
Question - GDPR compliance #2639

Closed
mdiyoda opened this issue Nov 27, 2021 · 7 comments · Fixed by #4625

@mdiyoda

mdiyoda commented Nov 27, 2021

I was wondering if Authelia complies with GDPR rules.
For example, if I use Authelia to hide my personal stuff, like Grafana, Prometheus etc., and use the basic setup with 2FA authentication.
I can see that when I land on the Authelia login page, there are no cookies before login. Is there some other tracking I am not aware of?
If yes, is it possible to add a GDPR consent banner to the login page?

Thanks in advance for an answer :)

@james-d-elliott
Member

james-d-elliott commented Nov 27, 2021

Thanks for asking. I will try to explain the process to the best of my ability.

Basically, upon login Authelia sets a single session-matching cookie. This cookie has a randomly generated string which is unique per login. This cookie is used to match a user against a stored session which contains the user's private details. The cookie is not used to track users' activity, just to ascertain which restricted areas of a site they are permitted to visit.

As the cookie is used to access secure areas of a site and not for any auxiliary tracking purpose, the cookie is classified under the GDPR in the Strictly necessary cookies section, which makes it exempt from the consent rules.

Potentially we could add something regardless, however it would be a lower priority since the way in which we use cookies complies with the GDPR already I believe.

@mdiyoda
Author

mdiyoda commented Nov 28, 2021

So there is probably no need for an additional banner/popup with GDPR consent information.
Thanks for explaining. Have a nice weekend :)

@james-d-elliott
Member

As long as my understanding of the GDPR is correct then yes (and I'm 99.9999% certain it is for consent, there may be some stipulation about disclosure which I'll check). I'll leave this open since it wouldn't be a bad idea to add something to the effect of a privacy statement anyway. Also in the event I'm mistaken about the GDPR it would be good to make very specific citations for future queries anyway.

Also as a side note - my understanding of the GDPR should not be understood as legal advice naturally.

@Jotr38487

Yes there is, let me look into it exactly so I don't tell you the wrong way.

@james-d-elliott
Member

Here are the official GDPR guidelines: https://gdpr.eu/cookies/

Looks like we should have clear information that we use cookies and what they do:

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

@james-d-elliott james-d-elliott added this to the v4.34.0 milestone Dec 4, 2021
@james-d-elliott james-d-elliott modified the milestones: v4.34.0, v4.35.0 Jan 27, 2022
@james-d-elliott james-d-elliott modified the milestones: v4.35.0, v4.36.0 Apr 3, 2022
@james-d-elliott james-d-elliott modified the milestones: v4.36.0, v4.37.0 Jun 14, 2022
@james-d-elliott james-d-elliott modified the milestones: v4.37.0, v4.38.0 Sep 16, 2022
@james-d-elliott
Member

#4624 adds documentation here: https://www.authelia.com/privacy/#application

#4625 will hopefully allow users affected by GDPR to add their own link to their own relevant GDPR required privacy policy (which we cannot provide as we do not know what they do with the information collected).

@james-d-elliott
Member

james-d-elliott commented Jan 7, 2023

@mdiyoda see https://63ba026f55bef70008339907--authelia-staging.netlify.app/configuration/miscellaneous/privacy-policy/

You can check it out with #4625 which uses the tag feat-links-privacy.

james-d-elliott added a commit that referenced this issue Jan 22, 2023
This allows users to customize a privacy policy URL at the bottom of the login view.

Closes #2639