[2.0.x] Create consent method / categories plugin concept for dependent modules with cookies

Created on 16 June 2020, about 4 years ago

Updated 9 April 2024, 3 months ago

Problem/Motivation

In #3130015: Write & document public JS API for actions & events → a JavaScript API is added which allows to subscribe to acceptance state changes and check for status and accepted categories in the browser.
#3068670: Improve the UX for cookie categories → adds better handling for opt-in with categories which seems to become the new standard of cookie configuration with GDPR.

What's needed aside from that is a standard plugin / API mechanism for related modules to assign their script / cookie initialization logic to the given consent & categories. While they will be able to act on consent state changes and eventually selected categories in the JavaScript, it hat to be defined somewhere, to which group a script / cookie from a cookie setting module belongs.
Other modules currently can't (cleanly) know which eucc consent method is selected, which categories exist and which category their logic should depend on (user selection required).

Let's use some well known and widely used examples:

Google Analytics (google_analytics / ga / analytics modules)
Piwik / Matomo
Facebook Tracking Pixel

We'll call the connection between the modules like "ga" or "piwik" and eu_cookie_compliance "Plugin" in the following text for better understanding. Which kind of mechanism we'll use in the Drupal context has to be discussed. It might be hooks, services or whatever...

The current possibility to block JavaScripts and allow cookies based on categories is not a proper solution for most cases because it's insufficent.

A first UI example as starting point can be seen in euccx → , which implements a similar logic but has a different focus and is only available for Drupal 7:

Proposed resolution

There are at least two strategies we could use:

A) Connector (sub)modules defining plugins - Handling in eu_cookie_compliance

(Sub)modules defining "Plugins" connect cookie setting modules (e.g. ga, piwik, ...) with eu_cookie_compliance and expose their cookie types to eu_cookie_complance through a defined interface.
The modules require eu_cookie_complance and their master module (like "ga"/"google_analytics" for example).
eu_cookie_compliance collects this information and provides a user interface to select their consent category and add further relevant information (see "User interface changes").

eu_cookie_compliance then exposes the information which plugins have been accepted.
Of course the submodule can also be left out and the related module itself defines the interface. Furthermore instead of a submodule there might be glue-modules to act on modules which don't offer an integration themselves. The current part "Disable javascripts" and "Allowed cookies" might be moved into such one.

B) eu_cookie_compliance exposes consent method / categories information - Handling in the related module

As an alternative eu_cookie_compliance could expose information about existing groups and the selected consent method to other modules through an API so that other modules implement their own logic to assign their logic to existing groups.

If someone has an idea how to do that clean and clever, please explain it here. While writing this, I think this is not good practise and has many disadvantages.

Remaining tasks

Discuss strategy (see above)
Refine selected strategy
Implementation
Documentation

User interface changes

Add options to assign plugins to categories (at least technical / if not using categories) to mark them relevant for consent and register their callbacks
Bonus: Add a textarea for each plugin to declare their cookie information (Provider, Purpose, Cookie lifetime, Description) which can be output as block in the privacy policy and is important to GDPR