To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive sites must:
- Receive users' consent before you use any cookies except strictly necessary cookies.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
- Documentation of cookies by purpose. Some resources document the cookies, but it is not clear if they are strictly necessary or not. See https://help.liferay.com/hc/en-us/articles/360049373272
- Clean-up of unused cookies: some uses such as SCREEN_NAME are added but not used.
- Out-of-the-box opt-in solution: site admins should be able to disable non-strictly necessary cookies, and configure an opt-in form that will be displayed when the user browsers the site. This form describes the cookies used by the site (by default only Liferay's, but should be extensible to contain other custom cookies) and only if the user accepts their use, it will be added to the browser.
This epic aims to cover the above described aspects, to facilitate the compliance of Liferay-based sites with data protection regulations.
- Admin:A site settings to manage cookies:
- Option to enable/disable consent panel.
- A panel to admin consent options, and support 3rd party extension :
- Purpose (strictly necessary, performance...)
- Variable (what will be set if checked)
- If the option is enabled, then first time the user accesses the site will be prompted with the banner and the consent panel
- These will provide:
- Accept All,
- Decline All (with the exception of strictly necessary cookies) and
- Customize Options
- Customize options:
- Contain information about each tracking/collecting mechanism (cookies, etc), both strictly and non-strictly necessary, their purpose and - if not strict - with disabled toggle by default. REMEMBER: DEFAULT IS NO-TRACK/COLLECT FOR EVERYTHING
- Liferay tracking (cookies, etc) will be disabled for that user unless they have been expressly opted-in. However, this can be changed through the admin config.
- Read the variable to disable/enable 3rd party integrations