GDPR: No cookie notice upon opening Mattermost

Mattermost uses Cookies. The European data security laws require that the user is informed about cookies that are required for the website to work (e.g. session cookies).
Also, a user must agree to all other kinds of Cookies before they are set. Neither is done on the Mattermost Login page or when logged in. There is also no Admin option to change this.

Mattermost praises its GDPR compliance. This part is not compliant though.

While it is unfortunate that this is not a current feature included in Mattermost, I do suggest opening a new Feature Request so that it may be added to future releases.

In the meantime, if you happen to be using Cloudflare as your DNS provider/for web security, as I do, you might find this free Cloudflare app useful - this allows you to add a customized cookie usage notification to your webpage, or specific pages on a website, in a fully customizable manner, which it seems (to me at least) may be able to help you become GDPR compliant while an official feature implementation is developed and discussed.

Cloudflare Cookie Consent App

You can additionally preview this app here before installing it on your webpage with Cloudflare, to make sure it will perform the way you desire it, and see how it would function.

Does this help?

Hi @AgileParent,
Could you elaborate on your source stating that every cookie must be agreed to? AFAIK this is only true for tracking/marketing/advertising cookies & not for cookies just storing session data. Using an on-premise based Mattermost server, I only see three cookies used for security & authorization usage. Pretty sure no consent is needed for these cookies.
This certainly is only true for a self-hosted Mattermost. Not sure about the cloud version.

Opened a Feature Request: GDPR: Cookie notice configuration

I did not analyze each and every cookie, I just noticed that there were cookies set. If these are strictly functional, the user still has to be notified about them, which currently does not happen.

Have you got a reference for me on the need for an active notification of a user? IMHO it’s enough to state the use of functional session cookies in the general data protection / privacy guidelines, which can be configured per URL within the Mattermost configuration.

I have put long hours into researching this and did not save the exact article where this was stated. So I am sorry, I cannot help you here with the answer.

There is the ability to set a banner to be displayed with custom text to a user on login. Would changing the text of this banner to have a statement about the presence of cookies in use be enough to bring you to compliance?

This is not the most user-friendly solution but I would believe it would suffice.

Can you in turn assure me that the cookies set by Mattermost are strictly necessary for Mattermost to work properly and do not include tracking or marketing of any kind?

I personally have never seen any use of cookies in any of my Mattermost installations for advertising. It’s open-source software, provided for free, and as such, Mattermost doesn’t track each installation.
@ahmaddanial can you confirm?

Hello, @AgileParent

While most information on how Mattermost deals with cookies is included in the Mattermost Cookie Policy, Mattermost mentioned the following:

We use cookies (both session and persistent) and similar technologies (collectively, “Cookies”). We use Cookies on the websites operated by Mattermost, Inc., and our affiliates (collectively, the “Sites”) and in the products and services we provide (collectively, the “Service”). We also use trusted third party cookies.

If you are referring to your Mattermost Server, this should not be the case.

For Mattermost Cloud on the other hand, I am clarifying this with the team internally and will get back to you as soon as I get an answer.
