My understanding is that, as of 25 May, UK websites which use cookies will be required to be able to prove that users have given informed consent to receive the cookies. This means it is no longer sufficient to mention cookies in your privacy policy; you need to demonstrate that users positively opted in.
So two questions - under what circumstances does Drupal use cookies? I guess when you log in it uses a cookie, but do anonymous users ever get cookies? How long are the cookies stored and what data do they contain?
Any owners of UK websites, what are you planning to do? The law seems pretty stupid and unenforceable, and something which would be better done by the browser. But it appears that individuals can claim compensation, so just because the ICO could probably never enforce it doesn't stop some anorak taking you to court because they have a grudge.
Any opinions welcomed, I'm not sure what to do myself. If cookies are only used after a user logs in, then presumably a message on the registration page would be sufficient (the fact that they have an account proves they agreed to the message)? IANAL of course.
Comments
not heard this one
Can you provide the legal reference please...
not sure how on earth this could possibly be enforced...
Link
http://www.ico.gov.uk/~/media/documents/pressreleases/2011/cookies_regul...
It looks like they are giving it a bit of time to see how things go (because they probably have no idea how to enforce it either).
Cookies can be exempt if they are "strictly necessary" to a function the user has explicitly requested, they gave the example of a cookie used to carry goods to the checkout. No idea if this applies to, say, a session cookie used to store the fact that you are logged in?
It seems there are now two
It seems there are now two modules which try to solve the problem:
http://drupal.org/project/cookiecontrol - which is Drupal 7 only
http://drupal.org/project/eu-cookie-compliance - which is for Drupal 6 only
Whether or not these actually are 100% in compliance is hard to say. It's also worth noting that both modules require you to audit your own code that sets cookies and add conditionals around it to prevent setting cookies if the user has opted out.
--
Morris Animal Foundation
http://drupal.org/project/coo
http://drupal.org/project/cookiecontrol has an open issue about a D6 backport (a technical issue needs to be solved)
http://drupal.org/project/eu-cookie-compliance now has releases for D5, D6 and D7
Both modules give you an explicit option to accept cookies but how they handle users who don't want cookies is different. Both have demos which are helpful.
As of the date of writing this (26 May), with eu-cookie-compliance, if you don't want cookies then it looks as if you need to not use the website in question (or, presumably, change your browser settings).
cookiecontrol seems to inhibit the setting of cookies (e.g. from Google Analytics) until you consent, though on the demo site a couple of cookies *are* still set on your first page view. Possibly these are exempt from the restrictions (essential for functioning of site).
gpk
----
www.alexoria.co.uk
I too am looking at this - I
I too am looking at this - I think all CMS systems will need to be aware of and adapt to this because many many modules use cookies as well as the core functionality of systems like Drupal. Ideally what you need is a module that displays a user acceptance box as the user enters the site for the first time and explains what cookies will be placed on their computer and what they're for (and each plugin module will need to feed into this so that the cookies list is generated automatically by the system), and that asks the user to click yes to accepting the use of cookies which is then recorded in the database with their ip address, the date and time and then you have a traceable record of their acceptance if they ever decided to complain to the contrary (plus if they say no, the site can redirect them to where they came from).
I don't think this has been very well publicised until it made it to the news today. I also think it will be un-policable and be done on a reactive basis only - but that does leave all websites potentially vulnerable and liable.
Host your websites abroad !
Host your websites abroad !
Stupid rules
I would really like to understand why you care about so stupid rules...
Because failure to comply
Because failure to comply carries a £500,000 fine. Not something easy to overlook even if it is a stupid law created by ignorant people desperate to look like they are doing something.
Hosting abroad is not a solution
No, I'm afraid hosting your websites abroad won't get you off the hook. If your organization is based in the EU jurisdiction then you are affected by the directive and its implementations, regardless of where your web server is.
Source? I was pretty sure
Source? I was pretty sure your website is principally bound by the legal requirements of where your servers are hosted (ie a site hosted in Canada has to follow Canadian privacy laws, Canadian spam laws, Canadian IP laws, etc). There was a case about Yahoo Auctions! selling Nazi memorabilia a while back that settled that I thought.
In the EU, complaints against somebody online (harassment, etc) have to be filed in the defendant's jurisdiction. That's kind of vague when it comes to corporations though (at least, if they're multi-national).
I believe the way they see it
I believe the way they see it is that if the website can be used by people in Europe then effectively the company owning the website has to comply with EU laws. That goes for cookies but also for anything else like e-commerce, if you target EU citizens then you have to obey the EU laws. And if your company is in the EU you certainly won't escape by saying Amazon US hosts my site.
http://searchsecurity.techtarget.com/tip/For-US-companies-EU-cookie-comp...
A complete mess...
(Here's a link to the actual advice document: http://www.ico.gov.uk/%7E/media/documents/library/Privacy_and_electronic...)
This law is a complete mess in terms of providing adequate compliance instructions. I've been following the news about it for months, waiting for some actual, useful information to emerge. I'm still none the wiser...
As previously mentioned, the ICO document states that the only exception is if "what you are doing is ‘strictly necessary’ for a service requested by the user." The example given is a shopping cart, but that's as far as it goes. There is no specific guidance on whether this exception applies to login sessions. Can that be considered a service requested by the user?
The document does state, "The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website." Perhaps staying logged in is considered to be a user preference. Who knows?
Anyway, with regard to Drupal specifically, it creates a session cookie and a "has_js" cookie at the moment someone hits any page. At that point the user has not specifically requested any service whatsoever, and the cookies are being created before any form of consent can be provided by the user, so as I understand it, Drupal websites break this law by default.
There seems to be a dev module for Drupal 6 to disable anonymous sessions which would give you a chance to get the user's consent before cookies are created. However, it breaks certain things, as mentioned on the project page. See http://drupal.org/project/no_anon
Apparently Drupal 7 has something similar built into core and on my test server I don't get any anonymous session cookies. However, I do still get the "has_js" cookie which means we basically still have the same problem.
As for the suggestion to host sites outside the EU; I can't see that holding water. If a company is based in the UK, it is presumably liable for its websites, regardless of where they are hosted. The authorities couldn't take down the site, but they could still fine you.
urgently required
yes, something is urgently required for EU sites. I run multi Drupal sites and have to conform to the new regulations very shortly. Cookies as morbiD says above (session and has_js) are created for anonymous users so not just logged in users. Other modules create cookies as well for anonymous users e.g. DHTML menu.
By the time a user has entered a site the cookies are already deployed so we need to catch this somehow as a person enters the site.
I think that having a pop-up before entering a site is rather off-putting and looks suspicious to a user. So as a preference it would be better to 'turn off' all cookies for anonymous users. For logged in users we can catch and warn them easily before they log in.
What do we do Drupal?
[To view cookies used by a webpage in Firefox I use the Web Developer tool under: Tools -> Web Developer -> Cookies -> View Cookie Information]
I don't agree with the
I don't agree with the interpretation of the regulations being discussed here. In the advice document referenced above, paragraph (2) talks about the user giving consent for cookies to be set and then...
So I interpret that as saying that if a user has their browser set to accept cookies, they have consented to accept cookies. And if they have blocked cookies in their browser, they have not consented.
So this is not a problem for Drupal IMHO.
Not as simple as that
That paragraph sounds nice in theory, but if you read the rest of the document, you will find a section titled, "I have heard that browser settings can be used to indicate consent – can I rely on that?" That section states:
The section after that (see page 6) goes on to describe various options for gaining consent.
The fact that most browsers default to allowing all cookies doesn't help in this respect. If browsers defaulted to blocking all cookies then you could much more easily assume that the users with cookies enabled have consented.
Even the advisory document
Even the advisory document quoted does not know how to implement this. It makes some suggestions but has no solutions. I can see that telling someone who registers on a Drupal site about cookies may be a requirement - and that is not difficult to implement - but there is no need for anything stronger than that.
ICO update
I see that the Information Commissioner's Office have today updated their website with some further info on this. Also, they've given businesses 12 months to comply, and they've explained how they've made their own website comply with the regulations. You might want to take a look at their website www.ico.org.uk or take a read of their news release from today www.ico.gov.uk/~/media/documents/pressreleases/2011/enforcement_cookies_...
This is my own interpretation (apologies - the first few points state the obvious, but my intended audience was my non-techie clients):
1. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
2. The UK government has revised the Privacy and Electronic Communications Regulations, which come into force in the UK on 26 May 2011, to address new EU requirements.
3. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.
4. Organisations and businesses that run websites aimed at UK consumers are being given up to 12 months from 26 May 2011 to ‘get their house in order’ before enforcement of the new EU cookies law begins.
5. The ICO advises that businesses with websites should:
"a. Check what type of cookies and similar technologies you use and how you use them.
b. Assess how intrusive your use of cookies is.
c. Decide what solution to obtain consent will be best in your circumstances."
6. The ICO state:
"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."
So, so far I've informed my website clients of the above, and I'm leaving the ball in their court as to how or if they want to address this.
For the sites I've got up and running, the only cookies I've found (for anonymous users) are:
1. session id cookie - I would class this as 'essential for the running of the site', but I might go into the settings.php file and change the lifetime to zero so that the browser cookie is deleted on browser close:
ini_set('session.cookie_lifetime', 0);
2. 4 cookies set by google analytics
3. 1 cookie called has_js which is deleted on browser close
but I know this number of cookies will depend on which modules you have installed.
If my clients want full compliance, I'll probably do something similar to the ICO site, detailing these cookies in the privacy statement, and using a tick box for consent (although I think I'll try and avoid putting it into my html content ahead of everything else...). But my gut feeling is that the ICO is giving businesses a year so that browser technology can catch up and this can be dealt with under the catch all of browser settings.
(For any sites with registered users, I think I would add something into the registration process that explains the cookies and obtains consent, as morello80 suggested in the initial question).
Just glad I'm not involved with any cross-site advertising...
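An added example (not part of the original post or of Drupal): one way to carry out the audit step listed above, classifying each cookie as session or persistent from its attributes, including the session id cookie before and after the settings.php change. The cookie values are constructed, and the name-to-purpose table is an assumption based on the cookies named in this thread.

```javascript
// Added example. All cookie values below are constructed for illustration.

// Parse one cookie in Set-Cookie syntax: "name=value; Attr=val; Flag".
function parseSetCookie(line) {
  const [first, ...rest] = String(line).split(';').map((p) => p.trim());
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name, nothing to audit
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie (deleted on browser close).
// Max-Age takes precedence over Expires, as in RFC 6265.
function lifetimeSeconds(cookie, nowMs) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) return Number(maxAge);
  const expires = cookie.attrs['expires'];
  if (typeof expires === 'string') {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.round((t - nowMs) / 1000);
  }
  return null;
}

// Assumed mapping from cookie name to purpose, for the cookies named in this thread.
const KNOWN_COOKIES = [
  { re: /^S?SESS[0-9a-f]+$/i, purpose: 'Drupal session id' },
  { re: /^has_js$/, purpose: 'Drupal JavaScript detection' },
  { re: /^__utm[abcz]$/, purpose: 'Google Analytics' },
];

// Build one report row per cookie: what it is for and how long it lives.
function auditCookies(lines, nowMs) {
  const report = [];
  for (const line of lines) {
    const cookie = parseSetCookie(line);
    if (!cookie) continue;
    const secs = lifetimeSeconds(cookie, nowMs);
    const known = KNOWN_COOKIES.find((k) => k.re.test(cookie.name));
    report.push({
      name: cookie.name,
      purpose: known ? known.purpose : 'unknown (needs review)',
      kind: secs === null ? 'session' : secs <= 0 ? 'expired' : 'persistent',
      seconds: secs,
    });
  }
  return report;
}

// Constructed "current time" and constructed sample cookies.
const NOW_MS = Date.UTC(2011, 4, 26, 12, 0, 0);
const SAMPLE_COOKIES = [
  // Session id cookie with an expiry date 2,000,000 seconds ahead.
  'SESS0123456789abcdef0123456789abcdef=constructed; expires=Sat, 18 Jun 2011 15:33:20 GMT; path=/; HttpOnly',
  // Same cookie once session.cookie_lifetime is 0: no expiry attribute at all.
  'SESS0123456789abcdef0123456789abcdef=constructed; path=/; HttpOnly',
  'has_js=1; path=/',
  '__utma=constructed; Max-Age=63072000; path=/',
  '__utmb=constructed; Max-Age=1800; path=/',
  // Unknown cookie carrying both attributes: Max-Age wins over Expires.
  'sample_module_pref=1; Max-Age=86400; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
];

for (const row of auditCookies(SAMPLE_COOKIES, NOW_MS)) {
  console.log(`${row.name}\t${row.kind}\t${row.seconds}\t${row.purpose}`);
}
```

Rows reported as persistent or with an unknown purpose are the ones to list in the privacy statement and to consider for consent.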
I'm inclined to agree
When I first read about this, I did a brick, but the more I think about it, it seems that for the vast majority of 'legitimate sites' the process of informing users about cookie usage will be pretty straightforward: privacy policy coverage and a few tick boxes. The whole 3rd party cookie thing will be a bit more of a pain.
Sure, it will ruin the look of our uber-clean registration forms and make OpenAuth difficult I guess, but it will also be the norm.
The user's granular control over these cookies could prove problematic since it will obviously break certain functionality on the site. In many cases, you may have to assert that the user HAS to accept cookies A, B, C, and D but can disable E (where E is for analytics, for example), and so there are only 2 checkboxes.
I wonder what the default state of the checkboxes should be in this user account example for best practise? Could one assume that since the user is trying to create an account on your site, that you could have the boxes already ticked because the cookies are necessary for what they're trying to do?
You never know, this move might help with moving users with older browsers into the 21st century too. One can only hope.
Thanks for posting the
Thanks for posting the update.
It still doesn't make any specific statement about how session cookies are regarded in the eyes of the law, BUT, the ICO have updated their own website with a consent checkbox and the really interesting thing to note is that their site still sets a session cookie before you give consent. This cookie is set to expire when the browser closes.
I would take that as an indication that Drupal's cookies are fine, especially if you set them to expire when the browser closes.
It also sets a cookie saying
It also sets a cookie saying you've said no to cookies and seen the warning - although both of these seem to be session as they disappeared on browser close! I'd be interested to see how enforceable parts of this are as (for example) I don't want to have to "say no" every time I don't want to store a site's cookies - and if I use a database to store the note that A.N Other has said no to cookies - what happens when their IP changes? And if they aren't using IP what are they using?
Dave
Don't count on an IP
Most of us use service providers who cannot guarantee your IP; you simply "lease" one of the range that they have for, usually, 24 hours. And if you use a laptop, it can vary by your location. And IPv6 makes this even more difficult to track. Forget IPs as any kind of indicator.
NancyDru
ICO 'implementation'
First up - thanks for the information and remarks not really addressed to you!
The ICO seem as confused as anyone - problem is not sure that's a legal defence.
The other obvious ICO issue is presumably they've never read the legacy browser stats on their site - the idea that everyone who visits or may ever visit your website will update to a browser version with this built in which doesn't exist yet within an arbitrary year when most browser development is US based and they don't have this law.... well I'm sure there's a word to describe that idea!
I'm also curious what the mobile device that's reading the website and can accept cookies and isn't a browser is? Isn't that a mobile browser?
I have had my first client
I have had my first client request through now to update this site.
GA is setting some and I have the Has JS cookie and a mobile site plugin sets one as well. Not really sure what I am going to do about this. Perhaps wait and see, but I might try and take these 2 cookies off and just let it run its checks on each page load; slower page times, but then it's only GA issues, not Drupal, and I can't see anyone being that worried about GA.
If Windows is the answer, it must have been a stupid question. -- Filip Van Raemdonck
This may be helpful:
This may be helpful: http://www.advomatic.com/blogs/marco-carbone/drupal-privacy-configuring-...
CONFIGURING YOUR DRUPAL 6 SITE TO WORK WITHOUT COOKIES FOR ANONYMOUS USERS
As far as I am aware Session
As far as I am aware session cookies are allowed. This is to allow logins, shopping carts etc. However any cookie that is persistent requires permission. Basically every website in the EU over the next 12 months will be losing the ability to save answers or even logins all for the misguided idea it will stop a handful of advertising companies from not being able to track users. Given that Google and pretty much every other type of tracking software already has non-cookie versions, it's causing us headaches for no gain. Gah!
How about a 'Cookie Opt In' Module?
Is anyone here planning on developing a module to tackle this issue? A pop up form could appear on site load (like ICO) to allow users to opt in/out of cookies on page load. Then based on this decision the site functions with or without cookies. Subscribe!
Changes to session.inc
I believe it may be more than just a simple module install, as you'll need to make changes to session.inc where anonymous cookies are created.
London Drupal Developer
There is this module
There is this module http://drupal.org/project/no_anon
That said drupal 7 I think already doesn't use cookies for anon users. If you want to do something like GA using this method is rather nice. http://cookies.dev.wolf-software.com/
Google analytics
Just a drop in the ocean but thought this looked quite good for getting users consent for Google Analytics...
http://cookies.dev.wolf-software.com/
The ICO have just released a
The ICO have just released a new guidance report:
http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Pr...
If you don't have a PDF reader, here's a Google docs version:
https://docs.google.com/viewer?url=http%3A%2F%2Fwww.ico.gov.uk%2Fnews%2F...
Universal Cookie Solutions
At Wolf Software we have created a totally compliant plugin for ALL cookies, which will work with javascript and NON javascript web enabled devices, including all mobile devices and smart TV etc.
A demo is available at:
http://jpecr.dev.wolf-software.com
This will be on general release from Monday 19th Dec.
Looks good. Is that a Drupal
Looks good. Is that a Drupal module?
Just wondering if the
Just wondering if the wolf-software plugin for google analytics should be included with the google analytics module.
I had a look at the google
I had a look at the google analytics module and I don't think it can be adapted to use the wolf-software plugin because the GA module adds the js inline on hook_page_alter, so it's no good for cached pages.
One of the settings in the GA module under the Privacy tab is Universal web tracking opt-out, don't bother looking for it because it says "This feature is currently limited to logged in users and disabled page caching." Probably because of adding the js on hook_page_alter.
So anyway, this has come up on a contract I'm on and I need this functionality, so I'm thinking to bite the bullet and try and make a module out of the wolfs plugin. The challenge will be to get the same admin functionality like the GA module, by that I mean being able to do stuff like not adding ga on certain pages and user roles and all those other nice settings provided in the GA module. But I've got an idea for that. If I return those kind of admin settings in the Drupal.settings object I can then manipulate them on the client side to do stuff like when to execute the wolfs plugin, which looking at their code that would be somewhere before insertGA(). But there are some unknowns for me on how settings like Tracking links and downloads would need to be added (I'm unfamiliar with ga because I've always just used the GA module :-) ). It would mean adapting wolfs code but it states in the plugin it's GNU General Public License so we're alright to change it.
That's kind of the theory anyway. It's really down to my employees whether I can develop a module with that functionality or if they're happy with just using the wolfs plugin as is with a bit of customisation.
Thanks to wolf-software for making their plugin public.
btw, I'm referring to the jquery plugin from their site here http://cookies.dev.wolf-software.com/
update....after a fresh look
update....after a fresh look at it again this morning :-) I think the GA module can be patched, I've added some cookie checking code in the hook_page_alter when to execute the ga stuff and it seems to be working, I can't be 100% sure because the proof will be if the statistics have been/or not been added to ga. I'll need to tidy the code up and put an on/off switch in the admin setting, but once I've done that I'll find a suitable place for others to download and review. This isn't using wolfs plugin.
I've got something working
I've got something working for this. There's just 5 lines (or is it 4) that need to be added to the googleanalytics module file (which isn't too bad), and the rest is handled by my module. I'll create a sandbox project for this so others can take a look at it, I'll try and create a patch for googleanalytics, if I can't I'll just add the updated module to the sandbox. Just a little bit of tidying up to do (coder etc).
after using my brain a bit
After using my brain a bit more I realised I can add my cookie check wrapper to the ga javascript with hook_js_alter, which now means I don't need to do any patching to the ga module :-), never did like the idea of having to patch that module.
Will run my module through coder, and just need to do some basic theming on the message, and then I'll create that sandbox project and hopefully get some feedback from those interested.
sounds good. We just ended up
sounds good. We just ended up removing GA since we don't really use it but could be useful in the future :)
So here it is, my sandbox
So here it is, my sandbox module http://drupal.org/sandbox/thetoast/1414160 , there's a dependency on the googleanalytics module for my module to work and when you've installed my module please visit the configuration page. Feedback is more than welcome.
Hi Nikos Just downloaded the
Hi Nikos
Just downloaded the module but saw the install file is named gs_opt_out.install when all the other files are ga_opt_out.xxxx
Not tried it yet, but would there be much work needed to get this working on D6 at all? If you want help with it, let me know.
Formerly SkidNCrashwell. Changed my username to reflect my Twitter handle.
Hey Gideon :-) thanks for
Hey Gideon :-)
thanks for spotting that, I've updated git to reflect the file name change.
As for back porting it to D6 I think I might struggle because one of the key hooks to get this working was hook_js_alter which isn't available in D6.
So what cookies are set?
This looks like a great discussion about the general privacy policy, but I'm not sure anyone has answered the original question. What cookies does Drupal set, and what is their purpose? Google has a good description of their cookies online here (http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.ht...). Does anyone know of a similar document for Drupal?
It depends on modules set but
It depends on modules set but as far as I am aware vanilla Drupal only sets the one session cookie. In D7 this is only created when the code requires a session so vanilla Drupal will not set a cookie for anon users at all.
The Information Commissioner's Office has published guidelines
Some additional guidelines have been published in 2012 ahead of the enforcement date.
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communica...
--
Ixis (UK): Drupal support, Drupal hosting.
hmmm.....'Organisations
hmmm.....
But the stats at the start of the document state that 37% of surveyed users know what cookies are. So why would the majority of EU users be expecting information on something they are not aware of?
There were lots more similar contradictions in the pdf, but pointing them out isn't really going to help anyone.
This does have the feel of the accessibility guidelines and what sites 'must' and 'should' adhere to, to prevent prosecution under The Equality Act [or the old Disability Discrimination Act (DDA)]. There was a lot of concern over prosecution and confusion as to what some of the guidelines actually meant.
As of 1 February 2012, the RNIB stated: We are not aware of any case which has been brought to court in the United Kingdom to date.
Looking at the section
It looks like if you are targeted, you will be asked to provide information. Based on that information suggestions will be made as to how you will improve the situation on your site. Failing to carry out those improvements will result in an enforcement notice. Ignoring that will lead to court which may lead to a fine. I think you are going to have to try quite hard to get a fine of £500k and those that do get the fine are probably doing something that encouraged it, by...
A little more serious: The site I have in mind requires people to register to use it fully. From my limited understanding of Drupal cookies, the anonymous session cookies should go once the browser is closed?
For those that sign up to the site we can simply add a checkbox to the registration to state they are happy for the use of cookies. It's not checked, then no registration. I think there is a T&C module for D7
But for those who are already signed up... ?? A mailer to each of them asking for their consent? Disable their accounts until they have consented? What would be the best approach to make current users aware that they have to read and accept the new cookies info, before they can carry on with using the site?
Thank you
ice70
So what's the solution?
So what's the solution? Anyone? Don't have a spare £500K at the moment...
completely depends upon what
completely depends upon what type of website you have, what functionality it has, what version of drupal you have etc. etc. For me it was easy since I use drupal 7 and it's an e-commerce site session cookies are allowed for baskets and that's all I use. Meant dropping GA but the website owner never used it anyway.
What about the has_js cookie
D7 sets a has_js cookie for anonymous users before they've done anything else. Do you deal with this at all?
Potential solution for D7?
I think we have a solution that works well for D7. It's comprised of two parts:
1. Wrap the Google Analytics (or other tracking/breaching code) inside Cookie Control (http://civicuk.com/cookie-law/index) which is a neat little widget that you can easily add
2. Deal with the has_js cookie with a custom module which will strip out the offending code unless the user has allowed cookies (or is logged in). The has_js cookie is set in ROOT/misc/drupal.js and so a bit of jiggery-pokery is needed to remove it.
The custom module is almost ready, but has some bugs. If anyone's interested I'll post it here when it's done.
I'll be interested versantus
I'll be interested versantus to have a go with your module, I've come up with another solution which bolts onto the google analytics module and works with page caching http://drupal.org/node/1153064#comment-5508578
My solution...
Thanks, thetoast.
I like the idea of having a bolt-on to Google Analytics, but I'm not sure if your code also addresses the 'has_js' cookie, which is set by Drupal before any modules kick in?
The code below checks whether you've already got a cookie, and if not it removes the line in misc/drupal.js which would set a 'has_js' cookie. It doesn't specifically deal with preventing loading of any other scripts such as GA (that's dealt with by Cookie Control at the moment - this module is specifically intended to clean up the 'has_js' cookie).
I'm sure there are lots of improvements we could make here, not least:
Feedback very welcome!
I'll also have a proper look through your module. This is an impending problem for many of us, so it would be good to work together on a good solution, if you think we can.
This is just a hunch, but
This is just a hunch, but has_js might be used for ajax stuff. But to be honest, I don't know how the has_js cookie has an effect on that privacy law. Ideally, what I'd like to see in the google analytics module is the "Universal web tracking opt-out" option working for anonymous users, that option is found under the Privacy tab on the google analytics config page admin/config/system/googleanalytics .
has_js may be exempt?
Some cookies are exempt from the ruling, and an example given at http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Pr... is:
"Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers."
It might be possible to argue that detecting Javascript is necessary to provide faster page loads through the use of Ajax by distributing the workload between the client and server, and therefore qualifies as an exception.
I think it's just used for the Batch API
"[has_js cookie] is used only by the batch processing API so that it can know when to show a fancy progress bar while processing batch jobs." - source
JS Aggregation
Would it be fair to say that this approach wouldn't work with Page caching and JavaScript aggregation enabled?
There has to be a better way to stop the setting of this cookie without having to overwrite the drupal.js file?
From a quick grep of Drupal core, it seems that this cookie is only used by the Batch API. Administration Menu contrib module seems to use it quite a bit but nothing else that I've come across so far. I thought that Views' ajax bits would, but there's no checks for it that I can find.
Well this doesn't make sense.
Well this doesn't make sense. I visited the ICO website, ignored the Cookies opt in, and was able to browse all over their site. Yes, the banner remained on view, but didn't stop me viewing (or I assume receiving cookies from the site). The irony of it all is that by opting in, I am guessing that the site must set a cookie to prevent a re-appearance of the banner on subsequent visits! (Apologies if I have missed the point somewhere along the line)
Nevertheless the threat of an up to £500K fine on my charity's website will be enough for me to do much the same.
Essential Cookies
The ICO website cloaks the Google Analytics code unless you accept cookies. If you do accept cookies then one is set that is checked for on each page. If it is present then the GA code is not cloaked and you are tracked.
FWIW and I might be wrong but my interpretation of the EU law is that cookies that are essential to provide functionality to the website such as for shopping carts, navigation, user options etc are allowed without opt in. Cookies that are or may be used by the website owner or others to track or analyse user behaviour or to make changes not requested by the user such as displaying different ads based on behaviour do require opt in.
If you use Google Analytics or a similar service that uses cookies created (in part) by code triggered by a script on your website or web page, or you set other cookies for some non-"essential" purpose, then you will have to get explicit opt in from that user.
This has extended well beyond
This has extended well beyond D6 but you should read this http://www.ixis.co.uk/blog/european-cookie-issue - there's a module for that!
S
Module for Drupal 6
I need at least a temporary solution as soon as possible for Drupal 6. Unfortunately the Cookie Control module http://drupal.org/project/cookiecontrol is only working with Drupal 7. It requires a minimum of jQuery 1.4.4 which is not supported for Drupal 6.
I created this module for Drupal 6: http://drupal.org/sandbox/marcin_pajdzik/1538032
It needs reviews at: http://drupal.org/node/1538196
Personal Website
Company Website
It can work in D6 and the cookie control module needs work IMHO
You can include a later version of jQuery in your user-facing theme. jQuery handles two versions of itself pretty elegantly. As long as your admin theme doesn't have a newer version of jQuery there shouldn't be any ill effects; that's been my experience anyway.
But the Cookie Control module still needs some work IMHO.
In any event the Cookie Control solution is not hard to implement without the module.
Cookie Control module dev snapshot update
All issues fixed for Cookie Control (D7). Dev snapshot has all the latest in, and a sub-module for sorting out Google Analytics too.
Needs testing before I roll a full release please.
--
Ixis (UK): Drupal support, Drupal hosting.
Server-Side Google Analytics
Has anyone considered using a server-side implementation of Google Analytics, e.g. PHP-GA?
http://techpad.co.uk/content.php?sid=205
http://code.google.com/p/php-ga/
Seems like it might be a good solution if you're already using Google analytics
@homebrewruss I was wondering
@homebrewruss
I was wondering the exact same thing.
Dagomar Paulides
B.A. Digital Media Design
Partner @ Online Agency
Me three!
Me three! This would mean I was not setting a cookie for Google Analytics, meaning in general my sites only use the session cookie, which I can put a notice on the registration form about.
Exactly the reason the cookie
Exactly the reason the cookie law is so stupid. It's using a broad weapon to try and tackle a method rather than the actual behaviour itself, so everyone just moves to another method, and that actually leaves the user under the illusion they are no longer being tracked.
Depends if you tell them or
Depends if you tell them or not. You can put something in the site terms that you are tracking their usage of the site.
Oh of course you could do
Oh of course you could do that but those who are unscrupulously using tracking for whatever reasons the EU has decided is wrong without informing the user of the cookies will still be doing whatever it is that was wrong and still not having to inform the user.
patch submitted to google_analytics module
provides very basic support for php-ga...
http://drupal.org/node/1615768
A module for Drupal 6
A module for Drupal 6 available here: http://drupal.org/project/eu-cookie-compliance. Backport for Drupal 5 will be available soon.
Personal Website
Company Website
Thank you very much, one less
Thank you very much, one less problem in life to deal with. Got to give the heads up to a description of the issue from a respected colleague: "just another case of Brussels trying to straighten our bananas". Quite right, methinks!
Implied consent now ok
ICO have updated their guidance to say that implied consent is going to be OK.
From http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-priva...
http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-imp...
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communica...
Thanks for update
Thanks for that update - that's a pretty last minute climb down.
Having followed the link to the Guardian's site, I see that that's the approach that they adopted. Has anyone come across a module that implements a similar solution to the Guardian? (i.e. displays something like "This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more about our use of cookies here", which you can then hide).
Try the eu-cookie-compliance
Try the eu-cookie-compliance module. See comment by greggles near the top of this page.
I must say that the Guardian's notice was so unobtrusive I didn't see it...
gpk
----
www.alexoria.co.uk
The BBC is doing the same
The BBC is doing the same thing, although you will definitely notice that one. I believe, however, putting it in say a privacy page that is linked in a footer menu wouldn't count.
HSBC is even more subtle
I've just been to the HSBC site, at the time of writing this comment, they just have a small text block on their business homepage and nothing on their Personal homepage.
See: HSBC business cookie notice
Common Interface
Hi All,
In my opinion this is a dumb law, however it is here and we have to follow it. I like the look of the Cookie Control Module, but most of my sites are D6 and hence am using the EU Cookie Compliance module.
Not a problem, what I do worry about is that there is no common methodology/interface. So for example to see if the user has accepted cookies or not there are different variables/settings/functions between the two modules.
Here comes why that is an issue:
The problem is if there are multiple modules for checking for authorisation, then you have to check which module is installed, run the correct code, etc. Soon every module with cookies will be bloated.
This may already be there and I and others have missed it, but what I think we need is a common way to add cookies, a hook or something similar (in JS) whereby they can be controlled by another script. Can anyone tell me if that has been done, or is being done? Would make life a lot simpler, especially if it got into core for 8.x.
------------oOo----------------------
Nick Young (www.nickbits.co.uk)
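The gating pattern discussed in this thread (the ICO site holding back its Google Analytics code until a consent cookie is present, and the request above for one JavaScript hook through which other scripts can be controlled), sketched as an added example that is not code from Drupal or from either module. The cookie name `cookie_consent`, the value `yes` and all function names are assumptions.

```javascript
// Added example; every name here is hypothetical, including the cookie name.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie-style string ("a=1; b=2") into a prototype-free map.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                 // skip malformed pairs
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    jar[name] = value;
  }
  return jar;
}

// Fail closed: only an explicit "yes" counts; a missing or other value is no consent.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'yes';
}

// One registry that every script goes through instead of checking a module itself.
function createConsentGate() {
  const pending = [];                        // non-essential loaders held back
  return {
    // 'essential' loaders (session, cart) run at once; everything else waits.
    register(name, category, loader) {
      if (category === 'essential') loader();
      else pending.push({ name, loader });
    },
    // Releases held loaders once consent is recorded; each loader runs only once.
    evaluate(cookieString) {
      if (!hasConsent(cookieString)) return [];
      const started = [];
      while (pending.length > 0) {
        const item = pending.shift();
        item.loader();
        started.push(item.name);
      }
      return started;
    },
    pendingNames: () => pending.map((item) => item.name),
  };
}

// In a browser: gate.evaluate(document.cookie) on page load and again after the visitor accepts.
```

Because the analytics loader is never called without the consent cookie, the tracking script is not requested at all for visitors who ignore the banner, which is the behaviour described for the ICO site.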
subscribe
subscribe
Just wondering...
Sorry for the really basic question...
Am I right in thinking that the module eu-cookie-compliance just informs you the first time you visit the site that it uses cookies?
So, if I don't agree to allow cookies, I would simply have to go away and not use the website. But if I happen to go to the site again (not remembering that I visited it before), there is no cookie alert.
Does that count as an acceptable warning of cookies? (I really hope so)
That is a question probably
That is a question probably better asked on the eu-cookie-compliance issue queue. That is my understanding of both the eu-cookie-compliance and cookiecontrol modules. From my understanding, and I am by no means an expert, if you have explicitly said okay, then if you come back to a site then you have already acknowledged you are happy with cookies. The latter module, cookie control, does at least keep a permanent visible box (a diamond or triangle) that lets you change your mind. It is Drupal 7 although there is a Drupal 6 patch in the issue queue.
It is worth noting that neither module, as far as I am aware, actually does anything other than display a warning, you still have to use the code to disable or enable cookies as appropriate.
Hope that helps.
------------oOo----------------------
Nick Young (www.nickbits.co.uk)
Thanks, but..
Thanks for your reply.
I do think, though, that my question is relevant to the whole cookie law debate & how to comply...
I was asking - If you leave the site because you don't agree to cookies, when you next return there is no longer a cookie warning notice. Is that OK, or should you be warned again because you hadn't given any response?
EDIT - Sorry, I was wrong - the popup is still there if you re-visit the site.