Quick Note on Quarto Blogs and GDPR

Cookies, but only if you want them

gregers kjerulf dubrow


February 20, 2024

To some minor chagrin, thanks to someone raising an issue in the GitHub repo for the blog, I realised that I was out of compliance with GDPR rules about website cookies.

I was offering people a more onerous opt-out choice (on the left) when I should have been offering them a clear way to decline (on the right).

[Image, left: example of cookie opt-out not compliant with GDPR]

[Image, right: example of cookie opt-out compliant with GDPR]

A quick search and I found the correction I needed to make, changing the _quarto.yml file section on cookie consent from the default. A simple fix: in the website: section, change type: implied (the default) to type: express.

Simple, right?

Well…after pushing the changes multiple times, the cookie consent pop-up didn’t change.

Some more searching and I came across this helpful thread in the Quarto dev GitHub repo that touched on my issue. Declan Naughton, who started the issue, offered a solution using another privacy option, Cookie Consent.

While looking into that, downloading the files and planning carefully how to implement it without breaking anything, I got distracted and redid a post to add a table of contents on the right, using toc: true in the post YAML. I pushed that, and huh…the GDPR-compliant cookie consent window popped up.

This does beg the question as to why the default in Quarto is the non-compliant consent option. Regardless, if you have blog readers in the EU and want to make sure you’re compliant, do the following:
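The change described above, written out as an added example (not copied from the author's own _quarto.yml). It assumes the consent settings sit under the cookie-consent key of the website: section, and all other site options are omitted:

```yaml
# _quarto.yml (added example; only the consent setting is shown)

# Before: implied consent, the default the post describes.
# Visitors get the more onerous opt-out choice rather than a clear way to decline.
# website:
#   cookie-consent:
#     type: implied

# After: express consent, which offers a clear way to decline.
website:
  cookie-consent:
    type: express
```

After pushing the change, load the published site in a private browser window to confirm that the banner shown is the express one.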

[Animated GIF: the Cookie Monster eating cookies. Caption: nom nom nom]

n.b. - cookie image in post header from this Wikipedia entry on cookies