EU law banning cookies...

Started by Web Help Forums, April 03, 2011, 08:07:19 PM


Web Help Forums

Each country is going to specify their own cookie laws, but generally speaking people have to consent before cookies are used from the 25th May.

I *think* a login into a forum would automatically be considered consent...

So my question is: Will SMF on its own under any circumstances store cookies before login is made? If so, any chance for an option of disabling this?

I am trying to slowly work my way through it all before May 25th

butchs

This link says:

Quote
Dutch law requires an opt-out regime for cookies: users need to be informed about the placement of tracking cookies, and they need to have an option to opt-out of having these cookies placed on their computers.

As far as I know SMF does not install tracking cookies.
;)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Illori


flapjack

However if the data being stored in the cookie is a requirement to provide the service (which would include cookies relating to shopping basket, logging in etc.), consent is not required. The key point of the law appears to be to control 'behavioural' tracking, which is used to target adverts to a user based on what they have looked at or how they have interacted with websites.

http://www.f2b.co.uk/blog/2011/3/14/new-eu-cookie-law-what-does-it-mean-for-uk-websites/

Web Help Forums

Are any cookies set before a user logs in to the forum? If so, I am 99% sure that it's not legal from 25th May. (I followed quite a few discussions, but I am not a lawyer, so my opinion is not any better than anyone else's!)

It's true cookies can be set if/when consent is implied. I guess that a login into a forum would be consent.
It is also true I have seen shopping carts listed as an exception. (Not anything else though)

The purpose of the cookie as such does not matter AFAIK. (Even if the intent was to target tracking cookies, the law got much broader)


Aleksi "Lex" Kilpinen

The directive is first and foremost about ADVERTISING, and it is a directive - Directive is not law.
The directive is not a law, does not ban cookies and does not apply to cookies during log-ins or cookies issued as part of a shopping cart.

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

sawz

I like chocolate chip and pecan sandies.  ;)
keep smiling, they'll always wonder what you're up to.....

live627

if my cookies are banished I'd go hungry O_o

青山 素子

Based on what I've read on the law:

  • It only covers cookies used to track users
  • It only applies to 3rd party cookies (those not coming from your site directly, but through something like an advertising network)
  • Exceptions are given for cookies "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

This means that SMF by itself wouldn't run into any problems. Any cookies set are used to provide service, such as marking you as banned (this prevents an expensive database lookup) or keeping your session ID.

Any cookies added by an owner directly or indirectly, such as through an advertising service, would possibly need to be disclaimed. That is the responsibility of the site owner as they added such a thing.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Aleksi "Lex" Kilpinen

Also - Please, remember that EU directives are not law. EU directives are something that most EU countries use as recommendations to write local law, but are not bound to accept directives as law 1:1.

SlammedDime

And also note that Simple Machines is a United States based company and is not bound by other countries' laws or directives (yes, the project should do what it can to accommodate, but is not required to do so).
SlammedDime
Former Lead Customizer

青山 素子

Even if the directive did have the force of law, the SMF software wouldn't be in violation.

It's really the responsibility of the site owner to ensure that all software they use on their site is in line with local regulations.

Also, agreed with SlammedDime.

As a note, simplemachines.org the site wouldn't have to follow the directive anyway with this site, as it's hosted in the US by a US-based company.


Tony Reid

Tony Reid

Arantor

That's even more unhelpful information than anything provided before. What does 'implied consent' actually mean for forums?

Aleksi "Lex" Kilpinen

I was fairly certain this would happen - the law would not have worked at all otherwise, and would have ended up like so many other crappy EU directives - pointless, and never forced...

Tony Reid

Quote from: Arantor on May 26, 2012, 12:04:44 PM
That's even more unhelpful information than anything provided before. What does 'implied consent' actually mean for forums?

Essentially it puts the onus back on the user rather than the website.

Hopefully more information will follow shortly.
Tony Reid

Arantor

I realise that the onus is put on the user - but at the same time I also note that comment in that advice that it should not be taken as 'we don't have to do anything'.

And actually, the law would have worked as intended, since the intention was not to make compliance onerous - the 'strictly necessary' exception would have worked had it not been so badly defined.

CircleDock

Quote from: Tony Reid on May 26, 2012, 11:56:45 AM
Cookies law changed at 11th hour to introduce 'implied consent'

http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent
I have the feeling that the ICO had to modify its advice and requirements in view of the fact that its own site is still not fully-compliant with the law and neither are many public sector web sites in the UK; saves them some embarrassment. However there is an EU draft designed to strengthen the data privacy regulations and once that becomes a Directive, the ICO may well have to state that implied consent is no longer acceptable.

As Arantor has said many times, SMF's own cookies do have a tracking element albeit restricted to the forum site but stripping those out completely would result in an apparent loss of real time tracking of site visitors, even though the results are often misleading.

Into this mix we also have the "Do Not Track" initiative which is a settable browser option (for all modern browsers) and it's easy to test for its existence. If a visitor has that option set - and it's off by default - then we should assume that the user has already made an informed decision and not set any cookie that can be classed as a tracking cookie - and that arguably includes SMF's PHPSESSID.

Arantor

I have to admit, having read some more of the discussions on it, I'm actually even less convinced 'implied consent' is applicable to us.

Yes, I get that it covers the sign-up cookie, and I could probably be content with the view that the statement in the registration agreement to the effect of cookies, that to me is a bit better than implied consent but it falls far short of what the law mandates should be done with cookies.

The problem comes back to the session cookie. There is nothing to indicate that session cookies are applicable, so I fail to see how 'implied consent' is applicable.

feline

My meaning/interpretation: the session cookie is not strictly required, so we do not create it until the ECL is accepted. The handicap: you see no guests and can't track them on your site.
But the possible tracking is the critical point for having to accept the ECL (I think).
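
The two technical ideas raised in the posts above (CircleDock's test for the browser's Do Not Track setting, and feline's suggestion of not creating the guest session cookie until the ECL is accepted) can be combined in one gate. This is an added sketch, not part of any post and not SMF code; the function names and the `ecl_accepted` consent cookie are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration, not SMF code. Function names and the 'ecl_accepted'
// consent cookie are hypothetical; the sample requests below are constructed.

const COOKIE_NECESSARY = 'necessary'; // needed for a service the user asked for (e.g. login)
const COOKIE_TRACKING  = 'tracking';  // anything that follows a visitor between page views

// Browsers with Do Not Track enabled send "DNT: 1"; PHP exposes it as HTTP_DNT.
function dnt_enabled(array $server): bool
{
    return isset($server['HTTP_DNT']) && trim((string) $server['HTTP_DNT']) === '1';
}

// Consent is recorded in a first-party cookie set when the visitor accepts the notice.
function has_consent(array $cookies): bool
{
    return ($cookies['ecl_accepted'] ?? '') === '1';
}

function may_set_cookie(string $class, array $server, array $cookies): bool
{
    if ($class === COOKIE_NECESSARY) {
        return true;
    }
    // In this sketch a DNT signal wins even over recorded consent.
    return !dnt_enabled($server) && has_consent($cookies);
}

// Guest sessions are treated as tracking here, so PHPSESSID is only issued when allowed.
function start_guest_session(array $server, array $cookies): bool
{
    if (!may_set_cookie(COOKIE_TRACKING, $server, $cookies) || headers_sent()) {
        return false;
    }
    return session_status() === PHP_SESSION_ACTIVE || session_start();
}

$samples = [
    'guest, no preference'    => [[], []],
    'guest, DNT on'           => [['HTTP_DNT' => '1'], []],
    'guest, ECL accepted'     => [[], ['ecl_accepted' => '1']],
    'DNT on and ECL accepted' => [['HTTP_DNT' => '1'], ['ecl_accepted' => '1']],
];
foreach ($samples as $label => [$server, $cookies]) {
    $ok = may_set_cookie(COOKIE_TRACKING, $server, $cookies);
    printf("%-24s guest PHPSESSID: %s\n", $label, $ok ? 'set' : 'withheld');
}
```

On a live page the call would be `start_guest_session($_SERVER, $_COOKIE)`, made before any output is sent.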
