Minimal-mistakes: Make theme GDPR Compliant

Created on 3 Oct 2018 · 11 Comments · Source: mmistakes/minimal-mistakes

There's #1662 in stale state

How I think it could be done

  • Add a new hook to the theme for custom cookie scripts, like this
  • Add the modal, included in the theme, and the respective tutorial on adding terms and conditions and other policies (legal things)

Motivation

I think Europeans could use this template, or even people from other countries who want to target this market.
My case is that I want to target European users, but my current website is using Google Analytics (included in the theme) and other things that use cookies.

Drawbacks

Implementing this is a pain (Europeans and their laws)

A workaround is not using Google Analytics at all, which looks like a bad idea :sweat_smile:

Enhancement


All 11 comments

Are there other current workarounds to have a compliant site without the enhancements implemented yet?

If you don't use Google Analytics, you may not need cookies.

This issue has been automatically marked as stale because it has not had recent activity.

If this is a bug and you can still reproduce this error on the master branch, please reply with any additional information you have about it in order to keep the issue open.

If this is a feature request, please consider whether it can be accomplished in another way. If it cannot, please elaborate on why it is core to this project and why you feel more than 80% of users would find this beneficial.

This issue will automatically be closed in 7 days if no further activity occurs. Thank you for all your contributions.

What is the risk of not being compliant, as a small site owner?

@maxime-michel the GDPR is backed up by laws, so if you infringe those laws, a tribunal may fine you and/or shut down your web site, depending on where it is hosted and which agreements there are between your country and Europe.
As soon as I'll have time, I'll investigate further on this as we're impacted as well with remmina.org

Don't get me wrong, I'm happy to join the effort if there's a subtask that I could help with. But it's hard to make it a priority for me as well, when I still routinely see national-level companies that send email without any sort of opt-out.

For everybody.

To better explain my previous message...

As soon as you, directly with scripts or through logs, or indirectly with third-party scripts (like GA), track the users of your web site, you need a privacy policy stating what, why and how to opt out and/or opt in, including how to get their data back and so forth.

If you use scripts/functionalities that may be used by external entities to track your users, you should state it clearly, and theoretically provide a functionality that enables/disables it.

This could become quite complex, as Google, for instance, may track your users even with fonts, if they are hosted on their premises.

I think it's quite easy to get nuts...

First of all, you all have to consider what your audience and the use of your website are. If you directly track your users, for example with GA, you have to take some actions; there's no way you can avoid it.

A privacy policy page that details everything and then, based on the user's residence, opt-in/opt-out functions. It's strongly advised, in these cases, to seek legal help.

If you do not track your users, you should not worry that much, except for the cookies that are used by third parties. You can just disable GA, for example, and use old school log analysis like awstats.

Now, Minimal Mistakes doesn't track their users (us), and as soon as you install and configure it, it becomes your responsibility how you use the theme.

It could be nice if Minimal Mistakes would include:

  • a cookie-consent-like functionality that turns off by default all the tracking features.
  • a template GDPR page

Honestly, the latter we could do ourselves, as it's just a page in the end, and the privacy policy content should be tailored to your needs and cannot, therefore, be a general template. Minimal Mistakes makes it quite easy to customise the footer, so you can add a privacy policy page link in the footer.

Regarding the cookie consent feature, it's quite important and the bare minimum needed to respect (partly) the GDPR. So this, at least, should be the only thing we should ask of @mmistakes.

Everything else would be just nice to have, but again, @mmistakes cannot know your specific use case and build a wonder machine that writes and activates/deactivates things on your behalf, miraculously understanding the context in which the theme has been used.

My 2(000000000) cents

As soon as I come up with a solution on our site I'll post back.

@mmistakes cannot know your specific use case and build a wonder machine that writes and activates/deactivates things on your behalf, miraculously understanding the context in which the theme has been used.

:+1:

I believe the theme provides the mechanisms to make your site GDPR compliant. There are enough cookie consent generators out there that will guide you through the process and give you some JS/CSS you can embed in your page. I'm really not interested in taking a stab at my own, as it will never meet the needs of everyone.

Best advice I can offer is:

  1. Use something like Cookie Consent.
  2. Configure your cookie consent.
  3. Copy/paste the code they provide into _includes/footer/custom.html (create it if you're using remote_theme or the Ruby gem, to override the default).
  4. Create a Privacy Policy page and give it layout: single, here's a sample .md file the demo site uses.
  5. Add a footer link to your privacy policy page.

That's helpful, thanks. Another suggestion could be to use the youtube-nocookie.com domain as well as the ?dnt=true flag for Vimeo embeds in the video include.

@maxime-michel I'd be on board if someone wanted to submit a PR to do both of these.

I'll take care of it.
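A consent gate in the spirit of steps 3 and 5 above plus the embed suggestion, as an added example that is neither the theme's code nor anything posted in this thread. It assumes a consent banner that sets a cookie named `cookie_consent` to `allow`, that the theme's built-in analytics provider is turned off so this script is the only thing loading GA, a placeholder GA id in a `data-ga-id` attribute on `<body>`, and it uses the numeric `dnt=1` form of Vimeo's Do-Not-Track flag.

```javascript
// Added example for _includes/footer/custom.html (not part of minimal-mistakes).
// Trackers load only after an opt-in cookie exists; video embeds are rewritten
// to the cookie-free YouTube host and Vimeo's dnt flag before they load.
const CONSENT_COOKIE = 'cookie_consent'; // assumed name set by your banner

// Parse a document.cookie string ("a=1; b=2") and report an explicit opt-in.
function hasConsent(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim().split('='))
    .some(([name, value]) => name === CONSENT_COOKIE && value === 'allow');
}

// Rewrite an embed URL so the player does not set tracking cookies:
// youtube.com -> youtube-nocookie.com, player.vimeo.com -> dnt=1.
// URLs for any other host are returned unchanged.
function privacyEmbedUrl(src) {
  const url = new URL(src);
  if (url.hostname === 'www.youtube.com' || url.hostname === 'youtube.com') {
    url.hostname = 'www.youtube-nocookie.com';
  } else if (url.hostname === 'player.vimeo.com') {
    url.searchParams.set('dnt', '1');
  }
  return url.toString();
}

// Inject the GA loader only when consent is present. Returns whether it did,
// so the caller (or a test) can tell opt-out from opt-in. The gtag('config')
// call the theme normally emits would follow the script's load event.
function loadAnalytics(doc, trackingId) {
  if (!trackingId || !hasConsent(doc.cookie)) return false;
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId);
  doc.head.appendChild(s);
  return true;
}

// Browser entry point; skipped when run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  document.querySelectorAll('iframe[src]').forEach((f) => {
    f.src = privacyEmbedUrl(f.src);
  });
  loadAnalytics(document, document.body.dataset.gaId);
}
```

Because the gate runs on every page load, a visitor who later withdraws consent (the banner deletes the cookie) simply stops getting the loader on the next page; already-set GA cookies must still be cleared by the banner.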
