Default content for privacy requirements

I have created the drupal_cms_legal recipe, which:

1. Creates basic pages Imprint and Privacy Policy, both with default text
2. Links the two pages in the footer menu

The default texts were generated manually using:

• https://www.wbs.legal/it-und-internet-recht/datenschutzrecht/datenschutz...
• https://dartera.ch/en/imprint-generator-switzerland/

IMO these are the two pages really needed from the list on #3467855: Prioritized feature list: Roadmap → . Data collection disclosure, Privacy policy and Data protection declaration seem to be the same, General terms and conditions should be added to a commerce recipe.

There doesn't appear to be an MR here to review...?

Also...is there any reason we need these things to be their own recipe? I think the benefit of that is really dubious; we should just add these things to the base drupal_cms recipe, IMHO, unless there's really a compelling reason not to.

@phenaproxima this is WIP for now, we're prototyping within our track team. You can ignore this for now.

There will be the base privacy recipe which contains the consent management, that also requires the default content from here. I've created an issue to build that base recipe at 📌 Build privacy base recipe Active and will copy the proposed default content from here over to the other MR when it's time for it.

jurgenhaas → changed the visibility of the branch 0.x to hidden.

jurgenhaas → credited ckrina → .

jurgenhaas → credited grienauer → .

jurgenhaas → credited pameela → .

The MR above included in MR !152 of 📌 Build privacy base recipe Active and I'm therefore closing the branch here as we should continue the code related work over there.

However, we still need to discuss and come to a conclusion on if and what default content needs to be delivered. That's not a simple task, as the following summary of different opinions I've collected are showing:

• @boromino provided the comprehensive default content in the MR mentioned above, and he argues that this is important for the target audience
• @grienauer is not convinced that delivering default content is the right way to go as we know from experience that most people will never touch it, but a default will never be legally correct. Therefore, the damage outweighs the benefit.
• @pameela and @ckrina want to have some default content in the product so that we can declare the product ready-to-go out-of-the-box.

Honestly, I don't know how we should bring this to a consent, and therefore ask for further discussions which should help us to get everyone's buy-in.

I added the default content because Pamela and Christina asked for. To help the user understand what the 2 pages are for, we could provide a minimal default content (the privacy policy generator e.g. lets you choose what parts you want to include):

• Some text about storage of personal data (IP) and cookies on privacy policy page
• VAT number and information about responsible person on imprint

However, if we provide default content, we should also make available a few translations of it somewhere (doesn't have to be part of recipe).

I want to raise my concerns about adding default content.
As an example: I was the creator of the Omega3 Logo and back then, we decided, that it is a good idea to ship the theme with a default favicon. It is not :P. still nowadays, the favicon, add to homescreen etc icon is on a lot of Drupal websites visible, as it was never changed.
This will also happen with the default content of gdpr/legal notics texts etc.

It is quite complicated, what has to be visible in a legal notice. even more complex it is on a gdpr page…

I strongly have the feeling, we should only describe, what there should be visible and give some hints, but not prepare some texts with placeholders.
a predefined text will only make the operator of the website feel safe, that they need only to insert/fill in some correct values, and they are save. but it is much more than that.

We can also discuss it in one of our next JF meetings.

i agree with @grinauer, having default content is thin ice. i wonder if an alternative approach might be to still add those two page but make them more or less place holder pages, close to empty and then create a tour for each of those pages with instructions how to properly set them up (plus providing additional links as followup reads). and there could be specific tours for different legal regions (EU, US, and so on).

I see that the privacy recipe is adding the two pages mentioned here: Imprint and Privacy. I mentioned in Slack that 'Imprint' is not a term I am familiar with so I looked it up and I see it is a requirement for EU sites.

It's not clear to me that the page must be called 'Imprint' -- this isn't a commonly used term in English as far as I'm aware. Is there another term we could use? Or can we just include this info in the privacy page?

As to the default content, I totally understand that there's no way for us to provide default content that works for everyone. What might be better is some basic instructions, or an outline? (Currently the privacy page contains too much information, it's totally overwhelming!) And the pages should be unpublished by default, this way we won't clutter the internet with dummy privacy content :)

We should include some info in the user guide as well, similar to:
https://www.wix.com/blog/how-to-write-website-privacy-policy
https://support.squarespace.com/hc/en-us/articles/360033411331-Creating-...

I somewhat share the default content concerns, although I believe it would be nice to have a way to automatically generate a default legal notice to start working with. However the current default content designates "Drupal CMS" as the responsible legal entity and is full of mentions of Drupal being responsible for stuff, so that is a no-go to ship with I think :) (On top of the grammatical issues in the text).

Data protection is of a particularly high priority for the management of the Drupal. The use of the Internet pages of the Drupal is possible without any indication of personal data; however, if a data subject wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.

the current default content designates "Drupal CMS" as the responsible legal entity and is full of mentions of Drupal being responsible for stuff, so that is a no-go to ship with I think

Yes, agreed!

I think it would be useful for any default content to explicitly highlight where the site owner needs to update and tailor the privacy policy wording. For example:

Data protection is of a particularly high priority for the management of [add your organization name/ website address]

This could also be referenced in the user guide information to i.e.

We should include some info in the user guide as well, similar to:
https://www.wix.com/blog/how-to-write-website-privacy-policy
https://support.squarespace.com/hc/en-us/articles/360033411331-Creating-...

Actually, it's surprising that the text quality is as it is because it comes from a fairly widely used text generator and wasn't redacted yet. So, yes, this needs more work - if we even go to the length that we even provide default content.

Before going further into the content itself, it feels like we should first come to a conclusion of what has been summarised in #13: the pros and cons of providing any default content.

Yes, having some default that highlights where it needs to be completed by the site owner, seems to be what we want. On the other hand, Nico's argument that plenty of site owners won't touch it, no matter how hard we try, is what we see in so many areas of life. Of course, that's not our fault then, but still, we would be made accountable and Drupal receives the bad news if anything goes wrong some time down the road.

Could the default content be a collection of headings, indicating what topics need to be covered, but no content as such underneath? Instead, providing links to sources where users could find guidelines on how to go about each chapter. If site owners left such templates unchanged, so it'll be and nobody should ever believe that Drupal provided some false content - although even that is uncertain nowadays ;-)

Clearly there needs to be a provision for these pages – and from the point of view of CMS we should be obliged to let site owners know they should include this detail before their sites go live. I agree with earlier comments we should try and make the content on these as universal and jargon-free as possible. If we provide dummy/sample content we run the risk of site owners just keeping that as part of their site whereas what they clearly need to do is to write the content which is specific to their own site. For that reason I think the content needs to be instructional, telling them what points to include (like the links Pam has shared) rather than be example. On the page names, I would regard ‘Privacy’ as mainstream enough but agree Imprint is not that clear. Perhaps ‘About’ is better?

Imprint is not a familiar term in the UK. I don't think there is a realistic proposition of a one size fits all solution to content for these pages. Depending on how an organisation processes data the wording will vary even within the UK.

I think that oftentimes default content will not be changed, so I think we should offer guidance and tools. Worst case scenario I believe is that well meaning individuals think they are compliant because they have generic content when it is not relevant to their case.

For UK websites, I would recommend people read and follow the guidance on the Information Commissioner's Office website and to use the privacy notice generator.

If we do have any desire to generate content that ICO generator would be a great resource to look at.

https://ico.org.uk/for-organisations/advice-for-small-organisations/crea...

https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-el...

jurgenhaas → credited l_vandamme → .

Thanks everybody for your feedback. We've discussed all this in our today's weekly meeting in the team and suggest the following steps forward:

• Less is more: we should provide some default content but that should not make any impression of being usable in production. Just the opposite, make it so "ugly" that nobody can ever assume this would be good to go.
• As we have different sets of required content, we should provide almost empty nodes for "Privacy Policy", "Imprint" and "Coookie Policy", but only publish the first one and keep the other 2 unpublished. That way, the site owner can enable them when required in their context.
• Use tours to guide the user through the steps we recommend them to take for each of the 3 documents.

How does that sound?

Do we definitely need a separate "Imprint" page? My understanding is the contact details just need to be somewhere, and this could be on the privacy page. I am very strongly opposed to shipping with a node called "Imprint" when this terminology is not familiar to any English speaking audience.

Speaking from a North American perspective as well, "imprint" is a total head-scratcher. If I saw this on a website, I would have no idea what the hell it meant.

Normally I would expect contact details to appear in a block in the footer. Can we not just ship something like that?

I can see those concerns and wonder if we should provide separate recipes instead that would be discoverable through Project Browser with labels that indicate who's gonna need what.

Normally I would expect contact details to appear in a block in the footer. Can we not just ship something like that?

That's probably something for the base recipe, not necessarily a privacy topic, if approached that way. And it would require some mechanics to capture that information that should be displayed.

Re#25:

but only publish the first one and keep the other 2 unpublished. That way, the site owner can enable them when required in their context.

Is there any reason why we need to publish anything by default? This content will be incomplete / "ugly". Every published content is visible to everyone, indexed by bots and affects SEO. I suggest that we do not publish any such content without explicitely doing so by the site admin.

Other points looks good to me.

Agree we shouldn't publish any content by default, especially if we know it is incomplete and requires action.