EU Cookie Law - So what does the C5 Cookie do?


extremecreations
 
extremecreations replied:
bump
Mainio replied:
First of all, I must say that I'm not an expert on this matter so excuse me if I give you faulty details. I know how c5 uses cookies and it is what I'm trying to explain here. Anything that goes into the law specifics, I'm not a lawyer and I really know nothing about the law. I haven't even read it, so this is completely based on the facts I've heard from others.

C5 cookie stores the PHP session id that is needed to be able to acquire your session data on the server-side. Some C5 sites, add-ons or themes might also store additional data but that is specific to that site, theme or add-on because concrete5 itself as a system cannot control how all the developers out there use these techniques.

The default concrete5 installation requires cookies only for functionality when you're logged in so there's really not that much data stored in the session for the normal site visitors who never log in to the site. HOWEVER, I think the law actually requires the site owner to inform their visitors if ANY cookies are stored for them and actually the PHP session id gets stored for non-logged in users although it's not needed for most of the sites out there.

The only thing that c5 uses for "unidentified users" is that it marks those visitors as part of the "Guest" group, which cannot be used to identify them in any sense; it can only be used by developers to manage part of how their sites work for these visitors. But as said above, the law doesn't care what the functionality behind actually does, it only cares about whether the site sets cookies or not.

This problem is not c5 specific, this is for most of the sites that are not plain HTML sites out there. Usually they use cookies.

Also, if you're using Google Analytics on the site, that also uses cookies. I think this was the whole basis for the law in the first place: they would want the user to be aware that some tracking is happening there if it's happening. This is also the reason why e.g. many people doing "headhunting" work block browser's JavaScript because they don't want to be tracked even on that level and they don't want to reveal their search terms (although it is also possible to track those with server-side coding).

My personal prediction is that after the EU officials open their eyes and start listening to someone who actually knows about the issues they are deciding about, this law will be changed at least on some level. I cannot even see how they could get most of the sites to follow this law, it's just stupid and even more so: really stupid. I think only the "big sites" out there are actually strictly following the law.
extremecreations replied:
Thanks for your reply Mainio,

Interesting to know that the cookie sets users to the guest group which'll have the basic permissions anyway. Having no cookie set, would technically mean you're in this group anyway right?

You are correct, the law means that on the landing pages there should be no cookies set. And a user will have to give consent in order for cookies to be turned on.

This basically means that it will break analytics. As nobody is going to click "Sure please track me".

I have been told that not even Microsoft are going to comply because they've said it is so unworkable (though they can afford the £500,000 fine). So hopefully yes, someone with minor IT skills can explain to the politicians that cookies are necessary.
JohntheFish replied:
I seem to remember reading that you didn't need to ask permission for cookies 'essential to operation'. Can anyone confirm this?

If so the C5 session cookie, being integral to the operation of C5, may be allowed. On the other hand, you would need to ask before adding Google analytics.
Mainio replied:
To answer this question:
"Interesting to know that the cookie sets users to the guest group which'll have the basic permissions anyway. Having no cookie set, would technically mean you're in this group anyway right?"

Well, it's not that straightforward. Actually the cookie is not the technical doohickey that is setting the user into that group. With the cookie, C5 identifies the user's session, which can basically be used for anything, technically speaking. So, that cookie that C5 requires stores the PHP session id which identifies your session. If the user does not have cookies enabled it will probably just generate a different session for you on each request, which is basically the same as being in the "Guest" group but not exactly.

Just one example what you can do with the session data if cookies are enabled:
1. User comes to your site through google, user has cookies enabled
2. C5 identifies your user, no session set and it will create a new session for that user and send user the cookie based on which the session can be identified later on
3. Now, you might have server-side code to do more with this session, e.g. through an add-on; for example you might be able to specify what search terms your user used for searching your site
4. If the cookies are enabled client-side, you will still be able to use this information throughout the whole session
5. After coming to a site, your user browses for a while and ends up in "contact" page finally
6. Now on the contact page if you still know what search terms THIS user originally used to end up on your site, this might be valuable information for you, that you accessed thanks to using cookies.

So it is not basically all about what the cookies store but what else can be done with that information. But that said, the exact same thing can also be done if you just keep the session id with the user as a URL attribute throughout the session, e.g. by appending it to each and every link URL you have on your site (this is also doable in the c5 context). This is the way e.g. many mobile-specific CMSes (mostly commercial ones) do this, because there are thousands of different kinds of mobile browsers, of which not all support cookies. So this is how the situation has been "bypassed" in the mobile world for the past years and it's also doable in the web context.

This is also one of the reasons I called the law stupid: this is how easy it is LEGALLY to do the same what you currently can do with cookies. The only difference is that the user can actually see that they are somehow identified by the site by looking at their URL.
formigo replied:
My understanding is the same as @JTF's. Though even essential cookies need to be disclosed. Consent needs to be obtained for anything else.

There's an add-on that deals with this fairly effectively here.

https://www.concrete5.org/marketplace/addons/formigo-cookies-disclos...
extremecreations replied:
Hi Formigo,

Yes I've seen your addon :D

Looks like it will work on front end cookies yes, but what about the "CONCRETE5" cookie? Your demo appears to have that still set on first load without consent.

Also, the author of the JS plugin you've used has said the following on http://cookiesdirective.com/ too:

"It's not going to support all scripts. Some scripts weren't designed to be wrapped in, or called from, a function. It's a case of suck it and see.

It's a little flakey in IE when running under certain doc types. I'll look at this when time permits, but any assistance in this respect much appreciated."
formigo replied:
Well for me the Concrete5 cookie counts as essential; the CMS uses it amongst other things to manage the login state, in much the same way that a shopping cart uses cookies to maintain basket. I think the obligation here is to disclose that it's being used and that the user could block it at the expense of being able to use some aspects of the site. It does make that disclosure so I don't think there is a problem setting that at first load.

The add-on also runs server side. It means that anything that you would have deployed, say in the tracking code section of the website within <script></script> tags, can be held back by the server until cookie consent is given, rather than be inserted into the DOM dynamically, which is the way cookiesDirective.js works (which I'm also the author of). It's that dynamic insertion into the DOM that meant some scripts wouldn't work if they tried to do document.write, for example.

You could also go further and get other add-ons honoring cookies consent in conjunction with this add-on using an approach I've detailed here.

http://www.eantics.co.uk/whats-fresh/testing-for-cookies-opt-in-for...

None of this is perfect, but it's a reasonably good stab at compliance, which is all I'm aiming for - and I'm certainly not worried about the C5 session cookie.

Cheers
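The two mechanisms discussed in this thread, a PHP session cookie that gets set for every visitor (Mainio's explanation above) and a tracking tag that the server holds back until consent is given (formigo's description of the server-side approach), as an added PHP illustration. This is not concrete5's own code and not the formigo add-on; the cookie name, the function names and the tracker URL are assumptions. It also carries the caveat on the URL-based session id Mainio mentioned as a legal workaround: PHP's `session.use_only_cookies` and `session.use_trans_sid` settings keep the id out of URLs, where it would otherwise leak through Referer headers and server logs.

```php
<?php
// Added illustration, not concrete5's own code or the formigo add-on.
// Assumed names: CONSENT_COOKIE, hasCookieConsent(), renderTrackingTag(),
// recordConsent(), startSessionIfNeeded(); the tracker URL is a placeholder.
declare(strict_types=1);

const CONSENT_COOKIE = 'cookie_consent'; // assumed cookie name

/**
 * True only when the visitor has explicitly opted in. A missing cookie or any
 * other value means "no consent", so the default never enables tracking.
 */
function hasCookieConsent(array $cookies): bool
{
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === 'yes';
}

/**
 * Server-side gating of a third-party tag: the <script> block is emitted only
 * when consent exists, so the browser never fetches the tracker and no
 * tracking cookie is set beforehand. $tagHtml is the snippet the site owner
 * would normally paste into the page unchanged.
 */
function renderTrackingTag(array $cookies, string $tagHtml): string
{
    if (!hasCookieConsent($cookies)) {
        // Only an HTML comment reaches the page; document.write-style snippets
        // work unchanged once consent is given and the page is reloaded.
        return "<!-- tracking held back until cookie consent -->\n";
    }
    return $tagHtml;
}

/**
 * Records the visitor's choice. HttpOnly keeps the flag away from scripts,
 * Secure restricts it to HTTPS and SameSite=Lax stops cross-site requests
 * from carrying it. Only the literal value "yes" is ever stored as consent.
 */
function recordConsent(bool $accepted): void
{
    setcookie(CONSENT_COOKIE, $accepted ? 'yes' : 'no', [
        'expires'  => time() + 365 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Lazy session start: begin a PHP session (and thereby set the session cookie)
 * only when the request actually needs one, e.g. a login attempt, or when the
 * visitor already carries a session cookie. Anonymous landing-page hits then
 * set no cookie at all. The id stays in the cookie: use_only_cookies and
 * use_trans_sid keep it out of URLs, where it would leak via Referer and logs.
 */
function startSessionIfNeeded(array $cookies, bool $needsSession): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if ($needsSession || isset($cookies[session_name()])) {
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
        session_set_cookie_params([
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Constructed request data for the demonstration; real code reads $_COOKIE/$_POST.
$analytics = "<script src=\"https://example.invalid/tracker.js\"></script>\n"; // placeholder URL
echo renderTrackingTag(['cookie_consent' => 'no'], $analytics);  // HTML comment only
echo renderTrackingTag(['cookie_consent' => 'yes'], $analytics); // the <script> tag
startSessionIfNeeded([], false); // anonymous visitor: no session cookie is sent
```

The design choice worth noting is that consent is an allow-list on one exact value: anything other than a `yes` cookie, including its absence, yields the held-back page, so a visitor who never interacts with the banner is never tracked. The session part is separate from consent: it reduces what the site sets for visitors who never log in, which is the situation Mainio describes for the default installation.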
pvernaglia replied:
I have clients in the EU, none have asked about it, but I thought I read someplace that you could just put a disclaimer on your home page that said the site used cookies.
VidalThemes replied:
Unfortunately, you won't be able to get away with that; the ICO have made it clear that just amending your privacy policy is not going to be enough.

What they have said is that they will not be using an iron fist to regulate, they just want to see people making an effort to comply.

I have taken the most basic steps I possibly can, and until someone from the ICO officially tells me I need to do more, that's the way it will stay.

My personal opinion is that this law is pretty unenforceable; there are just too many sites and too few people to enforce it. Relying on Joe Public to report sites that are not complying is assuming Joe Public cares, which I don't think the vast majority of them do. My guess is that once the reality of just how ridiculous this law is, it will be watered down or be amended and disappear; until then though, my advice is do something, just in case.
extremecreations replied:
Well I would like to agree that the c5 cookie is essential, but in the eyes of the law, it is not.

The law would see setting a cookie remembering if you've added a product to a cart as essential. Though remembering if you were a guest, probably not.

In the event that it's not we need some functionality to bypass the c5 cookie.

Here is an extract from a government PDF:
http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electro...

"Does this consent rule apply to every type of cookie?
The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity."
formigo replied:
Take your point, but I'm more glass half full and think probably yes.

If my website CMS has a facility to login it's reasonable that I use a cookie to maintain that session state - I think. You could say there are other ways it could be done, but that applies to shopping carts also; why not force login and then keep the basket in a temporary table server side using Ajax? The answer is that's not how most shopping carts work. They use cookies harmlessly, because this is just the sort of job cookies were designed for, and are perfect for.

At the end of the day each website owner will have to choose a solution they are comfortable with. If you've addressed tracking cookies and third party cookies, I'd be amazed if the ICO said sorry you need to gain consent for the C5 session cookie.

Some sites in the UK are not even asking for consent in their disclosure, they're simply drawing attention to all the cookies they use in an enhanced privacy policy, and telling the user what they can do about them. John Lewis is a good example. So with so much variance in approach, I think it better to try and address the intent of the law rather than get caught up in the letter of it. Obviously we'll all have a clearer idea how to deal when/if the ICO starts to point out good and bad practice post 26 May 2012.

Cheers

Ollie


On 21/05/2012 15:48, "concrete5 Community" <discussions@concretecms.com>
wrote:
extremecreations replied:
It's great that you're glass half full, but I am not.

I understand that what you have said is likely to be the case, but I want to know that there is a solution to this issue before the date comes.