Hey,
On the Moodle.org homepage theres a nice little cookie consent and privacy notice bar
Is this a specific plugin thats reeadily available or posisbly buried in the core features somewhere? If so... where?
Many thanks!
Hi Alan,
it's part of the new features to support the GDPR reqs: you'll find it in those versions where the new Moodle Privacy API is available.
It is based on https://github.com/wimagguc/jquery-eu-cookie-law-popup and Moodle will keep track of the version of the policies you've agreed to.
HTH,
Matteo
Will check it out.
Thanks. I missed that, where is it in the Admin settings?
I have two questions about Cookie consent and privacy pop up:
1) It doesn't seem a duplicate, for moodle 3.5, where a user is asked to give his consent in order to proceed the site navigation? Or maybe the pop up is an alternative method to the one built in?
2) I tried to install the pop up, but it doesnìt disappear , the instruction are not so clear to me, for example i don't know where to put the jquery and the two plugn files ..... js and css.
Thank you
sorry for my english
Patrizia
I can't seem to locate the setting in Moodle 3.6
Please help.
You need to start by going to 'Policy settings' in the Site administration and setting the Site policy handler (sitepolicyhandler) to 'Policies (tool_policy)'. Please see the documentation Policies for further information.
Hi Helen
I am looking as to how/where I can change the text in the pop-up: "If you continue browsing this website, you agree to our policies" as this statement is not compatible with EU Data Protection Law. Where can I change this text? Is it within the language pack or...?
Hi Gary,
You can change the text using the Language customisation feature. The string is guestconsentmessage in tool_policy.
What are you going to change it to?
Thanks Helen.
I'll post the change of text here once done as the legal issue is with 'by continuing to use you agree...' as consent must be freely given, an affirmative action, etc.
Cheers.
This Cookie Consent is not required.. EU regulations defines clearly that technically required cookies don' t need a consent. Moodle cookies are technical required.
Hi Ralf, thank you for that. You are quite correct that ePrivacy Directive 2002-58-EC, ePrivacy Directive 2009-136-EC (amending 2002-58-EC), coupled with UK legislation Privacy and Electronic Communications Regulations 2003 No. 2426 (PECR) and the EU GDPR 2016/97 combine to permit organisations to run functional/necessary cookies without the consent of the data subject under the lawful purpose of legitimate interest. However... there is a 'however' and the need to alter the text as I will explain in two parts as follows:
Part 1: Organisations as stated, are permitted under the laws identified above to place cookies on terminal devices (PCs, laptops, tables, phones, etc.) without the explicit consent of data subjects where they are required and necessary for the functioning of the website (technical needs). As the lawful purpose is not consent, it is wrong to inform data subjects 'If you continue browsing this website, you agree to our policies', as that implies their consent by silence (a non-explicit acceptance of consent in the form of not giving formal, informed, explicit consent by an affirmative action just simply continuing to use) and, as neither consent is needed and the correct lawful purpose is legitimate interest of the organisation (assuming the organisation has completed a legitimate interest assessment (LIA)). In addition, although consent is not required from the data subject for the placing of the MoodleSession cookie specifically, the other requirements of the combination of the laws above remain. These include the compliance with the transparency requirements to inform data subjects that cookies are being used, why, for what purpose, how long they last, etc. whether these cookies are necessary or not. The text in the cookie notice should invite data subjects to learn more by following the links to the various policies where they may be asked for their agreement to the policies, which is not consent.
Part 2: In the case of Moodle, the software can place a minimum of two cookies. 1) MoodleSession and 2) MOODLEID. This second cookie is not necessary for the functioning of the website as 'It remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you'. The laws above require that for non-necessary cookies such as MOODLEID, that data subjects shall be given the right to refuse this cookie although if properly informed about its function and that it is a non-tracking, non-analytical cookie, data subjects are unlikely to refuse its function. Websites and organisations cannot assume this and must explain how it can be refused along with the transparency information above. The refusal of any cookie by the way, should be managed within the website and not by the browser settings.
If an organisation adds tracking and analytical cookies such as Google Analytics (which are used by Moodle on this website as explained in their Cookies Policy), data subjects shall be given the opportunity to refuse such cookies where they are not functional/necessary for the running of the website, and these are not necessary.
Our organisation are therefore, re-wording the cookie notice to comply with the law and have chosen not to use tracking or analytical cookies as there are other methods without using cookies, that we can deploy legally to provide similar information.
Hope this helps explain the reason why I sought how to change the text.
Hi Gary,
hope that I understood you correct.
Part 1: is covered by tool_policy. Its not done by cookies. By the way in several cases its not required to get a consent by the user, because as employee or student they have contracts. This is the reason why we translated in German 'consent' by 'information'. German lawyer argues that institutions will be in conflicts if they have legitimate interest based on a contract AND additionally a consent. GDPR defines that its possible to reject a consent at any time. If there is also a contract the institution sometimes can't fulfill the contract if the consent was rejected seperately.
Part 2: The MoodleID cookie is based on users browser settings. You discuss here questions that architects of GDPR never thought about. The ePrivacy directive is never integrated in German laws and regulations. This is a unclear situation here. But there are plans to set up a new directive in the next years.
Ralf