On Sat, 2019-08-03 at 18:41 +0800, Paul Wise wrote:

> The cookie-based language codes would be the easiest to implement and
> have the least impact on how the site works, but we would need to get
> an evaluation of the GDPR and EU cookie law implications. Perhaps we
> could rely on a language selection page requesting explicit consent
> for setting these lang= cookies.

I had a discussion with Debian's Data Protection Team and in summary:

 * Setting a language cookie in response to an explicit visitor action
   while having explanatory text next to the button would be fine.
 * Setting a language cookie wouldn't trigger GDPR.
 * Having the text "this sets a language cookie" next to the button that
   sets the language cookie would satisfy the EU cookie law.

Here is a copy of the discussion:

<pabs> hi folks, on the debian-www list, we were discussing issues with content negotiation via language selection and came to the conclusion that being able to set a language cookie to influence language selection via content negotiation (easy with Apache) would improve the visitor experience on our website.
<pabs> the cookie would only ever be set in response to an explicit action by visitors
<pabs> the cookie would never be logged anywhere and would only be present in the browser data of visitors and in requests/responses
<pabs> does this sort of thing sound like it would be GDPR compliant? would we need some explanatory text on the language selection page? anything else?
<pabs> the alternative to cookies is subdomains; that affects the URLs users see, so personally I think cookies are better
<Mithrandir> unsure if it's something that needs to be documented on https://www.debian.org/legal/privacy or not. I think some explanatory text might be useful; I don't see this as problematic at all wrt GDPR (with the caveat about possibly having to document it.)
<pabs> Mithrandir: mind if I quote that on the list? alternatively a reply to the thread would be useful https://lists.debian.org/debian-www/2019/08/msg00020.html
<Mithrandir> Noodles: ^; do you (broadly) agree with what I wrote above?
<Mithrandir> pabs: assuming Noodles doesn't disagree, I'm fine with you posting what I wrote.
<Noodles> I broadly agree; I think generally you need to be explicit about the fact you're going to set a cookie, but as long as that's done it's fine.
<pabs> ack, I was thinking an explanatory text on /intro/cn and a button to push to set the cookie for the desired language
<Noodles> Yeah, I think text around the button that'll actually set the cookie is grand. If all you're doing is setting a language code in the cookie then it's not a GDPR thing, but it is a general EU cookie law thing.
<pabs> ok. I'm not familiar with the cookie law stuff, sounds like the explanatory text is enough to satisfy that?
<Noodles> Yeah. You can't set them without permission, but a "Pressing this button will set a language cookie" statement is sufficient.
<pabs> ok, thanks for the info
<pabs> can I quote this on the list?
<Noodles> Sure.
<pabs> great, thanks. feels good to have this long-standing annoyance closer to being fixed :)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part
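The mechanism pabs describes as "easy with Apache" is mod_negotiation's prefer-language environment variable: when it is set to the code of an available variant, that variant is served ahead of whatever Accept-Language asks for, and when it is unset (no cookie) negotiation proceeds as before. The fragment below is an added illustration of that wiring, not configuration from the debian-www thread or from the Debian website; the document root, the set of languages and the explicit "en/de/fr" list are assumptions, and the cookie name lang= is taken from the thread. Setting the cookie itself (the button on /intro/cn with its "Pressing this button will set a language cookie" text) is left to whatever form handler the site uses and is not shown here.

```apache
# Added example (not Debian's configuration). Assumes mod_negotiation,
# mod_setenvif and mod_log_config are loaded and that the document tree
# holds language variants such as intro/cn.en.html, intro/cn.de.html,
# intro/cn.fr.html for MultiViews to choose between.

<Directory "/srv/www/htdocs">
    # Let mod_negotiation pick a variant per request.
    Options +MultiViews

    # Tie-break order when the client expresses no usable preference,
    # and fall back to the first listed language rather than returning
    # 406 Not Acceptable.
    LanguagePriority en de fr
    ForceLanguagePriority Prefer Fallback

    # A cookie of the form "lang=<code>" becomes prefer-language, which
    # mod_negotiation honours over Accept-Language. One line per supported
    # language: the cookie value is client-controlled, so only values we
    # list here can ever reach mod_negotiation; any other value is ignored
    # and negotiation falls back to Accept-Language as usual. The regex
    # anchors on cookie boundaries so "xlang=de" or "lang=deX" do not match.
    SetEnvIf Cookie "(^|; ?)lang=en(;|$)" prefer-language=en
    SetEnvIf Cookie "(^|; ?)lang=de(;|$)" prefer-language=de
    SetEnvIf Cookie "(^|; ?)lang=fr(;|$)" prefer-language=fr
</Directory>

# The thread's promise that the cookie is "never logged anywhere" holds
# for the standard combined format, which records no Cookie header; it is
# stated explicitly here so nobody later adds %{Cookie}i to the format.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/apache2/access.log" combined
```

Two checks worth doing after enabling this: request a page with `Cookie: lang=de` and with `Cookie: lang=zz` and confirm the first returns the German variant (Content-Language: de) while the second behaves exactly as a request with no cookie; and confirm the Vary response header still lists accept-language, since caches in front of the site must also key on the cookie or the Apache response will be cached once per URL regardless of the visitor's choice.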