[META] Track 8: Create "Data privacy / compliance (GDPR, CCPA, cookie consent)" recipe

This is a track we are interested to collaborate on as Dropsolid.

The main solution we currently implement uses https://www.drupal.org/project/eu_cookie_compliance, but I feel the module might be too bloated for inclusion in Starshot. You do need something similar for current EU regulations where you can have categories (optionally) with the option of only required categories being accepted easily.

We're EU based, but there should definitely be people involved from other continents where the restrictions might not be there to make sure the recipe has the correct setup for Starshot.

Thanks @pameeela for creating this issue, and it sounds great that Dropsolid can contribute to this @daften.

About module choice, here's @roromedia's (from Austria) opinion about GDPR from the mentioned Github issue:

Currently I am favouring COOKiES over eu_cookie_compliance, I like the usability of it and it is easily stylable.

@JPustkuchen, from the maintainers Drowl from Germany, later commented:

[...] we were coming from the eu_cookie_compliance module that we used in Drupal 7 but had many issues with that, COOKiES was the successor for us.

I am adding Starshot GDPR issues on Github and related MR in the Issue Summary, and a few related Drupal GDPR issues.

I've just applied as a track lead.

Congrats @Jürgen, to be the Tracklead! 🎉🍾
I think this is a big step and a lot to discuss and plan :)
Looking forward to a great recipe to tackle gdpr in starshot!

Thank you @grienauer, this is indeed a big one but with the help of all the experienced people in the community we will get a great standard defined and implemented. As a starting point, there is a great map and legislation overview that I just received from @kgertz: https://www.dlapiperdataprotection.com

Welcome to @pameeela, @daften, @ressa, @phenaproxima, @thejimbirch here too. I'm really looking forward to all the collaboration ahead of us.

Let's kick off the actual work of this track. As I wanted to keep this meta issue in line with all the other track's meta issues, I've created a new planning issue #3467856: Scope and guideline for privacy and compliance to break down the tasks and provide guidelines that should assist us while discussing and developing our deliverables. It also contains a list of next steps where I'm laying out my proposal on how we should go about all of this.

Of course, that issue is a draft and currently mainly driven by my own perspective and knowledge about the subject. This is open for discussion and improvements, and I'd like to encourage everyone to participate in that issue. Our goal should be to get to a consensus about it by the end of August, so just about 2 weeks from now.

In parallel, we can collect what I coined as the "Super-set feature set for privacy compliance" in #3467855: Prioritized feature list: Roadmap. The idea is to get the global requirements into one list. That will result in features that will be too many for any single country, but it gives us the layout to do more research with Drupal agencies and target persona of Starshot. More about that strategy in the guideline issue's next steps. The "feature" list should not necessarily go into technical detail, it's more about high-level bullet points. I'm saying this as I believe that we need to raise awareness first before we should break this into technical tasks.

Please get engaged in those 2 issues, and invite others in your network to participate, too. We need as many perspectives as possible here.

There will be 2 recipes in the next couple of days that will provide the required functionality for this track. Their issues are #3483392: Build privacy base recipe and #3483394: Build privacy advanced recipe.

We recently had some basic discussions at COOKiES, which I'd like to inform you about:
COOKiES 2.x Vanilla JS rewrite: #3491096: [META][2.x] Rewrite in Twig templates & Vanilla JS / TS
or deprecate COOKiES in favor of Klaro: #3491495: Review Klaro module as alternative (and maybe join forces)

We're not yet sure, how we'll continue, but we'd love to get some feedback from the community! I think this might be relevant here, especially re #4

PS: Just saw that #3483392: Build privacy base recipe also chose Klaro! Nice, that's another point for #3491495: Review Klaro module as alternative (and maybe join forces) - would be great to get some feedback in the issue with pro / cons! (And maybe things that should make their way into Klaro)

Thanks @anybody for youre input. We've decided to go with Klaro for Drupal CMS and here is our ADR that explains the decision process: https://git.drupalcode.org/project/drupal_cms/-/wikis/Architecture-Decis...

The other options have been ruled out for reasons also explained in that ADR. In short:

• Cookies module: the external library is not open source and the maintainer was unwilling to talk to us, despite huge effort to get in touch
• EU Cookie Compliance: big module, most users, but growing out of its scope and would have required a major rewrite of the module, according to the maintainers. Instead, they have been happy to change direction and provide a migration path from EU CC to Klaro for all existing users.

Thank you very very much @jurgenhaas! That underlines our plan to eventually join forces with Klaro! Great! (And sad I never recognized that project before)

That underlines our plan to eventually join forces with Klaro!

This is great news. Imagine we have all privacy experts of the Drupal community behind one global solution, well maintained.

And sad I never recognized that project before

A lot of us can relate to that. Klaro has been a well hidden champion. Looking at the usage statistics for the module, our decision already makes a difference and we should see a great future, not only for the module but also for all its users.