European directive that prohibits business’ websites downloading cookies without permisson

Sorry for the bizarre post.

Apparently there is a new European directive coming into force on 25 May that prohibits business’ websites downloading cookies onto people’s computers without first getting their permission.

Most of my C5 sites are just simple themes that don't really use cookies for anything, does C5 do anything that would result in me needing to inform the viewer?

More info here:

Hope someone can help advise please.

View Replies:
ThemeGuru replied on at Permalink Reply
I don't really see any problem with that. The only sites I've seen that have tried to download cookies are spammy sites that send you email updates about their products.

You should be fine :-)
andrew replied on at Permalink Reply
Hmm - think I have disagree with ThemeGuru - unless we're misunderstanding each other here. I think concrete5 (along with every other PHP-based CMS, including Drupal, Wordpress, etc...) will be affected by this. concrete5 uses a session cookie to track whether a user is logged in, etc... Currently, we write that cookie when you visit the site, even if you aren't trying to login. We could potentially change this behavior, but that isn't likely to happen.

To be clear, this is something that's going to affect just about every other CMS out there, which is why I'm surprised by it. I don't think it's going to be the biggest problem on Earth (just click Accept for the site that you use concrete5 on), but if you don't accept the cookie you won't be able to login to make changes. That's all.
Phallanx replied on at Permalink Reply
This is a huge issue in the UK at the moment. It affect 99.9% of websites. But I don't really know if it is enforceable outside of the EU (or even within it).

I'll be modding my site to not use a cookie for guests since I don't need to save any of their info, but on the sign-up page I will have a check box that says they agree for the site to use cookies. That means it shouldn't interfere with the user experience by popping up dialogues every time they visit.

It'll be a one time opt-out option. If you don't check the box. you can't sign up, but can browse around the guest areas 'till your hearts content.

Sure it affects all CMSs and BB and the counless others. But a slight change from the default shouldn't be too hard. CC5 could then promote the fact that it is compliant and that others are not - get a jump on the competition.
Shotster replied on at Permalink Reply
> Currently, we write that cookie when you visit the site, even if you aren't
> trying to login.


andrew replied on at Permalink Reply
Because we track a lot of things in session and at the time it was easier to just call session_start() on every page regardless.
Shotster replied on at Permalink Reply
I see. I was just curious. I'll probably do something similar to Phallanx.

andrew replied on at Permalink Reply
It'd be kind of nice if we didn't have to do that, honestly. Enabling lazy loading sessions only when you actually need to login, etc.. although most other CMSs have sessions auto-start always. We'll check it out.
BHWW replied on at Permalink Reply
Has a solution been found/made to this now?


frz replied on at Permalink Reply
Not really. I imagine we'll do something similar to phallanx's suggestion in the next version of concrete5. I see the value in saying we're compliant with this completely insane law, but I also agree with the above poster that 99% of the web is non-compliant.
andrew replied on at Permalink Reply
Hmm. I'm not sure concrete5 is actually affected by this:

The most important bits:

"If a cookie forms an integral part of a website’s functionality – for example, a shopping basket or the storage of a user’s personal preferences – no consent need be obtained and life, for both the website owner and the user, goes on as normal."
Tony replied on at Permalink Reply
yeah, sounds like it's more for 3rd party cookies too.
Phallanx replied on at Permalink Reply
It does apply.

The issue here is that no guidelines have been published by ICO as yet and each member state has some freedom in how they implement/interpret the directive in that countrys laws.

The salient point here is statement from the council
Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate
purpose of enabling the use of a specific service explicitly requested by the subscriber or user.

So it is saying that the user has to request a service, then you can use cookies without prior consent (from your site or 3rd party) if there is no other way of supplying that service without using them.

No definitive stance can be taken until ICO releases the guidance notes that should stipulate what is considered as "explicitly requested" and "strictly necessary". This is why there is so much confusion.
frz replied on at Permalink Reply
I dunno.. it seems like there are some sound ideas that need a lot of figuring out in these laws.. I mean I'm all for not being stalked by advertisers in ways that don't make sense. I can also tell ya, that's certainly not what we're doing with the session and the verbage here sounds subjective at best....

" limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user."

well we are storing stuff that is necessary for legitimate purposes... so nah. ;)

Could things be built in other ways? sure.
Does it make sense for us to put ourselves out there on the bleeding edge of this stuff? I don't think so.

My prospective on this is: changes = pain. Changing something this deep almost surely will get us lots of unexpected use cases that break things. Can we do that if there's a good reason? Sure. We change stuff all the time. But we only do it after having a very honest conversation about the inevitable down side.

Here it seems like what needs to happen is someone needs to sue google or some other ad network for actually tracking the type of data this law is about, and then, however many years from now, there may be some new clear standard that we all really will need to worry about.

In the meantime, I don't see any advantage in worrying about this, just pain.

By all means correct me if my vision is blurry.
Phallanx replied on at Permalink Reply
"well we are storing stuff that is necessary for legitimate purposes... so nah. ;)"

nec·es·sar·y (ns-sr)
1. Absolutely essential. See Synonyms at indispensable.
2. Needed to achieve a certain result or effect; requisite: the necessary tools.
a. Unavoidably determined by prior conditions or circumstances; inevitable: the necessary results of overindulgence.
b. Logically inevitable.
4. Required by obligation, compulsion, or convention: made the necessary apologies.
n. pl. nec·es·sar·ies
Something indispensable.

So no. It is not "necessary" just to view a site (the service). Even so. It is definitely not "explicitly requested". But we can argue semantics all year. The guidelines will be the measure of the law.

This isn't just a pain. This (as of the 26th May) will be LAW. And it won't be Goggles in the dock. It will be the Hardware or the Jeans Shop Owner and not some faceless corporate entity.

I think even if you gave a "How-To" on making CC5 compliant (even if it meant some things wouldn't work) people would be a lot less worried. At the moment, there seems no way out IF they decide to be draconian about it (remember these are beaurocrats, not programmers) Apart from specifying that no CMS can be used and hiring programmers to produce the sites (you gotta feel sorry for European web-builders ;) ) there seems very few options.
frz replied on at Permalink Reply
my understanding is that we'd actually have to change the way concrete5 works pretty deeply as we do infact open a session for everyone - not just admins logging in. I don't think a how-to and "good luck" is the type of solution we'd offer. Either we see this as a critical problem and we address it, or we don't. Of course I'm happy to approve accurate how-tos that /anyone/ submits.. but... ya know.. lets do it right or not at all.

Regardless, if Wordpress with all their funding and clout is going to sit on this, so are we. I promise you we won't be last to address this, but we certainly aren't going to be first either.
Phallanx replied on at Permalink Reply
A little disappointing. And I thought you wanted a trip to the

Apparently (only read a little bit so may be wrong) Joomla only fires a cookie on login. So just some text on the login page is needed.
Shotster replied on at Permalink Reply
> we do infact open a session for everyone - not just admins logging in

But how's it being used, if at all, for those not logged in? And doesn't the answer to that question kind of get to the heart of the issue anyway?

frz replied on at Permalink Reply
We use it to track your kids birthdays and your mom's social security
number, we're looking into ways to sniff your home address too.

Seriously... omg guys.

to me reads like this only applies to 3rd party cookies. The only
actual research anyone has shown me to say otherwise is Phallanx
quoting the original law in PDF form, which he admits is rather
lengthy and difficult to interpret. Moreover the statement there is
beyond vague. Frankly I know what "necessary" means and my bet is most
of the eff'n web isn't it. "Necessary" and the web don't really go
hand in hand, and certainly wouldn't hold up very far in court. This
reminds me of the infamous ADA requirement at level 1 that "sites have
content with meaning." Good luck on that, I've been asking clients to
do that for years.

Look around gang:

". “As a small self-funded startup we just don’t have the time to
analyze and interpret the legislation, especially when given just over
two weeks’ notice.”"
<-- i liked that one..

"...the new EU law is a shambles."

"The EU is also ignoring the fact that 100% of web software by default
creates a cookie for sessions, with millions of websites built by
amateurs producing just this effect. It will be unfeasible to police

I haven't even left the first page of "cookie europe" on google yet..
(although I did get some great recipes for Christmas cookies as part
of this casual search)

Wordpress does the same thing that we do, along with all sorts of
other solutions out there. I'm betting I'm not the only guy who is
looking at this as a potential nightmare and would rather not run
around changing things that work, potentially making them not work,
just because someone in the EU has their panties in a bunch about
online advertising.

And just to be clear, that is clearly what this law is supposed to be
for. No one likes the idea of advertisers storing information about
you so you see ads you might actually be interested in (for some
reason that escapes me). I don't think anyone knows how this law will
actually pan out, but the goal is to take big advertising companies to
task with it, not to sue Mr. Hardware as Phallanx argues. There's no
money in suing your local church website. There's plenty of political
clout to be won by taking google to court over your privacy. That's
the motivation here. Look at Korea, look at Switzerland.

Given a clean slate and ideal world, I agree. Sure. Being "compliant"
with this nebulous law might win us some new customers. If I were
designing a CMS from scratch tomorrow, I'd argue to not start a
session unless you really had to. But today, that's not how concrete5
works, and changing it is more than simply wrapping it in an If
statement. There's a lot of add-ons and websites already built that
assume that session exists, changing this could break all of them. I
don't want to disappoint, but I have come to learn my job is NOT
saying yes to every potential feature or request that comes down the
pipe but instead weighing which ones have the best potential up side
vs. the inevitable down side. Since no one seems particularly clear on
what this law means, I don't think the up side of being compliant with
something that is likely to change outweighs the potential for
disaster in rushing out a quick change so deep.

Alllll of that being said... I will continue to bring this up in
architecture meetings in the office here. Perhaps this is something we
can make parameter driven from the dashboard and that way we can say
you can run a compliant site with concrete5, but not change the way
things work today for everyone just because of some moronic
Phallanx replied on at Permalink Reply
Ooh err.

I've just read this:

"The Government is also supporting the cross-industry work on third party cookies in behavioural advertising. This industry lead approach will marry the provision of more information on the use of cookies accessed through an easily recognisable internet icon, a privacy policy notice, a single consumer control page, with a self-regulatory compliance and enforcement mechanism. Through clicking on the icon the consumer will be informed about: each specific internet advert; the advertiser; the server; who the advert has customised by; and an option to refuse those and other cookies (including an option to refuse all cookies from that server). Consumers will also be provided with a link to further information on privacy and behavioural advertising."

I hope Goggles will take care of that or it gets left out of ICOs guidelines.

source: (cookies start on page 71)
Shotster replied on at Permalink Reply
I tend to agree with Phallanx on this issue. I would urge you to consider it a marketing opportunity to tout C5's compliance. I know development resources are limited, but ya gotta believe other CMS's are going to be all over this like flies on...uhh, bananas...or whatever.


TheRealSean replied on at Permalink Reply
Looking at the ICO website today they have a a notification which asks you but they also set a cookie which they claim is essential.

So I guess we could just create a similar block for c5 that displays the message.

If someone was to block these cookies on a concrete installation how much of the site would break - on a plain vanilla installation.

on a side note - I also like the fact that when shown the notification you can not click continue unless you accept the cookies. (even if you can then continue to browse the site)

shadowcomputers replied on at Permalink Reply
The ICO have stated that the law will not enforced for another year, so we have until May 2012 to get solutions looked at and implemented.
TheRealSean replied on at Permalink Reply
Yes but we have a big back catalogue of sites to work through so we will have to look at implementing something for the new sites we build.

Otherwise next year we will need to try and rush through 100+ sites.

But I agree this is not an immediate problem, but certainly one that when creating new sites we should be considering and maybe even trying various methods.
shadowcomputers replied on at Permalink Reply
As I stated we have a year to investigate *and implement*, I was not suggesting to wait to the end of this deadline.

Hopefully a few of us might be able to find a way to action this.

I shall PM a couple of people I met at the 1st UK C5 meetup who do a lot of work on the C5 backend code to see if they have any ideas to point us in a good direction.
Phallanx replied on at Permalink Reply
Hmm. It seems that the session ID is classified as "essential"

"Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site."

Phallanx replied on at Permalink Reply

I've been looking at this in detail and the only real issue (if we accept that a session cookie is OK) is google analytics. Not great because we all use GA but fairly straight forward should we wish to do something about it and Google don't. Even if a session cookie isn't OK; I think we can cope with it.

Since the technical aspect of complying is fairly straight forward (however unpalatable) if we want to comply, what do people think we should do? Just accepting on login won't do if we want to get the visitor to accept our cookies ASAP so we get GA hits regardless if they are a member or not. Neither do we want to plague them with popups.

The ICO have gone for a banner at the top of the page with an accept button. This seems kind-a 1990s to me and doesn't really encourage the user to click apart from the annoying factor and, to be honest, is more alarming than anything else. Whilst that is fairly simple, can anyone think of a better (more fun?) idea? Do we want to be draconian and place a modal dialogue so they have to accept to get to our goodies? Or do we have a timer that counts down and automatically accepts after (say) 20 seconds if they don't press any button (do nothing to opt in). Or maybe they have to chase buttons around the screen to accept or deny. Any other thoughts suggestions etc? Or should we just KISS.
olliephillips replied on at Permalink Reply
This might be useful to you

It's all client side but, if you implement Google Analytics in your theme like I do for convenience, it's very simple to implement. If you don't its no biggy to do it that way.

It follows the ICO website's approach, but is just a little more 'in your face'. ICO is seeing a 90% drop in Analytics data (not traffic), purely (I think) because their disclosure is 'TOO' easy to ignore.

It's a trade off, you want opt-in, but don't want to be too intrusive.
This probably won't be right for everyone, but it's perfect for the sites I manage.

Hope it helps.
Phallanx replied on at Permalink Reply
Miser now can remove the GA code unless a cookie is available. I just have to put the banner on the pages and set the cookie if they accept. Miser does the rest (server side).
Teddie5000 replied on at Permalink Reply
We've had many laws on computing and the Internet in the UK (DPA, EU Directive yadda yadda) and the most important things to note are:

- DPA is touted as a reason "not to" do anything helpful, the chances of ever getting prosecuted for breaching it are virtually nil, even if a complaint is made against you because the Information Commssioner (who enforces it) is toothless.
- We have case law as a precedent in the UK. So you won't know what the punishments will be and who will be punished until cases come to court and fines are imposed. This is regardless of what the law actually states, it is not how you interpret it, it is how a judge does when presented with facts.

We have tort law in the UK, which basically means you can only be punished for or caused to repay the harm you caused. So setting a session cookie at the start, causes zero harm, so the punishment could only ever be a nominal fine, if anyting at all. It follows from this it would not be in the public interest to prosecute.

With all these things pay lip service to it, and make some effort to comply, to cover your backside but don't break your balls. Until someone gets "done" you won't know. If you ever get brought to book over it, show that you tried to be compliant, best intentions etc. and there will be no comeback. It is not a case of "I did not know", it is currently a case of "No one knows".

I know in computing we all like a bit of boolean logic to get us through, but this is the LAW and it is always grey. Even if you think you are complying, you might not be. Don't worry about it.