Cookies not blocked before consent, 500 error when translating blog posts, and navigation bar issues when cookies are rejected in website_cookiebot module #1063

Open
annikasmadsen opened this issue Oct 9, 2024 · 12 comments

Comments

@annikasmadsen

module: website_cookiebot
version: 17.0

Steps to reproduce

  1. Install the module in the database.
  2. Activate the module and insert the domain group ID from the Cookiebot account.
  3. Request Cookiebot to scan the website for cookies.
  4. After scan is finished, test the functionality of the module on the website.

Current behavior

  1. The module does not automatically block cookies before the user consents. Facebook/Meta, Hotjar, and LinkedIn cookies are loaded before any choice is made in the cookie banner. Even after selecting "necessary only," these cookies are not blocked. See video here: https://drive.google.com/file/d/1RJSeI4Vtvvplmqd8iSiKtjSCed3bRneG/view?usp=sharing.
  2. We receive a "500: Internal Server Error" when trying to translate a blog post into another language. Odoo support has confirmed that this error is caused by the module, and we have verified this by uninstalling the module, which resolves the error. This happens regardless of cookie consent (whether accepting all or rejecting all). See video here: https://github.com/user-attachments/assets/ba93ec7f-9a37-4d2f-940d-11a80756e62c.
  3. If cookies are rejected, the navigation bar is affected. On desktop, the navigation bar flickers when loading a new page. On mobile view, the navigation bar sometimes becomes non-functional; it can be opened, but clicking on menu items does nothing. These issues disappear if all cookies are accepted.

Expected behavior

  1. Cookies should be blocked until user consent is provided, as per the selection in the cookie banner.
  2. No internal server errors should occur when translating blog posts.
  3. The navigation bar should function correctly regardless of the cookie consent choice.
@pedrobaeza
Member

For being blocked, you must configure which cookies to block at CookieBot side AFAIK.

@annikasmadsen
Author

annikasmadsen commented Oct 11, 2024

> For being blocked, you must configure which cookies to block at CookieBot side AFAIK.

@pedrobaeza Could you clarify what you mean by needing to configure which cookies to block on CookieBot’s side? As I understand it, cookies are automatically categorized by CookieBot after scanning, and as shown in the video, the mentioned cookies are categorized under statistics and marketing at Cookiebot. They should be blocked before any cookie consent is made, and they should not be triggered unless I select the necessary cookies option.

@pedrobaeza
Member

Well, I don't know the exact procedure, but I know that there's something to be done at CookieBot side to get the scripts blocked. It's not something of the module itself.

@annikasmadsen
Author

@pedrobaeza I strongly believe that we have configured Cookiebot right. We have been in direct contact with Cookiebot multiple times. They believe something is wrong with the module. That is also our experience.

@pedrobaeza
Member

OK, then I can't help you more. I know that the module is working on version 16.0. Maybe the migration is indeed incorrect. @adriresu can you check?

@pedrobaeza
Member

And anyway, Odoo is now handling properly the retention of the scripts thanks to odoo/odoo#180960, so maybe that path is better.

@annikasmadsen
Author

Sorry, I’m not quite sure I fully understand what you mean. I’m a functional business analyst, so I’m not as strong on the technical side. When you say “maybe that path is better,” are you referring to inserting the Cookiebot script directly into the of the website builder in Odoo instead of using the Cookiebot module?

@pedrobaeza
Member

No, I'm referring that you don't need CookieBot anymore.

@annikasmadsen
Author

Most of our clients and ourselves use tracking cookies from Facebook, LinkedIn, Google, and so on. Unfortunately, Odoo's standard solution is not GDPR compliant, and we have not yet found a solution that is both GDPR compliant and fully functional.

@pedrobaeza
Member

Yes it is with this and overriding the corresponding method for adding the extra scripts.

@annikasmadsen
Author

How is it compliant? In the European Union, the use of cookies is primarily regulated by two key pieces of legislation:

  1. The ePrivacy Directive (Directive 2002/58/EC, also known as the "Cookie Directive"):
  • Consent Requirement: The directive mandates that websites must obtain informed consent from users before storing or accessing cookies on their devices, except for cookies that are strictly necessary to provide a service explicitly requested by the user.
  • Information Provision: Users must be provided with clear and comprehensive information about the purposes of the cookies and the processing of data collected through them.
  2. GDPR (Regulation (EU) 2016/679):
  • Consent Standards: Under the GDPR, consent must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action from the user.
  • Right to Withdraw Consent: Users have the right to withdraw their consent at any time, and it must be as easy to withdraw as it was to give consent.
  • Transparency: Companies must be transparent about how they process personal data, including data collected via cookies.

Requirements for Cookie Banners under EU Regulations that Odoo standard cookie banner does not comply with:

1) Clear and Understandable Information:

  • Purpose of Cookies: Users must be informed about what types of cookies are used and for what purposes (e.g., analytical, preference, or marketing cookies).
  • Third Parties: If third-party cookies are used, this must be disclosed, including the identity of these third parties.

2) Choice:

  • Option to Refuse: It should be as easy for users to refuse cookies as it is to accept them. The "Reject" or "Customize Settings" buttons should be as prominent as the "Accept" button.
  • Preference Settings: Users should have the option to select which types of cookies they wish to accept or refuse.

3) Withdrawal and Modification of Consent:

  • Easy Access: Users must be able to easily change their cookie preferences or withdraw their consent at any time.

4) Documentation and Accountability:

  • Proof of Consent: Organizations must be able to demonstrate that valid consent has been obtained.
  • Compliance with GDPR Principles: This includes data minimization, purpose limitation, and secure processing of personal data.

@pedrobaeza
Member

OK, I don't continue with this as I don't have time. The issue is opened for anyone to check.
