New European Cookie Laws
Tony Reid:
Incidentally - if anyone is using adsense, then they need to consider turning off behavioural 'Interest based ads'.
This can be done via Adsense > Allow and Block Ads > Advanced Settings > Interest Based Ads Preference.
The reason I mention this is because Google's policy states that the cookies they drop for the site belong to the site, so they are our responsibility.
So, it's just a precaution.
CircleDock:
--- Quote from: Tony Reid on April 24, 2012, 04:03:47 AM ---Looks like the ICO might relax the analytics side... in terms of action at least - I guess this is possibly due to the fact that the UK government's digital advisory committee is saying that the government websites' use of analytics is a necessity and essential.
http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/
--- End quote ---
And that is possibly why the ICO is requiring owners to display a single "opt-in" as a blanket for all cookies. However I dispute the need for Google Analytics because the same information - but in a less presentable way I agree - is available by inspecting the server logs using a tool such as WebStats or Awstats.
Elsewhere I read a comment made by a well-known SMF "luminary" in which he said that anyone who is truly concerned about protecting privacy should not be using Google Analytics. I agree with him.
JohnS:
Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie. You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.
People are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.
What the UK government or ICO may say, may not be enforceable, both of them could be taken to the EU courts for failing to uphold the directive or if they fail to prosecute those who break the directive, those owners could be taken to the EU courts. As I have said before, I don't think there will be prosecution of thousands of small websites, the system could just not handle it and until they have their own back yards sorted out they are unlikely to do so. But I still think that where it is possible to comply you should and you must definitely know exactly what your site is doing and have an explanation of that somewhere on your site and some policy statement of how you are trying to comply.
Also do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.
Many may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.
JohnS:
--- Quote ---But there's one very important aspect that's not addressed at all and that relates to shared computers.
--- End quote ---
This is a whole new minefield, which as far as I can see has no solution under the current law.
You can not legally check whether a cookie is set without getting advance permission, despite the fact the cookie information is freely available in the header you are not allowed to check it without advance permission.
You do not know whether that person has visited the site before until you check for cookies, but you can not do that without permission and as you do not know until you read the cookie you have a catch 22 situation.
So you must always take everyone to a log in page to get that permission before doing anything else. The ICO do not do this, they rely on setting a permanent cookie and reading that to let you in the next time.
There is no request for permission the second time you visit and there is no opt out facility, at least none I can find.
Then on to shared computers and computers used by people who do not own them (example in the workplace). It can be argued under the law you require the permission of the user or the subscriber (that being the person who pays the bill for the service provided). So you could get a situation where the user has agreed but the subscriber specifically disagrees, the law does not seem to allow for this and it is not known who will take precedence. For example a user who uses their PC at work may give permission, but their company who is the subscriber may have a policy banning the use of your website in the workplace.
What happens if two people share a PC, the one who does not pay the bill gives permission, then the person who does pay the bill uses the PC and finds cookies set which they do not agree to?
The only way I can see to comply with the law is to use session cookies only so they do not move from user to user and to require log in every time someone visits the site before a cookie is set.
I don't think there will be any answers to these questions until there have been some prosecutions to set case law.
CircleDock:
--- Quote from: JohnS on April 24, 2012, 04:55:02 AM ---Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie. You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.
--- End quote ---
Firstly - and in my view - Google Analytics is completely unnecessary unless you're using its secondary purpose, coupled with the Adsense script, which is to provide targeted advertisements. That Adsense script does not itself set cookies but relies on one or more of the "__utm?" cookies for that purpose. In fact disabling it will make your site load faster particularly at times of high traffic volumes.
--- Quote ---People are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.
--- End quote ---
This would imply separate opt-ins for first and third party cookies which is not currently required by the ICO who clearly state that a single positive "opt-in" for all cookies is necessary. Of course that could all change at any time - and probably without notice!
--- Quote ---Also do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.
--- End quote ---
My UK Host hasn't mentioned this but it is entirely possible that they will have a part to play in enforcement. The ICO could simply instruct hosting companies to suspend the accounts of any site owners for whom the ICO has received complaints. Cheaper and much easier than the ICO itself taking action.
And you're quite right about the privacy groups who will, I'm sure, be quite indiscriminate in who they report. Since they are the ones from whom the ICO will receive the most complaints, it rather reinforces the view that I believe the ICO will get the ISPs to act as enforcers, especially in the case of the smaller sites which probably aren't worth the effort in prosecuting.
--- Quote ---Many may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.
--- End quote ---
That's very true.