This repository has been archived by the owner on Jun 30, 2022. It is now read-only.
The livechat widget currently sets cookies and stores data in LocalStorage and SessionStorage when the script is loaded into the website.
According to the EU ePrivacy directive (2009/136/EC) only technical storage that is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” is allowed without explicit consent by the user.
The German Datenschutzkonferenz recently clarified in an orientation guideline that additional services like chat boxes only count as an explicitly requested service when the user interacts with it, e.g. by clicking on the widget. This interpretation currently only applies to the German market but other EU countries might follow the interpretation.
This means that currently for German websites the livechat widget script may only be legally included after getting the user's consent, even if the Rocketchat instance is self-hosted.
If the browser storages were only initialized after the first user interaction with the widget this restriction would no longer apply for many cases.
Steps to reproduce:
Clear the cookies in the browser (including LocalStorage, etc.)
Open a website using the livechat script
View the browser storage in the browser's developer tools
Expected behavior:
No cookies, LocalStorage, SessionStorage, or IndexedDB data should be set until the user activated the livechat widget.
Actual behavior:
Multiple cookies and other storage data are set on page load:
Cookies:
rc_room_type
rc_is_widget
LocalStorage:
store
SessionStorage:
sessionId
Server Setup Information:
Version of Rocket.Chat Server: 4.2.2
Operating System: Ubuntu 20.04.3 LTS
Deployment Method: tar
Number of Running Instances: 1
Client Setup Information
Browser: any browser (tested with Firefox 95.0.1 and Chrome 93.0.4577.82)
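Added example, not part of the original issue or of Rocket.Chat's code: a small check that automates the reproduction steps above by listing every cookie and Web Storage key present in a browsing context and comparing it with a cleared baseline. The function names, the `fakeStorage` stand-in and the cookie and storage values are constructed for illustration; only the entry names come from the report. It inspects the origin it runs in, so it has to be run in whichever frame the storage belongs to.

```javascript
// Added example: enumerate cookie and Web Storage entries so that a
// page-load snapshot can be compared with a cleared-browser baseline.

// Extract cookie names from a document.cookie style string.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// List the keys of a Storage-like object (needs length and key(i)).
function storageKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

// Snapshot everything stored, as sorted "area:name" strings.
// In a browser console:
//   snapshot({ cookie: document.cookie, localStorage, sessionStorage })
function snapshot(env) {
  return [
    ...cookieNames(env.cookie).map((n) => `cookie:${n}`),
    ...storageKeys(env.localStorage).map((k) => `localStorage:${k}`),
    ...storageKeys(env.sessionStorage).map((k) => `sessionStorage:${k}`),
  ].sort();
}

// Entries present in `current` that were absent from `baseline`.
function writtenSince(baseline, current) {
  const seen = new Set(baseline);
  return current.filter((entry) => !seen.has(entry));
}

// Constructed stand-in for a Storage object so the check also runs in Node.
function fakeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => keys[i] };
}

// Constructed samples: a cleared browser, then the state the issue reports
// after page load (values are placeholders, names are from the report).
const cleared = { cookie: '', localStorage: fakeStorage({}), sessionStorage: fakeStorage({}) };
const afterLoad = {
  cookie: 'rc_room_type=x; rc_is_widget=x',
  localStorage: fakeStorage({ store: '{}' }),
  sessionStorage: fakeStorage({ sessionId: 'x' }),
};
console.log(writtenSince(snapshot(cleared), snapshot(afterLoad)));
```

An empty result before the first click on the widget corresponds to the expected behavior described in the report.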