
Compliance With European Cookie Legislation

Here in the crazy land that is Europe there's a new law about to come into effect in May which means businesses (everybody?) need to get permission from users before placing cookies on their machine.

A customer of mine has asked that I implement this on a couple of Domino websites I've built for them.

This is probably going to involve doing something very similar to what the ICO have done on their site, which is to show a huge great opt-in message at the top of every page which doesn't go away until you accept the use of cookies. As below:

(Screenshot: the ICO site's cookie opt-in banner, shown at the top of every page until you accept.)

When the idea of implementing this was first mentioned to me it was one of those face-in-palms-of-hands moments. All the work you put in to make a great-looking site and then you have to do this!

The Domino websites in question use cookies in two ways. Firstly, as you may expect, for authentication and, secondly, as the sites use Google Analytics.

I tried reading the ICO's guidelines on this to see if this was really required in a case where Analytics was dropped and cookies were then only used for logging in. But the guidelines are written (purposefully?) in such a way as to make no sense. Either way the legal department of the customer have said it needs doing, so who am I to argue.

Implementation should be straightforward enough. Accepting cookies on ICO's site places a cookie called "ICOAcceptCookies" on your PC with a life of 2 years. I'd just do something similar and then only add the Analytics code if the cookie is there.

What about authentication though? How can you truly prevent logging in to a Domino server unless a cookie exists!? I'm going to try out a few ideas and report back if you lot are interested and the ideas work.

My initial idea is that the login form has not only the username/password fields but also an "Accept Cookies" tickbox. The $Login form in domcfg.nsf is then customised to set a cookie if this is ticked and delete the authentication cookie if it isn't. I know I could use JavaScript but that's only a half-baked solution, since anything checked in the browser can be switched off or bypassed; the decision has to be made on the server. I love a challenge me.
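To make the two decisions above concrete, here is an added example of the cookie handling in plain JavaScript. It is not code from the original post or from Domino; it shows the HTTP mechanics (reading the Cookie header, building the Set-Cookie headers) that the $Login customisation and the Analytics gate would have to perform. Names are assumptions: the consent cookie is called "AcceptCookies" (modelled on the ICO's "ICOAcceptCookies"), the Domino session cookie is assumed to be "DomAuthSessId", the login form is assumed to post a field named "acceptcookies", and "/analytics.js" stands in for the real Google Analytics loader.

```javascript
// Added example (not code from the original post). Helpers for the two
// decisions the post describes: only emit Google Analytics when a consent
// cookie is present, and refuse a login that does not tick "Accept Cookies".
// Assumptions: the consent cookie is named "AcceptCookies" (modelled on the
// ICO's "ICOAcceptCookies"), the Domino session cookie is named
// "DomAuthSessId", and the login form posts a field named "acceptcookies".

const CONSENT_COOKIE = 'AcceptCookies';
const AUTH_COOKIE = 'DomAuthSessId';            // assumed Domino session cookie name
const TWO_YEARS = 2 * 365 * 24 * 60 * 60;        // consent lifetime in seconds

// Parse a Cookie request header ("a=1; b=2") into a plain object.
// Pairs without "=" or with undecodable values are skipped, never thrown on.
function parseCookies(header) {
  const cookies = {};
  if (typeof header !== 'string') return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { cookies[name] = decodeURIComponent(raw); } catch (e) { /* skip bad value */ }
  }
  return cookies;
}

// Consent means exactly the value "1"; any other value is treated as "not asked".
function hasConsent(cookies) {
  return cookies[CONSENT_COOKIE] === '1';
}

// Set-Cookie header recording consent for two years. Secure and SameSite=Lax
// stop the flag being set over plain HTTP or by a cross-site request. It is
// not HttpOnly because the banner script below needs to read it.
function consentSetCookie(now = new Date()) {
  const expires = new Date(now.getTime() + TWO_YEARS * 1000).toUTCString();
  return `${CONSENT_COOKIE}=1; Expires=${expires}; Max-Age=${TWO_YEARS}; Path=/; Secure; SameSite=Lax`;
}

// Set-Cookie header that deletes the session cookie: empty value, Max-Age=0
// and an Expires date in the past, so the browser discards it immediately.
function expireAuthCookie() {
  return `${AUTH_COOKIE}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/; Secure; HttpOnly`;
}

// Server-side decision for a login POST. The tickbox is checked here, not in
// the browser: if it is not ticked and no consent cookie already exists, the
// response expires the session cookie the login would otherwise have set.
function loginResponse(formFields, cookieHeader) {
  const ticked = Boolean(formFields) && formFields.acceptcookies === '1';
  const already = hasConsent(parseCookies(cookieHeader));
  if (!ticked && !already) {
    return { accepted: false, setCookie: [expireAuthCookie()] };
  }
  return { accepted: true, setCookie: ticked ? [consentSetCookie()] : [] };
}

// Analytics is emitted only when the request already carries consent, so a
// browser that never accepted never receives the tracking script at all.
// The script path is an assumption standing in for the real GA loader.
function analyticsSnippet(cookieHeader) {
  if (!hasConsent(parseCookies(cookieHeader))) return '';
  return '<script src="/analytics.js"></script>';
}

// Browser side: show the opt-in banner until consent is recorded. The
// element id "cookie-banner" is assumed. Secure cookies need an https origin.
if (typeof document !== 'undefined') {
  const banner = document.getElementById('cookie-banner');
  if (banner && !hasConsent(parseCookies(document.cookie))) {
    banner.hidden = false;
    banner.querySelector('button').addEventListener('click', () => {
      document.cookie = consentSetCookie();
      banner.hidden = true;
    });
  }
}
```

The point of `loginResponse` is that the "did they tick the box" check happens on the server from the posted form field, with a browser-side script only providing the convenience banner; "deleting the authentication cookie" is nothing more than a second Set-Cookie header with an empty value and Max-Age=0. Gating the Analytics snippet on the incoming Cookie header, rather than deciding in page script, means the tracking code is never sent to a browser that has not consented.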

Comments

  1. Hi Jake,

    See what happens when normal citizens delegate the authority for making laws to "gov'ment types"? ;-P I feel your pain. The whole world has gone mad with nonsense regulations up the wazoo.

    But, soldiering on... this may be the long way around but I had a "don't support cookies or javascript" requirement way back 6 years ago and the solution was to add hidden inputs with the server side session document. The input wasn't obviously named in any way but if there was a "submit" action on the page, we were getting the value when whatever needed submitting was submitted and we tacked the value on the end of every link generated on the page so it was omnipresent.

    It was a bit of work as you couldn't just merrily put links on your pages but had to have a session class creating each one for you, but it took things out of the way of "could be turned off by user", which is essentially the situation you find yourself in.

    Best of luck. Let me know when Europe passes the "you must take your gov't approved vitamin to receive any health services" law. Looks like they're (some unaccountable policy wonks) contemplating something like that here. Oh, where will the joy end?!

    1. In this case it's not that it needs to function without cookies. If the user doesn't like the idea of cookies then they can't play. Which makes it a bit less painful. I don't envy you having to do what you did!

    • Ian Bradbury
    • Wed 14 Mar 2012 02:45 PM

    One of the interesting paragraphs on the ICO site...

    "The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this."

    This suggests - in my mind - that asking the users permission to use a cookie could be part of a sign-up process. And once signed up you would not need to ask again.

    Or did I misread that?

    1. That's how I'd interpret it as well. Although doing it that way would only be possible if you had a clean slate, surely? Otherwise there'd already be lots of signed-up users who need to accept cookies after the fact.

      Also, how do you know if the person at the login form is one of the already-agreed users or not? You can't let them login to find out as that would put a cookie on their PC, which is breaking the law. You'd *have* to have the "do you accept cookies" checkbox on the login form all the time...


        • Ian Bradbury
        • Wed 14 Mar 2012 04:02 PM

        Mmmm. Of course. I had forgotten about the already signed up users.

        My first thought on reading your response was, for "legacy" users, to add a second step after login requesting permission. But that's just horrible, really horrible. I need a simple solution that is easy for users to understand, complete and easy to support.

        1. But you can't ask for permission *after* they've logged in as there's already a cookie in use.

          There's no avoiding the fact it's a horrible problem and an even horribler solution and I'm just going to have to stick a massive warning up there on all pages.

          It's funny as, like most customers, they obsessed to a near pixel-perfect degree over every minute detail of the website. Then what do they go and do... although I guess it's out of their hands to a degree.

          I wonder how many sites we'll see these acceptance forms on come May.

  2. It's not hard using Internet rules in the Domino directory to have another version of your web site that doesn't use session-based authentication, but username/password.

    So your 'not use a cookie' user can be redirected from www.customer.com (session/cookie based) to nocookie.customer.com, for instance. All DNS entries point at the same Domino server, site, etc.

    ---* Bill

    1. Good idea. I hadn't thought of that. Although in my case a solution for the users who don't accept the use of cookies isn't required. If they don't accept them they don't get in. Simple as that.

  3. The new law's been in place since last May - it's just that the ICO has said they'll give everyone 12 months grace to get their solutions in place. And everyone's mostly been waiting to see how everyone else will implement it! It's going to make the likes of Google Analytics of dubious value.

  4. What happens with browsers like Firefox where you delete all your cookies on browser exit?

    Will that prompt every time you go to the site to allow cookies?

    1. Firefox deletes all cookies on exit? Is that something you have to turn on yourself? If so then having to re-accept cookies each time might be something you'd have to get used to. As discussed above you can't remember their decision in their "user profile" (rather than a cookie) as you don't know who it is until they're logged in and a cookie is used. Catch 22.

      Unless my idea of deleting the auth cookie in the headers of the $Login form works and in that case the user can login and we can check if they've accepted cookies. If not we log them out. Although, even then, it's a catch 22 as we don't want to be logging people out willy nilly.

      There's no other way to do it than to have a cookie-acceptance option on the login form always.

    • Ferdy
    • Thu 15 Mar 2012 06:10 AM

    I wonder what the law says on *how* this should be implemented. Therefore I wonder if this would comply:

    - You write a privacy policy or terms and conditions page on the website, which includes the fact that you use cookies.

    - During sign up, you refer them to the privacy document, as in..."by joining you agree with the terms and conditions"

    - If needed, you send a one-time email to existing users to agree with the privacy policy

    - For anonymous users, you simply make sure that a privacy policy is linked to on every page.

    I think the last part (anonymous access) is where my plan falls apart. Yet I merely want to challenge the idea that we need an in-your-face permission dialog. The point is to ask permission, but how you ask for it is debatable (I think).

    1. Page 17 of the ICO's guidance PDF (linked to in the first paragraph of the page I linked to above) should cover this. They seem to say you can cover use of cookies in the T&Cs that a user accepts as part of signup but that you can't just add this bit about cookies to the T&Cs after the fact.

      Going to be adding it to Jungle Dragon?

      Jake


    • Sandy Currie
    • Thu 15 Mar 2012 10:30 AM

    Have a look at http://www.civicuk.com. It's free apparently. Well it's certainly free for .gov.uk sites.

    1. Cookie Control from Civic is free for everyone... do go and help yourself at http://www.civicuk.com/cookie-law.

      If you need any help implementing it - please give me a shout.

      Cheers

      Mark


About This Page

Written by Jake Howlett on Wed 14 Mar 2012
