GDPR Compliance #4791
Replies: 2 comments
-
I do think it would be a good idea for Oqtane to have an integrated option to enable GDPR on a site.
-
Following this topic, I've tried integrating a Cookie Consent library (https://github.com/orestbida/cookieconsent) which is lightweight, active and has an MIT license. In my case, I'm using static render mode and I've been able to nicely hook up the library with Blazor Enhanced Navigation. With this, I can show the consent modal and preferences, and allow the user to select which categories to enable/disable (analytics, performance, ...).

Using the callbacks it provides, I could manually write some JS to block cookies, but GDPR also requires blocking scripts (they can never be executed without user consent), which is hard in Oqtane. The approach taken by the library is to make the scripts have a type "text/plain" by default and only change it when the consent is accepted. For example, with Google Analytics:

```html
<script async="" src="https://www.googletagmanager.com/gtag/js?id=X"></script>
```

Would become:

```html
<script
  async
  src="https://www.googletagmanager.com/gtag/js?id=X"
  type="text/plain"
  data-category="analytics"
  data-service="Google Analytics">
</script>
```

When the consent status changes, the library finds all the scripts with these data attributes and replaces the type to load it properly. In Oqtane, this proves to be much harder, as scripts are added dynamically and it must also take into account static render mode and page-script. Additionally, the Resource class should be adapted to allow the developers to add the category/service that the resource is related to and then be handled by the framework.

And by the way, I believe it would be interesting to have different classes for stylesheet and script resources (inheriting from a base class), as they have quite different properties now that don't apply to each other (bundle, level, location, ES6Module, content, reload).
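The activation step described in the comment above, shown as an added example (not code from the comment, from cookieconsent or from Oqtane). The function name `activateConsentedScripts` and its `doc` parameter are assumptions made for this example; `doc` stands for the browser's `document`.

```javascript
// Added example: activate scripts that were parked as type="text/plain"
// once the user has accepted their data-category. Anything whose category
// is not in the accepted list stays inert (default deny).
function activateConsentedScripts(doc, acceptedCategories) {
  const accepted = new Set(acceptedCategories);
  const activated = [];
  // querySelectorAll returns a static list, so replacing nodes while
  // iterating is safe.
  const parked = doc.querySelectorAll('script[type="text/plain"][data-category]');
  for (const blocked of parked) {
    const category = blocked.getAttribute('data-category');
    if (!accepted.has(category)) continue; // no consent: leave it blocked

    // A browser evaluates a script element when it is inserted, not when
    // its type attribute changes later, so build a fresh element instead
    // of editing the parked one in place.
    const fresh = doc.createElement('script');
    for (const { name, value } of Array.from(blocked.attributes)) {
      if (name === 'type') continue; // drop text/plain so it is treated as JavaScript
      fresh.setAttribute(name, value); // keeps src, async, data-category, data-service
    }
    fresh.textContent = blocked.textContent; // carries over inline script bodies
    blocked.replaceWith(fresh);

    // Report what was switched on, for logging or a consent audit trail.
    activated.push(
      blocked.getAttribute('data-service') || blocked.getAttribute('src') || '(inline)'
    );
  }
  return activated;
}
```

In a statically rendered site the function has to run again after every navigation that adds markup, because newly rendered parked scripts are not covered by an earlier call.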
-
Currently Oqtane is not GDPR compliant by default, as it does not show any cookie consent banner and does not allow rejecting non-functional cookies. This could be implemented by module developers in a variety of ways (js libraries, nuget packages, official guidelines, ...), although it would be interesting to have an in-framework solution.
However, the main issue I'm encountering is blocking third-party scripts before the user allows them. The usual way to achieve this is by adding a data attribute to the script with the category level (i.e. data-category="analytics") so it can be blocked. Currently, this approach is not supported by Oqtane, as the resources declared in ModuleInfo can't add custom attributes. Also, I'm not even sure how this would work with the PageScript and Reload in Static render mode.
Has anyone managed to add a site-level GDPR compliant mechanism? Otherwise, Oqtane can't be used in Europe and be fully compliant.