-
-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Data Collect Consent #9
Comments
Important to note: As of 2.3, a reCaptcha module is included by default. In most situations, this will be turned on, at least for the contact form. However, as this collects lots of personal data, this can't be considered a functional cookie. So, to comply with the law, people need to opt-in for this. But if they don't it is not an option to present them with a unprotected contact form either, that would be a bad idea. I see only really 2 ways around this:
The latter one requires fine-grained cookie control, thus having multiple (configurable) groups. Like Marketing, Analytics and reCaptcha. |
Another note: We also need to deal with other third-party cookie-enabled extensions which are included by default. Google Analytics and Google Adwords are two of them, which I suspect are used a lot. Magento 2 has a internal "cookie restriction mode", which gets checked before those are loaded. We could extend that to also look at our cookie settings. |
It might be necessary to achieve this in a specific module, as it can quickly became large. We definitly need to check what is involved in Magento core. |
I would like to point out for tarteaucitron that it's actually a very good solution regarding the fact that it allows you out of the box to run a script only after the user gives his consent explicitly. However due to it's legacy javascript code, it's very hard to ensure that it's properly loaded before you load your custom scripts. It's impossible to handle the dependency with requirejs and keep it modular so often it will give issues with uninitialized window objects that google tags need. For example remarketing code in product page/cart etc is not certain that will execute correctly unless you tie it in the custom script code. It's also loading it's own file for services via the main tarteaucitron.js file so merging usually breaks it. You'd have to load it from a CDN Basically it's very hard to integrate in asynchronous ways. |
Interesting.. thank you for your feedback, have you proof of concept with Magento 2 or integration tool to achieve this in mind? |
I've been experimenting with this for a while because I haven't seen a single module offering proper cookie consent integration for Magento 2 but every single one has limitations. You'd be amazed to see that even paid solutions don't adhere to the regulation regarding cookies. For example some just unset the cookies instead of preventing their storage on the user's device in the first place before consent is given. Only tarte was 100% compliant but unreliable for Magento 2. I've tried with quantcast GDPR too but it relies on external service so I avoided that too. Seems similar to osano mentioned earlier. I am currently focusing on this library https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework I haven't tried it yet since it needs studying but the main idea is that the framework provides a list of purposes and the ability to check if consent is given for them. So you can wrap scripts and inline scripts with a check for which purpose you need consent for. If consent is given then the code executes |
@thomas-kl1 anything new on this? I'm using recaptcha and Google Analytics (Google Tag Manager). Google Analytics can easily be configured with tarteaucitron.js (instead of using the built-in functionality). What is interesting with tarteaucitron.js is that you can put a placeholder where cookies are required. |
For recaptcha, maybe /**
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
define([], function () {
'use strict';
var scriptTagAdded = false;
return {
/**
* Add script tag. Script tag should be added once
*/
addReCaptchaScriptTag: function () {
var element, scriptTag;
if (!scriptTagAdded) {
element = document.createElement('script');
scriptTag = document.getElementsByTagName('script')[0];
element.async = true;
element.src = 'https://www.google.com/recaptcha/api.js' +
'?onload=globalOnRecaptchaOnLoadCallback&render=explicit';
scriptTag.parentNode.insertBefore(element, scriptTag);
scriptTagAdded = true;
}
}
};
}); This code is not part of the public Magento2 repository. |
I created a proof of concept on delaying the loading of recaptcha to the cookie consent. Opengento/Gdpr/view/frontend/requirejs-config.js var config = {
config: {
mixins: {
'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
}
}
}
}; Opengento/Gdpr/view/frontend/web/js/reCaptchaScriptLoader-mixin.js define([
'jquery',
'mage/utils/wrapper',
'mage/cookies'
], function (
$,
wrapper
) {
'use strict';
return function (reCaptchaScriptLoader) {
reCaptchaScriptLoader.addReCaptchaScriptTag = wrapper.wrapSuper(
reCaptchaScriptLoader.addReCaptchaScriptTag,
function () {
return $.cookie('cookies-policy') === '1' ? this._super() : null;
}
);
if ($.cookie('cookies-policy') !== '1') {
var interval = setInterval(function () {
if ($.cookie('cookies-policy') === '1') {
reCaptchaScriptLoader.addReCaptchaScriptTag();
clearInterval(interval);
}
}, 3000);
}
return reCaptchaScriptLoader;
};
}); Tell me if you want me to create a pull request |
I looked at how Google Analytics could be delayed and it seems that Magento already implemented something with their cookie notice. if (config.isCookieRestrictionModeEnabled) {
allowedCookies = $.mage.cookies.get(config.cookieName);
if (allowedCookies !== null) {
allowedWebsites = JSON.parse(allowedCookies);
if (allowedWebsites[config.currentWebsite] === 1) {
allowServices = true;
}
}
} else {
allowServices = true;
} Here is the name of the cookie: "cookieName": "<?= /* @noEscape */ \Magento\Cookie\Helper\Cookie::IS_USER_ALLOWED_SAVE_COOKIE ?>", /**
* Cookie name for users who allowed cookie save
*/
const IS_USER_ALLOWED_SAVE_COOKIE = 'user_allowed_save_cookie'; An event is also triggered (but not used) when the user allows cookies: $(document).trigger('user:allowed:save:cookie'); Should this module override the default behavior of cookie notice or should it be completely separated? |
I created a proof of concept on delaying the loading of google analytics to the cookie consent. Opengento/Gdpr/view/frontend/requirejs-config.js var config = {
config: {
mixins: {
'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
},
'Magento_GoogleAnalytics/js/google-analytics': {
'Opengento_Gdpr/js/google-analytics-mixin': true
}
}
}
}; Opengento/Gdpr/view/frontend/web/js/google-analytics-mixin.js define([
'jquery',
'mage/cookies'
], function (
$
) {
'use strict';
return function (googleAnalytics) {
return function (config) {
if ($.cookie('cookies-policy') === '1') {
googleAnalytics(config);
} else {
var interval = setInterval(function () {
if ($.cookie('cookies-policy') === '1') {
googleAnalytics(config);
clearInterval(interval);
}
}, 3000);
}
};
};
}); |
Hi @owebia that is really interesting. I've never took attention to the cookie restriction feature available in Magento. It already does better than the "cookie disclosure" added by this module. Actually it could great if our module could extends the native feature, so the consumer is allowed to use an alternative (such as tarteaucitron). So basically, the current "cookie disclosure" feature, if it's not improved, I'll remove it in favor of the cookie restriction from Magento. So yes, let's extends it, maybe we could add setting in the admin in order to tell which services must subscribes to What's your thoughts? |
I agree it would be cleaner to override the default cookie restriction feature available in Magento (same cookie name, use triggered event, etc.). But some challenges remain: tarteaucitron allows the user to choose the cookies he allows or refuses (he can allow recaptcha and refuse Google Analytics for example). See https://gdpr.eu/cookies/, title "Cookie compliance". |
An important question to answer: is consent required for using reCAPTCHA and Google Analytics? For France, the response is:
|
Each 13 months, customer must give his consentent of personal data processing (cookies).
This value should be configurable in the settings.
The text was updated successfully, but these errors were encountered: