A Natively Integrated, GDPR & GCMv2-Compliant Consent Extension

FullThrottle83

Flarum Complaint Consent Extension

Summary

This proposal outlines the creation of a new Flarum extension to provide robust, legally compliant consent management. Built to first-party quality standards to ensure deep integration and future compatibility, it would replace the outdated fof/cookie-consent with a modern solution featuring prior-consent script blocking, granular controls, auditable server-side logging, and native Google Consent Mode v2 (GCMv2) integration. This is essential for any Flarum admin serving EU users.

The Problem: A Critical Compliance Gap

The current fof/cookie-consent extension is architecturally obsolete and exposes Flarum administrators to significant legal and financial risk. Its core failures are:

No Prior Consent (ePrivacy Directive, Art. 5(3)): It cannot block non-essential scripts (e.g., from an analytics extension) from loading before a user gives consent.
Invalid Consent UI (GDPR, Art. 7): It lacks an equally prominent "Reject" option and granular controls, rendering any consent collected invalid.
No Audit Trail (GDPR, Art. 5(2)): It provides no server-side logging, making it impossible for an admin to demonstrate compliance to a supervisory authority.
No GCMv2 Support: It cannot communicate consent signals to Google's APIs, a technical requirement since March 2024. This cripples Google Analytics and Ads functionality for all EEA traffic, leading to lost insights and ad revenue.

This isn't just an inconvenience; it's a critical gap that makes it difficult to operate a Flarum forum legally and effectively in the EU.

Core Goals (The MVP)

The primary goal is to create a Minimum Viable Product (MVP) that solves the core legal requirements elegantly and reliably.

Block By Default: Actively block all non-essential scripts from executing until explicit, affirmative consent is granted.
Provide Valid UI: Present "Accept All" and "Reject All" buttons with equal prominence on the first layer, with a clear link to "Manage Preferences."
Granular Control: Offer opt-in toggles for distinct categories (e.g., Analytics, Marketing). These must be unchecked by default.
Integrate GCMv2: Natively implement the Google Consent Mode v2 API.
Log Consent: Securely store each consent event on the server, including an anonymized ID, a timestamp, the user's choices, and the active policy version.
Enable Withdrawal: Provide a persistent, easily accessible UI for users to review and change their consent preferences at any time.

Non-Goals (To Maintain Focus)

To ensure a focused and achievable MVP, this extension will not initially include:

Automated cookie scanning.
Advanced GCMv2 features like "Advanced Implementation" (cookieless pings).
Geolocation-based banner display.
IAB TCF Certification: This extension will not pursue IAB TCF certification itself due to the significant annual fees (e.g., €1,575 for IAB Europe). For publishers requiring IAB TCF compliance (e.g., for AdSense, Ad Manager, AdMob), this extension is designed to work alongside a separate, Google-certified, IAB TCF-compliant third-party CMP, providing Flarum-native functionality while leveraging the external CMP for ad-tech specific compliance.

Proposed Technical Solution

This describes a potential implementation path using standard Flarum patterns.

1. Extension Scaffolding

Proposed Name: fof/consent (to align with the FriendsOfFlarum ecosystem)
Dependencies: flarum/core (latest stable), PHP (latest stable)

2. Relationship to `flarum/gdpr`

This extension is designed to be complementary to, not a replacement for, the official flarum/gdpr extension. They address two different, but equally critical, areas of compliance:

fof/consent (this proposal): Manages cookie consent, script blocking, and GCMv2, fulfilling requirements from the ePrivacy Directive and GDPR Art. 7 (Conditions for consent).
flarum/gdpr: Manages user data rights, such as the Right to Access (Art. 15) and the Right to Erasure (Art. 17).

A fully compliant forum will need both extensions working together.

3. Front-End Implementation (Mithril.js)

A new ConsentBanner component will be injected into the main App layout.
The banner's state (isVisible, preferences) will be managed by a global app.consent state object.
Script Management: The proposed solution is to use Flarum's Formatter extender to parse the final HTML output. Scripts identified as non-essential will have their type attribute changed to text/plain, effectively disabling them.
- Example: A script tagged with <script data-consent-category="analytics" ...> would be transformed into <script type="text/plain" data-consent-category="analytics" ...>.
When consent is granted, the front-end logic will find these scripts and switch their type back to text/javascript, allowing them to execute.

4. Back-End Implementation (PHP Extender)

Database Migration: A new consent_events table will be created to log consent actions, deliberately avoiding storing any personal data like IP addresses.

// In extend.php
(new Extend\Migration())
    ->add(__DIR__.'/migrations/2025_07_13_000000_create_consent_events_table.php');

// In the migration file
use Illuminate\Database\Schema\Blueprint;
use Flarum\Database\Migration;

return Migration::createTable('consent_events', function (Blueprint $table) {
    $table->increments('id');
    $table->string('user_token', 255)->index(); // Anonymized identifier
    $table->timestamp('created_at')->useCurrent();
    $table->json('choices'); // Stores { "analytics": true, "marketing": false }
    $table->string('policy_version', 50);
});

API Endpoints: A controller will expose endpoints for managing consent.
- POST /api/consent: Receives the consent payload.
- GET /api/consent: Retrieves the current user's consent state.

backend-admin-panel

5. Admin Panel Configuration

A settings page in the admin dashboard will allow administrators to:

Customize all banner text via Flarum's localization system.
Define the URL for the Privacy/Cookie Policy.
Set the current policy_version string (e.g., "1.1").
Provide a simple interface to define which scripts belong to which category by specifying CSS selectors (e.g., script[src*="google-analytics"] for the Analytics category).

6. User Experience

The banner will be styled to match the forum's theme out of the box.
The "Accept All" button will use the primary theme color; "Reject All" will use a secondary/neutral color.
A "Manage Preferences" link will open a Mithril-based modal with toggles for each category.
A persistent floating icon or a link in the footer will allow users to re-open the preferences modal.

→ Try the Interactive Demo
(mockup only)

Benefits

Legal Compliance: Provides a robust, defensible solution for GDPR and the ePrivacy Directive.
Restored Functionality: Enables the legal use of Google Analytics and Ads for EEA traffic.
Trust & Transparency: Builds user trust by offering clear, honest choices.
Future-Proof: Aligns with the direction of EU privacy law.
Platform Value: Makes Flarum a more attractive platform for professional and commercial use cases.

Should this be a priority for the Flarum ecosystem?

If you believe GDPR-compliant consent management is critical for Flarum's future, please share your thoughts below. Your feedback will help determine if this extension should move forward and what features matter most to the community.

Particularly valuable input:

Forum administrators serving EU users
Extension developers familiar with consent management
Anyone who has struggled with the current fof/cookie-consent limitations

Let's make Flarum the most privacy-compliant forum platform available! 🚀

Walid

This is really needed.
I understand (and agree) we can't have everything right away but I think in the medium to long term, fof/consent should be the one and only extension for everything GDPR & cookie consent (it should include flarum/gdpr functionality). Flarum's extension system is great but I'm on the team that want to limit the number of extensions and have more comprehensive extensions for each aspect of managing/improving a forum's features.

But anyways, this is great and hope to see it come to fruition.

FullThrottle83

Walid Thanks for the great feedback and your support! I'm glad you see the need for this.

That's an excellent point, and I share your long-term vision. In an ideal world, fof/consent would absolutely evolve to become the single, all-in-one extension for GDPR compliance, incorporating the features from flarum/gdpr (or the other way around).

FullThrottle83

Current Consent Management Options for Flarum

What's Possible Today and Why We Still Need a Native Extension

Following up on my previous proposal for a Flarum-native consent extension, I want to address the immediate question many of you have: "What can I do right now to achieve GDPR compliance while we wait for a proper Flarum solution?"

Based on extensive research, here's what's actually possible today, what the limitations are, and why a Flarum-specific extension remains essential for complete compliance.

The Current Reality: Third-Party CMPs Are Your Only Option

Since the existing fof/cookie-consent extension fails to meet modern GDPR and Google Consent Mode v2 requirements, you must use a third-party Consent Management Platform (CMP) integrated via JavaScript. Here's what's available:

Free Options That Actually Work

Silktide Consent Manager

Link

Cost: 100% free forever (open source)
Google Consent Mode v2: Full support
GDPR Compliance: Complete with prior script blocking
Integration: Copy-paste JavaScript into Flarum's Custom Header
Limitations: No server-side audit trail, requires manual configuration
Best for: Privacy-focused forums, developers comfortable with manual setup

CookieYes Free Tier

Link

Cost: Free for 1 domain, 100 pages, 300 consent logs/month
Google Consent Mode v2: Certified Google partner
GDPR Compliance: Full compliance with audit trails
Integration: JavaScript snippet in Custom Header
Limitations: Low usage limits, basic customization
Best for: Small forums getting started with compliance

Consentmanager Free Tier

Link

Cost: Free for up to 5,000 page views/month
Google Consent Mode v2: Gold-tier Google certified partner
GDPR Compliance: Complete with Legal Shield coverage
Integration: JavaScript snippet in Custom Header
Limitations: Page view restrictions
Best for: Growing forums with moderate traffic

Paid Options for Serious Compliance

Cookiebot

Link

Cost: From €12/month (free tier: 50 subpages)
Features: Automatic cookie scanning, comprehensive audit trails, legal indemnification
Why consider: Most popular choice, excellent WordPress integration (relevant for hybrid setups)

Osano

Link

Cost: From $20/month (free tier: 5K visitors)
Features: Blockchain-based consent storage, legal coverage up to $200K
Why consider: Maximum legal protection, advanced compliance features

How to Implement These Solutions

Choose Your CMP
For most Flarum forums, I recommend starting with Consentmanager's free tier if you're under 5K pageviews, or Silktide if you want unlimited free usage and don't mind manual configuration.

Basic Integration

Go to Administration → Appearance → Edit Custom Header
Add your chosen CMP's JavaScript code at the very top

Configure Google Consent Mode v2 default settings:

        <script>
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('consent', 'default', {
          ad_storage: 'denied',
          analytics_storage: 'denied',
          ad_user_data: 'denied',
          ad_personalization: 'denied'
        });
        </script>
        <!-- Your CMP script goes here -->

Configure Script Blocking
The CMP must identify and block all non-essential scripts. For Flarum, this typically includes:
- Google Analytics from any analytics extensions
- Social media widgets and embeds
- Advertising scripts
- Third-party comment systems
- Marketing pixels

What These Solutions CAN Achieve

✅ Legal Compliance:

Valid "Accept All" and "Reject All" buttons with equal prominence
Granular category control (Analytics, Marketing, Functional)
Prior consent script blocking
Google Consent Mode v2 integration
Basic consent logging (varies by provider)

✅ Immediate Implementation:

No extension development required
Works with current Flarum versions
Professional-grade compliance
Certified Google partnerships (for paid options)

Critical Limitations: Why a Flarum Extension is Still Needed

No Server-Side Audit Trail
- The Problem: GDPR Article 5(2) requires you to prove compliance to authorities. Free solutions like Silktide only store consent in the user's browser. Paid solutions offer limited audit trails.
- The Flarum Extension Solution: Deep integration with Flarum's database to log every consent event with anonymized user IDs, timestamps, specific choices, and policy versions.
No Admin Panel Integration
- The Problem: All configuration happens in external dashboards. No integration with Flarum's permission system, localization, or theming.
- The Flarum Extension Solution: Native admin panel with Flarum-style settings, automatic detection of extension scripts, and seamless theme integration.
Limited Policy Version Management
- The Problem: When you update your privacy policy, there's no automatic way to force existing users to re-consent within Flarum's user system.
- The Flarum Extension Solution: Automatic detection of policy updates with forced re-consent flows tied to Flarum user accounts.
Extension Ecosystem Blind Spots
- The Problem: Third-party CMPs can't automatically detect when you install a new Flarum extension that adds tracking scripts. You must manually configure each new script.
- The Flarum Extension Solution: Automatic detection and categorization of scripts from Flarum extensions, with developers able to declare their scripts' consent requirements.
User Experience Gaps
- The Problem: Generic consent banners don't integrate with Flarum's user preferences, notification systems, or account settings.
- The Flarum Extension Solution: Consent preferences integrated into user account settings, notification of policy changes, and consistent UI/UX with the forum theme.

Practical Recommendations by Forum Size

Small Forums (< 1,000 monthly visitors)
- Use: Silktide (completely free) or Consentmanager free tier
- Why: Covers all legal requirements without cost
- Migration path: Easy to switch to native extension when available
Medium Forums (1,000-10,000 monthly visitors)
- Use: Consentmanager paid plan or CookieYes
- Why: Professional support, automated scanning, audit trails
- Cost: €9-15/month for comprehensive compliance
Large Forums (10,000+ monthly visitors)
- Use: Cookiebot or Osano with legal coverage
- Why: Maximum protection, comprehensive audit trails, legal indemnification
- Future: Strong candidates for native Flarum extension when available

The Bottom Line

Yes, you can achieve GDPR compliance today using the solutions above. They will protect you legally and restore Google Analytics/Ads functionality for EU users.

However, a native Flarum extension remains essential for:

Complete integration with Flarum's admin and user systems
Comprehensive audit trails for regulatory compliance
Automatic handling of the Flarum extension ecosystem
Seamless user experience that matches your forum's design
Long-term sustainability without vendor lock-in

Next Steps

Immediate action: Implement one of the recommended CMPs based on your forum size
Monitor: Keep track of consent rates and user experience
Prepare: Be ready to migrate to a native Flarum extension when available
Feedback: Share your experiences with these solutions to help prioritize the native extension development

The goal isn't perfect; it's compliant and practical. These solutions will get you there while we hope for the ideal native integration.

Questions? Share your experiences with these CMPs or specific challenges you're facing with Flarum consent management.

Walid

Thank you very much for all those details! very helpful (until we have a full Flarum extension).

damuji

A must have for EU forums.
Thanks for the feedback.

KBExit

Would be nice to have natively for sure. My forum is US based, but the nature of my forum, would have U.S. Citizens trying to reach out in European Nations. This could possibly be troublesome as rules still apply in the legal front, regardless of nationality.

Darkle

FullThrottle83 To give my bit on this, I definitely agree that Flarum needs a better consent solution, for GCMv2-only scenarios what is mentioned here is alright.

My main concern, though, is how this fits with the strict Google requirements for publishers. Anyone using AdSense, Ad Manager, or AdMob has to use a Google certified CMP that's also compliant with the IAB TCF.

I looked into the IAB Europe registration, and it's a formal process with a 1575€ annual fee just to get listed as a certified CMP (https://iabeurope.eu/join-the-tcf/). That's the deal breaker, and the reason why many great cookie consent OSS projects are unfortunately falling into disuse (I personally had to move on from some of them because of this).

So I think the proposal should mention that it won't be a full CMP and won't be able to handle the whole Ads stuff...

FullThrottle83

Darkle That's an absolutely critical point, and I really appreciate you bringing it up. You're spot on about Google's strict requirements for publishers using AdSense, Ad Manager, or AdMob - they absolutely mandate the use of a Google-certified CMP that's also compliant with the IAB TCF, and that €1,575 annual registration fee for IAB Europe is indeed a significant barrier for open-source projects.

You've hit on precisely why the proposed Flarum-native extension isn't aiming to be a full, IAB TCF-certified CMP in itself. The goal with this proposed extension is to address the fundamental gaps within Flarum's core consent management capabilities. This means providing the essential features like robust prior-consent script blocking, granular controls, auditable server-side logging, and native Google Consent Mode v2 integration.

For forums that need to leverage Google's advertising products and require full IAB TCF compliance, the Flarum extension would actually complement an existing Google-certified, third-party CMP (like the ones mentioned in the follow-up post, such as CookieYes or Consentmanager. These commercial CMPs already handle the complex IAB TCF certification and the intricacies of ad-tech integrations. The Flarum extension would then provide the deep, native integration, server-side audit trails, and seamless admin/user experience that these external CMPs simply can't offer on their own.

As noted in the "Non-Goals" section of the proposal, intentionally not including automated cookie scanning or advanced GCMv2 features like cookieless pings in the MVP. This focus helps ensure the extension is achievable and addresses the core Flarum-specific compliance needs, rather than trying to replicate the entire functionality of a commercial, IAB-certified CMP.

Thanks again for highlighting this important distinction. It's crucial for everyone to understand the different layers of compliance involved!

Edit: I've updated the orginal post now mentioning IAB TCF Certification