Stu Mason

Activity

StuMason/cleanconnect
Client SaaS
TypeScript
Issue Resolved

Issue #38 closed: GDPR: Add server-side cookie consent storage for audit trail

Background

From PR #37 review - the cookie consent implementation currently stores preferences in localStorage and a browser cookie, but there's no server-side persistence.

Problem

GDPR guidelines typically require server-side storage for audit purposes. If we need to prove consent was given at a specific time, we currently have no server-side record.

Suggested Implementation

  1. Create a cookie_consents migration and model
  2. When user gives/updates consent, POST to server to store:
    • user_id (nullable for guests)
    • session_id or ip_hash for anonymous users
    • preferences (JSON of what was consented to)
    • consented_at timestamp
    • user_agent for context
  3. Keep the client-side storage for UX (immediate banner hiding)
  4. Server storage provides the audit trail

Priority

Medium - Current implementation works functionally but may not meet strict GDPR audit requirements.

Labels

enhancement, gdpr
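
An added example, not code from the cleanconnect repository: one way the server could build the record listed in step 2, taking `consented_at` from the server clock and storing a keyed hash of the guest's IP rather than the address itself. The category names, the function and type names, and the `secret` parameter are assumptions.

```typescript
import { createHmac } from "node:crypto";

// Assumed consent categories; the issue does not name them.
const CATEGORIES = ["necessary", "analytics", "marketing"] as const;
type Category = (typeof CATEGORIES)[number];

interface ConsentRequest {
  userId: number | null;    // null for guests
  sessionId: string | null;
  ip: string;
  userAgent: string;
  body: unknown;            // untrusted JSON posted by the banner
}

interface ConsentRecord {
  user_id: number | null;
  session_id: string | null;
  ip_hash: string | null;
  preferences: Record<Category, boolean>;
  consented_at: string;
  user_agent: string;
}

// Keyed hash: a plain SHA-256 of an IPv4 address can be reversed by
// enumerating the address space, an HMAC with a server-held key cannot.
function hashIp(ip: string, secret: string): string {
  return createHmac("sha256", secret).update(ip).digest("hex");
}

function buildConsentRecord(req: ConsentRequest, secret: string, now: Date = new Date()): ConsentRecord {
  if (typeof req.body !== "object" || req.body === null) {
    throw new Error("preferences must be a JSON object");
  }
  const input = req.body as Record<string, unknown>;
  const preferences = {} as Record<Category, boolean>;
  for (const key of CATEGORIES) {
    // Allow-listed keys only; anything other than literal true is "not consented".
    preferences[key] = input[key] === true;
  }
  const guest = req.userId === null;
  return {
    user_id: req.userId,
    session_id: guest ? req.sessionId : null,
    ip_hash: guest ? hashIp(req.ip, secret) : null,
    preferences,
    consented_at: now.toISOString(),          // server clock, never a client-sent value
    user_agent: req.userAgent.slice(0, 255),  // bounded so a header cannot bloat the row
  };
}
```

For the audit trail to show what was consented to at a given time, each change of consent would be written as a new row rather than an update to the previous one.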