legal: implement EU/UK cookie + analytics consent (or document geo-gate) #177

Open · opened 2026-05-14 15:57:03 +00:00 by chihlasm (Owner) · 0 comments

**Source:** `/legal/attorney-review-checklist.md` item A3.

**Problem.** PostHog is initialized unconditionally at app start with `persistence: 'localStorage+cookie'` ([frontend/src/main.tsx:17-23](https://gitea.resolutionflow.com/chihlasm/resolutionflow/src/branch/main/frontend/src/main.tsx#L17-L23)). Google Fonts loads on every public page from `fonts.googleapis.com` and `fonts.gstatic.com` ([frontend/index.html:11-13](https://gitea.resolutionflow.com/chihlasm/resolutionflow/src/branch/main/frontend/index.html#L11-L13)) — both before any consent is obtained.

**Why it matters.** For EU/UK visitors, ePrivacy Directive Art. 5(3) and UK PECR require prior consent before non-essential cookies and tracking-grade storage are set. The generated Cookie Policy already references a consent mechanism that doesn't exist in code.

**Two acceptable paths:**

1. **Implement consent management** (recommended for a B2B SaaS reachable globally):
   - Add a consent banner that appears for EU/UK visitors (or all visitors — simpler)
   - Gate PostHog `init()` behind affirmative consent; pre-consent, only essential storage (auth tokens, theme preference) may be set
   - Self-host Google Fonts (Bunny Fonts mirror or local font bundling via `@fontsource`) to eliminate the IP-exposure-to-Google disclosure entirely
   - Persist the consent state in a first-party cookie/localStorage key with category granularity (essential / functional / analytics)
   - Expose a 'Cookie Preferences' link in the footer to revisit choices
2. **Geo-gate the product from EU/UK** and document the decision. (Not recommended — kills enterprise expansion.)

**Acceptance criteria.**

- [ ] Decision recorded: implement vs. geo-gate
- [ ] If implement: PostHog does not fire before consent is recorded for EU/UK visitors
- [ ] Google Fonts replaced with self-hosted fonts OR consent-gated
- [ ] Cookie Policy §2.3 and §3.1 reference a real, working consent mechanism
- [ ] `/legal/cookie-policy.md` 'Consent mechanism for EU/UK' row in implementation-verification.md flips from ❌ → ✅

**Blocker for:** publishing legal docs and accepting EU/UK signups in good faith.

**Companion files:**

- `/legal/attorney-review-checklist.md` (item A3)
- `/legal/cookie-policy.md`
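The consent gate described in path 1 (gate PostHog `init()` behind affirmative consent, persist the choice in a first-party key with essential / functional / analytics granularity), as an added example that is not code from the resolutionflow project. It is deliberately independent of the browser and of posthog-js: the storage interface, the key name `rf_consent`, the `initAnalytics` callback and the `MemoryStorage` class are all assumptions made for the example; in `main.tsx` one would pass `window.localStorage` and `() => posthog.init(...)` instead. A malformed, tampered or outdated stored record is treated as "no decision", so analytics never starts on the strength of a record the app did not write.

```typescript
// Added example, not project code. Assumed names: ConsentCategory, ConsentState,
// KeyValueStorage, CONSENT_KEY ("rf_consent"), createAnalyticsGate, MemoryStorage.

export type ConsentCategory = "essential" | "functional" | "analytics";

export interface ConsentState {
  version: number;          // bump when categories or policy wording change
  decidedAt: string | null; // ISO timestamp of the visitor's choice; null = undecided
  categories: Record<ConsentCategory, boolean>;
}

// Subset of the Web Storage API, so the gate runs against localStorage or a test double.
export interface KeyValueStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

export const CONSENT_KEY = "rf_consent"; // assumed first-party key name
const CONSENT_VERSION = 1;

// Before any decision only essential storage is allowed; everything else is off.
export function defaultConsent(): ConsentState {
  return {
    version: CONSENT_VERSION,
    decidedAt: null,
    categories: { essential: true, functional: false, analytics: false },
  };
}

// Read the stored record, failing closed on anything that is not a valid,
// current-version record: stale version, missing timestamp, bad JSON.
export function loadConsent(storage: KeyValueStorage): ConsentState {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return defaultConsent();
  try {
    const parsed = JSON.parse(raw) as Partial<ConsentState>;
    if (parsed.version !== CONSENT_VERSION || typeof parsed.decidedAt !== "string") {
      return defaultConsent();
    }
    const c = parsed.categories ?? ({} as Partial<Record<ConsentCategory, boolean>>);
    return {
      version: CONSENT_VERSION,
      decidedAt: parsed.decidedAt,
      categories: {
        essential: true, // essential storage cannot be withdrawn
        functional: c.functional === true,
        analytics: c.analytics === true,
      },
    };
  } catch {
    return defaultConsent();
  }
}

// Record the visitor's choice; unspecified categories are treated as declined.
export function saveConsent(
  storage: KeyValueStorage,
  choices: Partial<Record<ConsentCategory, boolean>>,
  now: Date = new Date(),
): ConsentState {
  const state: ConsentState = {
    version: CONSENT_VERSION,
    decidedAt: now.toISOString(),
    categories: {
      essential: true,
      functional: choices.functional === true,
      analytics: choices.analytics === true,
    },
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(state));
  return state;
}

export function hasConsent(state: ConsentState, category: ConsentCategory): boolean {
  return state.categories[category] === true;
}

// The gate: `initAnalytics` runs at most once, and only once analytics consent is stored.
export function createAnalyticsGate(storage: KeyValueStorage, initAnalytics: () => void) {
  let started = false;
  const tryStart = (): boolean => {
    if (started) return true;
    if (!hasConsent(loadConsent(storage), "analytics")) return false;
    initAnalytics();
    started = true;
    return true;
  };
  return {
    start: tryStart, // call at app boot; a no-op until consent exists
    accept: (choices: Partial<Record<ConsentCategory, boolean>>): boolean => {
      saveConsent(storage, choices); // called from the banner / preferences dialog
      return tryStart();
    },
    isStarted: (): boolean => started,
  };
}

// Constructed in-memory stand-in for localStorage so the example runs outside a browser.
export class MemoryStorage implements KeyValueStorage {
  private map = new Map<string, string>();
  getItem(k: string): string | null { return this.map.has(k) ? this.map.get(k)! : null; }
  setItem(k: string, v: string): void { this.map.set(k, v); }
  removeItem(k: string): void { this.map.delete(k); }
}
```

At boot, `gate.start()` replaces the unconditional `posthog.init(...)` call: with no stored decision it returns `false` and sets nothing beyond essential storage; the banner's accept handler calls `gate.accept({...})`, which persists the categories and starts analytics only if the analytics category was granted. Withdrawing consent after analytics has started is not modelled here: the stored record can be rewritten with `saveConsent`, but stopping an already-initialised library also needs that library's own opt-out call, and the verification row in the issue should be checked against both paths.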