ToggleDarkTheme could lead to GDPR issues

[kerkmann]

tldr; DO NOT use the ToogleDarkTheme script, DO NOT use the SidebarToggle script from the bought template, DO NOT use the DarkMode script from the website; otherwise you're risking getting a 50,000 euro GDPR-fine

Describe the bug
The Flowbite library, website and purchased templates are not compliant with the General Data Protection Regulation (GDPR). If they are used, there is a risk that the person or company will have to pay a fine of 50,000 euros. The background of the problem is that the setting for the light/dark mode is stored in the browser's local storage. According to § 25 (1) of the German Telemedia Act (TTDSG), it is NOT permitted to store data without consent, both as a cookie and in local storage. However, there is no prior explicit consent. Both the toggle button and the sidebar (in the purchased template) write directly to local storage without the user having to agree to the storage of data beforehand. However, according to the German Telemedia Act, only the necessary storage without consent is permitted. I have contacted my lawyer and asked for legal advice. He confirmed that this would be a violation of the GDPR because both the theme and the sidebar are not necessary for transmitting the data. My suggestion would be to only allow the storage to be used if there has been prior approval. This applies not only to German customers, but also to all other countries. There have already been many incidents of this, often known as "cookie compliance". However, as already mentioned, the law does not only apply to cookies, but also to local storage. It would be safer to remove this incorrect information from the documentation or at least provide a disclaimer and fix all libraries as soon as possible. In my opinion, at least the direct customers should also be contacted. Otherwise, there is a risk that they will be fined for high amounts of money due to ignorance.

To Reproduce

1. Include the <DarkThemeToggle /> button
2. Press the Toggle Theme button
3. See that there is a property theme in the local-storage

Expected behavior
There need to be a consent screen BEFORE it's allowed to store the theme.
Without any permissions, it's PROHIBITED to store any data.

Project information:

• Tailwind: 3.0.0
• Flowbite: 1.4.7
• Flowbite React: 0.1.2
• Type: CRA

Additional context
This is also related to the documentation because there is no disclaimer.
And I'm sure it's also causing other libraries, like VUE (TBD;).

[rluders]

I would definitely remove the user preference storage. Mostly 'cause if the user has to accept cookies or allow localstorage to be written, it can be done easily from the application/website that is using flowbite-react. Let's remove this feature from the component.

[zoltanszogyenyi]

Hey @kerkmann,

Thanks for bringing up this issue especially after taking this case to a lawyer.

After our initial discussion on Discord I've taken some time to document myself on the possibility of storing the dark or light mode preference in the local storage of the browser without showing a cookie consent component with an explicit yes or no confirmation.

First of all, I would like to point out that after checking out some other libraries and open-source projects that are arguably much more widely used and adopted than Flowbite have been using the dark mode switcher component and using localStorage to store this preference inside the browser for a long time, without an explicit cookie consent modal showing up.

Some examples would be Tailwind CSS (which Flowbite relies on as a library), Chakra UI, Material UI and even Bootstrap.

Some screenshots to to confirm this:

That being said, as long as other larger libraries are not taking action in this regard and noticeably affect the experience of users browsing the website, meaning we would have to show a cookie consent just for storing trivial information such as dark mode or light mode, would most definitely be unfair.

Furthermore, as I've researched this topic I have found some more information regarding this:

“Receive users’ consent before you use any cookies except strictly necessary cookies.

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies.

Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.”

So you would have to ask for consent for “preferences” but you don’t need to ask for those as soon as someone enters a site like you need to ask for marketing/tracking cookies. You can for instance have a “remember me” box and let users check it in case they want to save settings such as dark mode or they try to login.

Source: https://gdpr.eu/cookies/ and discussion quote from here.

So most definitely in this case storing the dark or light mode theme should be regarded as a "Preference cookie". But we do not set this in the localStorage, unless the user explicitly clicks on the dark mode switcher which inherently gives consent to use either the dark or light mode as they browse the website.

@kerkmann I would appreciate if you could ask your lawyer if as long as the user clicks on the dark mode switcher, knowing they are choosing either light or dark mode if we still have to show a cookie banner/modal to ask for permission - because I am sure that anyone who reads this knows that it is absurd to do that.

It is not the effort that takes us to change this functionality across the Flowbite ecosystem that makes us question the possibility of a 50,000 EUR fine for storing the dark or light mode functionality (even if the user performed a clear action) that makes me think it's absurd, but also the fact that seemingly 99% of the open-source projects that use a dark mode switcher does this without showing the cookie modal.

In any case, I can confirm that we will update our documentations and products to recommend showing a cookie consent modal (for which we actually have components created for) to completely reduce the risk of a ridiculous reason to give a GDPR fine for.

@kerkmann I'm willing to cooperate on this one, but let's first check things out with other communities and libraries as well such as Tailwind CSS/Bootstrap/Material UI and as I've mentioned earlier, can you please confirm with your lawyer that the user actually clicks on the theme switcher before storing it?

Additionally, it would probably be a great idea to create an issue on the repositories of the libraries that I've mentioned as they are doing the same thing as what happens with Flowbite and we would be a lot more willing to make this change if the other OSS libraries cooperate to - if indeed we cannot store this information even if the user chooses the dark or light mode theme via click.

I would definitely remove the user preference storage. Mostly 'cause if the user has to accept cookies or allow localstorage to be written, it can be done easily from the application/website that is using flowbite-react. Let's remove this feature from the component.

@rluders that makes a lot of sense from an architecture point of view, but I would first also check in with other libraries and see what @kerkmann responds related to the user click from his lawyer before also removing the LS storage completely (not on an application level, but also on our documentation).

Much appreciated!

Zoltan

[kerkmann]

unless the user explicitly clicks on the dark mode switcher which inherently gives consent to use either the dark or light mode as they browse the website.

But that consent is as far as I understood, not clear for the user.
With a consent screen, you agree that there will be data stored, you "can read it and know what is happening". But without a consent screen, the user doesn't know that he is storing data, the user doesn't know that the theme will be stored, by pressing the theme toggle button. ^^"

@kerkmann I'm willing to cooperate on this one, but let's first check things out first with other communities and libraries as well such as Tailwind CSS and as I've mentioned earlier, can you please confirm with your lawyer that the user actually click on the theme switcher before storing it?

I'll ask them about that and inform you, can take some time. :)

[zoltanszogyenyi]

I'll ask them about that and inform you, can take some time. :)

Thanks a lot for that! Alternatively, what if we show a popover component or tooltip showing that if the user clicks on the dark mode switcher they agree that this will be stored in LS?

I mean it's just so hard to imagine that we will have to show a cookie consent across all our apps for the dark mode switcher AND every other open-source library would also just ignore that :(

Cheers,
Zoltan

[oliviertassinari]

I don't think that consent is required. The two exceptions apply:

Without this storage, the site doesn't work in the initial load:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

And for the subsequent theme changes, this one apply as well:

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The German exceptions match with the UK guidances and exceptions shared in https://law.stackexchange.com/questions/30739/do-the-gdpr-and-cookie-law-regulations-apply-to-localstorage.

[oliviertassinari]

This issue can definitely be closed https://github.blog/2020-12-17-no-cookie-for-you/

[rluders]

It seems that we are good with this one. So, I'm closing it, but I created a follow up task for it.

[porg]

I came here after a web search for storing user preference in local storage gdpr compliant and found this great legal/technical discourse here — which clearly shows that saving a harmless user preference such as "color-theme: dark" or "accessability-contrast: high" in local storage is GDPR compliant:

1. as it stores no user identifiable data,
2. and is covered by the clear exception that no consent is necessary if the stored data is necessary for the website to function properly (e.g. keep your color preference for the next subsequent clicks).

[Alan-FGR]

Unfortunately there's quite a lot of misinformation here.

What we are discussing here is whether as european entities we can be in trouble for GDPR non-compliance by keeping the state of a theme toggle switch in cookies.

I insist you should get proper legal advice for this, but clearly the OP is right, and it just takes actually reading the links you post here to have that clarified: GitHub removed all "non-essential" cookies, what means cookies without which the website can't possibly work at all. Is keeping the state of a theme switcher absolutely required for a website to work? Clearly it's not, and if we were to get fined for non-compliance, chances are, whoever is deciding on our punishments has the same mentality of the people who made these absolutely archaic and uninformed laws, and we probably won't have the same army of lawyers GitHub has at their disposal.

@zoltanszogyenyi if we disregard the theme state, only one of these liked websites would be GDPR compliant, just take a look at your browser developer console (might take a scrolldown) and you can clearly see these set tracking cookies, even from 3rd parties. If we consider the theme state a "strictly necessary" cookie (which it's not), then the Tailwind website would be compliant, the others wouldn't.

@porg the law very clearly states that you can't store that data in the browser without prior consent. The law is not at all concerned on whether it's "harmless" or not, or its purpose. Don't take any word from this thread, but ask your lawyer. Chances are, if you only have a theme switch, and don't want to bother your users with the cookie banner, your lawyer will tell you not to risk it and either not store the cookie or ask for consent.

I find it very irresponsible what some people said here. I absolutely loathe the cookie law, but it is what it is, I know this is going to be downvoted like there's no tomorrow because a lot of people don't want to hear the truth; they want to hear that they can do whatever they want. But this needs to be said.

The terminology used in the law is not whether it's "core site functionality", "harmless", "used for tracking" or any opinions people are voicing in these linked pages. The terminology in the law is "strictly necessary" and "preferences". The state of a theme switch is so very clearly a "preference" that it's not even worth discussing that, and for those you need the user's consent. This is what the law says. I don't like it as well, but this thread is not about opinions or what we like.

[porg]

Thanks for the expertise!