
UK and EU Cookie Permissions Compliance


engine

6:02 pm on Mar 5, 2012 (gmt 0)




So, this new law comes into effect in May 2012. In fact, in the UK it should have come into effect May last year, but a reprieve of a year was passed on the day it should have come into effect.

Besides the issue that the law is badly thought through, as webmasters we need to comply.

What we need to do.

No cookies, no problem.

If you run a site with cookies, you need to obtain user permission. Ignoring the law and it's at your own risk as the fines are potentially hefty, and at some point they are bound to make an example of a site. Just make sure it's not you.

In the UK, the ICO (Information Commissioner's Office) is the body responsible for the new law, and you can see how it is dealing with the new law with the ugly top bar.
[ico.gov.uk...]

So, you'll also need an up-to-date privacy notice, if you haven't already got one.

Take a look at the new rules on cookies. [ico.gov.uk]

Only a few weeks left, so now is the time to make sure of compliance.

gmb21

7:58 pm on Apr 5, 2012 (gmt 0)



Thank you very much for organising this. I found it very helpful (if not definitive).

dstiles

8:30 pm on Apr 5, 2012 (gmt 0)




IanTurner - thanks. Look forward to reading it! :)

From reading the above, is part of the problem third party cookies set by (eg) google et al? If so, don't web browsers default to "block third party cookies"? Mine does but not sure if it was me that set it.

Leosghost

9:21 pm on Apr 5, 2012 (gmt 0)




FYI The ICO continuing the "slipperiness" ..

[theregister.co.uk...]

Think I'll wait for the CNIL to decide..( at which point I'll decide whether to keep my UK companies ) at least the CNIL don't "pussy foot" around Google and try to make webmasters carry the can for the plex..

Dinkar

9:50 pm on Apr 5, 2012 (gmt 0)




Why doesn't anyone in the UK challenge this stupid law?

Hissingsid

10:41 am on Apr 6, 2012 (gmt 0)




Google Analytics Cookies

When I look at cookies set in my browser from my domain I see these four cookies _utma, _utmb, _utmc, _utmz. The browser appears to associate these cookies with my domain.

I was under the impression that a domain could only access cookies on a browser that it had set. Therefore only mydomain.com should be able to access them but Google actually does.

Who is responsible for those cookies?
How can Google access cookies that the browser thinks belong to my domain?

enigma1

10:59 am on Apr 6, 2012 (gmt 0)




it would be Google's responsibility

You're missing the point. They're outside EU.


The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.


Reference:
[google.co.uk...]

Hissingsid

12:43 pm on Apr 6, 2012 (gmt 0)




Yes but is it Google who set them or me?

enigma1

12:49 pm on Apr 6, 2012 (gmt 0)




It's Google via your site's analytics js or other script you integrate with your pages. To normal visitors it looks like your site does this, don't expect them to check the cookie domain origin on their browser.

And for this reason browsers have some global cookie controls to set whether or not third party cookies are allowed. As far as I know the default is off for years now.
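The point enigma1 makes about cookie domain origin is easy to see in code. The block below is an added example, not code from the thread or from Google: it models a browser cookie store with a constructed in-memory jar, and the host names, cookie names and the visitor id value are illustrative assumptions (the real __utma value has a different format). What it shows is that a cookie written by a script via document.cookie is scoped to the page's host no matter where the script was downloaded from, so it is a first-party cookie and the "block third party cookies" setting does not touch it; only a Set-Cookie header in a response from another host is a third-party cookie. The script then reads the first-party value back and sends it to the collector in the request URL, which is how a second host ends up "accessing" a cookie that the browser lists under your domain.

```javascript
// Added example: first-party cookies written by third-party script.
// The jar is a constructed stand-in for the browser cookie store,
// keyed by the host a cookie is scoped to.
function makeJar() {
  return new Map();
}

// Equivalent of a script running in the page doing
//   document.cookie = "name=value"
// The browser scopes the cookie to the PAGE host, regardless of which
// host served the script file. That is why __utm* cookies appear under
// mydomain.com even though Google's code wrote them.
function setCookieFromScript(jar, pageHost, name, value) {
  if (!jar.has(pageHost)) jar.set(pageHost, new Map());
  jar.get(pageHost).set(name, value);
}

// Equivalent of a Set-Cookie header in an HTTP response from
// responseHost, received while the user is on a page at pageHost.
// When the hosts differ the cookie is third-party and the browser's
// "block third-party cookies" setting drops it. Returns true if stored.
function setCookieFromResponse(jar, pageHost, responseHost, name, value, blockThirdParty) {
  const thirdParty = responseHost !== pageHost;
  if (thirdParty && blockThirdParty) return false;
  if (!jar.has(responseHost)) jar.set(responseHost, new Map());
  jar.get(responseHost).set(name, value);
  return true;
}

// What document.cookie exposes to script on a page at pageHost.
function readCookies(jar, pageHost) {
  return jar.get(pageHost) || new Map();
}

// Simulated analytics script (assumption: stands in for the real GA
// code). It writes a visitor-id cookie under the page's host, reads it
// back, and puts the VALUE into the query string of a request to the
// collector host. The cookie itself never crosses origins; its contents do.
function analyticsScript(jar, pageHost, collectorHost) {
  if (!readCookies(jar, pageHost).has('__utma')) {
    setCookieFromScript(jar, pageHost, '__utma', 'visitor-123'); // illustrative value
  }
  const utma = readCookies(jar, pageHost).get('__utma');
  return `https://${collectorHost}/collect?utma=${encodeURIComponent(utma)}`;
}

// One page view on mydomain.com with third-party cookies blocked.
function runScenario() {
  const jar = makeJar();
  const beacon = analyticsScript(jar, 'mydomain.com', 'www.google-analytics.com');
  // The collector's response also tries to set its own cookie; it is
  // third-party relative to the page and gets blocked.
  const collectorCookieStored = setCookieFromResponse(
    jar, 'mydomain.com', 'www.google-analytics.com', 'tracking', 'x', true);
  return {
    beacon,
    firstPartyCookies: [...readCookies(jar, 'mydomain.com').keys()],
    collectorCookieStored,
    hostsInJar: [...jar.keys()],
  };
}

module.exports = { makeJar, setCookieFromScript, setCookieFromResponse, readCookies, analyticsScript, runScenario };
```

Run it under Node and inspect runScenario(): the only host in the jar is mydomain.com, __utma is listed under it, the collector's own Set-Cookie was refused, and the beacon URL still carries the visitor id. Blocking third-party cookies therefore does not stop first-party analytics cookies; only not loading the script does.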

Hissingsid

2:10 pm on Apr 6, 2012 (gmt 0)




OK I get all of that. What I'm just trying to explore is the grey area that is created by this. You see I was under the impression that only the domain that set a cookie could retrieve the cookie but here it looks like two domains can retrieve the cookie. My domain and Google.

It seems to me that privacy implications, which is what this is all about, only come into play if I (my domain) retrieves the cookie and do something with the information but I never retrieve it, my site does nothing with it. It is retrieved by Google and they do something with it. It is then only, by me, used for looking at the statistics created by analytics. I can't look at individual users and I can't react to individual behaviour.

I think that I'm going to have to read the wording of the legislation because it might well come down to interpretation of the finer points of the law.

kapow

4:03 pm on Apr 6, 2012 (gmt 0)




I think session cookies such as those used temporarily for shopping cart functions are exempt. Persistent cookies that remain after the browser session has closed seem to be the main focus. The requirement is that users indicate their compliance for sites to place a persistent cookie.

From the government pdf: "Activities unlikely to fall within the exception:
Cookies used for analytical purposes to count the number of unique visits to a website for example"
> Does that kill Google Analytics for visitors who don't click 'Comply'?

"First and third party advertising cookies"
> 'Click 'Comply' to see Google Ads'. I don't think so!

Hissingsid

5:13 pm on Apr 6, 2012 (gmt 0)




The law says:

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.


Since I have not stored or gained access to information stored by having Analytics code on my pages I don't see why I should have to comply with paragraph (2). The "person" who does this is Google Inc. Whether the EU has jurisdiction over Google Inc will come down to where the alleged offence took place. I would say that since the storage of and access to the information takes place in the users browser then where that user is in the EU the offence takes place in the EU.

The ICO disagrees. In their guidance document they say
The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.

The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.


There's a major problem in all of this. The law is about people gaining consent from people. How can it be proven who you obtained consent from. If upon consent being given you store a cookie on a user's browser noting that consent, how do you know who has given consent? or if a different user of that browser who has not given consent visits your site how can you know that they have not given consent? Can one person give consent on behalf of someone else?

The whole thing is a complete mess!

gmb21

6:11 pm on Apr 6, 2012 (gmt 0)



...and what if they delete the cookie that proves they gave consent? :(

johnmoose

9:05 am on Apr 8, 2012 (gmt 0)




@gmb21: That site needs to check if the consent cookie exists, if not: obtain consent again.

Hissingsid

9:59 am on Apr 8, 2012 (gmt 0)




Unless you store information yourself, in a log or database, only the user of the browser controls evidence that consent was given or not. Your only defence, from a proof point of view, is that you included code in your pages that had the function of obtaining consent. You can't prove that it actually did. It seems to me that this has more serious privacy implications than setting cookies. You could easily interpret the requirements that you need to store this information for as long as there might be some legal action taken against you.

Also as the law is drafted you might have to prove that a person gave consent not that the consent from some person was given but rather which person gave the consent. So really you need them to give you 3 pieces of identification information so that you can ID them. Name, date of birth and address should do. So now in order to fully comply with the law we need to know the identity of the person and keep that information in a secure form for 6 years.

Brilliant!

denisl

10:09 am on Apr 8, 2012 (gmt 0)




Can anyone point me towards information on what cookies do what?

for my sites I see:
__gads
__utma
__utmb
__utmc
__utmz
PHPSESSID
cprelogin
cpsession
logintheme

Apart from PHPSESSID, I have no idea what these do and what scripts or third parties set them.

Hissingsid

11:04 am on Apr 8, 2012 (gmt 0)




__gads
__utma
__utmb
__utmc
__utmz

These are Google Analytics

cprelogin
cpsession
logintheme

These are just your CPanel cookies. Users don't have these only website admin

Cheers

Sid

PS I don't have __gads as I think that I'm running old analytics code.

denisl

4:42 pm on Apr 8, 2012 (gmt 0)




Thank you sid. But how do you find this information if you don't know it?

I see the BBC have a large page about their cookies and what each does. I'm sure no-one is going to read it all.

I also didn't see an opt-in.

ken_b

4:51 pm on Apr 8, 2012 (gmt 0)




Maybe a stupid question.... but...

Is this something that a USA based publisher with a USA hosted site needs to worry about?

.

Leosghost

6:12 pm on Apr 8, 2012 (gmt 0)




No..it isn't ..and you don't :)
Unless the FTC adopt a similar set of rules..( isn't going to happen while you have your "lobby" system )..so companies based ( ie where the company / business registered / incorporated ) outside of the UK and the broader EU are not affected by any of this..

However any company or business registered in the UK or the EU ( even if they are hosted outside the UK or EU ) must comply with the legislation in place in country or countries where their business is registered..

And not all EU countries are implementing / enforcing the EU legislation the same way..the UK is being particularly vague..in the opinion of many, specifically so as to not "catch" Google..

Hissingsid

9:08 pm on Apr 8, 2012 (gmt 0)




Thank you sid. But how do you find this information if you don't know it?


Just put one of the strings into a search engine. Bing does a good job with __utma . Annoyingly Google does a little better.

Cheers

Sid

ken_b

9:33 pm on Apr 8, 2012 (gmt 0)




Leosghost; Thanks

graeme_p

7:17 am on Apr 9, 2012 (gmt 0)




IANAL but as far as I can see, the rules are satisfied by adding something like "by using our website you agree that we can set cookies for the following purposes".

The rules seem tighter for targeted ad cookies, but if they are third party the company setting them has the primary responsibility.

Hissingsid

10:09 am on Apr 9, 2012 (gmt 0)




IANAL but as far as I can see, the rules are satisfied by adding something like "by using our website you agree that we can set cookies for the following purposes".


The problem with that is the fact that a cookie, Google Analytics for example, is set on page load so by the time they see that message they already have a cookie set.

One solution I'm thinking of using is to drop analytics for all sections of my site(s) except the interactive, script driven bits. I could change these so that on click signifies consent to set a cookie and that this would be a condition of entry.

The only way I can see for anyone to be certain of the correct interpretation of the law is for there to be a test case. Having gone to the High Court once before I wouldn't fancy being the one who took on that little task!

Cheers

Sid

g1smd

11:14 am on Apr 9, 2012 (gmt 0)




It may be that some sites will choose to block access to their site if the cookie isn't set.

Clearly there's no requirement to get Googlebot to tick the box as GB doesn't eat cookies.

So how do you identify a real "user"? How do you distinguish other bots from users?

Those who blindly require all users to 'tick a box or see no website' could find themselves deindexed from various searchengines.

This is a completely daft law. The requirement should have been for browser makers to build in better cookie management facilities, and better tools to set policies.

dstiles

8:03 pm on Apr 9, 2012 (gmt 0)




The fact that bad bots collect and return cookies is one very big thing in cookies' favour. The cookies (temporary session in my case) are often returned through IP-hopping, which makes it easier to trap such activity.

A very good way of overcoming the problem of GA cookies is to not use GA. I decided long ago they were too evil to live and GA was one of the very first things I decided against.

graeme_p

1:30 pm on Apr 11, 2012 (gmt 0)




@Hissingsid, this is what the ICO says

It is likely to be more difficult to obtain consent for this type of cookie where you do not have any direct relationship with a user for example where users just visit a site to browse. In this case websites should ensure the information they provide to users about cookies in this area is absolutely clear and is highlighted in a prominent place (not just included through a general privacy policy link). As far as possible, measures should be put in place to highlight the use of cookies and to try to obtain agreement to set these cookies.


In the case of a third party cookie:

These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.

graeme_p

1:31 pm on Apr 11, 2012 (gmt 0)




@dstiles, this legislation is a good reason to use GA: it puts most of the onus for compliance on them.

enigma1

2:46 pm on Apr 11, 2012 (gmt 0)




this legislation is a good reason to use GA: it puts most of the onus for compliance on them.

Don't count on it, they may have to deal with the FTC if the US decides to go suicidal with online business - which I really doubt - but not with the ICO.

Hissingsid

4:41 pm on Apr 11, 2012 (gmt 0)




we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.


Graeme,

Since the ICO will be doing the policing this is very good news since it seems that we will not need to get consent before setting these cookies. It would be up to Google but since they are in the US do they have to comply? It could be argued that any offence would occur where the browser is rather than where the data is collected and analysed.

Cheers

Sid

Hissingsid

4:56 pm on Apr 11, 2012 (gmt 0)




Sorry to do a follow on but I just found this very specific advice in the ICO's guidance document.

We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement.
This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.


"What steps you can" what the hell does that mean, I wonder.