Implementing a GDPR EULA in a Ruby on Rails Application
As almost everyone has heard by now, the EU has passed new consumer privacy laws that go into effect later this week. There are a lot of new technical ramifications, but this blog post specifically covers having existing and new users accept our new GDPR End User Licence Agreement.
When building a new feature, I like to think backwards from the end result we want: at the end of the day, we need all users to accept the new terms. That means we need to display these new terms. If users don't agree, let's assume they will no longer be able to use our service.
I solved this by adding an un-closeable popup modal on our logged-in homepage. You can make a Bootstrap modal impossible to dismiss with:
$('#myModal').modal({backdrop: 'static', keyboard: false})
Ok, so users are now locked out of the rest of the application and are forced to make a choice in the modal. So far, so good. The text of the new GDPR EULA is within the modal, as are two buttons: Accept, or Log Out. If they click "Log Out", I send them to the regular Devise "Log Out" path. So what happens if they click "Accept"?
I added a column to our Users table called accepted_gdpr_eula_at of type datetime, and ran the migration. Next, I created a new controller in the Rails application called GdprEulaController, and added an action called "accept_gdpr_eula!". Then I added my route in the routes.rb file. (Bonus points for making this a proper RESTful action; I will do so when I refactor this. The rest of our app is built in a similar way, so it is actually more consistent with everyone else's work to name it this way. Don't @ me.)
The user clicks the "Accept" button, and the method in the controller updates the current_user's accepted_gdpr_eula_at column to Time.now, then redirects them to the home path.
I also added some logic to the popup modal: if the current_user's accepted_gdpr_eula_at column is nil, show the modal. If it is not nil, don't show the modal, since logically it means they have already seen and accepted it.
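The acceptance check and the gate described above, as an added example that is not code from the original post. It keeps the decision logic framework-free so it can be run and tested without Rails, uses the column name from the post's migration, and goes slightly beyond the post in two ways: the static modal is only a client-side gate, so the same decision is also applied server-side in a before_action (sketched in the trailing comment), and acceptance is compared against the date the EULA text took effect so a future revision can force re-acceptance. The effective date, the exempt paths and the route are assumptions.

```ruby
require 'time'

# Framework-free decision logic for the GDPR EULA gate. Kept out of the
# controller so it can be unit-tested; Rails wiring is sketched at the bottom.
module GdprEulaGate
  # When the current EULA text took effect. Comparing against a date instead
  # of only checking nil lets a future EULA revision force re-acceptance.
  # Assumed value: the GDPR enforcement date.
  EULA_EFFECTIVE_AT = Time.utc(2018, 5, 25)

  # Paths a not-yet-accepted user must still be able to reach: the logged-in
  # home page (where the modal lives), Devise sign-out, and the accept action.
  # Assumed paths; adjust to the app's routes.
  EXEMPT_PATHS = ['/', '/users/sign_out', '/gdpr_eula/accept'].freeze

  # True when the user has accepted the EULA text currently in force.
  # The view shows the modal exactly when this is false.
  def self.accepted?(user)
    ts = user.accepted_gdpr_eula_at
    !ts.nil? && ts >= EULA_EFFECTIVE_AT
  end

  # Server-side decision for a request: :allow, or :redirect_home so the
  # home page renders the modal. The modal alone only blocks the UI.
  def self.decide(user, path)
    return :allow if accepted?(user)
    return :allow if EXEMPT_PATHS.include?(path)
    :redirect_home
  end

  # Records acceptance; `now` is injectable so tests are deterministic.
  def self.accept!(user, now: Time.now.utc)
    user.accepted_gdpr_eula_at = now
    user
  end
end

# Minimal stand-in for the ActiveRecord User model, so this runs offline.
User = Struct.new(:id, :accepted_gdpr_eula_at)

# Rails wiring (assumed, not run here):
#   # config/routes.rb -- POST so the accept action is CSRF-protected
#   post 'gdpr_eula/accept', to: 'gdpr_eula#accept'
#   # app/controllers/application_controller.rb
#   before_action :require_gdpr_eula
#   def require_gdpr_eula
#     return unless current_user
#     redirect_to root_path if GdprEulaGate.decide(current_user, request.path) == :redirect_home
#   end
```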
We can now determine who has and has not accepted our new terms, and have restricted users who have not accepted them from using our web application. Yes, it could be argued that we could have built an entire EULA management system, but implementing it this way has met the business goal in a reasonable amount of time. For what it's worth, I wrote this on my lunch break because I thought it might be helpful to other developers currently working on the same issue, so don't read too much into any of this or feel you need to pick it apart. Have a great Memorial Day weekend!