Cookie Consent and Privacy Notice Popup

by Alan Christie -
Number of replies: 17

Hey,


On the Moodle.org homepage there's a nice little cookie consent and privacy notice bar


Is this a specific plugin that's readily available or possibly buried in the core features somewhere? If so... where?


Many thanks! 

In reply to Alan Christie

Re: Cookie Consent and Privacy Notice Popup

by Matteo Scaramuccia -

Hi Alan,
it's part of the new features to support the GDPR reqs: you'll find it in those versions where the new Moodle Privacy API is available.

It is based on https://github.com/wimagguc/jquery-eu-cookie-law-popup and Moodle will keep track of the version of the policies you've agreed to.

HTH,
Matteo

Average of ratings: Useful (2)
In reply to Matteo Scaramuccia

Re: Cookie Consent and Privacy Notice Popup

by Alan Christie -
That's super, thanks for the info!


Will check it out.

In reply to Matteo Scaramuccia

Re: Cookie Consent and Privacy Notice Popup

by Ray Lawrence -

Thanks. I missed that, where is it in the Admin settings?

In reply to Matteo Scaramuccia

Re: Cookie Consent and Privacy Notice Popup

by Casero Patrizia -

I have two questions about Cookie consent and privacy pop up:

1) Doesn't it seem a duplicate, for Moodle 3.5, where a user is asked to give his consent in order to proceed with the site navigation? Or maybe the pop-up is an alternative method to the one built in?

2) I tried to install the pop-up, but it doesn't disappear. The instructions are not so clear to me; for example, I don't know where to put the jQuery and the two plugin files ..... js and css.

Thank you

Sorry for my English

Patrizia

In reply to Matteo Scaramuccia

Re: Cookie Consent and Privacy Notice Popup

by Fergus Edmunds -

I can't seem to locate the setting in Moodle 3.6

Please help.

In reply to Fergus Edmunds

Re: Cookie Consent and Privacy Notice Popup

by Helen Foster -

You need to start by going to 'Policy settings' in the Site administration and setting the Site policy handler (sitepolicyhandler) to 'Policies (tool_policy)'. Please see the documentation Policies for further information.

Average of ratings: Useful (1)
In reply to Helen Foster

Re: Cookie Consent and Privacy Notice Popup

by Gary Payne -

Hi Helen

I am looking as to how/where I can change the text in the pop-up: "If you continue browsing this website, you agree to our policies" as this statement is not compatible with EU Data Protection Law. Where can I change this text? Is it within the language pack or...?

In reply to Gary Payne

Re: Changing the text "... you agree to our policies"

by Helen Foster -

Hi Gary,

You can change the text using the Language customisation feature. The string is guestconsentmessage in tool_policy.

What are you going to change it to?

In reply to Helen Foster

Re: Changing the text "... you agree to our policies"

by Gary Payne -

Thanks Helen. 

I'll post the change of text here once done as the legal issue is with 'by continuing to use you agree...' as consent must be freely given, an affirmative action, etc. 

Cheers. 

In reply to Alan Christie

Re: Cookie Consent and Privacy Notice Popup

by Ralf Hilgenstock -

This Cookie Consent is not required. EU regulations define clearly that technically required cookies don't need a consent. Moodle cookies are technically required.

Average of ratings: Useful (2)
In reply to Ralf Hilgenstock

Re: Cookie Consent and Privacy Notice Popup

by Gary Payne -

Hi Ralf, thank you for that. You are quite correct that ePrivacy Directive 2002-58-EC, ePrivacy Directive 2009-136-EC (amending 2002-58-EC), coupled with UK legislation Privacy and Electronic Communications Regulations 2003 No. 2426 (PECR) and the EU GDPR 2016/97 combine to permit organisations to run functional/necessary cookies without the consent of the data subject under the lawful purpose of legitimate interest. However... there is a 'however' and the need to alter the text as I will explain in two parts as follows:

Part 1: Organisations, as stated, are permitted under the laws identified above to place cookies on terminal devices (PCs, laptops, tablets, phones, etc.) without the explicit consent of data subjects where they are required and necessary for the functioning of the website (technical needs). As the lawful purpose is not consent, it is wrong to inform data subjects 'If you continue browsing this website, you agree to our policies', as that implies their consent by silence (a non-explicit acceptance of consent in the form of not giving formal, informed, explicit consent by an affirmative action just simply continuing to use) and, as neither consent is needed and the correct lawful purpose is legitimate interest of the organisation (assuming the organisation has completed a legitimate interest assessment (LIA)). In addition, although consent is not required from the data subject for the placing of the MoodleSession cookie specifically, the other requirements of the combination of the laws above remain. These include the compliance with the transparency requirements to inform data subjects that cookies are being used, why, for what purpose, how long they last, etc. whether these cookies are necessary or not. The text in the cookie notice should invite data subjects to learn more by following the links to the various policies where they may be asked for their agreement to the policies, which is not consent.

Part 2: In the case of Moodle, the software can place a minimum of two cookies. 1) MoodleSession and 2) MOODLEID. This second cookie is not necessary for the functioning of the website as 'It remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you'. The laws above require that for non-necessary cookies such as MOODLEID, that data subjects shall be given the right to refuse this cookie although if properly informed about its function and that it is a non-tracking, non-analytical cookie, data subjects are unlikely to refuse its function. Websites and organisations cannot assume this and must explain how it can be refused along with the transparency information above. The refusal of any cookie by the way, should be managed within the website and not by the browser settings.

If an organisation adds tracking and analytical cookies such as Google Analytics (which are used by Moodle on this website as explained in their Cookies Policy), data subjects shall be given the opportunity to refuse such cookies where they are not functional/necessary for the running of the website, and these are not necessary.

Our organisation are, therefore, re-wording the cookie notice to comply with the law and have chosen not to use tracking or analytical cookies, as there are other methods, without using cookies, that we can deploy legally to provide similar information.

Hope this helps explain the reason why I sought how to change the text.

In reply to Gary Payne

Re: Cookie Consent and Privacy Notice Popup

by Ralf Hilgenstock -

Hi Gary,

hope that I understood you correctly.

Part 1: is covered by tool_policy. It's not done by cookies. By the way, in several cases it's not required to get a consent by the user, because as employees or students they have contracts. This is the reason why we translated in German 'consent' by 'information'. German lawyer argues that institutions will be in conflicts if they have legitimate interest based on a contract AND additionally a consent. GDPR defines that it's possible to reject a consent at any time. If there is also a contract the institution sometimes can't fulfill the contract if the consent was rejected separately.

Part 2: The MoodleID cookie is based on users' browser settings. You discuss here questions that architects of GDPR never thought about. The ePrivacy directive is never integrated in German laws and regulations. This is an unclear situation here. But there are plans to set up a new directive in the next years.


Ralf

In reply to Ralf Hilgenstock

Re: Cookie Consent and Privacy Notice Popup

by Gary Payne -
Hi Ralf

Part 1 may be covered by tool-policy but it is not correctly worded or operated as mentioned. The best example of clear consent, with an affirmative action, is to look at the way the European Data Protection Board (EDPB) (https://edpb.europa.eu/) deals with consent for cookies the first time you visit. Note, the new ePrivacy law when it arrives later this year or early in 2020 (it is supposed to be here this year) is a Regulation and not a Directive as before and as such, it will apply with effect from the date of coming into force in all member states without the need for further local member state legislation. The requirements of the ePrivacy Regulation will tighten existing requirements (clear, informed consent with an affirmative action), and increase the administrative penalties (fines, actions, etc.) in line with the EU GDPR. The model for Consent will be explicitly aligned to that of the EU GDPR.

Part 2: The MoodleID cookie must not be based on the data subject's browser settings although those settings can overrule the website, consent/refusal must be demonstrated/offered on a site by site basis not relying on the data subject to change global settings.

On your point about: 'GDPR defines that it's possible to reject a consent at any time. If there is also a contract the institution sometimes can't fulfill the contract if the consent was rejected separately'. If there's a contract in place then you do not need consent, you are relying on the wrong lawful basis. Consent is the weakest lawful basis as it can be simply removed and the organisation must comply; however, if you have a contract in place then this is a stronger lawful basis and processing under the contractual basis can continue even where the data subject exercises the 'right to be forgotten', which is not an absolute right.

As you may gather, data protection law, EU and UK is my field. If outside of this forum you want to chat about a particular matter via Business Skype or a phone call, I'm happy to assist.

Regards, Gary
In reply to Alan Christie

Re: Cookie Consent and Privacy Notice Popup

by Mathias Nguyen -
Hi Alan,

This answer might come up a bit late, but nonetheless Cookiebot has such a generator: https://www.cookiebot.com/en/privacy-policy-generator-gdpr/

It allows users to become fully GDPR and CCPA compliant by ensuring that it lives up to EU's standards as well as other regulatory rules around the world.
Besides Cookiebot there are a few others, but Cookiebot is very informational and allows for users to read about the specific products and elements on their website. I would recommend reading up on GDPR, CCPA on their website, but afterwards you can make your own decision on what to choose.

I've been reading a lot about Cookiebot lately so that's just my biased opinion.

Cheers! - Mathias
In reply to Mathias Nguyen

Re: Re: Cookie Consent and Privacy Notice Popup

by Agnes Beleznai -
Hi Mathias,

I know Cookiebot, and use it on several websites. Is there any way to use it in Moodle? Thank you, Agnes
In reply to Agnes Beleznai

Re: Re: Re: Cookie Consent and Privacy Notice Popup

by Randy Thornton -
Agnes,

Yes, there is. See my comments in this discussion: https://moodle.org/mod/forum/discuss.php?d=416945 especially how to replace the Moodle notices.