European directive that prohibits businesses' websites downloading cookies without permission
Apparently there is a new European directive coming into force on 25 May that prohibits businesses' websites downloading cookies onto people's computers without first getting their permission.
More info here:
Hope someone can help advise please.
You should be fine :-)
To be clear, this is something that's going to affect just about every other CMS out there, which is why I'm surprised by it. I don't think it's going to be the biggest problem on Earth (just click Accept for the site that you use concrete5 on), but if you don't accept the cookie you won't be able to login to make changes. That's all.
It'll be a one time opt-out option. If you don't check the box, you can't sign up, but can browse around the guest areas till your heart's content.
Sure it affects all CMSs and BB and the countless others. But a slight change from the default shouldn't be too hard. CC5 could then promote the fact that it is compliant and that others are not - get a jump on the competition.
> trying to login.
The most important bits:
"If a cookie forms an integral part of a website’s functionality – for example, a shopping basket or the storage of a user’s personal preferences – no consent need be obtained and life, for both the website owner and the user, goes on as normal."
The issue here is that no guidelines have been published by ICO as yet and each member state has some freedom in how they implement/interpret the directive in that country's laws.
The salient point here is the statement from the council:
Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.
No definitive stance can be taken until ICO releases the guidance notes that should stipulate what is considered as "explicitly requested" and "strictly necessary". This is why there is so much confusion.
"limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user."
well we are storing stuff that is necessary for legitimate purposes... so nah. ;)
Could things be built in other ways? sure.
Does it make sense for us to put ourselves out there on the bleeding edge of this stuff? I don't think so.
My perspective on this is: changes = pain. Changing something this deep almost surely will get us lots of unexpected use cases that break things. Can we do that if there's a good reason? Sure. We change stuff all the time. But we only do it after having a very honest conversation about the inevitable down side.
Here it seems like what needs to happen is someone needs to sue google or some other ad network for actually tracking the type of data this law is about, and then, however many years from now, there may be some new clear standard that we all really will need to worry about.
In the meantime, I don't see any advantage in worrying about this, just pain.
By all means correct me if my vision is blurry.
1. Absolutely essential. See Synonyms at indispensable.
2. Needed to achieve a certain result or effect; requisite: the necessary tools.
a. Unavoidably determined by prior conditions or circumstances; inevitable: the necessary results of overindulgence.
b. Logically inevitable.
4. Required by obligation, compulsion, or convention: made the necessary apologies.
n. pl. nec·es·sar·ies
So no. It is not "necessary" just to view a site (the service). Even so. It is definitely not "explicitly requested". But we can argue semantics all year. The guidelines will be the measure of the law.
This isn't just a pain. This (as of the 26th May) will be LAW. And it won't be Goggles in the dock. It will be the Hardware or the Jeans Shop Owner and not some faceless corporate entity.
I think even if you gave a "How-To" on making CC5 compliant (even if it meant some things wouldn't work) people would be a lot less worried. At the moment, there seems no way out IF they decide to be draconian about it (remember these are bureaucrats, not programmers). Apart from specifying that no CMS can be used and hiring programmers to produce the sites (you gotta feel sorry for European web-builders ;) ) there seem very few options.
Regardless, if Wordpress with all their funding and clout is going to sit on this, so are we. I promise you we won't be last to address this, but we certainly aren't going to be first either.
Apparently (only read a little bit so may be wrong) Joomla only fires a cookie on login. So just some text on the login page is needed.
But how's it being used, if at all, for those not logged in? And doesn't the answer to that question kind of get to the heart of the issue anyway?
number, we're looking into ways to sniff your home address too.
Seriously... omg guys.
to me reads like this only applies to 3rd party cookies. The only actual research anyone has shown me to say otherwise is Phallanx quoting the original law in PDF form, which he admits is rather lengthy and difficult to interpret. Moreover the statement there is beyond vague. Frankly I know what "necessary" means and my bet is most of the eff'n web isn't it. "Necessary" and the web don't really go hand in hand, and certainly wouldn't hold up very far in court. This reminds me of the infamous ADA requirement at level 1 that "sites have content with meaning." Good luck on that, I've been asking clients to do that for years.
Look around gang:
"As a small self-funded startup we just don't have the time to analyze and interpret the legislation, especially when given just over two weeks' notice."
<-- i liked that one..
"...the new EU law is a shambles."
"The EU is also ignoring the fact that 100% of web software by default creates a cookie for sessions, with millions of websites built by amateurs producing just this effect. It will be unfeasible to police
I haven't even left the first page of "cookie europe" on google yet.. (although I did get some great recipes for Christmas cookies as part of this casual search)
Wordpress does the same thing that we do, along with all sorts of other solutions out there. I'm betting I'm not the only guy who is looking at this as a potential nightmare and would rather not run around changing things that work, potentially making them not work, just because someone in the EU has their panties in a bunch about
And just to be clear, that is clearly what this law is supposed to be for. No one likes the idea of advertisers storing information about you so you see ads you might actually be interested in (for some reason that escapes me). I don't think anyone knows how this law will actually pan out, but the goal is to take big advertising companies to task with it, not to sue Mr. Hardware as Phallanx argues. There's no money in suing your local church website. There's plenty of political clout to be won by taking google to court over your privacy. That's the motivation here. Look at Korea, look at Switzerland.
Given a clean slate and ideal world, I agree. Sure. Being "compliant" with this nebulous law might win us some new customers. If I were designing a CMS from scratch tomorrow, I'd argue to not start a session unless you really had to. But today, that's not how concrete5 works, and changing it is more than simply wrapping it in an If statement. There's a lot of add-ons and websites already built that assume that session exists; changing this could break all of them. I don't want to disappoint, but I have come to learn my job is NOT saying yes to every potential feature or request that comes down the pipe but instead weighing which ones have the best potential up side vs. the inevitable down side. Since no one seems particularly clear on what this law means, I don't think the up side of being compliant with something that is likely to change outweighs the potential for disaster in rushing out a quick change so deep.
Alllll of that being said... I will continue to bring this up in architecture meetings in the office here. Perhaps this is something we can make parameter driven from the dashboard and that way we can say you can run a compliant site with concrete5, but not change the way things work today for everyone just because of some moronic
I've just read this:
I hope Goggles will take care of that or it gets left out of ICO's guidelines.
source: http://www.dcms.gov.uk/images/publications/FWR_implementation_Gover... (cookies start on page 71)
Looking at the ICO website today they have a notification which asks you, but they also set a cookie which they claim is essential.
So I guess we could just create a similar block for c5 that displays the message.
If someone were to block these cookies on a concrete installation, how much of the site would break - on a plain vanilla installation?
On a side note - I also like the fact that when shown the notification you cannot click continue unless you accept the cookies (even if you can then continue to browse the site).
Otherwise next year we will need to try and rush through 100+ sites.
But I agree this is not an immediate problem, but certainly one that when creating new sites we should be considering and maybe even trying various methods.
Hopefully a few of us might be able to find a way to action this.
I shall PM a couple of people I met at the 1st UK C5 meetup who do a lot of work on the C5 backend code to see if they have any ideas to point us in a good direction.
"Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site."
I've been looking at this in detail and the only real issue (if we accept that a session cookie is OK) is google analytics. Not great because we all use GA, but fairly straightforward should we wish to do something about it and Google don't. Even if a session cookie isn't OK, I think we can cope with it.
Since the technical aspect of complying is fairly straightforward (however unpalatable) if we want to comply, what do people think we should do? Just accepting on login won't do if we want to get the visitor to accept our cookies ASAP so we get GA hits regardless of whether they are a member or not. Neither do we want to plague them with popups.
The ICO have gone for a banner at the top of the page with an accept button. This seems kind-a 1990s to me and doesn't really encourage the user to click apart from the annoying factor and, to be honest, is more alarming than anything else. Whilst that is fairly simple, can anyone think of a better (more fun?) idea? Do we want to be draconian and place a modal dialogue so they have to accept to get to our goodies? Or do we have a timer that counts down and automatically accepts after (say) 20 seconds if they don't press any button (do nothing to opt in). Or maybe they have to chase buttons around the screen to accept or deny. Any other thoughts suggestions etc? Or should we just KISS.
It's all client side but, if you implement Google Analytics in your theme like I do for convenience, it's very simple to implement. If you don't, it's no biggy to do it that way.
It follows the ICO website's approach, but is just a little more 'in your face'. ICO is seeing a 90% drop in Analytics data (not traffic), purely (I think) because their disclosure is 'TOO' easy to ignore.
It's a trade off, you want opt-in, but don't want to be too intrusive.
This probably won't be right for everyone, but it's perfect for the sites I manage.
Hope it helps.
Miser now can remove the GA code unless a cookie is available. I just have to put the banner on the pages and set the cookie if they accept. Miser does the rest (server side).
- DPA is touted as a reason "not to" do anything helpful, the chances of ever getting prosecuted for breaching it are virtually nil, even if a complaint is made against you because the Information Commissioner (who enforces it) is toothless.
- We have case law as a precedent in the UK. So you won't know what the punishments will be and who will be punished until cases come to court and fines are imposed. This is regardless of what the law actually states, it is not how you interpret it, it is how a judge does when presented with facts.
We have tort law in the UK, which basically means you can only be punished for or caused to repay the harm you caused. So setting a session cookie at the start causes zero harm, so the punishment could only ever be a nominal fine, if anything at all. It follows from this it would not be in the public interest to prosecute.
With all these things pay lip service to it, and make some effort to comply, to cover your backside but don't break your balls. Until someone gets "done" you won't know. If you ever get brought to book over it, show that you tried to be compliant, best intentions etc. and there will be no comeback. It is not a case of "I did not know", it is currently a case of "No one knows".
I know in computing we all like a bit of boolean logic to get us through, but this is the LAW and it is always grey. Even if you think you are complying, you might not be. Don't worry about it.