GDPR and cookies
This page explains how you can use the Magnolia GDPR features to manage your cookies on your website.
Under GDPR, you must inform visitors that your website is using cookies, and, if your cookies store personal data, ask visitors to consent to their data being collected.
This is an overview of how to handle cookies:
-
Let the website visitor know that your website is using cookies.
-
Ask the website visitor to grant permission for the cookies to be used and store the website visitor’s decision. The website visitor can accept or reject cookies. See managing consent for cookies.
-
Configure your cookies in the Cookies app according to your cookie consent decision strategy.
-
Before setting a cookie, Magnolia checks the Cookies app for the value of the cookie consent decision and the configuration of the cookie to decide if the cookie may be set. See Understanding whether a cookie is set or not.
-
We recommend you inform your website visitors about what cookies you are using and about the purpose of the used cookies.
Magnolia helps you to implement cookies in compliance with GDPR. It nonetheless remains the responsibility of the website owner to manage cookies properly. Features explained on this page are provided by the Magnolia Privacy module.
Inform the website visitor
You must inform website visitors that you are using cookies.
List all the cookies and for what they are used for.
Example:
Types of cookie in Magnolia
Cookies can be set on the server-side using Servlet cookie API, or on the client side using JavaScript cookie API. Since Magnolia is server-sided software, server-side cookies can be controlled completely using Magnolia. Magnolia also enables you to have some control over client-side cookies.
Cookies set on the server-side
Magnolia uses cookies for different features and functions for instance the visitor trait to serve personalized content.
To set a cookie on the server side, Magnolia uses CookieManager, which always checks the website visitor’s cookie consent decision before the cookie is set.
Cookies set on the client-side - Marketing tags
Many third-party services, such as Google Analytics, Eloqua, Clicky and others, require cookies to work properly. Such third-party cookies are set on the client-side using JavaScript.
Generally you cannot control cookies set on the client-side with Magnolia. However, the code snippet containing the JavaScript code, which sets the cookie, is added by Magnolia on the server-side. By adding or not adding the code snippet you can control whether the cookie is set or not.
By using the Marketing Tags app to manage the code snippets for these third-party services and defining a cookie in the Cookies app and linking it to the marketing tags item, you control whether the third-party cookie is set based on the website visitor’s cookie consent decision.
Managing consent for cookies
When using the Magnolia GDPR cookie features, Magnolia cookies and even third-party cookies managed via Marketing Tags app are never set unless the website visitor has given their consent.
Visitor consent for cookie usage must therefore be collected and stored.
In Magnolia, the consent itself is stored in a cookie named
cookieConsent_status.
The stored value, if there is one, is used to decide whether other cookies are set or not.
Variations of the cookie consent interaction
The simplest cookie consent interaction strategy is to offers visitors the choice between accepting or rejecting cookies. More complex strategies can be implemented depending on your requirements.
Basic accept or reject consent
In this strategy, you inform visitors that cookies exist on your website and ask them to accept.
For example, display a message such as: `This website uses cookies to
ensure you get the best experience on our website''; and a button such
as `Got it! so that visitors can accept the usage of cookies.
In this case, you store a simple value such as accepted or OK as
value of the cookie.
Consent for different groups of cookies
In this strategy, you give the website visitor the possibility to give consent for different groups of cookies:
In this case, you store cookie values such as the following based on which options the user consent to:
-
features -
features,marketing -
features,marketing,statistics -
marketing,statistics
Storing the cookieConsent_status
You can set the cookieConsent cookie via JavaScript. The Magnolia
Travel Demo uses a third-party JavaScript library that was built
specifically to deal with cookie consent. See
Osano Cookie Consent and their
Git repository for more
information.
Alternatively, you also can use the Magnolia CookieManager to add the cookie on the server side.
private static final String COOKIECONSENTCOOKIE_ID = "cookiesConsent";
/**
* Set the consent cookie.
*/
public void setCookieConsentCookie(String cookieConsentStatusValue) {
if (cookieManager.getCookieDefinition(COOKIECONSENTCOOKIE_ID).isPresent()) {
CookieDefinition cookieDefinition = cookieManager.getCookieDefinition(COOKIECONSENTCOOKIE_ID).get();
cookieDefinition.setValue(cookieConsentStatusValue);
cookieManager.addCookie(cookieDefinition);
}
}
For more information, see GDPR API - Managing cookies.
Configuring cookies to set cookies depending on visitor consent
The Privacy module comes with the Cookies app. Make sure you add a cookie definition for all your cookies.
Configuring a cookie
Open the Cookies app from the app launcher.
|
Search for apps or for content across all your apps using the
Find Bar. Open an app directly from the Find
Bar using the command |
To add a new cookie, click Add cookie. New nodes can only be added to
the root node (no nested cookies). The properties id (cookie’s unique
ID) and cookieName (cookie’s name as seen in the browser) are
mandatory.
Cookie properties
You must set the properties id and cookieName which are mandatory.
You may want to set a specific value for the requiredConsentRegexp
property.
You may want to set a specific value for the requiredConsentRegexp property. The value of the requiredConsentRegexp property is interpreted as a regular expression. The default value is .+.
| See Cookie properties for all possible properties. |
Understanding when cookies are set
Every cookie definition has the requiredConsentRegexp property. If
this property is not set explicitly, its default value .+ is used.
The value of the requiredConsentRegexp is interpreted as a
regular expression.
Cookies are set when the regular expression matches the value stored in
the cookieConsent_status cookie.
|
If you use the default value If you use |
Examples:
| cookieConsent_status value | requiredConsentRegexp property(regular expression) | Cookie is set |
|---|---|---|
|
|
✓ |
|
|
:x: |
|
|
:x: |
|
no value* |
✓ |
*) Remember that no value defaults to .+.
Example: Adding a marketing tag cookie and linking it to the Marketing Tags app
You usually set third-party cookies using a code snippet managed in the Marketing Tags app. To control whether this kind of cookie is set, you must add a cookie definition to the Cookies app and link it to the marketing tag.
If you do not link a cookie definition to a marketing tag, the marketing tag is always set following the marketing tag definition only without checking cookie consent.
