Address GDPR compliance requirements #1636

Open
2 tasks
Tracked by #4082 ...
chalin opened this issue Aug 19, 2022 · 9 comments
Labels
CI/infra CI & infrastructure e1-hours Effort: < 8 hrs e2-days Effort: < 5 days p1-high

Comments

chalin (Contributor) commented Aug 19, 2022

I'd suggest implementing this using a bottom offcanvas modal dialog from Bootstrap 5.2+. If we go this route, we might want to wait for Docsy to migrate. In the meantime, maybe we can use a plain Bootstrap 4 modal dialog (4.x)?

Resources:

Tasks:

  • Add cookie- / privacy-consent dialog
  • Address CDN issues -- some countries have regulations relative to the use of resources outside of the host domain.
@chalin chalin added CI/infra CI & infrastructure e1-hours Effort: < 8 hrs e2-days Effort: < 5 days p1-high labels Aug 19, 2022
chalin (Contributor, Author) commented Aug 23, 2022

@svrnm @cartermp - how about something like this as a starting point?

image

I'm linking to the Linux Foundation Cookie policy, which covers the websites of all its projects.

/cc @caniszczyk

chalin (Contributor, Author) commented Aug 23, 2022

I'll reply to #1653 (comment) here.

If I understand correctly, you (@svrnm) would be ok with the following:

  • Assume opt-in, like cncf.io does
  • Support do-not-track for GA and OTel
  • Have the dialog be non-modal and a bit more discrete, like cncf.io

Is that right?

svrnm (Member) commented Aug 23, 2022

cncf.io neither provides an Opt-In, nor an Opt-Out, it implicitly sets the cookies and only provides an "Accept" button to acknowledge the cookies & tracking. Per my understanding, the following is required:

  • Do not set (non-functional) cookies or enable any tracking without the consent of the user (which is equivalent to the user clicking on decline)
  • There needs to be an "accept" and a "decline" button
  • If and only if the user clicks on accept the tracking & setting the non-functional cookies is allowed
  • If the user clicks "decline", it's okay to set a cookie that stores that information, since this can be declared as a functional cookie.

I have no legal expertise on that, so please do not assume that this is correct.

>   • Support do-not-track for GA and OTel

As "nice to have", yes.

>   • Have the dialog be non-modal and a bit more discrete, like cncf.io

As "nice to have", yes.
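The consent rules listed in the comment above, as an added example that is not part of this issue or of the opentelemetry.io / Docsy code: a consent gate that loads analytics only after an explicit accept, records a decline in a single functional cookie, and treats a do-not-track signal as a decline while no choice is stored. The cookie name, the `store` interface and the `loadAnalytics` callback are assumptions made for the example.

```javascript
const CONSENT_COOKIE = 'cookie_consent'; // assumed name; functional cookie that only records the choice

// In-memory store (constructed for the demo); a page would use documentCookieStore(document).
function memoryStore() {
  const jar = new Map();
  return { get: (name) => jar.get(name), set: (name, value) => jar.set(name, value) };
}

// Thin document.cookie adapter for browser use (same get/set interface as memoryStore).
function documentCookieStore(doc) {
  return {
    get(name) {
      const hit = doc.cookie.split('; ').find((c) => c.startsWith(name + '='));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : undefined;
    },
    set(name, value) {
      doc.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax; max-age=31536000`;
    },
  };
}

// store: get/set as above. doNotTrack: navigator.doNotTrack === '1' in a browser.
// loadAnalytics: the only code path that injects the GA / OTel scripts.
function createConsentGate({ store, doNotTrack = false, loadAnalytics }) {
  let analyticsLoaded = false;
  const enableTracking = () => {
    if (!analyticsLoaded) { analyticsLoaded = true; loadAnalytics(); }
  };
  return {
    // 'accepted' | 'declined' | 'unset'. A stored choice wins; otherwise DNT counts as a decline.
    status() {
      const v = store.get(CONSENT_COOKIE);
      if (v === 'accepted' || v === 'declined') return v;
      return doNotTrack ? 'declined' : 'unset';
    },
    // The banner is shown only while no decision exists; nothing is set or tracked meanwhile.
    needsBanner() { return this.status() === 'unset'; },
    // Run once on page load: tracking starts only if an explicit accept was stored earlier.
    init() {
      if (store.get(CONSENT_COOKIE) === 'accepted') enableTracking();
      return analyticsLoaded;
    },
    accept() { store.set(CONSENT_COOKIE, 'accepted'); enableTracking(); return true; },
    // Declining is itself recorded in a cookie, which is allowed as a functional cookie.
    decline() { store.set(CONSENT_COOKIE, 'declined'); return false; },
  };
}
```

Wire `accept()` and `decline()` to the two banner buttons and call `init()` before any analytics snippet; the GA and OTel loaders must not be present anywhere else on the page.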

chalin (Contributor, Author) commented Aug 25, 2022

FYI, @caniszczyk confirmed on 08/24 that we have a thumbs-up to go with the cncf.io approach for now. So I'll codify that as a first step and we can take it from there.

svrnm (Member) commented Oct 12, 2022

> FYI, @caniszczyk confirmed on 08/24 that we have a thumbs-up to go with the cncf.io approach for now. So I'll codify that as a first step and we can take it from there.

then let's do that :)

cartermp (Contributor) commented

Hmmmm. What if we just didn't use google analytics? I don't personally feel I'll ever need it for the site (users by geo-region doesn't change things, user journeys are nice in theory but I never look at 'em, etc.) And we already capture anonymized requests by http route which is a more accurate count (even if it's a blunt instrument that can be spoofed).

chalin (Contributor, Author) commented Oct 31, 2022

LF/CNCF requires access to analytics, and GA is it for now.

cartermp (Contributor) commented

aha, gotcha. Bummer!

chalin (Contributor, Author) commented Jan 25, 2023

Reference from @svrnm: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf

Excerpt:

When authorities were asked whether they would consider that a banner which does not provide for accept and refuse/reject/not consent options on any layer with a consent button is an infringement of the ePrivacy Directive, a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.
