Managing Data Privacy and Concent
Managing Data Privacy and Consent¶
Please see the internal Confluence page on Mozilla's overall approach to handling data privacy and cookie consent management on www.mozilla.org. This page will include detailed legal guidance and FAQs on the permitted use of tracking technologies.
Here we will cover bedrock's technical approach to implementing data consent per that legal guidance, whilst also balancing UX considerations and input from other teams.
In EU and EAA countries where explicit consent to cookies and analytics is required, there are certain web page URLs where bedrock will display a cookie consent banner. These URLs are stored in a strict allow-list. URLs that are not in this list will neither show a banner, nor load any non-necessary cookies / analytics in the EU/EAA. The intent here is to provide as little disruption for our website visitors as possible, whilst still allowing opt-in to analytics URLs such as campaign pages. It is also possible to force the banner to show on any EU page by adding a query parameter ?mozcb=y (used for specific campaign traffic sources such as advertisements).
Visitors in the EU/EAA countries can also send an opt-out signal by enabling either Global Privacy Control (GPC) and Do Not Track (DNT) in their browser. If either of these signals are enabled then we do not show a banner. Individual cookie preferences can also be updated via a dedicated cookie settings page linked in the main footer.
In non-EU/EAA countries, non-necessary cookies and analytics are loaded by default. Visitors can still opt out via the cookie settings page. Enabling GPC / DNT will also act as an opt-out signal where needed.
There is a Figma flowchart detailing the general flow of logic. The code that implements this logic can be found in the media/js/base/consent directory.
Related dependencies¶
For more detail documentation on dependencies used for consent management, see their respective GitHub repositories.