Liferay and European Cookie rules

Is Liferay ready for European compliance?

Every one knows that bringing a website online means to face some challenges to be compliant with the local law. Especially in Europe we face the changes that were introduced in 2018. This blog post is about the Liferay way to deal with cookies and I think it's worth to think about it.

To learn about the rules in Europe you could read this: Ultimate Guide to EU Cookie Laws.

It basically says that a website is NOT ALLOWED to place ANY cookie without the consent of the user!
The only exception to this rule are cookies that are 'necessary' to offer the service at all.
Plus: The user must be able to reject cookies permanently!

And in fact there are a lot of lawyers only waiting to find a page that is not compliant. That way they earn a log of money!

Liferays cookies

That said, if you inspect the cookies that Liferay places into the browser, you'll notice:
Cookies for the Session (JSESSION), the guest language (GUEST_LANGUAGE_ID) and the ability to store cookies (COOKIE_SUPPORT) on every (guest) visit on the page. To argue that the latter two are 'necessary' is at least.... critical.

These cookies are 'httpOnly'. That means that you can not delete them with JavaScript (as I tried at first...) Disabling this via portlet.properties is also not really an option as this is a per user decision!

The cookies that Liferay sets when users logs in are less critical! Assumed that you get the user consent when registering on your portal.

Anyway: The law in Europe requires that you give detailed information to the user. You can read what I tell them here: Indie Smarthome Cookie policy.

I think that Liferay should support European users with this. GUEST_LANGUAGE and COOKIE_SUPPORT are the problem. If I overlooked a simple way to disable them, please let me know.

Google Analytics

At first I was impressed that Liferay supports this out of the box. Just get your GA ID and paste it into the corresponding site setting. Liferay then injects the necessary script into every page.

But in Europe we can't use this. Because of the already mentioned law. GA places cookies and the service provider needs the consent of the user to do so.

By the way: A few years ago Google changed the JavaScript that sends the data and that's why you're better of to inject your own script than just pasting your GA ID anyway. The standard Liferay script is outdated.

And in that script you need to respect the decision of the user if he does not want you to place cookies!

My Solution

For getting the users decision (Accept / Reject Cookies) I used this  Open Source JavaScript Library 'Cookies Enabler'

I adjusted it a little bit to fit into the footer of the portal, I scripted a little bit to keep GA from setting cookies if the user rejects that and I wrote a lot of 'Terms of use', and policies to hopefully get away from the money-hungry European lawyers :-)

If you suffer from the strict law over here as well (I'm not saying that the law is not useful... the opposite is the case...) then you may have a look on my current implementation for this.

Just go to www.indie-smarthome.com and have a look into the page source.

As always: If you have better solutions for the challenges that I faced: Don't hesitate to let me know via the comments!