New European Cookie Laws

Started by Insight, March 08, 2011, 07:54:46 AM


Tony Reid

Incidentally - if anyone is using AdSense, then they need to consider turning off behavioural 'Interest based ads'.

This can be done via Adsense > Allow and Block Ads > Advanced Settings > Interest Based Ads Preference.

The reason I mention this is because Google's policy states that the cookies they drop for the site belong to the site, so they are our responsibility.

So, it's just a precaution.

Tony Reid

CircleDock

Quote from: Tony Reid on April 24, 2012, 04:03:47 AM
Looks like the ICO might relax the analytics side... in terms of action at least - I guess this is possibly due to the fact that the UK government's digital advisory committee is saying the government websites' use of analytics is a necessity and essential.

http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/
And that is possibly why the ICO is requiring owners to display a single "opt-in" as a blanket for all cookies. However I dispute the need for Google Analytics because the same information - but in a less presentable way I agree - is available by inspecting the server logs using a tool such as WebStats or Awstats.

Elsewhere I read a comment made by a well-known SMF "luminary" in which he said that anyone who is truly concerned about protecting privacy should not be using Google Analytics. I agree with him.

JohnS

Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie. You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.

People are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.

What the UK government or ICO may say may not be enforceable; both of them could be taken to the EU courts for failing to uphold the directive, or if they fail to prosecute those who break the directive, those owners could be taken to the EU courts. As I have said before, I don't think there will be prosecution of thousands of small websites, the system could just not handle it and until they have their own back yards sorted out they are unlikely to do so. But I still think that where it is possible to comply you should, and you must definitely know exactly what your site is doing and have an explanation of that somewhere on your site and some policy statement of how you are trying to comply.

Also do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.

Many may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.

JohnS

QuoteBut there's one very important aspect that's not addressed at all and that relates to shared computers.

This is a whole new minefield, which as far as I can see has no solution under the current law.

You can not legally check whether a cookie is set without getting advance permission, despite the fact the cookie information is freely available in the header you are not allowed to check it without advance permission.

You do not know whether that person has visited the site before until you check for cookies, but you can not do that without permission and as you do not know until you read the cookie you have a catch 22 situation.

So you must always take everyone to a log in page to get that permission before doing anything else. The ICO do not do this, they rely on setting a permanent cookie and reading that to let you in the next time.

There is no request for permission the second time you visit and there is no opt out facility, at least none I can find.

Then on to shared computers and computers used by people who do not own them (example in the workplace). It can be argued under the law you require the permission of the user or the subscriber (that being the person who pays the bill for the service provided). So you could get a situation where the user has agreed but the subscriber specifically disagrees, the law does not seem to allow for this and it is not known who will take precedence. For example a user who uses their PC at work may give permission, but their company who is the subscriber may have a policy banning the use of your website in the workplace.

What happens if two people share a PC, the one who does not pay the bill gives permission, then the person who does pay the bill uses the PC and finds cookies set which they do not agree to.

The only way I can see to comply with the law is to use session cookies only so they do not move from user to user and to require log in every time someone visits the site before a cookie is set.

I don't think there will be any answers to these questions until there have been some prosecutions to set case law.

CircleDock

Quote from: JohnS on April 24, 2012, 04:55:02 AM
Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie. You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.
Firstly - and in my view - Google Analytics is completely unnecessary unless you're using its secondary purpose, coupled with the Adsense script, which is to provide targeted advertisements. That Adsense script does not itself set cookies but relies on one or more of the "__utm?" cookies for that purpose. In fact disabling it will make your site load faster particularly at times of high traffic volumes.

QuotePeople are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.
This would imply separate opt-ins for first and third party cookies which is not currently required by the ICO who clearly state that a single positive "opt-in" for all cookies is necessary. Of course that could all change at any time - and probably without notice!

QuoteAlso do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.
My UK Host hasn't mentioned this but it is entirely possible that they will have a part to play in enforcement. The ICO could simply instruct hosting companies to suspend the accounts of any site owners for whom the ICO has received complaints. Cheaper and much easier than the ICO itself taking action.

And you're quite right about the privacy groups who will, I'm sure, be quite indiscriminate in who they report. Since they are the ones from whom the ICO will receive the most complaints, it rather reinforces the view that I believe the ICO will get the ISPs to act as enforcers, especially in the case of the smaller sites which probably aren't worth the effort in prosecuting.

QuoteMany may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.
That's very true.

CircleDock

Quote from: JohnS on April 24, 2012, 05:19:08 AM
QuoteBut there's one very important aspect that's not addressed at all and that relates to shared computers.

This is a whole new minefield, which as far as I can see has no solution under the current law.

You can not legally check whether a cookie is set without getting advance permission, despite the fact the cookie information is freely available in the header you are not allowed to check it without advance permission.

You do not know whether that person has visited the site before until you check for cookies, but you can not do that without permission and as you do not know until you read the cookie you have a catch 22 situation.
Checking for the existence of a cookie is considered a "strictly necessary process" and so is most certainly permitted - at least, that is the (legal) advice I have been given. If it weren't the ICO is in violation and I rather doubt that's true.

QuoteThere is no request for permission the second time you visit and there is no opt out facility, at least none I can find.
The required process is a one-time positive action by the visitor to accept cookies (an "opt-in"). There is no requirement to offer an "opt-out" to someone who (apparently) already has opted-in.

QuoteThen on to shared computers and computers used by people who do not own them (example in the workplace). It can be argued under the law you require the permission of the user or the subscriber (that being the person who pays the bill for the service provided). So you could get a situation where the user has agreed but the subscriber specifically disagrees, the law does not seem to allow for this and it is not known who will take precedence. For example a user who uses their PC at work may give permission, but their company who is the subscriber may have a policy banning the use of your website in the workplace.

What happens if two people share a PC, the one who does not pay the bill gives permission, then the person who does pay the bill uses the PC and finds cookies set which they do not agree to.
This is my point exactly. If I were so inclined, if someone uses one of my computers and accepts cookies for a site that I have never visited, nor likely to ever visit, I would, I believe, have a legitimate complaint. Problem is, however, that this facet has not been considered or addressed by either the law-makers in Europe or by the ICO as Britain's regulator.

QuoteThe only way I can see to comply with the law is to use session cookies only so they do not move from user to user and to require log in every time someone visits the site before a cookie is set.
You can not use "login" as an implicit acceptance of cookies. The problem is compounded by the fact that none of the browsers I've checked are removing session or expired cookies.

QuoteI don't think there will be any answers to these questions until there have been some prosecutions to set case law.
That fact alone is likely to disadvantage the first few owners who come under ICO's spotlight.

Antechinus

Has anyone yet sought an opinion from the ICO as to how these laws will apply to the specific case of a discussion board?

CircleDock

Quote from: Antechinus on April 29, 2012, 09:27:48 PM
Has anyone yet sought an opinion from the ICO as to how these laws will apply to the specific case of a discussion board?
The law doesn't discriminate between different types of web site; if they're owned, registered or hosted in the EU then their owners and admins really need to comply.

The first step is to do a cookie audit. That step is fairly straightforward and simply involves finding and identifying first and third party cookies that are set by the Forum software and any mods thereto. We know the cookies SMF itself uses and the (up to) four cookies Google Analytics deploys, and they can be listed in an information panel and visitor acceptance prompted for. So far, so good.

Unfortunately that isn't the whole story. What is not at all clear is where the responsibility lies in the case of injected third-party cookies such as those AdSense, Facebook and others use to track users and their preferences. ICO does not appear to offer any specific guidance here but may take the view that as these cookies are passed in pages served by sites (that use AdSense, Facebook etc), those sites are responsible. I am aware, however, that the ICO is in discussions with these companies and, possibly, we will suddenly find pop-ups appearing from AdSense etc., requesting a specific "opt-in" to allow their cookies to be injected. On the other hand, we may not, on the grounds that we have laid the conditions for those companies - by subscribing to AdSense, for example - therefore it is up to us to seek permission. That view is reinforced by the actions taken by a site that the ICO recommends as a provider of information about cookies: http://www.allaboutcookies.org which specifically asks permission to use AdSense.

That site, allaboutcookies.org, is using a small plug-in developed by a British software company, Wolf Software, which is available under a GPLv3 license and is attached to this message. As it was developed in consultation with ICO - and has been updated to reflect more recent guidance - I believe I can safely say that it is in full compliance. In fact, this package is far easier to implement than Emanuele's mod as it only requires two minor edits - in Load.php and Index.template.php to add it (plus some edits to its configuration files to customize it). It also has the benefit of being very configurable and can optionally use geoIP so that only EU visitors are required to "opt-in". A visitor can "opt-in" for that one visit only in which case cookie information is passed in headers but the cookies themselves are not stored.
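
The audit-then-gate process described in the two posts above, as an added example that is not code from the thread, from SMF, or from any of the mods mentioned (Emanuele's mod, the Wolf Software plug-in). It is a stand-alone Node model: a name-based audit that flags every cookie it cannot explain, and a gate through which all cookie writes must pass, so that nothing except the consent record (and, optionally, strictly necessary cookies) is written before an explicit opt-in, and a one-visit opt-in yields session cookies only. The cookie names, the `SMFCookie` prefix, the `eu_cookie_consent` name and the in-memory `CookieJar` are all assumptions.

```javascript
// Added example (not code from the thread, from SMF, or from any mod
// discussed in it): a name-based cookie audit plus a consent gate that lets a
// cookie be written only after an explicit opt-in. All cookie names and the
// consent cookie name are assumptions.

// Audit table. The thread names only the SMF cookie and the "__utm?"
// Google Analytics family; the "SMFCookie" prefix is SMF's default and is
// configurable, so treat it as an assumption.
const COOKIE_CLASSES = [
  { match: /^SMFCookie/i, party: 'first', purpose: 'forum login/session', category: 'strictly-necessary' },
  { match: /^__utm[a-z]$/i, party: 'third', purpose: 'Google Analytics', category: 'analytics' },
];

// Assumed name of the cookie that records the visitor's choice.
const CONSENT_COOKIE = 'eu_cookie_consent';

// Classify one cookie name. Anything the table does not know is flagged, which
// is the point of an audit: every cookie must have a stated purpose.
function classifyCookie(name) {
  if (name === CONSENT_COOKIE) {
    return { name, party: 'first', purpose: 'records opt-in choice', category: 'strictly-necessary' };
  }
  const hit = COOKIE_CLASSES.find((c) => c.match.test(name));
  return hit
    ? { name, party: hit.party, purpose: hit.purpose, category: hit.category }
    : { name, party: 'unknown', purpose: 'UNKNOWN - needs review', category: 'needs-review' };
}

function auditCookies(names) {
  return names.map(classifyCookie);
}

// In-memory stand-in for the browser's cookie store so this runs under Node.
// A cookie without maxAge is a session cookie (discarded when the browser closes).
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  get(name) {
    const c = this.store.get(name);
    return c ? c.value : null;
  }
  set(name, value, maxAge = null) {
    this.store.set(name, { value, maxAge });
  }
  isSession(name) {
    const c = this.store.get(name);
    return c !== undefined && c.maxAge === null;
  }
}

class ConsentGate {
  // allowNecessaryWithoutConsent=false models the stricter reading in the
  // thread: nothing at all is written until the visitor has acted.
  constructor(jar, { allowNecessaryWithoutConsent = true } = {}) {
    this.jar = jar;
    this.allowNecessaryWithoutConsent = allowNecessaryWithoutConsent;
  }

  // The only read done before consent: it tells the site whether this
  // visitor has already opted in.
  readConsent() {
    const v = this.jar.get(CONSENT_COOKIE);
    return v === 'persistent' || v === 'session' ? v : null;
  }

  // 'persistent': remembered across visits. 'session': this visit only, so
  // the choice itself is also stored as a session cookie.
  recordConsent(mode) {
    if (mode === 'persistent') this.jar.set(CONSENT_COOKIE, 'persistent', 365 * 86400);
    else if (mode === 'session') this.jar.set(CONSENT_COOKIE, 'session');
    else throw new Error(`unknown consent mode: ${mode}`);
  }

  // Every cookie write goes through here. Returns true if the cookie was set.
  set(name, value, maxAge = null) {
    const consent = this.readConsent();
    if (consent === null) {
      const exempt = this.allowNecessaryWithoutConsent &&
        classifyCookie(name).category === 'strictly-necessary';
      if (!exempt) return false;
      this.jar.set(name, value, maxAge);
      return true;
    }
    // One-visit opt-in: the cookie is sent in headers but never persisted.
    this.jar.set(name, value, consent === 'session' ? null : maxAge);
    return true;
  }
}

// Walk-through with constructed values.
const gate = new ConsentGate(new CookieJar());
gate.set('__utma', 'constructed-value', 63072000);   // false: no opt-in recorded yet
gate.recordConsent('session');
gate.set('__utma', 'constructed-value', 63072000);   // true, stored as a session cookie
console.log(auditCookies(['SMFCookie956', '__utma', '__utmz', 'adnet_tracker']));
```

In a real deployment the `CookieJar` would be the response's Set-Cookie handling (for SMF, the place in Load.php where the forum cookie is written), and the audit table would be filled from the cookie audit of the installed mods; the useful property is that any name not in the table comes back as `needs-review` rather than silently passing.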

Tony Reid

Quote from: CircleDock. ICO does not appear to offer any specific guidance here but may take the view that as these cookies are passed in pages served by sites (that use AdSense, Facebook etc), those sites are responsible.

That is my understanding after reading the new Google privacy agreement.

As for Analytics and AdSense,

I've switched my Google Analytics to server-side PHP, without using cookies (ref: http://techpad.co.uk/content.php?sid=205 )

I don't really care about the behavioural side of analytics, I only need basic stats - nothing that tracks individuals - only events.

In addition I have turned off Behavioural tracking in AdSense. Just need to tweak it.

So from Google's perspective, I'm 'nearly' cookie-less but I still have JS analytics on a couple of other pages that need to be upgraded to server-side code.

I've only got to worry about my Coppermine bridge and the SMF cookie and Skimlinks on my forum (I still have JS analytics on other pages that still need to be upgraded to server-side code).

Hopefully I should have the remaining cookies cleaned up soon.
Tony Reid

Norv


Roph

I'm beginning to think CircleDock is just an elaborate troll.

feline

Quote from: N. N. on April 30, 2012, 09:02:44 AM
http://nocookielaw.com/
Well .. much interest  :D

But in fact .. the EU have the ECL and it's easy to implement that.
For the coming release of our Portal we have an option implemented to enable the ECL Mode. In this case any visitor (except spiders) must accept the storage of cookies before he/she can browse the site.
That (I think) is the best option and it needs only one click more if you enter the site ...

Tony Reid

Quote from: Roph on April 30, 2012, 09:54:17 AM
I'm beginning to think CircleDock is just an elaborate troll.

That's a bit unfair. I think he is pretty accurate, and you could adopt a strict approach like his suggestions. The Wolf Software he recommends is a good way to become compliant too.

My personal view is to work towards the guidance, and be open and honest to your users about everything. Including warning users about cookies and, more importantly, stopping any third parties from using behavioural tricks on our users. As it stands currently, we have to do what they say - and if not then we have to prove that we are trying to be compliant.

I think the bit that gets people emotional is the fines. Yes there are fines 'UP TO' 500,000GBP, but even then you would have an enforcement notice to comply within x amount of time. Unless it is of an extremely serious nature (such as health records, mass credit card leakage etc) and then you get a 'stop now' enforcement.

And the 500k isn't specifically for the cookie law - as some would have you think. It's the max penalty the ICO can impose for breaches in all data protection related areas.

QuoteMonetary penalty notices
A monetary penalty will only be appropriate in the most serious situations. When deciding the amount of a monetary penalty, the Commissioner not only takes into account the seriousness of the breach but also other factors including the size, financial and other resources of a data controller. It is not the purpose of a monetary penalty to impose undue financial hardship. The amount must not exceed £500,000 and is not kept by the Commissioner, but paid into the Consolidated Fund owned by HM Treasury.


Tony Reid

CircleDock

Quote from: Tony Reid on April 24, 2012, 04:08:52 AM
Incidentally - if anyone is using AdSense, then they need to consider turning off behavioural 'Interest based ads'.

This can be done via Adsense > Allow and Block Ads > Advanced Settings > Interest Based Ads Preference.

The reason I mention this is because Google's policy states that the cookies they drop for the site belong to the site, so they are our responsibility.

So, it's just a precaution.
Regardless of that setting, Google AdSense will still inject cookies but their content may be different.

The ICO categorises neither AdSense nor Analytics cookies as "essential", so one may need to consider allowing people to reject either or both - and that's one good reason for using the Wolf Software solution since it permits users to make a(n informed) choice.

To he who suggests I'm trolling: you are entitled to your opinion and, for all we know, the ECL may not even apply to you and your site. So maybe your comment was itself troll-like.

And as far as the "NoCookieLaw" website is concerned, its effectiveness can be demonstrated by the fact that the law will still be enforced as of May 26. The law is on the Statute books and it's far too late to protest against it. And those who do obviously care little for the privacy of those who visit websites.

CircleDock

I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post.

nend

This is what I think of the new European cookie law, :P

LOL, it doesn't apply to me.  ;D

But I will fight for your rights against it, because I am not fond of it.

Everything I have coded that required cookies has been out of necessity. If the cookie wasn't present the script would not work.

Take 2-SI Chat for instance, now SA Chat, if the cookie wasn't there. On every load windows would overlap because no position data is stored via the JavaScript. Multiple windows will cause sync data to be unavailable causing messages or no messages to spit out to certain windows. Basically the server side script will lose most communication with the possibly multiple client side scripts. It is a mess and will break the script, which isn't tracking, just trying to figure out what is going on with its JS counterpart.

On a side note, maybe banks shouldn't keep transaction records, because they show where you have been, they are tracking also. This is how they are looking at the internet world and it is unsafe for future development of it.

Thantos

Quote from: CircleDock on May 03, 2012, 06:26:16 AM
I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post.

I would be careful with using geo-location in such a way.  You could get false negatives and end up serving cookies to someone who was in the EU.  Plus there is the issue of a UK citizen traveling outside of the EU, can you serve them a cookie without violating the law?

IMO, if you are going to comply with it then do it for everyone, makes things easier.

emanuele

Quote from: Thantos on May 03, 2012, 11:14:34 AM
IMO, if you are going to comply with it then do it for everyone, makes things easier.
QFTW

CircleDock

Quote from: Thantos on May 03, 2012, 11:14:34 AM
Quote from: CircleDock on May 03, 2012, 06:26:16 AM
I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post.

I would be careful with using geo-location in such a way.  You could get false negatives and end up serving cookies to someone who was in the EU.  Plus there is the issue of a UK citizen traveling outside of the EU, can you serve them a cookie without violating the law?

IMO, if you are going to comply with it then do it for everyone, makes things easier.
The MaxMind database used by my changes - and used by Spuds' geoIP mod - is claimed to be over 98% accurate. That will be degraded slightly by the appearance of IPv6 Addresses but I've erred on the side of caution by assuming that they are all in the European Union (which of course won't be the case). In fact my changes assume the visitor is within the EU unless their IP Address shows otherwise.


JohnS

It is my impression that if your server or your data controller is in the EU then you need to observe the rules even if the visitor is outside the EU; if you and your server are totally outside the EU then you do not need to observe the rules even if the visitor is from the EU. The law is applied to the person providing the service, not to the end user. If you or your data controller is in the UK and your server is outside the UK then you need to seek permission to keep your data outside the UK under the Data Protection Act.
That is just my impression from reading the various laws and guidelines, but I cannot offer a legal opinion. It would therefore seem that using an IP locator is irrelevant and just slowing things down.
