Topic: New European Cookie Laws

[MrMorph]

Thanks

But yes, aimed at the big boys for sure and the abusers of useful technology.

[JohnS]

Aimed at the big boys...maybe, well intentioned .... perhaps, will it affect how we operate in future... almost certainly. There is no doubt the active rights elements will step on the bandwagon after 26th, they have already had some success in other areas, forcing the big boys to change their ways. The effect of this new law should not be underestimated. It may well take several years for it to become an issue, but become an issue it will. You can already get instant fines for speeding, how about instant fines for using cookies, wild theory or possibility I do not know, if it becomes an easy target for revenue (hidden taxation) then it will happen. It would not be totally impossible under the new law to require ISP's to report those using cookies.
Although the ICO has stated they may not take action at first, this may be taken out of thier hands, they must by law implement the law and if they do not then they and those that have websites using cookies could be taken to the EU courts, who would have no alternative but to apply the EU directive. There is no such thing as EU law, only directives, so they would apply the law of the country in which the offence took place.
I don't think there is cause for instant concern, but I certainly will have a plan in place to meet the law, how this will effect applications like SMF I do not know. From the 26th use of SMF in Europe may break the law, in UK at least it depends whether you can convince the ICO that such cookies are 'strictly necessary' for the operation of the site. whether that is immediate cause for concern I do not know, it will take time for rulings to come down in this regard and at the moment there is no clear guidance.

[CoreISP]

As far as I understood, this law only applies to tracking cookies... Cookies that check where you have been on the internet, what you have been doing there, etc.

This does not apply for normal cookies to save your login and that kind of thing o0

On a sidenote, the SMF servers are in the United States. The European laws do not apply.

[JohnS]

The law applies to all cookies (at least the UK law does other countries have a slightly less rigid interpretation of the directive), it also prohibits interrogating for cookies, not only placing cookies, without the express permission of the user. The only exception is for cookies that are 'strictly necessary' to the operation of the website. Though there are some guidelines on this there is no definition of 'strictly necessay' so it is not yet clear whether interrogating every visitor to see if they have a cookie set, or placing a session cookie prior to log in is legal. The only thing you can currently rely on is that shop cookies are OK provided they are not used until after the customer has logged in and there must be a clear warning on the log in page.
The law applies to where the website is used or controlled, not to where it is hosted, though how they would implement anything for non EU hosts sites I do not know, but there are ways and Google in Germany have already found out there are ways. You currently risk a $75,000 fine for using Google Analytics in Germany.
The UK law provides for a fine of up to $750,000 for the use of 'intrusive' cookies (again no definition) and ISP's are required by law to advice the ICO where they are being used. Of course what the law says and what happens may be two different things, but it will take a while before any guidelines become definitive.

[CoreISP]

Yeah if you host your SMF website in Europe, it could affect the owner of the website.
However, SMF does not store any intrusive cookies or cookies that track what you are doing on the internet.

The cookies stored for login *are* stricly necesarry.
This law wont cause trouble for something like this.

The law applies to where the website is used or controlled, not to where it is hosted

That is not true. If people from Europe visit our website and we would store tracking cookies on their computer, they cant do anything about it as long as it is legal in the united states.
The European laws do not apply to us in the United States, same as the DMCA (as example) does not extend beyond the borders of the USA...
*IF* we would store such cookies and someone from Europe (where it is illegal) would visit our website we cannot be punished nor would we be doing anything that's against the law. Servers in the US, the US laws apply. Not the laws of another continent or country.

[JohnS]

I agree that in the case of the SMF site provided it is hosted outside the EU and you have no presence in the EU then you 'may be' exempt and possibly are. Germany has shown that not to be the case as far as they are concerned.
However if your website has any connection with the EU by way of hosting or by way of any data being controlled from the EU, then it is subject to the laws.
So whilst it may not affect SMF directly, it will affect all users of the SMF software if they are based in the EU.
Your definition on 'strictly necessary'  but it has not yet been shown whether this will be the opinion of the UK regulatory body. Whilst a cookie after log in can be shown to be 'strictly necessary' a cookie prior to log in as used by nearly all, if not all forums, shops etc may not be legal. Time will tell.
Note it applies to ALL cookies, it does not matter if they are tracking, intrusive or contain no data at all they require advance opt in permission to be used unless they are 'strictly necessary'.
I don't think this is the place to discuss EU - USA law, suffice it to say that laws are in place that can make a US citizen liable for offences in the EU and liable to extradition, and vice versa, it has already been used against hackers and other offenders. The DCMA is enforceable in the EU even though a US law. Though I doubt a cookie would result in that kind of action.

[青山 素子]

The law applies to all cookies (at least the UK law does other countries have a slightly less rigid interpretation of the directive), it also prohibits interrogating for cookies, not only placing cookies, without the express permission of the user.

That's funny wording since there is no "interrogation" as browsers broadcast the cookie contents willingly.

The only exception is for cookies that are 'strictly necessary' to the operation of the website.

The SMF software will not work properly without the cookie it uses. You will not be able to stay logged in while browsing. I would say that it is quite necessary for the operation of the software.

Do you have a link to the UK law? Last I checked on the directive, it was for 3rd-party cookies only, as I noted earlier in the topic. If the UK has gone beyond that and is also enforcing against first-party cookies, that would be quite interesting.

[Kindred]

BTW:
http://www.bbc.co.uk/news/technology-13541250
http://allthingsd.com/20110524/eat-your-cookies-eu-privacy-directive-takes-effect-wednesday/
http://www.thedrum.co.uk/news/2011/05/25/21754-advice-for-brands-about-new-eu-cookies-directive/
http://www.ico.gov.uk/~/media/documents/pressreleases/2011/enforcement_cookies_rules_news_release_20110525.pdf

It ONLY covers "intrusive" cookies and is designed to protect personal identifiable information. Username and hashed password would not count...



However, it is fairly clear that US-based websites are free to ignore this...
except for:
http://blogs.wsj.com/digits/2011/05/24/california-privacy-politics-makes-strange-bedfellows-facebook-and-google/
http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_761&sess=CUR&house=B&site=sen
but it's not quite the same...

[JohnS]

The full law is at http://www.legislation.gov.uk/uksi/2003/2426/contents/made

The relevant part is regulation 6.

Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR):
6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Whilst browsers my broadcast the cookies, the law makes it illegal to look at them without prior permission. As you can see the law applies to much more than cookies and it is very generic it does not differentiate between first and third party cookies. Each country will have its own interpretation, some are much looser than the UK one.
This is what happens when bureaucrats try and implement technical solution.

Edit: Just to make it clear the extract above is the ruling from 26th May, the on line law still contains the old version which is not quite so tight.

[CoreISP]

I agree that in the case of the SMF site provided it is hosted outside the EU and you have no presence in the EU then you 'may be' exempt and possibly are. Germany has shown that not to be the case as far as they are concerned.

Not possibly, certainly.
And what Germany is or is not concerned about is not our problem. They cant force their laws upon another country.

I don't think this is the place to discuss EU - USA law, suffice it to say that laws are in place that can make a US citizen liable for offences in the EU and liable to extradition, and vice versa, it has already been used against hackers and other offenders

This is a different situation. For example, in the Netherlands it is allowed to download music for your own use. It is illegal to upload it. But for downloading, it is legal. The US law cannot prosecute a person living in NL for download music, nor can they ask for extradition as the person is simply not doing anything wrong by law. It's not like you are comitting a murder. (Although the music industry wants it to be that way, lol)
A hacker with intent to destroy something is illegal in Europe aswell, hence the possibility to get prosecuted.

The DCMA is enforceable in the EU even though a US law

It is not. We have different types of laws and procedures, the DMCA law does not apply to anyone in Europe. It is a US law, not a EU law. Different country's, different laws. Simple as that.

[JohnS]

CoreISP>> I think we will have to agree to disagree! There is no doubt that the Netherlands Law although based on the same directive is different to the UK Law. In addition the USA and UK have bilateral agreements in place that extend jurisdiction so in some cases it can be different countries same laws. Though meant for the big bad boys and unlikely to be used against the odd cookie, they do exist. Best wishes.

[JohnS]

Just to update this, if anyone is interested I have a re-validation scheme that forces all current users to revalidate accepting new terms and conditions. The code is not what I would call a totally user friendly release, but it is functional with a little care or php knowledge. If there is demand I could consider tidying it all up.
John

[MrMorph]

Has anyone actually seen any sites that have explicitly asked for approval to use cookies yet.  I have not seen one yet myself, but hang on to that code

[Jonathan UK]

I think, understandably, that there is a lot of confusion surrounding these laws (ie the European cookie law, as implemented variously by different European states).

From a UK perspective, I believe that we are actually already subject to the new law. The government has chosen, however, to allow a one year grace period (which we are currently part way through), during which time webmasters should be able to show (if challenged) that they are making demonstrable efforts towards implementing changes to their website(s) such that they will be fully compliant with the law by the time the grace period ends.

Also, I think that discussions about adding a permission statement within a forum's registration Ts and Cs are, with respect, missing the point. It's my belief that the law (as implemented in the UK) requires a user to be given the opportunity to opt out of cookie use at the very moment that they arrive on your site. This applies regardless of whether they are an existing forum member or just an unregistered visitor who is passing through (and wishes to read some of the forum posts before they leave, but has no intention of registering and no need to read your Ts and Cs).

As the enforcer of this law in the UK, the Information Commissioner's Office has implemented a pop-up permission box that appears as soon as you arrive on their site: www. ico. gov. uk (remove spaces).

I have various projects for which I want to use forum software. With the clock ticking down on the grace period, it's imperative for me that whatever forum I use includes an admin option that triggers an automatic permission gatherer like the one on the ICO's site. It also, obviously, needs to allow the user to either continue using the site without cookies (with restricted functionality, if necessary, like not being able to join) and that spells out what any "strictly necessary" cookies are used for and how.

I don't agree any forum can claim it's "strictly necessary" to use cookies because they're needed for logging in - purely and simply because not everyone wants to log in.

As, presumably, a US-based project, I don't know whether Simple Machines is prepared to add this kind of functionality. If not, they will be severely restricting their market as far as law-abiding UK and European webmasters are concerned. In the long run, I could easily see how a lack of interest / willingness to address this issue could easily lead to SM getting a bad reputation and even to forum publishers suffering quality score penalties in natural search rankings.

[Kindred]

Sorry, Jonathan, but I disagree with your interpretation of the need for such an intrusive "warning".

[JohnS]

Jonathan
I think there are differing views on the new law and there is no doubt the UK version is much more restrictive than any other country. But I believe you are spot on with your statements.
I do not believe that SMF in its current form can be totally compliant, it would require a permission prompt prior to setting or interrogating any cookie to be fully compliant. But it does depend on how 'essential for the site operation' is defined and only time will tell on that. My view is that all the cookies initiated by SMF are not strictly necessary, the only one that can be strictly necessary would be the one that shows you have registered. It could be said in fact that there is no way you can now legally operate a website because of this law (it is not just cookies but no information at all can be read without prior permission, so technically reading the HTTP headers is not allowed).
For my own part I have modified the scripts so that all registered users are forced through a re-registration page where they can read the new terms and conditions, I believe this is adequate for the moment, however like you I would like to see the option for all visitors to the site to accept or reject cookies and not be able to use the forum unless they agree to cookies and no cookie to be set before they agree. This is something I will look into later though there is no doubt it is a major task.
But for the moment I think that forcing all users to re-register under new terms displays the intent to comply, but further work may be needed, once guidelines have been set by the ICO, to ensure full compliance.
I have already removed Google tracking and other third party cookies from my web pages as they are definitely non compliant.
I can only hope that the ICO will issue some better guidelines on this law. If nothing comes out by the end of the year I will definitely be contacting them.

[Jonathan UK]

Sorry, Jonathan, but I disagree with your interpretation of the need for such an intrusive "warning".

Whilst I respect your opinion, I can only point out that the example I offered (ico.gov.uk) doesn't illustrate my interpretation that such an intrusive warning is needed, rather it is evidence of how the body that defines and polices this law within the UK interprets it. And for UK webmasters, it is the ICO's view (not mine, not yours) that counts.

We can dislike this as much as we want, but it won't change the facts. This is simply what an active opt-in looks like.

The ICO is practicing (and providing a practical example for others of how to comply with) what the UK has decided the new law requires. In the absence of further guidelines, this can and must surely be regarded as the template that we should all be busy preparing to follow.

[JohnS]

It is interesting that the ICO on thier website are setting two cookies without permission saying they are essential to the site operation. They are setting __utma and __utmz which are Google tracking cookies. I would have hardly thought they are 'Essential to the operation of the website'.

[Jonathan UK]

Jonathan
...For my own part I have modified the scripts so that all registered users are forced through a re-registration page where they can read the new terms and conditions, I believe this is adequate for the moment, however like you I would like to see the option for all visitors to the site to accept or reject cookies and not be able to use the forum unless they agree to cookies and no cookie to be set before they agree. This is something I will look into later though there is no doubt it is a major task...

It sounds like you're making excellent progress, John. The obvious problem with waiting for further guidance is that if / when it comes at all, it may come too late to allow sufficient time for all of the necessary and very time-consuming recoding, testing, rolling out, etc that needs to happen before the grace period runs out.

In an ideal world (and I do appreciate the work this would entail), publishers of forum, blogging and other template-based software packages should already be preparing, testing and rolling out a new "cookie permissions" menu / module, which gives webmasters choices from a range of options (eg full "belt and braces" / highly intrusive, medium intrusion, low intrusion). This kind of approach would help to enable publishers across different European jurisdictions to choose whatever they feel best fits with their own local laws and also their personal comfort factor in complying with them or pushing their luck.

[Jonathan UK]

It is interesting that the ICO on thier website are setting two cookies without permission saying they are essential to the site operation. They are setting __utma and __utmz which are Google tracking cookies. I would have hardly thought they are 'Essential to the operation of the website'.

Perhaps they're experimenting a little. I understand they lost 90% of their Google Analytics tracking data upon introducing the opt-in. Cue the sound of chickens roosting.