September 19, 2018

Drupal GDPR help from the EU Cookie Compliance module

In 2012 the European Commission was tasked with planning data protection reform across the European Union to make Europe ‘fit for the digital age’. Out of this came the General Data Protection Regulation (GDPR), which was put into place in May of this year. It requires that any company within the EU, or that collects data from EU users, follow its set of guidelines for data protection and data security. This basically consolidates the various data privacy laws that exist across all 28 member states of the EU.

The aim of this is to give European citizens more control over their personal data and to update the laws to reflect the world we live in now. This includes laws around personal data and privacy and consent across Europe.

With GDPR, organizations will have to ensure personal data is gathered legally and under strict conditions. Organizations will also be tasked with protecting it from misuse and exploitation, as well as respecting the rights of data owners. This will ultimately place legal obligations on a company to maintain records of personal data and how it is used, placing a higher level of legal liability on it should the data be breached.

What is considered personal data?

Whether you’re based in Europe or a global organization that is potentially collecting data from European users, you should be aware of which data you’re collecting falls under the scope of GDPR. Under existing legislation names, addresses, and photos are considered personal data, but with GDPR this extends to IP addresses, genetic data, and biometric data which could be processed to uniquely identify an individual.

How can I update my site to comply?

There are plenty of checklists to follow in order to make sure your site is in compliance, but we’re going to cover a change you’ve probably already noticed on many of the sites you visit daily. You’ve probably already guessed it: those wonderful cookie acceptance pop-ups!

There are a few modules that strive to make short work of the cookie acceptance process, but after testing several, the module I’ve found to be the best in terms of ease of use and support from other modules that create cookies is EU Cookie Compliance (available for Drupal 7 and 8). This module will provide you with a fully customizable banner that can be displayed at the top or bottom of the window and has full support for responsive and multilingual sites. Consent can be given actively by opt-in or opt-out, or inferred automatically by clicking any link on the site. I recommend going with the opt-in option. Optionally you will be able to use this in conjunction with the GeoIP module to display the banner for EU users only.

Before we get the module downloaded and installed, you’ll want to identify any other modules that currently set cookies for users on your site and make sure they are updated to the latest release. The most common of these is going to be Google Analytics. There was a bug recently where, if a user had previously accepted but then returned and revoked consent, the cookie would incorrectly remain, so you’ll want to make sure that one is updated.

Setup

First you’ll want to create a privacy policy for your site, which you can later link in your banner.

Download and enable the module from either https://www.drupal.org/project/eu_cookie_compliance or with drush or composer.

- Drush

drush dl eu_cookie_compliance

- Composer

composer require drupal/eu_cookie_compliance

Head over to /admin/settings/eu-cookie-compliance on Drupal 7 or /admin/config/system/eu-cookie-compliance on Drupal 8 to set up permissions for displaying the pop-up to certain roles and select the type of consent. For your site to be compliant you will want to use “opt-in”.

Customize your banner. You can set up the text you want displayed for the initial banner, thank you banner, and withdraw consent banner. You will also be able to enter hex values to colour your banner, or if you’re on Drupal 7 you can use the colorpicker module to style your banner.

If you’d like to limit the banner to EU users you can download and install GeoIP. Once you have GeoIP set up you can simply enable the option on the admin page.

If you are using Google Analytics you will find a setting on its settings page that, once enabled, will only place cookies when the user has accepted.

Once you’ve filled out everything, simply save and head to the front page, where you will be greeted by your brand new consent banner.

For developers who have created modules that set cookies, there is a JavaScript function that will return TRUE if the user has given their consent:

Drupal.eu_cookie_compliance.hasAgreed()
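
For module code that sets its own cookie, one way to use this check so the cookie is written only after consent and is removed again when consent is withdrawn (the stale-cookie case mentioned earlier). This is an added example, not code from the EU Cookie Compliance module: `consentGiven`, `setCookieIfAllowed` and the `mymodule_pref` cookie name are hypothetical, and only `Drupal.eu_cookie_compliance.hasAgreed()` comes from the text above.

```javascript
// Added example: gate a custom module's cookie on the visitor's consent.
// Only Drupal.eu_cookie_compliance.hasAgreed() is the module's function;
// every other name here is hypothetical.

// Returns true only when the consent API is present and reports agreement.
// A missing module, a missing function or a thrown error counts as "no consent".
function consentGiven(drupal) {
  const api = drupal && drupal.eu_cookie_compliance;
  if (!api || typeof api.hasAgreed !== 'function') {
    return false;
  }
  try {
    return api.hasAgreed() === true;
  } catch (e) {
    return false;
  }
}

// Writes the cookie when consent is given; otherwise expires any copy left
// over from an earlier visit, so revoked consent does not leave it behind.
// `doc` is anything with a `cookie` setter (the browser's `document`).
// The Secure attribute assumes the site is served over HTTPS.
function setCookieIfAllowed(drupal, doc, name, value, days) {
  const n = encodeURIComponent(name);
  if (!consentGiven(drupal)) {
    doc.cookie = n + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax; Secure';
    return false;
  }
  const expires = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toUTCString();
  doc.cookie = n + '=' + encodeURIComponent(value) +
    '; expires=' + expires + '; path=/; SameSite=Lax; Secure';
  return true;
}

// In the browser (hypothetical cookie name and value):
//   setCookieIfAllowed(window.Drupal, document, 'mymodule_pref', 'dark', 30);
```

Call it again whenever the visitor changes their choice, so a withdrawn consent clears the cookie on the next run.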