Implement Cookie Consent banner

[geropl]

Internal thread: https://gitpod.slack.com/archives/C02EN94AEPL/p1646071841755889

We should align with @mikenikles on a implementation. Suggestions:

• https://www.osano.com/cookieconsent
• https://brainsum.github.io/cookieconsent/
• https://github.com/beyonk-adventures/gdpr-cookie-consent-banner (example: https://beyonk.com/)

[geropl]

• RFC: https://www.notion.so/gitpod/835214fc21224ba78c3a2d1df95f4faf?v=c3e0899e034040fd889db011241e4733&p=525099227a8d4cb0974032c8232d7af9
• Data Privacy Guideline: https://www.notion.so/gitpod/Data-Privacy-Guideline-42e96258e7594841a1706ba832c5ac16
• List of Cookies and Categories: https://www.notion.so/gitpod/a8f22878433e4c00a98dc5affe08f42d?v=2ec614009b1749c2a16401300ed1208d

[geropl]

things we need:

• banner to ask (should be as slick as possible)
• page to get back, review and change settings

[securitymirco]

• We need to allow our users to go back to the cookie consent settings, this could be done with a link inside our website footer

[geropl]

• Cookies to check: Chargebee

[gtsiolis]

Re-posting from a relevant discussion (internal):

Is this for the product (dashboard) or the website? For the website we already have a cookie consent banner.

[geropl]

@gtsiolis This is the issue for the webapp parts, but we aim for a single solution for both, website and webapp.
I was not aware that website already has one, do you have a pointer? We just talked with @mikenikles , and he agreed that we need a (new/better?) one.

[gtsiolis]

@geropl I could be missing something but:

1. Here's a screenshot below of the cookie consent banner we already have on the website, implemented in https://github.com/gitpod-io/website/pull/298. Cc @mikenikles
2. We also recently changed the footnote when logging in the dashboard so that you also accept terms of service and privacy policy, see relevant PR in Link to privacy policy from login page #8546. Cc @jldec

Existing cookine consent banner in www.gitpod.io	Terms and privacy policy linked in dashboard login

[geropl]

@gtsiolis Thx for the reference! The motivation to touch this is that the current impl/footnote is not GDPR compliant as we learned from @MircoatGitpod . But the current banner looks like sth we could easily use and extend. WDYT @mikenikles ?

[laushinka]

It does look like we can extend the website's cookie banner. Maybe something like this?

[securitymirco]

@laushinka Yes we could implement it like this, great suggestion!

@gtsiolis fyi - I published a description of basic and advanced cookie consent here

[laushinka]

@MircoatGitpod I guess we still need design and wording ideas for the cookie settings?
Also, what does the user see when they click "Reject all"? Currently when they click "Accept Cookies", the banner just disappears slowly.

Looking forward to hearing what @mikenikles thinks too, in case extending the existing banner has limitations.

[securitymirco]

@laushinka Good point!

• "Reject all" should just disregard the banner and only run with strictly necessary cookies.

• "Modify settings" would bring you into an additional dialog, displaying the categories of cookies we have (Strictly necessary, Functional, Analytics / Performance, Targeting / Marketing) which you can then opt-in to (except strictly necessary). Including descriptions ... I added some wording we can use inside our list of cookies here

[laushinka]

@MircoatGitpod Thanks for the settings wording suggestion!
Should we also still incorporate the terms of service that is in the original wording of the gitpod.io app? It's currently "By signing in, you agree to our terms of service and privacy policy."

[securitymirco]

@laushinka In this case we wouldn't need to add a reference to our terms of service.

[laushinka]

@jakobhero @MircoatGitpod How do we want this reflected in or sent to our analytics?

[securitymirco]

@jakobhero do you see a good use-case for that?

We definitely need to make sure a user won't get tracked inside our analytics if an opt-out was provided.

[laushinka]

After trying out both creating our own and external solutions, @nisarhassan12 and I decided to develop our own solution. Reasons:

1. Implementing an external solution only helps us with the initial design, but the functionality will cost the same effort.
2. This will also reduce the effort in understanding the implementation of an external library and trying to adjust it to our usecase.

Therefore, it would be great to also involve the help of product design @gtsiolis 🙏🏽
cc: @MircoatGitpod

[laushinka]

Rough idea:

BANNER	COOKIE SETTINGS

[laushinka]

After a realignment sync among @MircoatGitpod @geropl @gtsiolis and I, it was decided that since the Dashboard doesn't store any non-necessary cookies, we do not need a cookie banner or settings there.

Next steps:

1. @MircoatGitpod will create a privacy policy page that will be linked in the Dashboard and website.
2. The banner and settings will only be implemented in the website. cc @nisarhassan12