Users know clearly which cookies are used and can refuse them

What is the need / problem

The European regulation enforced from May 2018 requires all websites using cookies to inform users about the cookies used and, for all cookies not strictly necessary for the service (that the user has deliberately chosen to use), to give them the possibility to refuse them.
Not doing it puts us outside the law, and we could be fined (a pretty high fine) for not respecting that.
Also beyond the law, we do want to be honest and transparent with our users about what data we collect from them and what we do with it.

Who does it impact

All EU users

What is the current impact of this problem

Users don’t clearly know which of their data we collect and use through cookies.
OFN in EU countries incurs financial risk if not applying that rule.

What is the benefit in focusing on this

Leveraging the risk + build a 100% trustful relationship with our users regarding their data.

Links to more details

Potential solutions that will solve this problem

I propose one feature candidate, which is “instance creates a page explaining cookies, can toggle on/off a pop-in/banner requiring the user to accept cookies, and can link its own page into it”, with the 4 stories below:

  • list and understand which cookies we use, which data we collect and for what, to be able to communicate it
  • create a page in the “user guide” (at the end, like “info on your data”, where we explain everything): example in France
  • display a pop-up on first connection with a short explanation of the data we collect and for what, and ask the user to click on “ok” + link to the previous page to explain in more detail. (If no click on ok, redirect to some support page / forum page explaining that it’s not possible to use the service if the user doesn’t accept cookies, and for which reason. Else, if those cookies are not necessary, the user can just keep navigating.)
  • create a toggle off/on to allow an instance to activate it or not AND enable the instance to link the URL that the user needs to review before accepting the cookies (so each instance can have the page they want to explain what they need given their local constraints)

Just got feedback from an activist/opensource/lawyer whom I asked for his opinion on the urgency of the different legal compliance issues we have, and he really said this one we should play too much with it. He said it’s critical: if we get caught by CNIL (in France), and then the same with GDPR will apply to any local EU instance, we can have a pretty heavy sanction. Especially, as he said, if we use Google Analytics, because we do collect data but Google does as well, so he also warmly suggested switching to Piwik.
For Google Analytics we need to make a specific declaration to our users on this use; he is going to send me a model. Ping @enricostn @NickWeir @lin_d_hop @sauloperez @CynthiaReynolds that info might be useful in your roadmap dot voting :slight_smile:

GDPR is high on the dot voting for us :wink:
ping @sigmundpetersen