Concerning the second part: Why again? Everything is said.

It would be good enough to state in the privacy policy that there is no data collected and that there are no cookies stored for public visitors.

1. It's sufficient to state in the privacy policy that you're site stores session cookies. session cookies do not require consent. These cookies are needed by Joomla at some places even if a user is NOT logged in (just by the way). A technical requirement.

2. You do NOT need to state in the privacy policy what your site does NOT do.

Therefore my question: You have a privacy policy. You like to have a new setting in Joomla just to avoid 1 additional standard sentence or paragraph in the privacy policy????

I think that that would be a stupid idea! What comes next?

By the way: There is already a setting "Track Session Metadata" in Joomla configuration. This reduces stored session data to a minimum.

if you are able to create a pr please make a concept how it should work (step by step) and share it with us. If it's conceptional good and possible maintainers will discuss it and give you feedback if we would merge such a pr. (that way would solve you time creating a PR which is not accepted).

Beside that the issue tracker is not broken, the old issue has been locked by robert.

@ReLater wrote:

It's sufficient to state in the privacy policy that you're site stores session cookies. session cookies do not require consent. These cookies are needed by Joomla at some places even if a user is NOT logged in (just by the way). A technical requirement.

Sorry, but this statement is not correct!

I do understand that Joomla! is using session cookies. But I do not see that it is a technical requirement. I do not see that it is impossiple to program a website in a way that it might be viewed without sessions and cookies. Any simple webserver is able to show pages without session cookies.

To make it clear: I understand that Joomla is using sessions (and session cookies to identify users) as a core feature. This means Joomla! is processing personal data. But that it works like this is a desicion of the developers. It does not mean that it cannot be done without.

Further

The GDPR (in German DSGVO) applies whenever personal data is processed for someone called the controller (in German "Verantwortlicher") (article 4 §7) living in the Europe Union or if a website is aiming at European people (it does not matter if it is paid for or not).

If you read the GDPR Recital 32 Conditions for Consent (in German DSGVO Erwägungsgrund 32 Einwilligung) it says:

Consent should be given by a clear affirmative act ...
This could include ticking a box when visiting an internet website ...
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

This means, that if the end user is not actively confirming that he accepts that he is identified through a session, it is not allowed to do so. And that concludes that Joomla! is violating European law, beause Joomla! starts the session and sets a cookie before the end user has a chance to accept or deny it!

To make clear what we are talking about

GDPR Article 83 §5 states that:

Administrative fines shall ... be given to the following:
Infringements of the following provisions shall ...
be subject to administrative fines up to 20 000 000 EUR ...
the basic principles for processing, including conditions for consent

@HLeithner

Sorry I do not know what a pr is and I also do not know what a PR is.

Can you please explain what you want me to explain step by step? If I can, I certainly will. Thanks.

You wrote:

Beside that the issue tracker is not broken, the old issue has been locked by robert.

Robert wrote, that he wants to lock it for one person, not for everyone. And after that there was no comment form visible. Two days later the comment form is visible again, but after long writing, trying to submit gives a error message without hint what happened.

sorry I think I mixed up 2 comment from 2 different persons, I thought you can write php code.

About the session cookie, there is so much discussion which I don't do anymore because if you ask 3 lawyers you get 5 answers. So until due EUGH says what's fact everything else is talk between blind people.

Never the less I would really like to see joomla without session cookie (at some point I already wrote a proof of concept which does 0 database queries, means no session loading). But to be honest it's not so easy, most of the extensions (core and 3rd party) depend on a "user object" which maybe empty but they require it and maybe safe information in the session store. It's hard to detect if it's really needed.

So if some one find all the caveats and remove the user session for public access I'm full in favor for it.

The only thing worse than a joomla user talking about node is a joomla user talking about the law.

1. The session cookie does not contain any personal identifiable information
2. Joomla isn't breaking any law. If you think the session cookie requires consent then it is your site that is breaking the law
3. The session cookie plays an important role in securing your site. (no I wont discuss it here but it is obvious if you read the code)

@HLeithner
No problem, I learned so many languages PHP is just not one of them.
There is enough I can do to help. Even without coding. :-)

Well its simply reading the document. Just 99 articles and only the first half is important for this discussion. Lucky that it is not eaten as hot as cooked. (Gives some time to discuss and work on it)

If anybody is interested, this GDPR version is easy to read, switch between German and English and has links to the original papers.

Having no session and no cookies (meaning no personal data at all) would not only simplify the privacy statement but also all the provisions about documenting, processing and handling of personal data.

Maybe the following is an approach to simplify the technical problem

• Have a global configuration switch to disable all cookies.
• Have a fake session (lets name it public).
• As long as there is no session cookie in the end users browser connect the user object to a copy of this fake session.
• Just add a flag in the session table that it is a copy of the fake session.
• Do not allow to log on as long as this flag is set.
• All the other parts could work as they are used to because the copy of the fake session looks like a real session to them. Only without cookie.

If a user identifies himself, then create the session cookie and a real session without the public flag, as Joomla! is used to.

Of cause no other cookies.

moving in a better place