Cookie banner not compliant with EU law

[bkimminich]

I'm not a lawyer, but I think we might be making fools of ourselves with this cookie banner (see screenshot) that doesn't even meet current EU legislation demanding an "opt in" to all tracking and non-essential cookies and not accepting plain "Accept"-banners any longer...

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

I ran an automated conformity test, and the _ga and _gid cookies (Google Analytics) need to be locked until explicitly accepted by the user in an opt-in fashion. The website I used marked the other cookies from CloudFlare and Stripe as essential and therefore compliant.

Report can be found in the corresponding Slack discussion: https://owasp.slack.com/files/U1S23SNE7/F016556FB61/report-owasporg-4183554.pdf

Sent from my Pixel 3 XL using FastHub

[hblankenship]

This should be corrected now as we only apply ga cookies once the Accept is clicked.

[kingthorin]

@bkimminich is the current implementation compliant?

[bkimminich]

This website uses cookies to analyze our traffic and only share that information with our analytics partners.

Accept

I am not a lawyer, but I don't think this is sufficient per GDPR/EU cookie law. You have to have the option to turn off unessential cookies, and GA falls into that category imho. I think it even needs to be opt-in instead of opt-out.

[hblankenship]

It doesn't seem that much different than the one on https://gdpr.eu/ ?