To help EU website operators comply with EU privacy regulations on cookies in effect from 26 May 2011 can this module include a feature that explicitly requests permission from the user to store cookies?

There are examples of such a script in use on the following websites:

http://www.ico.gov.uk/
http://www.wolf-software.com/

Wolf Software also provides the script they use as a free download if this can be of help.

If it is not possible or considered worthwhile to include a similar feature in this module, please change this issue to a support request and perhaps some advice can be offered from the Drupal community on how to make the Wolf Software script or similar script work in conjunction with this module.

Thank you very much.

Comments

hass’s picture

Status: Active » Closed (works as designed)

This wolf software code is gpl 3 code and cannot added to d.o. But i would also never do this. GA has several privacy features implemented. You can use them. If someone don't like ga he wouldn't be so braindead to rely his privacy on such scripts from a campany where i also cannot scroll their website with an iphone. This speaks themself about their software quality.

I recommend you to install google analytics blocker from google into your browser or force google to support DNT or use Piwik and not GA. Or just turn off your website and go out of the internet as this is the only solution that will really work and prevent you from being tracked by statistic tools.

I'm in germany and in oposite of the UK we do not have video cameras everywhere. I would recommend to start there for not getting tracked... They record your face and can find you personally anywhere... Something that ga cannot.

LGLC’s picture

Version: 7.x-1.x-dev » 6.x-3.x-dev
Status: Closed (works as designed) » Active

Hi hass,

I very much doubt that the original poster was worried about using cookies for their own web surfing. Rather, I believe that they were wondering whether it would be possible to modify this module so that sites could comply with the soon-to-be-enforced EU Privacy Directive. I'd imagine this is relevant in Germany as well as the UK; it also seems that it's not where the site is hosted, but where your visitors are coming from that counts. Regardless as to how ridiculous the directive is (and I really do think it is ridiculous), it's something that will have to be followed.

There seem to be a few scripts out there to help compliance, some of which simply display a message to the user. I'm sure they vary in quality, too. I'd agree that the wolf software site isn't the most elegantly designed site I've seen but there are others.

A few that spring to mind are:
http://cookiesdirective.com/
http://civicuk.com/cookie-law/index (This even has a Drupal 7 release at http://drupal.org/project/cookiecontrol)
http://www.cookielaw.org/

Anyway, it seems that this issue is one that a lot of people care about (see the post at http://drupal.org/node/1153064). One poster has actually managed to allow the Google Analytics module to have an option for cookie opt-outs: http://drupal.org/sandbox/thetoast/1414160.

As a potential solution for D7 is already being developed, I wonder whether you'd consider integrating a cookie opt-out within the Google Analytics module itself, especially for D6. I appreciate that this may well be outside the scope of the current module, but perhaps a few tweaks could be made to enable other modules could handle the opt-out without having to hacking the Google Analytics module.

I hope that the information I've provided helps and that some kind of integration is possible. If not, then I hope this post acts as a resource for those facing a similar issue.

Thanks for your time.

hass’s picture

Status: Active » Closed (works as designed)

I really care a lot about privacy and force anonymizip for Germany as one example. As i do not belive the internet will work well without cookies i don't think this dumb law will have any relevance in real life. If it will - I'm 100% sure that google *will* make this part of GA and provide solutions as millions of users may affected.

It makes no sense to speculate about something that is stupid, may get implement or not. There is a google analytics blocker for bowsers and this may the only backdoor that these users can use. Websites save sessions in cookies and hell - this is difficult to change. The UK island is not able to force anyone to do this. I will not clutter this module with stupid code. I strongly suggest to shutdown your servers. This make sure you don't see your viditors mac/IP that makes them personally identifyable.

This being said, I care most about this and will implement anything that need to be implemented, but not with any non google "certified" libs.

Showing any setting before entering a website destroys the internet. Nobody will accept or implement this, but we has these these dumb discussions in Germany, too. This discussions have no future. And I thought only some of the German privacy officers are crazy...

dagomar’s picture

Although I can understand how Hass feels, I think his stance is very counter productive. The fact is, this law has been eu law since May 2011, the UK has implemented their own version, the Netherlands will implement it's own on July first. Germany will have to sooner or later too: http://www.vzbv.de/8699.htm (link in German).

This means that ALL European webmasters will HAVE to get prior consent when placing non-essential cookies. And for this law, that sadly means also Google Analytics (even though to us it seems essential). I would have welcomed a good discussion about solutions to this problem. As a solution will not be discussed for this module however, I would like to point out 2 modules for those who are looking:
http://drupal.org/project/cookiecontrol (D7)
http://drupal.org/project/eu-cookie-compliance (D5/6/7)

I think cookiecontrol works out of the box with Google Analytics (you'll have to verify that yourself as I haven't tried it yet, I have a full month untill it becomes law here), for eu-cookie-compliance you'll find how to implement it for google analytics here: http://drupal.org/node/1568590#comment-6033170

And the reason I came to look here in the first place was to see if a solution based on PHP-GA was being researched: http://code.google.com/p/php-ga/. I am kind of affraid to even ask now :-/

matt b’s picture

What would it take to enable php-ga? Could the Google Analytics module offer an option to use cookies or php-ga?

matt b’s picture

Looks like it can... http://drupal.org/node/1615768

hass’s picture

Do you guys really think Google can stay away from DNT since MS published IE 10 notes last week? I don't think so... It may only a question of time.

MHLut’s picture

Regardless of whether this is a 'stupid' law or not, it's a law. Here in the Netherlands the law will be implemented and therefore, I don't doubt the rest of the EU will as well. Hass, I am shocked by your tone, this language and attitude I do not expect from the maintainer of a module, that needs to be adapted to a new law. mt3ch's request is not unreasonable.

We use the GA module and it's not acceptable that we break the law by not asking people for permission. I am hoping Google will build the permission into GA, so the module itself does not need modification. However, until we know how this is going to work out, I want to be certain that this is fixed before the law is enabled.

hass’s picture

I strongly suggest to ignore laws that destroy the internet. They will never enforced nor do they have any future! If there is any technical solution, Google will implement it and we can integrate. It makes no sense to discuss anything that will never happen. Cool down.

MHLut’s picture

I'm just as not-amused as you are from a developer perspective (as an end-user, always blocking GA anyway, I love this though), but I'm not going to drag customers down in a personal feud, just saying.

mt3ch’s picture

Thanks LGLC, dagomar and MHLut.

Yes I was not asking to block Google Analytics code for myself because I am worried about privacy but I am a website operator in an EU-controlled country.

Hass, I do appreciate your feelings on this matter. I also think the law is stupid and would rather it didn't exist. Furthermore, it interferes greatly with my ability to run my website effectively as I wish; but the law is the law and we have to comply or possibly face the consequences. As a website owner in the EU, I can be fined a lot of money for not complying with ICO directives so, as I use this module, I hoped to be able to continue in some way that without fear of prosecution and bankruptcy while allowing others to ignore such concerns if they don't need to worry about them.

As for the issue I opened, I found the anonymizing of IP addresses to be suitable enough for now, though an imperfect solution in my view (to an imperfect law). I will continue to use this for now but obviously will need to look elsewhere for what I wanted.

Now, with respect, I think you should tone down the political rhetoric in this venue and avoid the insulting language. I shall assume the "braindead" comment wasn't meant for me or anyone here but, even so, it is still inappropriate in this venue.

Though you are the maintainer of this module, you are on Drupal.org, not your own website where such feelings can be expressed as freely as you like. Drupal.org is not a venue for venting political beliefs or strong opinions particularly in such a way that could alienate other members of the community. Module maintenance here is still a privilege even if you wrote the code. So, if necessary, please express your views in a less confrontational way. Many thanks.

dagomar’s picture

People running Piwik 1.8 can turn of cookies, as described here:
http://drupal.org/node/1699382

Piwik has less features as GA, but may be a decent alternative for the more adventurous geeks.

hanno’s picture

Hi, we got a letter of our Dutch national government to implement a warning for users when we use Google Analytics or we can expect to pay € 450.000 for not implementing this feature before end of this year.
Is there any progress on this issue to implement that in this module? Is it an idea to implement a Drupal common way that modules know if it is allowed to set cookies?

dagomar’s picture

@Hanno

Take a look at
http://drupal.org/project/cookiecontrol (D7)
http://drupal.org/project/eu-cookie-compliance (D5/6/7)

Both offer ways of letting the user know about your cookies, and optionally only set the cookies when a user has accepted them, some custom coding may be required.

I am very curious about what site got this warning. I maintain a couple of dozen websites in the Netherlands and I was hoping that only the bigger sites would get this warning. I imagine we're talking a big website here?

achton’s picture

For the EU Cookie Compliance module, we are working on a plugin approach that will allow other modules to conditionally block cookies, see #1779878: Add support for cookie blocking submodules/plugins. The first plugin will be for GA.

I am not sure about Cookie Control.

hanno’s picture

Dagomar Yes, this one of sites of the Dutch government (www.nationaalarchief.nl). The telecom agency OPTA wrote previous month a warning letter to 121 maintainers of governmental websites (http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3647). As they haven't implemented this law yet. Other websites will receiving warnings later this year.
Thanks for mentioning this modules. I tried eu-cookie-compliance for a D6 website. This one is not accepted as it doesn't the ability to users to deny cookies. Furthermore, we have to block third party cookies. Google Analytics and AddtoAny should only set cookies after giving permission.
I don't think a seperate module should hack another module. Instead, every module could have an extra permission or check (function if cookie allowed, set cookie).

hanno’s picture

achton, that is an interesting discussion in that issue you mentioned. Integrating cookie check in every module, or use special modules to override that. I think we should opt for the first option. But i can imagine that module maintainers wants to wait to see if the EU cookie law is here to stay (well, it is EU law and yes, that's very sticky).
Note that the EU cookie law has different implementations in each member state. In the UK google analytics is allowed, in the Netherlands not.

dagomar’s picture

Sadly an automatic solution doesn't exist, therefore some custom work has to be done to make this happen. But I am sure it isn't necessary to hack any modules. One could write one's own module and interject the output as needed. For GA it's not even needed as this module allows custom GA code, allowing you to add a condition by utilizing Drupal.eu_cookie_compliance.hasAgreed(). (If using eu_cookie_compliance).

hass’s picture

@Hanno: Just wait for this joke invoice and don't pay it. Wait for a court to decide if, it's ok to destroy the internet. We have seen the same in Germany and the highest data privacy officers have not enforced it on the end of the day, but they also send such letters out to all government websites and their owners have refused publicly to change their websites. Since these days (1-2 years ago), nothing has changed.

achton’s picture

As cookies can be set arbitrarily by any module, and this little "problem" either concerns certain site owners very much or not at all, I don't think it makes sense to add support individually in modules. Imagine trying to convince every cookie-setting module out there that they need to release a new version of their module with some added plugin or submodule or JS-file included due to a bogus EU directive that may or may not concern certain EU websites under specific conditions. Not going to happen.

That's why I support the current approach with EU Cookie Compliance, which aims to add a plugin framework that others can hook into if they wish, but which we (maintainers of the EUCC module) are going to use to begin with. There has definitely been most requests for blocking GA, so that's what we'll do first. Note that currently we don't directly support the "No, I do not agree"-approach, ie. there is no such button to press. But there should be support for blocking GA as long as the cookie policy is not accepted - the popup will then be shown indefinitely. It all depends on how you configure the module.

TL;DR: don't ask for this kind of support in each cookie-setting module you come across. Endorse a common, centralized approach instead. And this issue should be marked wontfix, IMO :-)

hanno’s picture

I don't like the cookie law how it is implemented in our country, but I'm afraid it is not a joke. It will not be an invoice, but a fine. Note that the European Commission is planning to send fines to the Netherlands for not implementing this law in time (http://www.reuters.com/article/2012/05/29/net-us-eu-telecoms-rules-idUSB...). OPTA announced in the media they will start sending fines by Januari the first. All major sites in the Netherlands are implementing this right now.

I don't know the situation in other member states. The situation may differ by country, because it is an European directive, implemented in national laws.