Oliviero: Violation of data protection regulations

Created MR. Please review.

Thanks for reporting, we could use a test case showing this as a problem.

Thank for your comment. I added the test.

Please review.

As far as stickyHeaderState is entirely client-processed and is not collected/processed by the server (who should it be?), I'd argue it's not a subject to GDPR or similar regulations.
GDPR, as it states in the very first article, is about

...rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

since there is no processing of personal data, I'd say there is no need to get user consent

+1 to #9. GDPR is only relevant to the processing of personal data, this is kept entirely client side and cannot be used to track or identify a user so I believe this usage of localStorage is exempt.

@valthebald and @longwave are right, that this is not a violation of the GDPR - but of the EU ePrivacy Directive and national laws in european countries (since 2002!).

The ePrivacy Directive Art. 5 (3) says, that you need users’ consent before you "store information" (cookies, localStorage etc.) "in the terminal equipment of a subscriber or user" (e.g. browser) except "strictly necessary" data. This EU directive is not a direct law, but is implemented by national laws, in Germany the TDDDG and in Spain the LSSI for example.

The new EU e-Privacy Regulation is currently being drafted; this will replace the directive and will then become direct law (in the same way as the GDPR). According to the current status, it contains an analogous passage, see Article 8 "Protection of information stored in and related to end-users’ terminal equipment":

It is not about which data is processed, but about the protection of the visitor's end device - so it does not matter whether it is a tracking, 1st or 3rd party cookie.

It is a violation in all european countries.

@jan kellermann I'm equally amazed by your knowledge of the EU laws as I am disappointed by implied restrictions to deliver meaningful functionality to our clients...

@valthebald My MR does not cause any disadvantages for the users: LocalStorage is only used when it is needed. This is a responsible approach in terms of the law. For example, the theme writes the entry in the LocalStorage for mobile users who never get to see the menu switch - you can't talk about “technically necessary” here.

Should we just change setStickyHeaderStorage() to delete the localStorage entry if the passed value is false?

Great idea, @longwave!

Since there's no reason to save the wrong state, I'll remove it now.

I added this to javascript and also to the test.

Works as expected. Maybe this needs a Drupal CMS Release tag, I will ping @pameeela about it.

Would be great to get this into our initial release if possible.

I added diff file https://git.drupalcode.org/project/drupal/-/merge_requests/10208.diff of MR https://git.drupalcode.org/project/drupal/-/merge_requests/10208 as a patch and it could be applied properly. Also, the expected result worked fine.

Patch:

Before:

After:

My local setup settings:

• Drupal 11.1.0
• Web Server: nginx/1.26.1
• PHP: 8.3.10
• Database: MariaDB 10.11.8

Committed and pushed 5e89fa50893 to 11.x and 7ba9c1951c7 to 11.1.x. Thanks!

longwave → closed merge request !10208