Cookie banner and privacy notice flow need improvement

The cookie notice on Fedora Discussion needs improvements for clarity. This happened to align with some privacy work I’m reviewing so I went a little deeper.

Issue 1. Acknowledgement != consent

The current “Fine” cookie banner is not consent-grade under EU rules if any non-essential cookies are set. It is closer to a notice/acknowledgment banner. CA similarly has regulation against dark patterns and symmetry of choice for users.


To be fair, “Fine” would be acceptable only if the forum sets strictly necessary cookies only before opt-in but that’s not clear because …

Issue 2. The explanation path is difficult for users to follow

Banner → Fedora Discussion notice → Fedora general privacy/cookie policy → old Discourse cookie post → newer Discourse privacy page. Too many indirections, it’s hard to know which cookies, processors, and data uses actually apply to Fedora Discussion.

Issue 3. Notice isn’t clear

The current notice says:

This site uses cookies in a narrow way, as explained by this Discourse software site post.
(…)
We only use cookies essential to the site’s operation — mostly to get you logged in — and do not enable Google Analytics.

This has the following problems:

  • It takes you to Discourse’s broader privacy/cookie page. That page describes cookies being used in a much broader way than just login cookies, including third-party cookies, marketing-related services, advertising-related cookies in some contexts, and multiple processors/subprocessors.
  • “mostly” is ambiguous
  • This only rules out Google Analytics; not other analytics, marketing, advertising, anti-spam, CDN/security, hosting, or support processors.

Solution

  1. Please avoid so many indirections/links around this. Have a single authoritative source that stands by itself in simple language.

  2. At that place, publish a Fedora Discussion-specific cookie and processor notice. It should list each cookie name, purpose, category, duration, whether it is essential, and whether it comes from Fedora, Discourse/CDCK, a plugin, or another processor/subprocessor and if it has any PII inside it.

A side-comment on PII within existing cookies. In my browser dev tools, I did see the _t (remembers who you are when you log in) and _forum_session (associates an ID, and other security-related information, with your browsing session). Those are indeed identifiers but it’s unclear if those identifiers are personally identifiable identifiers (PII) that warrant additional care.

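As an added example (not from this thread, Fedora, or Discourse), a small Python audit in the spirit of Issue 1 and Solution 2: it parses the Set-Cookie headers a server returns to an anonymous, pre-consent page load, fills in the per-cookie fields the notice should list, and flags any cookie not in the declared strictly-necessary inventory. The headers are constructed, the names _t and _forum_session and their purposes come from the post above, and _hypothetical_analytics is a made-up cookie that only exists to exercise the check.

```python
from dataclasses import dataclass
from typing import List, Optional
# Declared strictly-necessary cookies, purposes quoted from the post above. Anything a
# pre-consent response sets that is not listed here needs an opt-in, not a "Fine" button.
ESSENTIAL = {
    "_t": "remembers who you are when you log in",
    "_forum_session": "associates an ID and security-related information with your session",
}
# Constructed sample headers, not captured from discussion.fedoraproject.org;
# _hypothetical_analytics is a made-up non-essential cookie that exercises the check.
SAMPLE_SET_COOKIE = [
    "_forum_session=opaque1; path=/; secure; HttpOnly; SameSite=Lax",
    "_t=opaque2; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT; max-age=2592000; secure; HttpOnly; SameSite=Lax",
    "_hypothetical_analytics=opaque3; path=/; max-age=31536000",
]

@dataclass
class CookieRecord:
    name: str
    max_age: Optional[int]  # seconds; None means a session cookie
    http_only: bool
    secure: bool
    same_site: Optional[str]
    essential: bool

def parse_set_cookie(header: str) -> CookieRecord:
    """Parse one Set-Cookie header value into the fields the notice should list."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # bare flags such as HttpOnly map to ""
    max_age = int(attrs["max-age"]) if "max-age" in attrs else None
    return CookieRecord(name, max_age, "httponly" in attrs, "secure" in attrs,
                        attrs.get("samesite"), name in ESSENTIAL)
def pre_consent_violations(headers: List[str]) -> List[str]:
    """Names of cookies set before any opt-in that are not declared strictly necessary."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.essential]

def inventory_markdown(headers: List[str]) -> str:
    """Render the per-cookie notice table the post asks for, as Markdown."""
    rows = ["| cookie | purpose | essential | duration | HttpOnly | Secure | SameSite |",
            "|---|---|---|---|---|---|---|"]
    for c in map(parse_set_cookie, headers):
        duration = "session" if c.max_age is None else f"{c.max_age // 86400} days"
        rows.append(f"| {c.name} | {ESSENTIAL.get(c.name, 'UNDECLARED')} | {'yes' if c.essential else 'no'} "
                    f"| {duration} | {c.http_only} | {c.secure} | {c.same_site or '-'} |")
    return "\n".join(rows)
```

Run against real headers by capturing the response to a fresh, cookie-less request in a private window and feeding each Set-Cookie value into the list; an empty result from pre_consent_violations is what an acknowledgement-only banner requires.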

@moderators : is one of us responsible for the banner etc., could you please take a look? (my assumption was that this was vetted by various people at Red Hat when it was set up)

Nope.

That was created by @mattdm a long time ago, he was suggested by the legal team to do something like that. He wrote a post about it back then, but to be honest, I am not sure in which category it was nor if it was before or after the merge of the Discourse instances. So it might be lost.

In any case, this is a site admin case: Making sure you're not a bot!

That said, and being not a lawyer by myself, I expect this to be compliant, because on every page I need to accept the necessary cookies, or leave the page before clicking on any acceptance/confirmation, and so it is here → I cannot choose to not accept the necessary cookies (due to the meaning of necessary :classic_smiley: ). Afaik (and this is an assumption, not knowledge!), we only have necessary cookies, which is why nothing more complicated was necessary. At least back then it was said we only have the necessary ones.

But feel free to open a ticket about this in the site admin area to get a review. Or at the legal team (maybe they have a ticket repo too or so?)

I also posted this to the legal Matrix channel, so that they can consider a review if they want. But I don’t know who is monitoring there. So if someone is convinced there is a compliance issue, they might open a ticket. In any case, only site admins can adjust something here :classic_smiley:

Just in case, CC @admins