GDPR 2018 Data Protection

Have you planned a RGPD plugin?
Is there any development for Grav compliance on Data Protection?

In this regard I’ve looked into solutions and my conclusions are diverse.

The Cookie Consent Plugin (BTW sorry for this link but there seems to be no proper permalink to plugins in the Download section of the Grav website) could be modified to work with the “Opt-in” method. This is what I did locally a couple of days ago and it’s working.

However the requirements go way beyond that and I’m unsure about to what extent such a plugin should and can help.

For instance at a first visit not a single tracking or third party cookie should be set by a website. I think this can not be handled by a generic plugin. Also, at least the Cookie Consent code works on cookies that can be accessed by javascript. That leaves out so called httponly cookies.

When I reached about this point in my reasoning I threw in the towel. It’s beyond my knowledge about GDPR legislation, information security and programming. After all I’m just a GIS guy trying to bolt things together. You can ask me pretty much anything about spatial data and GIS though :wink:

It would be cool if we could team up and see how far we can get with this. Grav surely deserves to keep propelling websites that get European visitors from next Friday onwards.

I’m going to look at this Cookie Consent plugin but it does not go far enough for GPDR.

I’m no expert but I’ve been reading up on GDPR lately and would like to throw out a couple of ideas.

The ePrivacy Regulation isn’t coming into effect with GDPR - probably not until 2019 (at least in the UK) so there’s still time prepare.

"…consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user. " So consent for actions such as remembering which language a user prefers is not required.

Take a look at this random site I ran across yesterday - their cookie notice is about 1/4 of the site when expanded and is super technical looking, That looks really cumbersome to build and to use! also I wonder if its even legal since it ticks to accept all the boxes by default.

It’s clear to me that things aren’t clear regarding cookies yet. The ePrivacy Regulation will bring that clarity hopefully. Either way if I understand what is said about the changes needed by May 25th I think the so called soft opt-in needs to be replaced by an explicit opt-in for tracking and third party cookies. Also this consent must be logged and the user who has agreed must later be able to opt-out again just as easy as he or she was tempted to opt-in.

The site you are referring to is using the commercial tool CookieInfo. They have it configured the old way so users need to opt-out. In three days time that won’t do anymore. I assume that behaviour is a setting. What disturbs me more is that the (66!) unclassified cookies can not be disabled.

Even after searching for alternatives Cookie Consent still appeals to me. Unfortunately it has not been updated for a while now and issues reported on GitHub remain unanswered. I’ve found one fork which aims for GDPR compliance and is recently updated. It’s appropriately named GDPR Consent.

Perhaps anyone knows other good candidates?

We just made a simple javascript which opens a modal on your first page visit, where you can set your cookie preferences. tracking is disabled on default and only works after your agreed.
It’s similar to the way it works at

In addition to cookies, you have to do form level changes with acceptance checkboxes and explicit text.
Give the ability to view, edit and delete profiles.
To make appear the document of the protection of the personal data.

Sounds good. Are you willing to share that solution with the Grav community?

GDPR has almost nothing to do with the EU Cookie Law.
Only cookies that collects users data needs an explicit opt-in.
For sites that allow user registration or are collecting any data (also via plugins), Grav/plugins should be compliant to GDPR rights of users to be informed (what data are collect, by who, where, why, security, ecc…) and allow them access/edit/download/delete datas and change consents

So, because user can delete his cookies in browser, does that make it good enough for GDPR?

Ideally the GDPR plugin should be able to first check if IP address is from EU, and only then set cookies and proceed with page loading.

In my case I use Google Analytics and Adsense and it looks like I should now show popups before even loading analytics and Adsense code. I don’t really know for sure, but I see now some websites are already doing this.

I don’t want to complicate my blog even more with opt-in popups and loading different versions of code depending on user choice.
I’m also sick of showing popups in general (including pointless cookie consent).
The EU is putting users into a “helpless dummy” position, where the user has no responsibility for taking care of his own privacy on web (e.g., by disabling cookies in browser, or using VPN). I don’t want to support this (sorry for this disrespectful attitude towards user privacy).

Therefore, it would be nice if the plugin could automatically redirect users from EU to a static page (which would show for example - “This site is not available to EU users”), before loading any javascript and setting cookies. This way you don’t impair browsing experience of users outside of EU.


I made plugin for Grav to help comply with GDPR.


Thank you for this plugin, I will watch.

can you explain better how it works? I’ve installed the plugin, setup the privacy information string with all the checkboxes but it show me everytime the same “test page” created for the config “Url to site policy page”. I tried to remove the page in the configuration but it give me everytime a 404 error and nothing else