Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Data Collect Consent #9

Open
4 tasks
thomas-kl1 opened this issue Nov 27, 2018 · 15 comments
Open
4 tasks

Data Collect Consent #9

thomas-kl1 opened this issue Nov 27, 2018 · 15 comments
Assignees
Labels
enhancement New feature or request
Milestone

Comments

@thomas-kl1
Copy link
Member

thomas-kl1 commented Nov 27, 2018

Each 13 months, customer must give his consentent of personal data processing (cookies).
This value should be configurable in the settings.

@thomas-kl1 thomas-kl1 self-assigned this Nov 27, 2018
@thomas-kl1 thomas-kl1 added the enhancement New feature or request label Nov 27, 2018
@thomas-kl1 thomas-kl1 added this to the First Stable Release milestone Jun 17, 2019
@thomas-kl1 thomas-kl1 removed this from the First Stable Release milestone Jul 4, 2019
@thomas-kl1 thomas-kl1 changed the title Add tarteaucitron.js lib integration Cookie Consent Dec 17, 2019
@SomeGeek
Copy link
Contributor

SomeGeek commented Jan 4, 2020

Important to note: As of 2.3, a reCaptcha module is included by default. In most situations, this will be turned on, at least for the contact form.

However, as this collects lots of personal data, this can't be considered a functional cookie.

So, to comply with the law, people need to opt-in for this. But if they don't it is not an option to present them with a unprotected contact form either, that would be a bad idea.

I see only really 2 ways around this:

  • Use a honeypot. Not a favorite option as it's quite easy to work around it for bots. And if it's not today, it will be tomorrow: spammers innovate, just like us, unfortunately.
  • Prevent submitting the form without reCatpcha consent. Do this by only processing the form if reCaptcha cookies are sent with the form.

The latter one requires fine-grained cookie control, thus having multiple (configurable) groups. Like Marketing, Analytics and reCaptcha.

@SomeGeek
Copy link
Contributor

Another note: We also need to deal with other third-party cookie-enabled extensions which are included by default. Google Analytics and Google Adwords are two of them, which I suspect are used a lot.

Magento 2 has a internal "cookie restriction mode", which gets checked before those are loaded. We could extend that to also look at our cookie settings.

@thomas-kl1
Copy link
Member Author

It might be necessary to achieve this in a specific module, as it can quickly became large. We definitly need to check what is involved in Magento core.

@ioweb-gr
Copy link

I would like to point out for tarteaucitron that it's actually a very good solution regarding the fact that it allows you out of the box to run a script only after the user gives his consent explicitly. However due to it's legacy javascript code, it's very hard to ensure that it's properly loaded before you load your custom scripts.

It's impossible to handle the dependency with requirejs and keep it modular so often it will give issues with uninitialized window objects that google tags need. For example remarketing code in product page/cart etc is not certain that will execute correctly unless you tie it in the custom script code.

It's also loading it's own file for services via the main tarteaucitron.js file so merging usually breaks it. You'd have to load it from a CDN

Basically it's very hard to integrate in asynchronous ways.

@thomas-kl1
Copy link
Member Author

Interesting.. thank you for your feedback, have you proof of concept with Magento 2 or integration tool to achieve this in mind?

@ioweb-gr
Copy link

I've been experimenting with this for a while because I haven't seen a single module offering proper cookie consent integration for Magento 2 but every single one has limitations. You'd be amazed to see that even paid solutions don't adhere to the regulation regarding cookies. For example some just unset the cookies instead of preventing their storage on the user's device in the first place before consent is given. Only tarte was 100% compliant but unreliable for Magento 2.

I've tried with quantcast GDPR too but it relies on external service so I avoided that too. Seems similar to osano mentioned earlier.

I am currently focusing on this library

https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework

I haven't tried it yet since it needs studying but the main idea is that the framework provides a list of purposes and the ability to check if consent is given for them.

So you can wrap scripts and inline scripts with a check for which purpose you need consent for. If consent is given then the code executes

@thomas-kl1 thomas-kl1 added the in progress Work is in progress label Nov 4, 2020
@thomas-kl1 thomas-kl1 added this to the First Stable Release milestone Nov 4, 2020
@thomas-kl1 thomas-kl1 pinned this issue Nov 4, 2020
@thomas-kl1 thomas-kl1 removed the in progress Work is in progress label Dec 9, 2020
@owebia
Copy link
Contributor

owebia commented Jul 2, 2021

@thomas-kl1 anything new on this?

I'm using recaptcha and Google Analytics (Google Tag Manager).
I also use tarteaucitron.js.

Google Analytics can easily be configured with tarteaucitron.js (instead of using the built-in functionality).

What is interesting with tarteaucitron.js is that you can put a placeholder where cookies are required.
It allows the visitor to easily accept additional cookies when he wants to complete some actions (like using the contact form).

Nous-contacter

@owebia
Copy link
Contributor

owebia commented Jul 2, 2021

For recaptcha, maybe vendor/magento/module-re-captcha-frontend-ui/view/frontend/web/js/reCaptchaScriptLoader.js could be overridden.

/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */

define([], function () {
    'use strict';

    var scriptTagAdded = false;

    return {
        /**
         * Add script tag. Script tag should be added once
         */
        addReCaptchaScriptTag: function () {
            var element, scriptTag;

            if (!scriptTagAdded) {
                element = document.createElement('script');
                scriptTag = document.getElementsByTagName('script')[0];

                element.async = true;
                element.src = 'https://www.google.com/recaptcha/api.js' +
                    '?onload=globalOnRecaptchaOnLoadCallback&render=explicit';

                scriptTag.parentNode.insertBefore(element, scriptTag);
                scriptTagAdded = true;
            }
        }
    };
});

This code is not part of the public Magento2 repository.

@owebia
Copy link
Contributor

owebia commented Jul 2, 2021

I created a proof of concept on delaying the loading of recaptcha to the cookie consent.

Opengento/Gdpr/view/frontend/requirejs-config.js

 var config = {
    config: {
        mixins: {
            'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
                'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
            }
        }
    }
};

Opengento/Gdpr/view/frontend/web/js/reCaptchaScriptLoader-mixin.js

 define([
    'jquery',
    'mage/utils/wrapper',
    'mage/cookies'
], function (
    $,
    wrapper
) {
    'use strict';

    return function (reCaptchaScriptLoader) {
        reCaptchaScriptLoader.addReCaptchaScriptTag = wrapper.wrapSuper(
            reCaptchaScriptLoader.addReCaptchaScriptTag,
            function () {
                return $.cookie('cookies-policy') === '1' ? this._super() : null;
            }
        );
        if ($.cookie('cookies-policy') !== '1') {
            var interval = setInterval(function () {
                if ($.cookie('cookies-policy') === '1') {
                    reCaptchaScriptLoader.addReCaptchaScriptTag();
                    clearInterval(interval);
                }
            }, 3000);
        }
        return reCaptchaScriptLoader;
    };
});

Tell me if you want me to create a pull request

@owebia
Copy link
Contributor

owebia commented Jul 2, 2021

I looked at how Google Analytics could be delayed and it seems that Magento already implemented something with their cookie notice.

https://github.com/magento/magento2/blob/33242e4b19cf207d7b73f7791ef894b48bb41f8a/app/code/Magento/GoogleAnalytics/view/frontend/web/js/google-analytics.js#L21-L33

        if (config.isCookieRestrictionModeEnabled) {
            allowedCookies = $.mage.cookies.get(config.cookieName);

            if (allowedCookies !== null) {
                allowedWebsites = JSON.parse(allowedCookies);

                if (allowedWebsites[config.currentWebsite] === 1) {
                    allowServices = true;
                }
            }
        } else {
            allowServices = true;
        }

Here is the name of the cookie:
https://github.com/magento/magento2/blob/2.4.2/app/code/Magento/Cookie/view/frontend/templates/html/notices.phtml#L40

                    "cookieName": "<?= /* @noEscape */ \Magento\Cookie\Helper\Cookie::IS_USER_ALLOWED_SAVE_COOKIE ?>",

https://github.com/magento/magento2/blob/33242e4b19cf207d7b73f7791ef894b48bb41f8a/app/code/Magento/Cookie/Helper/Cookie.php#L18

    /**
     * Cookie name for users who allowed cookie save
     */
    const IS_USER_ALLOWED_SAVE_COOKIE = 'user_allowed_save_cookie';

An event is also triggered (but not used) when the user allows cookies:
https://github.com/magento/magento2/blob/33242e4b19cf207d7b73f7791ef894b48bb41f8a/app/code/Magento/Cookie/view/frontend/web/js/notices.js#L33

                    $(document).trigger('user:allowed:save:cookie');

Should this module override the default behavior of cookie notice or should it be completely separated?

@owebia
Copy link
Contributor

owebia commented Jul 2, 2021

I created a proof of concept on delaying the loading of google analytics to the cookie consent.

Opengento/Gdpr/view/frontend/requirejs-config.js

 var config = {
    config: {
        mixins: {
            'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
                'Opengento_Gdpr/js/reCaptchaScriptLoader-mixin': true
            },
            'Magento_GoogleAnalytics/js/google-analytics': {
                'Opengento_Gdpr/js/google-analytics-mixin': true
            }
        }
    }
};

Opengento/Gdpr/view/frontend/web/js/google-analytics-mixin.js

define([
    'jquery',
    'mage/cookies'
], function (
    $
) {
    'use strict';

    return function (googleAnalytics) {
        return function (config) {
            if ($.cookie('cookies-policy') === '1') {
                googleAnalytics(config);
            } else {
                var interval = setInterval(function () {
                    if ($.cookie('cookies-policy') === '1') {
                        googleAnalytics(config);
                        clearInterval(interval);
                    }
                }, 3000);
            }
        };
    };
});

@thomas-kl1
Copy link
Member Author

Hi @owebia that is really interesting. I've never took attention to the cookie restriction feature available in Magento. It already does better than the "cookie disclosure" added by this module. Actually it could great if our module could extends the native feature, so the consumer is allowed to use an alternative (such as tarteaucitron).

So basically, the current "cookie disclosure" feature, if it's not improved, I'll remove it in favor of the cookie restriction from Magento. So yes, let's extends it, maybe we could add setting in the admin in order to tell which services must subscribes to config.isCookieRestrictionModeEnabled

What's your thoughts?

@owebia
Copy link
Contributor

owebia commented Jul 7, 2021

I agree it would be cleaner to override the default cookie restriction feature available in Magento (same cookie name, use triggered event, etc.).

But some challenges remain: tarteaucitron allows the user to choose the cookies he allows or refuses (he can allow recaptcha and refuse Google Analytics for example).
The default behavior of Magento is only an on/off toggle.
If we want to comply, we need to allow the user to choose which cookie he allows/blocks.
We also need to store and document the consent.

See https://gdpr.eu/cookies/, title "Cookie compliance".

@owebia
Copy link
Contributor

owebia commented Jul 8, 2021

An important question to answer: is consent required for using reCAPTCHA and Google Analytics?

For France, the response is:

@thomas-kl1
Copy link
Member Author

@owebia ok so we definitely need a new entity to store consents. This could be achieved along #85 #86
This is going to be an important amount of work :)

@thomas-kl1 thomas-kl1 changed the title Cookie Consent Data Collect Consent Aug 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants