Problem/Motivation
The Olivero theme sets the localStorage item Drupal.olivero.stickyHeaderState every time. Storing data in the user's browser (whether in a cookie, localStorage or sessionStorage) requires the user's consent in many countries, e.g. in the countries of the European Union.
Steps to reproduce
Install Drupal with Olivero and open the home page.
Proposed resolution
The aim should be to avoid data protection violations without the need for a consent manager. The use of localStorage is permitted if it is necessary for the provision of the requested service. It would therefore be a step in the right direction if the localStorage were only used after the toggle button has been pressed.
(Ideally, the use of localStorage should only be optional and become a theme setting, but the data protection officers are welcome to discuss this first).
Remaining tasks
Introduce a JavaScript function updateStickyHeaderStorage() which only sets the expiration time if the item exists.
User interface changes
None.
Introduced terminology
None.
API changes
None.
Data model changes
None.
Release notes snippet
Avoid the unnecessary use of localStorage to comply with data protection regulations.
| Comment | File | Size | Author |
|---|---|---|---|
| #19 | 3487874_after.png | 221.93 KB | filipeabreu |
| #19 | 3487874_before.png | 235.03 KB | filipeabreu |
| #19 | 3487874_patch.png | 30.01 KB | filipeabreu |
Issue fork drupal-3487874
- 3487874-oliviero-violation-of
changes, plain diff MR !10208
Comments
Comment #3
jan kellermann commented
Comment #4
jan kellermann commented
Comment #5
jan kellermann commented
Created MR. Please review.
Comment #6
jan kellermann commented
Comment #7
smustgrave commented
Thanks for reporting, we could use a test case showing this as a problem.
Comment #8
jan kellermann commented
Thanks for your comment. I added the test.
Please review.
Comment #9
valthebald
As far as stickyHeaderState is entirely client-processed and is not collected/processed by the server (who should it be?), I'd argue it's not subject to GDPR or similar regulations.
GDPR, as it states in the very first article, is about
since there is no processing of personal data, I'd say there is no need to get user consent
Comment #10
longwave
+1 to #9. GDPR is only relevant to the processing of personal data, this is kept entirely client side and cannot be used to track or identify a user so I believe this usage of localStorage is exempt.
Comment #11
jan kellermann commented
@valthebald and @longwave are right that this is not a violation of the GDPR - but of the EU ePrivacy Directive and national laws in European countries (since 2002!).
The ePrivacy Directive Art. 5 (3) says that you need users’ consent before you "store information" (cookies, localStorage etc.) "in the terminal equipment of a subscriber or user" (e.g. browser) except "strictly necessary" data. This EU directive is not a direct law, but is implemented by national laws, in Germany the TDDDG and in Spain the LSSI for example.
The new EU e-Privacy Regulation is currently being drafted; this will replace the directive and will then become direct law (in the same way as the GDPR). According to the current status, it contains an analogous passage, see Article 8 "Protection of information stored in and related to end-users’ terminal equipment":
It is not about which data is processed, but about the protection of the visitor's end device - so it does not matter whether it is a tracking, 1st or 3rd party cookie.
It is a violation in all European countries.
Edit: And for the UK, too, see PECR
Comment #12
valthebald
@jan kellermann I'm equally amazed by your knowledge of the EU laws as I am disappointed by implied restrictions to deliver meaningful functionality to our clients...
Comment #13
jan kellermann commented
@valthebald My MR does not cause any disadvantages for the users: LocalStorage is only used when it is needed. This is a responsible approach in terms of the law. For example, the theme writes the entry in the LocalStorage for mobile users who never get to see the menu switch - you can't talk about “technically necessary” here.
Comment #14
jan kellermann commented
Comment #15
longwave
Should we just change setStickyHeaderStorage() to delete the localStorage entry if the passed value is false?
Comment #16
jan kellermann commented
Great idea, @longwave!
Since there's no reason to save the false state, I'll remove it now.
I added this to javascript and also to the test.
Comment #17
jurgenhaas
Works as expected. Maybe this needs a Drupal CMS Release tag, I will ping @pameeela about it.
Comment #18
pameeela commented
Would be great to get this into our initial release if possible.
Comment #19
filipeabreu
I added diff file https://git.drupalcode.org/project/drupal/-/merge_requests/10208.diff of MR https://git.drupalcode.org/project/drupal/-/merge_requests/10208 as a patch and it could be applied properly. Also, the expected result worked fine.
Patch:

Before:

After:

My local setup settings:
Comment #22
longwave
Committed and pushed 5e89fa50893 to 11.x and 7ba9c1951c7 to 11.1.x. Thanks!
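
The storage policy this issue converged on (write only from the toggle handler, remove the entry when the value is false, refresh the expiry only if an entry already exists), as an added sketch that is not the Olivero source or the merged MR. The key and the names setStickyHeaderStorage() and updateStickyHeaderStorage() come from the issue; the storage parameter, the {value, expiry} item shape, the two-week lifetime, getStickyHeaderStorage() and the in-memory storage stand-in are assumptions.

```javascript
// Added illustration, not the Olivero source.
const KEY = 'Drupal.olivero.stickyHeaderState'; // key named in the issue
const TTL_MS = 14 * 24 * 60 * 60 * 1000; // assumed lifetime: two weeks

// Constructed stand-in for window.localStorage so the sketch runs offline.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    get length() { return data.size; },
  };
}

// Only write path; meant to be called from the toggle button handler.
function setStickyHeaderStorage(storage, expanded, now = Date.now()) {
  if (!expanded) {
    // false is the default state, so nothing needs to stay on the device.
    storage.removeItem(KEY);
    return;
  }
  storage.setItem(KEY, JSON.stringify({ value: true, expiry: now + TTL_MS }));
}

// Hypothetical read helper: never creates an entry, and drops an expired
// or malformed one instead of leaving it behind.
function getStickyHeaderStorage(storage, now = Date.now()) {
  const raw = storage.getItem(KEY);
  if (raw === null) return false;
  let item = null;
  try { item = JSON.parse(raw); } catch (e) { item = null; }
  if (!item || typeof item.expiry !== 'number' || now > item.expiry) {
    storage.removeItem(KEY);
    return false;
  }
  return item.value === true;
}

// Page-load path: extends the expiry only when an entry already exists,
// so a visitor who never presses the toggle gets nothing stored.
function updateStickyHeaderStorage(storage, now = Date.now()) {
  const expanded = getStickyHeaderStorage(storage, now);
  if (expanded) setStickyHeaderStorage(storage, true, now);
  return expanded;
}
```

In a browser, pass window.localStorage as the storage argument; a test can then assert that localStorage.length is still 0 after a page load with no toggle press.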