Compliance With European Cookie Legislation
Here in the crazy land that is Europe there's a new law about to come into effect in May which means businesses (everybody?) need to get permission from users before placing cookies on their machine.
A customer of mine has asked that I implement this on a couple of Domino websites I've built for them.
This is probably going to involve doing something very similar to what the ICO have done on their site, which is to show a huge great opt-in message at the top of every page which doesn't go away until you accept the use of cookies. As below:
When the idea of implementing this was first mentioned to me it was one of those face-in-palms-of-hands moments. All the work you put in to make a great-looking site and then you have to do this!
The Domino websites in question use cookies in two ways. Firstly, as you may expect, for authentication and, secondly, as the sites use Google Analytics.
I tried reading the ICO's guidelines on this to see if this was really required in a case where Analytics was dropped and cookies were then only used for logging in. But the guidelines are written (purposefully?) in such a way as to make no sense. Either way the legal department of the customer have said it needs doing, so who am I to argue.
Implementation should be straightforward enough. Accepting cookies on ICO's site places a cookie called "ICOAcceptCookies" on your PC with a life of 2 years. I'd just do something similar and then only add the Analytics code if the cookie is there.
What about authentication though? How can you truly prevent logging in to a Domino server unless a cookie exists!? I'm going to try out a few ideas and report back if you lot are interested and the ideas work.
My initial idea is that the login form has not only the username/password fields but also an "Accept Cookies" tickbox. The $Login form in domcfg.nsf is then customised to set a cookie if this is ticked and delete the authentication cookie if it isn't. I know I could use JavaScript but that's only a half-baked solution. I love a challenge me.
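As an added worked example (not code from the original post, and not the Domino `$Login` form itself), the two pieces described above written as pure functions over HTTP header strings so they run in Node without a browser or a Domino server: only emit the Google Analytics snippet when a consent cookie is present (modelled on the ICO's `ICOAcceptCookies` cookie with a two-year life), and on login-form submission set the consent cookie if the "Accept Cookies" box was ticked, otherwise expire the authentication cookie. The consent cookie name `AcceptCookies`, the checkbox field name `AcceptCookies`, the authentication cookie name `DomAuthSessId` and the sample requests are all assumptions made for the example; as a small extension of the post's idea, a visitor who already carries the consent cookie from an earlier visit is also let through without re-ticking.

```javascript
// Added example, not code from the original post. Models cookie-consent
// gating of Google Analytics and the login-form decision as pure functions
// over HTTP header strings. Assumed names: consent cookie AcceptCookies,
// checkbox field AcceptCookies, authentication cookie DomAuthSessId.

const CONSENT_COOKIE = 'AcceptCookies';   // assumed; the ICO uses ICOAcceptCookies
const CONSENT_VALUE = 'yes';
const AUTH_COOKIE = 'DomAuthSessId';      // assumed: Domino single-server session cookie
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60;  // 63072000

// Parse a request "Cookie:" header into a name -> value map. The first
// occurrence of a name wins, matching the order browsers send cookies in.
function parseCookies(header) {
  const jar = {};
  if (!header) return jar;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !(name in jar)) jar[name] = value;
  }
  return jar;
}

// True only if the visitor has previously accepted cookies.
function hasConsent(cookieHeader) {
  return parseCookies(cookieHeader)[CONSENT_COOKIE] === CONSENT_VALUE;
}

// Return the Analytics snippet to embed in the page, or '' when there is no
// consent. The snippet is the classic asynchronous ga.js loader; trackingId is
// the site's UA-... property id (a placeholder in the demo below).
function analyticsSnippet(cookieHeader, trackingId) {
  if (!hasConsent(cookieHeader)) return '';
  return [
    '<script type="text/javascript">',
    'var _gaq = _gaq || [];',
    `_gaq.push(['_setAccount', '${trackingId}']);`,
    "_gaq.push(['_trackPageview']);",
    '(function() {',
    "  var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;",
    "  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';",
    "  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);",
    '})();',
    '</script>',
  ].join('\n');
}

// "Set-Cookie:" value recording consent for two years from `now`.
function consentCookieHeader(now = new Date()) {
  const expires = new Date(now.getTime() + TWO_YEARS_SECONDS * 1000).toUTCString();
  return `${CONSENT_COOKIE}=${CONSENT_VALUE}; Expires=${expires}; Max-Age=${TWO_YEARS_SECONDS}; Path=/`;
}

// "Set-Cookie:" value that makes the browser discard a cookie immediately.
function expireCookieHeader(name) {
  return `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/`;
}

// Decide what the login response should do. `form` is the parsed POST body of
// the login form (Username, Password and the assumed AcceptCookies checkbox,
// which browsers send as "on" only when ticked); `cookieHeader` is the
// request's Cookie header. A visitor who ticked the box, or who already carries
// the consent cookie from an earlier visit, is allowed a session; anyone else
// has the authentication cookie expired so no session survives the response.
function loginResponseHeaders(form, cookieHeader) {
  if (form[CONSENT_COOKIE] === 'on') {
    return { allow: true, setCookie: [consentCookieHeader()] };
  }
  if (hasConsent(cookieHeader)) {
    return { allow: true, setCookie: [] };
  }
  return { allow: false, setCookie: [expireCookieHeader(AUTH_COOKIE)] };
}

// Constructed sample requests (not real traffic).
const anonymousRequest = 'JSESSIONID=abc123';
const returningRequest = `${CONSENT_COOKIE}=${CONSENT_VALUE}; ${AUTH_COOKIE}=deadbeef`;
console.log(analyticsSnippet(anonymousRequest, 'UA-00000-0') === '' ? 'no consent: no Analytics' : 'bug');
console.log(analyticsSnippet(returningRequest, 'UA-00000-0').split('\n')[2]);
console.log(loginResponseHeaders({ Username: 'jake', Password: 'secret' }, anonymousRequest));
```

The consent cookie is only ever written on the response to an explicit tick, so a visitor who declines never receives it, and expiring the authentication cookie with `Max-Age=0` in the same response means the "not ticked" path leaves nothing behind even if the server had already issued a session. Adapting this to Domino means doing the equivalent in the `$Login` form's response headers, which the post leaves as an open experiment.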
Hi Jake,
See what happens when normal citizens delegate the authority for making laws to "gov'ment types"? ;-P I feel your pain. The whole world has gone mad with nonsense regulations up the wazoo.
But, soldiering on... this may be the long way around but I had a "don't support cookies or javascript" requirement way back 6 years ago and the solution was to add hidden inputs with the server side session document. The input wasn't obviously named in any way but if there was a "submit" action on the page, we were getting the value when whatever needed submitting was submitted and we tacked the value on the end of every link generated on the page so it was omnipresent.
It was a bit of work as you couldn't just merrily put links on your pages but had to have a session class creating each one for you, but it took things out of the way of "could be turned off by user", which is essentially the situation you find yourself in.
Best of luck. Let me know when Europe passes the "you must take your gov't approved vitamin to receive any health services" law. Looks like they're (some unaccountable policy wonks) contemplating something like that here. Oh, where will the joy end?!
In this case it's not that it needs to function without cookies. If the user doesn't like the idea of cookies then they can't play. Which makes it a bit less painful. I don't envy you having to do what you did!
One of the interesting paragraphs on the ICO site......
"The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this."
This suggests - in my mind - that asking the users permission to use a cookie could be part of a sign-up process. And once signed up you would not need to ask again.
Or did I misread that?
That's how I'd interpret it as well. Although doing it that way would only be possible if you had a clean slate, surely? Otherwise there'd already be lots of signed-up users who need to accept cookies after the fact.
Also, how do you know if the person at the login form is one of the already-agreed users or not. You can't let them login to find out as that would put a cookie on their PC, which is breaking the law. You'd *have* to have the "do you accept cookies" checkbox on the login form all the time...
It's not hard using Internet rules in the Domino directory to have another version of your web site that doesn't use session-based authentication, but username/password.
So your 'not use a cookie' user can be redirected from www.customer.com (session/cookie based) to nocookie.customer.com, for instance. All DNS entries point at the same Domino server, site, etc.
---* Bill
Good idea. I hadn't thought of that. Although in my case a solution for the users who don't accept the use of cookies isn't required. If they don't accept them they don't get in. Simple as that.
The new law's been in place since last May - it's just that the ICO has said they'll give everyone 12 months grace to get their solutions in place. And everyone's mostly been waiting to see how everyone else will implement it! It's going to make the likes of Google Analytics of dubious value
What happens with browsers like Firefox where you delete all your cookies on browser exit?
Will that prompt every time you go to the site to allow cookies?
Firefox deletes all cookies on exit? Is that something you have to turn on yourself? If so then having to re-accept cookies each time might be something you'd have to get used to. As discussed above you can't remember their decision in their "user profile" (rather than a cookie) as you don't know who it is until they're logged in and a cookie is used. Catch 22.
Unless my idea of deleting the auth cookie in the headers of the $Login form works and in that case the user can login and we can check if they've accepted cookies. If not we log them out. Although, even then, it's a catch 22 as we don't want to be logging people out willy nilly.
There's no other way to do it than to have a cookie-acceptance option on the login form always.
I wonder what the law says on *how* this should be implemented. Therefore I wonder if this would comply:
- You write a privacy policy or terms and conditions page on the website, which includes the fact that you use cookies.
- During sign up, you refer them to the privacy document, as in..."by joining you agree with the terms and conditions"
- If needed, you send a one-time email to existing users to agree with the privacy policy
- For anonymous users, you simply make sure that a privacy policy is linked to on every page.
I think the last part (anonymous access) is where my plan falls apart. Yet I merely want to challenge the idea that we need an in-your-face permission dialog. The point is to ask permission, but how you ask for it is debatable (I think).
Page 17 of the ICO's guidance PDF (linked to in the first paragraph of the page I linked to above) should cover this. They seem to say you can cover use of cookies in the T&Cs that a user accepts as part of signup but that you can't just add this bit about cookies to the T&Cs after the fact.
Going to be adding it to Jungle Dragon?
Jake
Have a look at http://www.civicuk.com. It's free apparently. Well it's certainly free for .gov.uk sites.
Cookie Control from Civic is free for everyone... do go and help yourself at http://www.civicuk.com/cookie-law.
If you need any help implementing it - please give me a shout.
Cheers
Mark
Hi Mark,
Does your solution rely completely on JavaScript? Or is there a <noscript> fallback?
No - it's entirely JavaScript - the reason being that most non-essential cookies are dropped via JavaScript. No JavaScript = no cookies.
There will be exceptions to this of course but these are rare enough that we've not felt the case is compelling enough for us to develop something.
Does that mean that the law only applies to non-essential cookies?
Most sites use a cookie for authentication which I'd class as essential and not set by JavaScript. How would you deal with those?
You don't need additional consent for authentication: this is implicit in the act of authenticating. Same goes for things like shopping baskets.
To be legally compliant you should identify those cookies and describe them in your privacy policy.
Cookie Control doesn't need to interact much with them - in the context of that kind of cookie it probably serves more as an awareness raising mechanism than anything else.
Hope that helps.