Dear all,
Not sure if this discussion is already happening somewhere else; I couldn't find it on MediaWiki.org or by googling.
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
* the user has been informed beforehand in detail
* the user has accepted the cookie
* this acceptance was given freely, without doubt and through an action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
An example of how this is being implemented can be seen on sourceforge.org or here:
* http://ec.europa.eu/justice/cookies/index_en.htm
I checked MediaWiki:
* anonymous users don't get a cookie, unless the site owner added something (e.g. Google Analytics, Piwik or content served by another site using cookies) -> this is fine
* as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first
So I see two possibilities:
1) catch the click on the "Login" link to show a banner first to ask for the user's consent, and on acceptance forward the user to the login page
2) modify the login process to set the cookie after the actual login and put an additional text on the login page like "by logging in I accept the usage of cookies by this website" -> as the login is an action which implies the consent, if we inform properly on the login form already
Any thoughts about this?
This issue also concerns all our Wikimedia websites, basically every MediaWiki out there where people may log in.
The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR.
/Manuel
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:ht...
[2] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion...
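
The manual check described in the message (which step of a visit first sets a cookie) can be scripted over a recorded request trace. The following is an added example, not part of the original message or of MediaWiki; the trace, the cookie names and the `cookies_before_consent` helper are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed trace: (step, method, path, Set-Cookie header values).
# Cookie names and values are made-up samples, not captured from a real wiki.
TRACE_CURRENT = [
    ("view article", "GET", "/wiki/Main_Page", []),
    ("open login form", "GET", "/index.php?title=Special:UserLogin",
     ["examplewiki_session=c0ffee; path=/; HttpOnly"]),
    ("submit login", "POST", "/index.php?title=Special:UserLogin",
     ["examplewiki_session=c0ffee; path=/; HttpOnly",
      "examplewiki_UserID=42; path=/; HttpOnly"]),
]

# Same visit under option 2: nothing is set until the login is submitted.
TRACE_OPTION_2 = [
    ("view article", "GET", "/wiki/Main_Page", []),
    ("open login form", "GET", "/index.php?title=Special:UserLogin", []),
    ("submit login", "POST", "/index.php?title=Special:UserLogin",
     ["examplewiki_session=c0ffee; path=/; HttpOnly"]),
]


def cookie_names(set_cookie_values):
    """Extract cookie names from raw Set-Cookie header values."""
    names = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)  # attributes such as path/HttpOnly are not returned as keys
        names.extend(jar.keys())
    return names


def cookies_before_consent(trace, consent_step):
    """Return (step, cookie_name) pairs for cookies set before the consent step.

    consent_step is the step whose request carries the user's consent,
    e.g. submitting the login form when the form states that logging in
    means accepting cookies.
    """
    findings = []
    for step, _method, _path, set_cookie in trace:
        if step == consent_step:
            return findings
        findings.extend((step, name) for name in cookie_names(set_cookie))
    raise ValueError(f"consent step {consent_step!r} not found in trace")


if __name__ == "__main__":
    for label, trace in (("current", TRACE_CURRENT), ("option 2", TRACE_OPTION_2)):
        print(label, cookies_before_consent(trace, "submit login"))
```
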