
Author Topic: New European Cookie Laws  (Read 82307 times)

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,066
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: New European Cookie Laws
« Reply #40 on: September 23, 2011, 01:58:09 PM »
The only cookie SMF itself sets is also "essential to the operation" of the software. Namely, it contains session information that enables SMF to function and remember where a user is. When a user is logged in, their account identifier is also stored so that nice things like tracking what has already been viewed will work.

So, yes, to implement a strict opt-in, you would need to have a special page outside SMF that basically asks if the person would like to continue.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline Insight

  • Semi-Newbie
  • *
  • Posts: 45
  • Gender: Male
    • James Wheeler Photography
Re: New European Cookie Laws
« Reply #41 on: March 13, 2012, 09:42:50 AM »
Sorry to revive this but since the company I work for is now implementing things on their website to cater for this law it piqued my interest again. Interesting to see the ongoing debate after my initial post albeit somewhat dismayed at the response from the SMF guys concentrating more on arguing whether this applies to them in the US.

I agree it is our responsibility to ensure our websites are legal, but surely SMF could do something to help us to make it so within the framework?

The accepted T's & C's would cover it I think as long as the website places no cookies at all prior to registration but I get the impression that it does.

How hard would it be for the SMF guys to code an admin option to display a warning message similar to that the ICO have used (presumably as an example of what they see as the best way to deal with this)? It can be switched off by default and it would be the responsibility of the installing admin to switch it on if appropriate? I can't imagine it would be a huge piece of work (or even for someone to write a mod for) with the appropriate skill level.

The cookies the ICO are interested in are not just the tracking cookies - see the text from their PDF on the subject:

Quote
Session and persistent cookies
Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies:

Session cookies – allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.
[Version 2, 13 December 2011]

Persistent cookies – are stored on a user's device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users’ preferences and choices when using a site or to target advertising.

First and third party cookies – Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #42 on: March 31, 2012, 03:37:55 AM »
It's not just a cookie law, it is 'The Privacy and Electronic Communications Regulations' which cover all sorts of aspects of electronic communications including advertising emails, location data and a lot of other items. Any web site owner in Europe needs to be familiar with the regulations applying to their country; whilst there is a common EU Directive, each country implements laws in a different way.
These Regulations are separate to the Data Privacy Regulations which you also need to be familiar with; most forums break the data privacy act in one way or another. Also if you take money in any form there are a host of other regulations that you need to be aware of.
Why do the EU make Directives.... my opinion would probably make me liable for something, let's just say it's a benefit of being in the EU!!!!!
In theory it is to protect the privacy of individuals; cookies can track them and identify what they are doing right down to what was on their last shopping list. Now you cannot do this unless you have specific prior approval from them. But what may be a reasonable idea gets hashed by the lawmakers who have no idea of technology into a law that is unworkable.

Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #43 on: April 19, 2012, 04:39:25 AM »
Quote
Sorry to revive this but since the company I work for is now implementing things on their website to cater for this law it piqued my interest again. Interesting to see the ongoing debate after my initial post albeit somewhat dismayed at the response from the SMF guys concentrating more on arguing whether this applies to them in the US.
Well yes it does apply if they have visitors to their sites from the European Union. Furthermore a similar law is likely to be enacted federally in the US following discussions between the EU and US on this very issue.

The important thing to understand is that this law requires site visitors to explicitly "opt-in" to allow the storage of cookies and no cookie can be stored otherwise. The law also requires site owners to inform visitors the names, origins, purposes and full details of the information stored for each and every cookie likely to be stored on visitors' computers, regardless of whether they are first-party or third-party cookies.

All European Union member nations are required to enact local legislation to encompass the provisions of the EU Directive known as "The Privacy and Electronic Communications Regulations" and, so far, the UK, Denmark and Latvia have such statutes. In the UK, the law comes into effect next month and it will be enforced by the Information Commissioner who has published information about the  "cookie law" here.

As I have said, visitors must explicitly allow the use of cookies and if visitors do not allow that site to place cookies and one (or more) cookies is essential for that site's operation, then further navigation on that site can be denied to that visitor. You can see that in operation on the Information Commissioner's own web site.

The fine for non-compliance or violation is eye-wateringly high: $750,000 (£500,000) so the "head in the sand" approach by some is not helpful.

It matters not if there's currently no legislation in a given EU nation, so, for example, if a site hosted in (say) Germany doesn't obtain an "opt-in" for cookie storage and a visitor from the UK feels sufficiently aggrieved, he can report the matter to the ICO who then takes up the matter with his German counterpart and that site could then be fined under the Directive.
« Last Edit: April 19, 2012, 04:53:55 AM by CircleDock »

Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #44 on: April 20, 2012, 02:10:01 AM »
Quote
It's not just a cookie law, it is 'The Privacy and Electronic Communications Regulations' which cover all sorts of aspects of electronic communications including advertising emails, location data and a lot of other items. Any web site owner in Europe needs to be familiar with the regulations applying to their country; whilst there is a common EU Directive, each country implements laws in a different way.
These Regulations are separate to the Data Privacy Regulations which you also need to be familiar with; most forums break the data privacy act in one way or another. Also if you take money in any form there are a host of other regulations that you need to be aware of.
Why do the EU make Directives.... my opinion would probably make me liable for something, let's just say it's a benefit of being in the EU!!!!!
In theory it is to protect the privacy of individuals; cookies can track them and identify what they are doing right down to what was on their last shopping list. Now you cannot do this unless you have specific prior approval from them. But what may be a reasonable idea gets hashed by the lawmakers who have no idea of technology into a law that is unworkable.
As far as UK-hosted Forums are concerned, the standard information collected and stored about members is currently not covered by the Data Protection Act - by "standard information" I mean user name, email address and IP Address. As to other personal information supplied by members, that is readily accessible to them and they are free to modify or remove that information at any time. So I'd suggest that (UK-based) Forum operators need not worry too much about the DPA.

The only possible infringement would occur in the case of banned members who had supplied personal information in addition to their user name, email address and IP Address(es). It would be prudent for Admins to delete that additional information when banning a member. (In fact, I don't know why this isn't automatically done by the core software since the US also has Data Protection laws.)

There's a big difference between the scope of the Data Protection Act and PECR and it is this: A member living outside the UK is not covered by the Data Protection Act for information held about him on a UK site. But any member living within the EU is covered by PECR whether or not his country's government has enacted that Directive and since the UK (Denmark and Latvia) have, site owners in those three countries can be held liable for violations reported by (site) members resident in other EU nations. It won't be too long before the US, Australia and New Zealand enact similar legislation.


Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #45 on: April 20, 2012, 04:57:10 AM »
I am not a lawyer and cannot give a legal opinion but do not believe some of your statements to be correct. If you hold data on someone that personally identifies them in any way, no matter how you hold that data, you have to observe the Data Protection Act. Depending on who you are and what you are doing you may not have to register with the commissioner and have an appointed data controller, but you still must observe the laws of the DPA.
With the DPA it is not a question of where the person resides, it is a question of where the information is held and where the data controller is located. I suspect some forums (or is that fora) would not qualify for the exemptions from the registration required by the DPA. I would suggest the UK based operators should either ensure they do qualify for the exemptions from registration (there is a check list on the ICO site) or they should register as a data controller. But even if you do qualify for exemption from registration you must still observe the DPA requirements.

The PECR covers the collection of ANY information from the user's computer without the prior approval of the owner. So if the user supplies that information by for example filling in an application form, that covers you for the DPA provided the wording is correct. But unless you get their permission to set or interrogate a cookie before that cookie is set, you do not meet the PECR. This is where SMF has a problem. Even if you are a guest, a tracking cookie is set without the user being aware of it. I doubt you could argue the cookie is 'essential' and no warning of that cookie is given. It could be argued that even looking to see whether a cookie has been set is a breach of the PECR.

To me there seems to be little point in banning a user, they will just register again under a different name anyway, I just remove accounts completely.

Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #46 on: April 20, 2012, 05:32:35 AM »
The information I posted is a combination of my own research combined with that of a Forum software developer based in the UK coupled with legal advice from a London Solicitor. Currently the Data Protection Act permits sites to hold basic information (the user name, email address and IP Address) without the need for that site to register as a Data Controller. But there are two caveats: sites frequently hold other personal information voluntarily supplied by members - which they can add/edit/remove at will. Storing information may well require the site to register as a Data Controller but neither of us (who've researched this) can find any evidence of Forum sites being investigated or action by ICO taken against them; the law is untested therefore. The second caveat is that privacy laws across Europe are being strengthened so what is permissible today may not be so tomorrow. And, of course, if the ICO is asked to investigate a site that has allegedly flouted the "Cookie Law" there's the risk that the Information Commissioner may look for other violations.

All the foregoing relates to sites that do not offer mailing lists, make personal information available to third-parties or sell personal information to advertisers. That's a whole different ballgame.

Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #47 on: April 20, 2012, 06:03:53 AM »
Quote
The PECR covers the collection of ANY information from the user's computer without the prior approval of the owner. So if the user supplies that information by for example filling in an application form, that covers you for the DPA provided the wording is correct. But unless you get their permission to set or interrogate a cookie before that cookie is set, you do not meet the PECR. This is where SMF has a problem. Even if you are a guest, a tracking cookie is set without the user being aware of it. I doubt you could argue the cookie is 'essential' and no warning of that cookie is given. It could be argued that even looking to see whether a cookie has been set is a breach of the PECR.
I agree and SMF has been aware of this legislation for a year and during that time has released at least one update. But no provision has been made to accommodate PECR's requirements - why? Because SMF is US-based and the law doesn't apply to them appears to be the reason. Worse than that, the software flouts PECR by virtue of the fact that it doesn't remove its expired session cookies. Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #48 on: April 20, 2012, 06:32:08 AM »
There are a  number of issues and as said these largely remain untested in legal terms, but that does not grant permission for anyone to flout the law on the basis they may not get caught.

I would imagine a large number of forum operators have absolutely no idea of the technical implications of running a forum. Or what the various add ons can do to the way the forum works.

With the DPA it is not so much what information you hold but what you use it for. No one is exempt from the DPA but may not have to register. But for example if you advertise on your site that could mean the difference between not having to register and having to register, but there are no clear cut lines and you have to work it out for each case.

At the end of the day SMF is free software and you either take it and use it or not. Requests can be made for modifications, but whether these will be done depends on the developers, their time and the perceived requirement for the changes. If the majority of developers or users do not fall under the EU directives then I can see why there is no urgency to make changes.

The session cookie is just that and expires at the end of the session (when the browser is closed) and is deleted, so I cannot really see why it needs to be specifically deleted. Though there should be some warning before it is set in the first place for guests. I am looking at ways round this, but it is proving tricky. I have already made the necessary changes for registered users, but the problem is the guest visitors.

Offline Wazza

  • Semi-Newbie
  • *
  • Posts: 98
  • Gender: Male
Re: New European Cookie Laws
« Reply #49 on: April 20, 2012, 06:39:08 AM »
Cookie Laws ???  ...sorry someone had to do it

Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #50 on: April 20, 2012, 06:43:55 AM »
Well it is a bit of a Monster....

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,066
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: New European Cookie Laws
« Reply #51 on: April 20, 2012, 12:32:13 PM »
Quote
Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

It can't be deleted, not without causing a lot of trouble. Any software that uses PHP's session system will have a cookie of that name (or whatever name is defined in the PHP configuration). This cookie is how PHP retrieves the system state information for the user when it loads. The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.

The SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.


Quote
What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

With SMF's behavior, I think it might be okay. In the UK wording, Regulation 6, section 4 says:

Quote
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Sub-section "a" should allow the default PHPSESSID cookie, as it's used only for carrying out the communication requested by the user. The SMF cookie should also be allowed under sub-section "b" as it is created only on the login of a user account (a "request") and is necessary to "provision" the forum service for that user.

Note that this covers only the SMF software itself. Adding various modifications, services, or advertising  will of course change things. Of course, the people who provide the SMF software really have no influence over cookies set or other information stored due to modifications of the SMF software or due to the environment in which the SMF software is used.


Of course, that's my non-legal review. If you want a real opinion, consult a lawyer. In fact, if you're going to push for mechanisms that would probably cause SMF to be broken to satisfy an ill-defined regulation, you should probably provide the opinion based on a specific review of SMF from a learned legal mind.

My opinions and words are my own. I do not speak for the organization, the software team (I'm no longer part of the project team), or any other person here. I am not a lawyer. Follow the above advice at your own risk.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #52 on: April 20, 2012, 01:24:08 PM »
Quote
Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

It can't be deleted, not without causing a lot of trouble. Any software that uses PHP's session system will have a cookie of that name (or whatever name is defined in the PHP configuration). This cookie is how PHP retrieves the system state information for the user when it loads. The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.
Except that it isn't!

Quote
The SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.
I believe it's actually 3 years :)


Quote
What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

With SMF's behavior, I think it might be okay. In the UK wording, Regulation 6, section 4 says:

Quote
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Sub-section "a" should allow the default PHPSESSID cookie, as it's used only for carrying out the communication requested by the user. The SMF cookie should also be allowed under sub-section "b" as it is created only on the login of a user account (a "request") and is necessary to "provision" the forum service for that user.

You appear to have quoted from PECR but PECR itself is not being enacted in European Union countries. The Directive requires member states to enact legislation that takes PECR as a minimum framework. The UK (and, I understand, Denmark) have legislation in place that states that a web site may not place ANY cookie on a visitor's PC without getting that visitor's expressed permission beforehand. In addition, the web site must have a page that details each and every cookie, its origin, the information it contains and its use. It is entirely possible that the UK implementation will be the minimum adopted by other EU nations since, under UK law, only a single opt-in to cover all cookies is required. Other countries may require either separate opt-ins for first and third party cookies or an opt-in for each and every cookie.

That SMF's cookies are necessary is actually completely irrelevant. The visitor must agree to them being placed. Of course if he declines, then further navigation of the site is unachievable - take a look at ico.gov.uk where that is exactly what happens.

So in respect of its two cookies, SMF does have an important part to play.

Quote
Note that this covers only the SMF software itself. Adding various modifications, services, or advertising  will of course change things. Of course, the people who provide the SMF software really have no influence over cookies set or other information stored due to modifications of the SMF software or due to the environment in which the SMF software is used.

I agree and for that very reason I have had to remove Google Analytics from my UK-hosted Forum.

Quote
Of course, that's my non-legal review. If you want a real opinion, consult a lawyer. In fact, if you're going to push for mechanisms that would probably cause SMF to be broken to satisfy an ill-defined regulation, you should probably provide the opinion based on a specific review of SMF from a learned legal mind.
I have consulted a lawyer and indeed much of what I have written in this topic is based on advice I have received. As for it being ill-defined, I beg to differ. The applicable law in the UK has been on the Statute books for 11 months and is clearly explained in layman's terms on the Information Commissioner's web site (ico.gov.uk) and has been mentioned in at least 2 other topics on this web site. The problem is that because this is not part of US law, there is no interest in making the software compliant.

Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #53 on: April 20, 2012, 01:27:04 PM »
I cannot give a legal opinion, in fact I am not sure at the present time that even a lawyer can until there is some case law to give precedent. However from informed reading I believe it is the purpose of the cookie that can define whether or not prior permission is required.
At first glance para 4a could seem to apply, but this session cookie is not essential to the carrying of information over a network. Secondly one purpose of this session cookie is to track the user and provide statistics; this definitely requires prior approval, the only reason you need a PHP session cookie is for tracking purposes.
The main member cookie is easier to define: prior to 26th May you should log out everyone, put a disclaimer and link to your cookie policies next to the log in box, and that will meet the requirements for that cookie. But not for the session cookie.
What I am experimenting with is to look for the main member cookie before the session cookie is set and if there is not one then put up a bar at the top of the screen advising about cookies. There does seem to be some leeway in when you can advise about a cookie; it seems ideally you should ask before setting it, but you may, and I emphasise may, get away with advice provided it is given as early as possible in the chain of events. But there is no doubt the regulations require you to tell people you are setting cookies whatever they are.
I am pretty sure it will require a complaint to initiate anything; I doubt the ICO will be sending out web robots to look at all sites. But I am not sure I would want to hide behind that.
The disclaimer of course... use any of the above at your own risk.

Offline CircleDock

  • Semi-Newbie
  • *
  • Posts: 96
Re: New European Cookie Laws
« Reply #54 on: April 20, 2012, 01:51:38 PM »
Quote
I cannot give a legal opinion, in fact I am not sure at the present time that even a lawyer can until there is some case law to give precedent. However from informed reading I believe it is the purpose of the cookie that can define whether or not prior permission is required.
At first glance para 4a could seem to apply, but this session cookie is not essential to the carrying of information over a network. Secondly one purpose of this session cookie is to track the user and provide statistics; this definitely requires prior approval, the only reason you need a PHP session cookie is for tracking purposes.
The main member cookie is easier to define: prior to 26th May you should log out everyone, put a disclaimer and link to your cookie policies next to the log in box, and that will meet the requirements for that cookie. But not for the session cookie.
What I am experimenting with is to look for the main member cookie before the session cookie is set and if there is not one then put up a bar at the top of the screen advising about cookies. There does seem to be some leeway in when you can advise about a cookie; it seems ideally you should ask before setting it, but you may, and I emphasise may, get away with advice provided it is given as early as possible in the chain of events. But there is no doubt the regulations require you to tell people you are setting cookies whatever they are.
I am pretty sure it will require a complaint to initiate anything; I doubt the ICO will be sending out web robots to look at all sites. But I am not sure I would want to hide behind that.
The disclaimer of course... use any of the above at your own risk.

I wish that were true, but I'm afraid it simply isn't. You must obtain opt-in consent before setting any cookie. That advice is on the ICO web site and is exactly what a senior member of his staff advised my solicitor.

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,152
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: New European Cookie Laws
« Reply #55 on: April 20, 2012, 02:15:11 PM »
I'm keeping a keen eye on this issue too.

Just to assist the thread - I've attached the ICO guidance document which is a bit more layman than the actual regulation itself.

Tony Reid


My Big Board
www.FertilityFriends.co.uk/forum - An SMF powered forum with over 5 million posts

Offline Night09

  • SMF Hero
  • ******
  • Posts: 1,940
  • Gender: Male
Re: New European Cookie Laws
« Reply #56 on: April 20, 2012, 02:24:04 PM »
Does this bungling bunch of euro braindeads realise the wider implications of this totally useless time wasting piece of ****** law?  There is so much I could say here but will refrain because this forum is for all ages and users.. The amount of small businesses that may be destroyed overnight will only serve to add to the recession and further set us all back when it comes to recovery and prosperity. We are all the accused until proven innocent and have the right to privacy unless it's a massive company like Google spy network, Murdoch phone tapping department or the UK gov and their new bill they should all be shot for even dreaming up.

I'm sick to death of laws to protect us really an excuse to spy on every single person without need for a warrant or any kind of permission. This cookie law is a joke, cookies are what makes the net work and without them it will make the storage of basic information toward the user experience a right pain in the ass to implement. I can simply block cookies from sites I don't want to be stored and maybe the idiots should have just learnt people that instead of making a big song and dance causing how much lost revenue?

I pray there is a revolt soon because we're sleepwalking into a control state with a world government that dictates everything to us and we subserve and obey....

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,152
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: New European Cookie Laws
« Reply #57 on: April 20, 2012, 02:34:17 PM »
You're right - it's total BS... but working together we can solve this.

Tony Reid


My Big Board
www.FertilityFriends.co.uk/forum - An SMF powered forum with over 5 million posts

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,066
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: New European Cookie Laws
« Reply #58 on: April 20, 2012, 04:43:05 PM »
From the ICO page http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx:

Quote
The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

    for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
    where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

If you want to be extra safe, what you'll have to do is this:

  • Move your forum to a sub-directory
  • Put up an entrance page advising of the cookies that will be set.
  • Make a small change on the main SMF index page redirecting anyone who doesn't have an "opt in" cookie set to the entrance page.
  • Require a click-through to get to the new forum location, setting a cookie (which was disclosed on that page!) to prevent SMF from kicking them out.

If you put the check right at the start of the SMF execution path, that should avoid a PHP session from being started.

Oh, this solution also prevents search engines from indexing anything since SMF now requires an "opt in" cookie to even show.

I think that would legally work, although it would probably destroy your site since you wouldn't have any results in search so you'd only get new visitors via direct referral.


The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.
Except that it isn't!

You must have an odd browser or non-default behavior. I just logged onto an SMF forum I manage. Here are the two cookies set and their expirations:

PHPSESSID: End of session
SMFCookie???: Thur 19 April 2018


Quote
The SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.
I believe it's actually 3 years :)

See above. I'm not sure if older versions used a shorter one, but 6 years appears to be the default for 2.0.2.


That SMF's cookies are necessary is actually completely irrelevant. The visitor must agree to them being placed. Of course if he declines, then further navigation of the site is unachievable - take a look at ico.gov.uk where that is exactly what happens.

Oddly, I don't get that. Apparently they don't care if you're from the US. They must be doing IP-based location.


The problem is that because this is not part of US law, there is no interest in making the software compliant.

I think the larger problem is that the law basically makes it near impossible for something like a discussion forum to properly function. That and the fact that there is a lot of confusion over what actually needs to be done, especially like how you mentioned needing opt-in for each individual cookie vs blanket-opt-in depending on country.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
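The opt-in gate described in the post above, as an added example that is not SMF's own code or the author's. Both pieces are shown in one block: a guard for the very top of the forum's index.php (before SMF loads Settings.php and calls session_start()), and the entrance page outside the forum directory that writes the opt-in cookie. The cookie name, the entrance page path and the forum sub-directory are hypothetical placeholders; the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// ---- Part 1: guard placed at the top of /forum/index.php (hypothetical paths) ----
define('OPTIN_COOKIE', 'cookie_optin');        // hypothetical cookie name
define('ENTRANCE_PAGE', '/cookie-notice.php'); // hypothetical page outside the forum
define('FORUM_PATH', '/forum/');               // sub-directory the forum was moved to

function optin_cookie_present(array $cookies): bool
{
    // Only the exact value written by the entrance page counts as consent.
    return isset($cookies[OPTIN_COOKIE]) && $cookies[OPTIN_COOKIE] === '1';
}

// Because this runs before session_start(), a visitor who has not opted in
// never receives a PHPSESSID cookie from this request; they are sent to the
// notice page instead. Note this also redirects search engine crawlers.
if (PHP_SAPI !== 'cli' && !optin_cookie_present($_COOKIE)) {
    header('Location: ' . ENTRANCE_PAGE, true, 302);
    exit;
}

// ---- Part 2: /cookie-notice.php, the only place that sets the opt-in cookie ----
// The cookie is written solely in response to an explicit POST from the form,
// so a plain GET (a crawler, a pre-fetch) never records consent by accident.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['accept'])) {
    setcookie('cookie_optin', '1', [
        'expires'  => time() + 365 * 24 * 60 * 60, // one year; constructed choice
        'path'     => '/forum/',                   // scoped to the forum only
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,                        // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    header('Location: /forum/', true, 303);
    exit;
}
?>
<!doctype html>
<form method="post">
  <p>This forum sets a session cookie (PHPSESSID) and, when you log in,
     an SMF login cookie for the period you choose at login. Continue only if you accept this.</p>
  <button name="accept" value="1">Continue to the forum</button>
</form>
```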


Offline JohnS

  • Jr. Member
  • **
  • Posts: 209
  • Gender: Male
    • Lakes Telecommunications
Re: New European Cookie Laws
« Reply #59 on: April 20, 2012, 06:04:13 PM »
@CircleDock
Quote
I wish that were true, but I'm afraid it simply isn't. You must obtain opt-in consent before setting any cookie. That advice is on the ICO web site and is exactly what a senior member of his staff advised my solicitor.

I agree you have no control over cookies already set, and I am not sure how the law treats cookies that were set before the law became effective. But if you log everyone out, they must log in again and in doing so will set a new cookie. If there is a notice about cookies at the login point then I believe you have effectively met the requirements of the law, even though it may not be strictly correct. What I am saying is that the cookie for members is probably not the issue and that can be overcome; the problem is the session cookie.

As 青山 素子 says, there are options, but these will block the search engines as well, and that is the problem: coming up with a solution that will work but not block robots. I think that is too deep into the core code to be doable as a modification.

As said, this is going to be a major problem for many websites, especially for small businesses that may not be aware of what they are actually doing. In my view the new law actually makes using the internet illegal, as your server cannot legally read the packet headers, which contain information from the user's terminal, without their prior permission, but how can you get that prior permission if you can't read the headers?

It is dangerous to read one section of the PECR in isolation; you have to take all the sections together, and also be aware that the UK law and the EU directive are not the same, and other countries' laws, where they exist or are in preparation, have taken a different viewpoint and modified things.

From the guidance:
Quote
Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.
Which implies you do not have to get prior approval as long as you do it as soon as possible, but this is just guidance by the ICO and they could be challenged on their interpretation by the courts or the EU. My impression is that the ICO will be looking for website owners to be doing as much as possible and to have a plan to eventually meet the regulations; it is not an option to be doing nothing.