PR#1176 "feat: Refactor GDPR stuff into a more readable consent class" accidentally broke my GDPR compliance #1547
Comments
Hey @grahamc, super sorry for the breaking change. We've decided to have our consent state always be
Hi @MarconLP thanks for the response. I know and saw that change to the documentation, but to be clear these functions are not doing what they say they do. A function named This breaking change of these functions, published without release notes and with a PR body that says the author is "fairly sure it works as before and hopefully enough tests to prove it" is giving me pretty low confidence that this was intentional. To be clear, I am unhappy to have discovered that my previously-GDPR compliant code was no longer, and all of a sudden I'm in violation of the law because I upgraded a point release of a library.
Hey. Chiming in as the author of that original PR. Apologies that this broke things. Part of the changes there were intended to fix other people's issues surrounding confusing configuration. The PR might sound like we were flippant but I did a lot of customer checking at the time and there was a range of different issues we were trying to overcome, with yours clearly one of the unintended side effects of it. Not trying to excuse, just trying to give the "rock and a hard place" context. Essentially the only changes were the exposed top level functions where the underlying posthog functionality stayed the same but with fixes for some incorrect state management. The blind spot is essentially there where I didn't account for the use case you have using the exposed top level methods. In terms of what to actually do here, I now have the new rock of reverting to the old implementation may break people who are now relying on this working the way it currently does 🤔 I need to do a bit of checking to see how bad reverting it would be as we may now create new issues for a bunch more people... As an aside - generally I would never recommend powering your cookie banner off of
@benjackwhite I appreciate your detailed response (I'm a colleague of @grahamc and was thus also bitten by this). We've all been there and it's no fun and I totally get that. But I do need to express that users who depend on the current behavior are, as they say nowadays, holding it wrong, and I don't think that any inconvenience caused by reverting the behavior should be factored into the decision about how to proceed. As for not using
In #1176, `has_opted_out_capturing` and `has_opted_in_capturing` changed behavior significantly.

Before that PR, those functions called `hasOptedIn` and `hasOptedOut`, which were defined as:

and:

but after that PR, those functions were redefined:

The difference is subtle, but `getStorageValue` would return null or undefined if the value wasn't set. That means `hasOptedIn` and `hasOptedOut` could both return `false`. But now, `isOptedIn` is explicitly the opposite of `isOptedOut`. If there is no preference, `isOptedOut` will return false, and `isOptedIn` will return true. This is not correct, and breaks the behavior of `has_opted_in_capturing()`.

Until earlier this year, the recommended way to implement a cookie banner was by checking `!(posthog.has_opted_out_capturing() || posthog.has_opted_in_capturing())`. Now, any site that has implemented this mechanism is accidentally violating the GDPR by not displaying the cookie banner, even when the user has not consented.

Further, `has_opted_in_capturing()` has undoubtedly been used in many places to explicitly turn on additional features and behavior that is predicated on the user having opted in.

My hope is that `has_opted_in_capturing()` will be corrected to represent the user's actual consent.
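
A minimal model of the two behaviours described in the issue, added here as an illustration and not taken from the PostHog code base; the stored values `'1'`/`'0'` and all function names are assumptions. It evaluates the quoted banner check for each stored state and includes a regression check that an unset preference reads as undecided.

```javascript
// Added illustration; a simplified model, not PostHog's source.
// The stored values '1' / '0' and every name below are assumptions.
const GRANTED = '1';
const DENIED = '0';

// Model of the earlier behaviour described above: each predicate compares the
// stored value on its own, so an unset value makes both return false.
function independentPredicates(getStorageValue) {
  return {
    hasOptedIn: () => getStorageValue() === GRANTED,
    hasOptedOut: () => getStorageValue() === DENIED,
  };
}

// Model of the later behaviour: opted-in is defined as "not opted out",
// so an unset value reads as opted in.
function negatedPredicates(getStorageValue) {
  const hasOptedOut = () => getStorageValue() === DENIED;
  return { hasOptedIn: () => !hasOptedOut(), hasOptedOut };
}

// The banner check quoted in the issue.
function shouldShowBanner(p) {
  return !(p.hasOptedOut() || p.hasOptedIn());
}

// Evaluate the banner check for the three possible stored states.
function bannerMatrix(makePredicates) {
  const states = { unset: undefined, granted: GRANTED, denied: DENIED };
  const out = {};
  for (const [name, value] of Object.entries(states)) {
    out[name] = shouldShowBanner(makePredicates(() => value));
  }
  return out;
}

// Regression guard: with no stored preference (null or undefined),
// neither predicate may report true.
function unsetIsUndecided(makePredicates) {
  return [null, undefined].every((v) => {
    const p = makePredicates(() => v);
    return !p.hasOptedIn() && !p.hasOptedOut();
  });
}

console.log('independent:', bannerMatrix(independentPredicates));
console.log('negated:    ', bannerMatrix(negatedPredicates));
```

A check like `unsetIsUndecided` in a consuming site's test suite would flag this kind of change on a dependency upgrade before the banner silently stops appearing.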