EU law banning cookies...

Arantor · May 27, 2012, 11:14:01 AM

That's what I've been saying for a while but apparently only you and CircleDock seem to listen to me :/

Tell you what though, if you assume users won't accept the ECL but still want to view the site, you can avoid tracking guests - and save yourself a boat load of resources.

feline · May 27, 2012, 11:28:08 AM

Quote from: Arantor on May 27, 2012, 11:14:01 AM
Tell you what though, if you assume users won't accept the ECL but still want to view the site, you can avoid tracking guests - and save yourself a boat load of resources.

Exactly .. and I see that on the server logs since we have ECL enabled for our site

Arantor · May 27, 2012, 11:30:01 AM

How do you know how many guests are online if they don't accept cookies?

feline · May 27, 2012, 11:33:38 AM

not exactly .. but I think .. more the 70% visit the site without accept ecl

I think about a logging for these peoples ...

live627 · May 27, 2012, 01:39:44 PM

Quote from: Arantor on May 27, 2012, 11:30:01 AM
How do you know how many guests are online if they don't accept cookies?

In my experience, a session needs not be started (and so, no cookie) to see a guest on the who area.

EDIT: Wait, I take that back. Once I catch at least two guests on my site, I'll take a screenshot.

Arantor · May 27, 2012, 03:08:01 PM

You do require a session to have been started in order for a guest to show up on the who's online page. If a session hasn't been started until absolutely necessary, you won't get the proper number of guests.

That means when I looked earlier and saw 6 guests, that's a fraction of the number of real guests who've opted in, which means it becomes a meaningless number.

live627 · May 27, 2012, 05:39:01 PM

Hmm... then this _is_ curious!

feline · May 27, 2012, 06:20:08 PM

You have installed any ECL Opt In?

live627 · May 27, 2012, 07:13:08 PM

No, not exactly. Sessions are disabled for guests. Only two lines of code at the beginning of loadSession() were needed

Plus the BB cookie and its injection code are totally gone, another two lines.

Arantor · May 27, 2012, 07:21:59 PM

Interesting, very interesting. I may have been mistaken as to what was used to record state in the online log - guests are logged by IP address, not session ID in there.

But there's a LOT of assumptions in writeLog with respect to sessions being enabled.

Tony Reid · May 28, 2012, 03:50:17 AM

Had to laugh at this blog... so true :

Dear ICO: This Is Why Web Developers Hate You
http://blog.silktide.com/2012/05/dear-ico-this-is-why-web-developers-hate-you/

CircleDock · May 28, 2012, 05:52:49 AM

Quote from: Tony Reid on May 28, 2012, 03:50:17 AM
Had to laugh at this blog... so true :

Dear ICO: This Is Why Web Developers Hate You
http://blog.silktide.com/2012/05/dear-ico-this-is-why-web-developers-hate-you/

That blog has been taken down ....

feline · May 28, 2012, 06:43:43 AM

Quote from: live627 on May 27, 2012, 07:13:08 PM
No, not exactly. Sessions are disabled for guests. Only two lines of code at the beginning of loadSession() were needed Plus the BB cookie and its injection code are totally gone, another two lines.

That is not enough ... in SMF you will find a lot of code they grab the SESSION .. but if none exist, it will give a lot of errors. Same in the WriteLog() .. just after the Spider checking, you have to leave the function ...
if(!checkECL_Cookie() && empty($user_info['possibly_robot']))
return;

feline · May 28, 2012, 06:46:39 AM

@Tony Reid .. you think, that will help anyone? it's polemic .. not more not less

Tony Reid · May 28, 2012, 08:17:01 AM

Implied Consent explained...

ICO Guide - V3

Arantor · May 28, 2012, 08:33:39 AM

I wouldn't call that 'explained'. I call that 'even more confusing than before'.

The key phrase I'm referring to is where it says (as I already said) about how it's not a 'we don't need to do anything' exception. It actually makes things a lot more confusing because I'm not sure how you can argue things like session cookies as having implied consent.

The example they give is a shopping cart, yes, I'm fine with that as having implied consent. Same with SMF logged-in cookies. But there is no way you can convince me that the session cookie is any way implied.

Tony Reid · May 28, 2012, 08:43:24 AM

Yep - I agree confusing.

Interesting how this bank/building society interprets implied consent...

http://www.ibs.co.uk/legal/our-cookie-policy

And these.. http://www.sophus3.com/pulse-and-events/ico-implied-consent-can-be-sufficient-web-analytics-cookies

Still think we need to continue as we were - belt and braces type approach.

I've still got bits to do, but getting there slowly.

Arantor · May 28, 2012, 08:45:11 AM

*nods* Pretty poor piece of wording from the ICO, really, especially given how much confusion 'strictly necessary' caused, and I can bet many will interpret implied consent as 'we don't have to do anything'.

Tony Reid · May 28, 2012, 08:48:36 AM

This magazine, suggests its more opt out than in... and an implied notice is good enough..

http://www.pcpro.co.uk/news/enterprise/374734/ico-no-fines-for-breaking-cookie-rules

Also note its content...

Tony

Arantor · May 28, 2012, 08:54:51 AM

That's not how I read it. It seems to me that it's more a case of 'it's law but the ICO understands that it isn't cleanly enforceable and that it will assess cases on a case by case basis'

Though the term 'distressing' is interesting, at what point does a cookie's use become distressing?

News:

EU law banning cookies...