
Add GDPR-compliant cookie consent and Privacy Policy#3

Merged
paulpv merged 6 commits into main from copilot/add-professionalism-to-site on Mar 29, 2026

Conversation


Copilot AI commented Mar 28, 2026

  • Move inline <style> block from public/privacy.html into public/css/style.css
  • Wrap localStorage reads/writes in try/catch; set window.analyticsConsented flag
  • Fix: enableAnalytics() now only fires if localStorage.setItem succeeded — analytics is never enabled when consent can't be persisted
  • Refactor: consolidate consent+gtag guard into a single canTrack() helper in app.js; all four event tracking call-sites use it


@github-actions

github-actions Bot commented Mar 28, 2026

Visit the preview URL for this PR (updated for commit 80574cc):

https://lookatwhataicando-1337--pr3-copilot-add-professi-mryos4lz.web.app

(expires Sun, 05 Apr 2026 03:02:21 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: b998005ea2794ad052d0fefa06ef6d4567c1e52a

@paulpv paulpv marked this pull request as ready for review March 28, 2026 22:19
Copilot AI review requested due to automatic review settings March 28, 2026 22:19

@paulpv paulpv left a comment


@copilot Is this enough to be GDPR compliant, or does the confirmation need customization fields for necessary, performance, marketing, etc.?


Copilot AI commented Mar 28, 2026

> @copilot Is this enough to be GDPR compliant, or does the confirmation need customization fields for necessary, performance, marketing, etc.?

For this site's actual data processing activities, the current single accept/decline is sufficient for GDPR/ePrivacy compliance. Here's why:

Granular category checkboxes (necessary / performance / marketing) are only required when you have multiple distinct non-essential processing purposes. This site currently only has one non-essential purpose: Google Analytics. So there's nothing to split into separate categories.

What the current implementation does satisfy:

  • Default deny — no cookies are set before consent
  • Informed consent — the banner describes what GA is used for and links to the Privacy Policy
  • No pre-ticked boxes — the choice is actively made
  • Persistent, revocable — decision is stored and documented opt-out instructions are in the Privacy Policy
  • No bundled consent — analytics is the only non-essential activity being consented to

If/when granular categories would be needed:
Adding marketing pixels (Meta, LinkedIn), retargeting/ad networks, social embeds, or third-party A/B testing tools — any combination of meaningfully different processing purposes would warrant a category-based consent UI.

One remaining grey area worth noting: Google Fonts is loaded from Google's CDN on every page load, which transmits the visitor's IP to Google regardless of consent. German DPAs in particular have flagged this. Self-hosting the fonts (downloading and serving from /public/fonts/) would close that gap entirely, but that's a separate change from the consent banner categories.
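The consent gate that the PR body describes (try/catch around localStorage, analytics enabled only when setItem succeeded, one canTrack() guard for every call-site) together with the default-deny property argued above, as an added JavaScript example; this is not the repository's consent.js, and makeConsentGate, memoryStorage, recordingGtag, the 'cookie_consent' key and the G-PLACEHOLDER measurement ID are this example's own assumptions.

```javascript
// Added example, not the PR's own consent.js: a consent gate with the properties the
// PR describes (default deny, try/catch storage, enable only when persisted, one
// canTrack() guard). All names below are this example's own, not the repo's.
const CONSENT_KEY = 'cookie_consent'; // assumed storage key
function makeConsentGate(storage, gtag) {
  let analyticsConsented = false; // stays false until accept() has persisted
  // Default deny: GA must not set analytics cookies before explicit consent.
  gtag('consent', 'default', { analytics_storage: 'denied' });

  function readConsent() { // 'accepted' | 'declined' | null
    try { return storage.getItem(CONSENT_KEY); } catch (e) { return null; }
  }
  function persist(value) { // false in private mode / quota / storage disabled
    try { storage.setItem(CONSENT_KEY, value); return true; } catch (e) { return false; }
  }
  function enableAnalytics() {
    gtag('consent', 'update', { analytics_storage: 'granted' });
    gtag('config', 'G-PLACEHOLDER'); // placeholder measurement ID
    analyticsConsented = true;
  }
  // Enable only when the decision was persisted: otherwise GA would run now
  // and the visitor would be re-prompted on the next load.
  function accept() { if (persist('accepted')) enableAnalytics(); return analyticsConsented; }
  function decline() { persist('declined'); analyticsConsented = false; return false; }
  // Single guard for every event call-site: consent given AND gtag present.
  function canTrack() { return analyticsConsented && typeof gtag === 'function'; }
  function trackEvent(name, params) {
    if (!canTrack()) return false;
    gtag('event', name, params || {});
    return true;
  }
  if (readConsent() === 'accepted') enableAnalytics(); // restore a prior choice
  return { accept, decline, canTrack, trackEvent, needsBanner: () => readConsent() === null };
}

// Constructed in-memory stand-ins so the gate can run outside a browser.
function memoryStorage(failWrites) {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { if (failWrites) throw new Error('QuotaExceededError'); m.set(k, v); },
  };
}
function recordingGtag() { // records every gtag() call for inspection
  const log = [];
  const g = (...args) => { log.push(args); };
  g.log = log;
  return g;
}
```

Passing `memoryStorage(true)` simulates a browser that refuses the write; in that case `accept()` returns false and the only gtag call recorded is the initial default-deny.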

Copilot AI requested a review from paulpv March 28, 2026 22:22

Copilot AI left a comment


Pull request overview

Adds GDPR/ePrivacy-oriented analytics consent gating and introduces a standalone Privacy Policy page for this static marketing site, aiming to prevent GA4 from running before user consent.

Changes:

  • Gate GA4 by defaulting analytics_storage to denied and only enabling GA4 config after explicit acceptance.
  • Add a persistent cookie consent banner and supporting JS (public/js/consent.js) using localStorage.
  • Add public/privacy.html and link it from the site footer.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File | Description
public/index.html | Sets GA consent default to denied, adds cookie banner markup, loads consent script, adds Privacy Policy footer link.
public/js/consent.js | Implements consent persistence and enables GA4 only after acceptance.
public/css/style.css | Styles the cookie banner and adjusts footer layout/link styling.
public/privacy.html | Adds a new Privacy Policy page and footer link.

Comment thread public/js/consent.js
Comment thread public/index.html
Comment thread public/index.html Outdated
Comment thread public/privacy.html Outdated
Comment thread public/privacy.html Outdated
@paulpv

paulpv commented Mar 28, 2026

> One remaining grey area worth noting: Google Fonts is loaded from Google's CDN on every page load, which transmits the visitor's IP to Google regardless of consent. German DPAs in particular have flagged this. Self-hosting the fonts (downloading and serving from /public/fonts/) would close that gap entirely, but that's a separate change from the consent banner categories.

@copilot Create a PR to implement self-hosting the font


Copilot AI commented Mar 28, 2026

@paulpv I've opened a new pull request, #4, to work on those changes. Once the pull request is ready, I'll request review from you.

paulpv and others added 3 commits March 28, 2026 16:56
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

@paulpv paulpv left a comment


Comment thread public/js/app.js Outdated
Comment thread public/js/consent.js Outdated
Copilot AI requested a review from paulpv March 29, 2026 02:57
@paulpv paulpv merged commit 4948e17 into main Mar 29, 2026
5 checks passed
@paulpv paulpv deleted the copilot/add-professionalism-to-site branch March 29, 2026 07:58