The Open edX platform currently doesn’t have a proper cookie-consent screen that allows users to choose whether optional cookies and external scripts are used (for marketing, performance, etc.). This means it’s not compliant with some EU regulations (GDPR, Cookie Law, etc.) and I believe the CCPA as well (a California law). I’m part of a group working on implementing the enforcement side of things, but for 2U’s deployment, I think we’re likely going with a commercial vendor for the frontend components that actually show the consent screen. We’ll have to make that pluggable one way or another. But I’d also like to get in touch with other community members who want to implement this. It would be great to have an open-source option for the frontend so that Open edX deployments can be fully compliant from the get-go.
(In particular I’d love to hear from California or EU deployments that have already tackled this.)
More generally, the work is going to involve:
- Presenting a UI that allows users to choose which types of cookies they’re OK with
- Setting a cookie that encodes the categories the user consented to in a standardized way
- Adding conditionals around code (frontend and backend) that sets or reads cookies or brings in third-party scripts or tracking pixels so that those actions are only done when the relevant category is consented to
- Categorization of existing necessary and optional cookies set by the IDAs
- Adding monitoring and enforcement code for continued maintenance of cookie categorizations
The work done in the last three steps will be usable by all deployments; the only question is how that code learns what categories the user has consented to. Off-the-shelf UIs probably each have their own cookie format, so there needs to either be A) a translation step where a second cookie is set that contains the same information, but in an edX-standard format, or B) a slot for a plugin for each of frontend and backend that can read the cookie format of the deployment’s chosen consent solution.
I don’t think 2U can commit resources at the moment to evaluating and implementing an open-source option for the consent screen UI, so I’m hoping another deployer can pick up that work. I’d also like to hear opinions on how to do that translation of implementation-specific cookies to category checks.
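A backend sketch of the translation question above, covering both option A (a second, standard-format cookie) and option B (a reader plugin per consent solution). This is an added example, not part of the original post and not Open edX code. The cookie names, category names, and vendor cookie format are all constructed assumptions, and `cookies` is assumed to be a plain name-to-value dict such as a request's parsed cookies.

```python
import json
from urllib.parse import unquote

# Hypothetical platform-standard category names (assumption, not an Open edX API).
NECESSARY = "necessary"
KNOWN_CATEGORIES = frozenset({NECESSARY, "functional", "performance", "marketing"})

# Constructed sample of a made-up vendor format: URL-encoded JSON of group flags.
SAMPLE_VENDOR_COOKIE = "%7B%22groups%22%3A%7B%22C2%22%3Atrue%2C%22C4%22%3Afalse%7D%7D"

def read_standard_cookie(cookies):
    """Option A: a second cookie in a standard format, e.g. 'functional+performance'."""
    raw = cookies.get("consent_categories")
    return None if raw is None else set(unquote(raw).split("+"))

def read_vendor_cookie(cookies):
    """Option B: plugin that translates the constructed vendor format to categories."""
    raw = cookies.get("vendor_consent")
    if raw is None:
        return None
    mapping = {"C2": "performance", "C3": "functional", "C4": "marketing"}
    groups = json.loads(unquote(raw))["groups"]
    return {mapping[g] for g, ok in groups.items() if ok is True and g in mapping}

# A deployment would register the reader for its chosen consent solution here.
READERS = [read_standard_cookie, read_vendor_cookie]

def consented_categories(cookies, readers=READERS):
    """Return the consented categories, failing closed to necessary-only."""
    for reader in readers:
        try:
            found = reader(cookies)
        except (ValueError, KeyError, TypeError, AttributeError):
            found = set()  # malformed cookie: treat as no optional consent
        if found is not None:
            # The cookie is client-controlled, so drop any unknown category names.
            return (found & KNOWN_CATEGORIES) | {NECESSARY}
    return {NECESSARY}  # no consent cookie at all: optional categories stay off

def has_consent(cookies, category):
    """The check that conditionals around optional cookies and scripts would call."""
    return category in consented_categories(cookies)

if __name__ == "__main__":
    print(sorted(consented_categories({"vendor_consent": SAMPLE_VENDOR_COOKIE})))
```

Because callers only see `has_consent`, the categorization and enforcement code stays the same whichever consent UI a deployment picks.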