Welcome to WebmasterWorld Guest from 35.172.195.49

Forum Moderators: webwork

EU: "any" cookie needs users’ active consent

     
2:14 pm on Oct 1, 2019 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Aug 30, 2019
posts:147
votes: 30


Hello-

We all know, especially European webmasters, about the GDPR, ePrivacy Directive, and the requirements about cookies. We also all know how loosely this is respected. Now The Court of Justice of the European Union made things very clear.

The Court of Justice of the European Union (CJEU) this morning ruled that storing cookies requires internet users’ active consent. It's not good enough, says the CJEU, to present users with a pre-checked box and require them to click it to opt out.


Also, so far, requirements were applying for cookies used to track users, and /or store personal information. However, now "all" kind of cookies are concerned.

That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data," says the CJEU


The ruling is the "fault" of a German based lottery company, which, in 2013 (!) used pre-checked options. Long ago, far from the common usage, but, now it becomes a jurisprudence...

[forbes.com...]

So it means that most of cookie consent banners are not valid. "Before" storing a cookie, you need to show a message, to obtain the consent of the visitor ("before"). Also, closing such message is not considered a consent. Prominent "accept" button, is not good either. So it requires to have a "yes/accept" and "no/refuse" buttons, so the user can "really" make a choice.

Good luck.

ps: I have no idea if the upcoming ePrivacy directive, will change this. From what I understood, in the ePrivacy Directive, due next year, all this stuff should be handled at the level of the web browser.
5:25 am on Oct 2, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


Are there any services or open source tools that webmasters can use to incorporate a compliant cookie notification system on their sites? This requirement seems technically complex enough to dissuade adoption for those who may not have capable in-house talent.

For example, your average webmaster running Google Analytics may not know how to show visitors an opt-in option for the cookies that Google is placing on visitor's browsers, nor would they easily figure out how to serve the website without those cookies if the visitor did not opt-in. Google seems to make it the site operator's responsibility to ensure compliance for serving their cookies to visitors.
5:44 am on Oct 2, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10574
votes: 1125


Google seems to make it the site operator's responsibility to ensure compliance for serving their cookies to visitors.


And therein is one of the many problems in all this ... how can the individual webmaster seek an opt in for a third party?
6:56 am on Oct 2, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


Noted in another article; even the Court of Justice of the European Union, who issued this ruling, aren't complying with this for their own site's analytics (Europa Analytics).
Europe’s top court says active consent is needed for tracking cookies [techcrunch.com]

at here refreshing Curia press release page & noticed their own non-compliant #cookie notice – spot the irony on their cookie information page – looks like the Court are about to render their own site illegal wrt to pre-ticked boxes… a little embarrassing…

Looking at the CJEU site privacy policy and their well written cookie section it looks like a lot of work went into this. However, if even they aren't compliant where do the rest of us look for examples of how this could be done right?

The requirement for getting consent for every cookie is going to be a nightmare to implement for a lot of sites. Advertisers are not going to be happy. However, this could be the death knell for analytics if taken to the extreme. How many of you would opt-in to be tracked if given the choice? GA and other site statistics services have forever relied on the implicit opt-in.

From what I understood, in the ePrivacy Directive, due next year, all this stuff should be handled at the level of the web browser.

That would actually be preferable and make a lot more sense. Just make "Do Not Track" support mandatory and most of this goes away.
7:09 am on Oct 2, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10574
votes: 1125


The fun and games begin. :)

And the confusion.

And hair pulling and teeth gnashing. :(

Cookies have a value for many things, not just "tracking", so there will a great deal of restructuring, reconsideration, and re-coding to make this happen.
8:16 am on Oct 2, 2019 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Aug 30, 2019
posts:147
votes: 30


Hello-

Google seems to make it the site operator's responsibility to ensure compliance for serving their cookies to visitors.

I can't find the article right now, but, at the time of the GDPR release, the EU stated that web publishers (us, webmasters) are co-responsible of what is happening at our site, meaning that, from the moment , you insert Adsense , GA code (for example), you are responsible, regarding the cookies Google drops, and the use of these data.Which,is right in my opinion, because, even contribute in allowing a third parties to collect data. This is your/our site.
4:44 pm on Oct 2, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15937
votes: 889


So it means that most of cookie consent banners are not valid.
Aren't most consent banners already not valid, because they don’t give the option of “let me view this site without cookies”?
6:44 pm on Oct 2, 2019 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Mar 12, 2004
posts:516
votes: 25


So, a full screen pop up that allows visitors to spend a few minutes carefully selecting which cookies are served, then another pop up asking if I can save that preference in a cookie.

It annoys me a lot. There are privacy issues but they are not been dealt with because everyone just clicks OK rather than go through some convoluted process before they can see the page.

I had a polite discussion with my EU representative who pointed out that cookies had viruses and trojens in them, and there were some bad flash cookies too. That was boilerplate from wherever he was getting his information from. I don't think they know what cookies are!

At least those actually wishing to send trojens and viruses now have a handy way to get consent from 99% of their visitors.
2:22 am on Oct 3, 2019 (gmt 0)

Preferred Member from AU 

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:481
votes: 22


Without cookies, forget about logging into most web sites. Is that what these dumbers want to do simply because they don't appreciate how anything works?

That is as dumb as disabling JavaScript which most web sites, especially CMS like WordPress, require.

Anyhow, I validate logins using Session ID which only lasts as long as the user's active visit. Dunno and don't care what the dumbers would think of that.
6:17 am on Oct 3, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10574
votes: 1125


Slow down, folks, ON SITE cookies are quite different from third party cookies!

Let us not toss out the baby with the bath water!
7:48 am on Oct 3, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


The ePrivacy Directive currently only makes exceptions for "necessary cookies", but that may change with the new ruling.
Tracking cookies are tracking cookies whether they're served from your local domain or not...according to what I'm reading.
8:10 am on Oct 3, 2019 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Aug 30, 2019
posts:147
votes: 30


Hello-

Without cookies, forget about logging into most web sites. Is that what these dumbers want to do simply because they don't appreciate how anything works?

Logging is an active consent from the user. So there is no problem there.

That is as dumb as disabling JavaScript which most web sites, especially CMS like WordPress, require.

That is the problem, of those, relying and being depend to CMS like WP. Like some here, I developed my own CMS, and I am fine with visitors disabling Javascript, they can use my site normally, and even get ads :)

If you are too dependent on Google for traffic, on WP for your site, on adsense to monetize your content, the future is uncertain.
5:08 pm on Oct 3, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15937
votes: 889


Without cookies, forget about logging into most web sites.
Who's talking about logging in? The cookie issue arises when you can't view a site without accepting cookies--not even the first page, where cookies should be irrelevant anyway.

disabling JavaScript which most web sites, especially CMS like WordPress, require
Say what now? There are plenty of drawbacks to using a CMS, but mandatory scripting isn't one of them.
6:29 pm on Oct 3, 2019 (gmt 0)

Preferred Member from AU 

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:481
votes: 22


There are plenty of drawbacks to using a CMS, but mandatory scripting isn't one of them.


All CMS have their limitations, which is why I write my own to suit the task. But what is "mandatory scripting" and what has that got to do with it?
7:26 pm on Oct 3, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15937
votes: 889


But what is "mandatory scripting" and what has that got to do with it?
Well, you tell me. I was responding to
JavaScript which most web sites, especially CMS like WordPress, require
11:08 pm on Oct 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 20, 2006
posts:2179
votes: 94


Good thing that govts are going to sort this all out perfectly for everyone. Like the Do Not Call list, and text message and email spam...
12:17 am on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10574
votes: 1125


@RhinoFish ... I heartily concur! We have decades of success in gov't help!
2:52 am on Oct 4, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


This CJEU ruling is about GDPR, but then we also have ePrivacy which seems to be overlapping some things here. I'm getting confused. Does one trump the other in terms of precedence?

I'm still a bit concerned how sites that use simple analytics tracking cookies will handle this. Say a site uses GA, they have to notify visitors of this cookie, explain how Google uses this cookie and for how long, make the visitor choose whether to be tracked or not, and then track and remember that choice for every subsequent page visit. Not only is it a pain to setup and maintain, but the user experience for EU sites is going to be seriously degraded.
3:29 am on Oct 4, 2019 (gmt 0)

Preferred Member from AU 

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:481
votes: 22


JavaScript which most web sites, especially CMS like WordPress, require


Disable JavaScript and dropdown menus will be disabled. So will form validation. These days most CMS use bootstrap, so if JS is disabled don't expect much to work there either. In fact by disabling JS you will most likely cause all CMS add-ons to fail.
3:43 am on Oct 4, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10574
votes: 1125


My drop downs are all css/html. :)

But you are absolutely correct that the majority of CMS sites are JS driven.