytics(config);
            } else {
                // No consent yet: check the cookie every 3 seconds and start analytics once it is set
                var interval = setInterval(function () {
                    if ($.cookie('cookies-policy') === '1') {
                        googleAnalytics(config);
                        clearInterval(interval);
                    }
                }, 3000);
            }
        };
    };
});
```
Hi @owebia, that is really interesting. I've never paid attention to the cookie restriction feature available in Magento. It already does better than the "cookie disclosure" added by this module. Actually it could be great if our module could extend the native feature, so the consumer is allowed to use an alternative (such as tarteaucitron).
So basically, the current "cookie disclosure" feature, if it's not improved, I'll remove it in favor of the cookie restriction from Magento. So yes, let's extend it; maybe we could add a setting in the admin in order to tell which services must subscribe to config.isCookieRestrictionModeEnabled.
What are your thoughts?
I agree it would be cleaner to override the default cookie restriction feature available in Magento (same cookie name, use triggered event, etc.).
But some challenges remain: tarteaucitron allows the user to choose the cookies he allows or refuses (he can allow recaptcha and refuse Google Analytics for example).
The default behavior of Magento is only an on/off toggle.
If we want to comply, we need to allow the user to choose which cookie he allows/blocks.
We also need to store and document the consent.
See https://gdpr.eu/cookies/, title "Cookie compliance".
An important question to answer: is consent required for using reCAPTCHA and Google Analytics?
For France, the response is:
@owebia ok so we definitely need a new entity to store consents. This could be achieved along #85 #86. This is going to be an important amount of work :)
Every 13 months, the customer must give his consent to personal data processing (cookies). This value should be configurable in the settings.
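Added example (not part of the original thread, and not Opengento or Magento code): a consent gate that combines three points raised above, namely per-service choices instead of a single on/off flag, the 13-month renewal, and reacting to a consent event such as `user:allowed:save:cookie` instead of polling every 3 seconds. The cookie layout and the names `parseConsent`, `createConsentGate`, `whenAllowed` and `update` are hypothetical.

```javascript
// Added example; all names are hypothetical.
// {"ts": <ms since epoch>, "services": {"recaptcha": 1, "analytics": 0}} is an assumed cookie layout.
var MAX_AGE_MONTHS = 13; // renewal period from the thread; make it configurable

// Return the per-service choices, or {} when the cookie is missing, malformed or expired.
function parseConsent(rawCookie, now) {
    var data, expires;

    try {
        data = JSON.parse(rawCookie);
    } catch (e) {
        return {};
    }
    if (!data || !Number.isFinite(data.ts) || !data.services || typeof data.services !== 'object') {
        return {};
    }
    expires = new Date(data.ts);
    expires.setUTCMonth(expires.getUTCMonth() + MAX_AGE_MONTHS);
    if (data.ts > now.getTime() || now.getTime() >= expires.getTime()) {
        return {}; // future-dated or older than 13 months: ask again
    }
    return data.services;
}

function createConsentGate() {
    var allowed = {}, pending = Object.create(null);

    return {
        // Run the loader now if the service is allowed, otherwise queue it.
        whenAllowed: function (service, loader) {
            if (allowed[service] === 1) {
                loader();
            } else {
                (pending[service] = pending[service] || []).push(loader);
            }
        },
        // Call on page load and from the consent event handler instead of polling.
        update: function (rawCookie, now) {
            allowed = parseConsent(rawCookie, now);
            Object.keys(pending).forEach(function (service) {
                if (allowed[service] === 1) {
                    pending[service].splice(0).forEach(function (loader) {
                        loader();
                    });
                }
            });
        }
    };
}
```

A mixin would register its loader with `whenAllowed('recaptcha', ...)` and the page would call `update($.cookie(...), new Date())` once on load and again in a handler for the consent event.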