Compliance With European Cookie Legislation
Here in the crazy land that is Europe there's a new law about to come in to effect in May which means businesses (everybody?) need to get permission from users before placing cookies on their machine.
A customer of mine has asked that I implement this on a couple of Domino websites I've built for them.
This is probably going to involve doing something very similar to what the ICO have done on their site, which is to show a huge great opt-in message at the top of every page which doesn't go away until you accept the use of cookies. As below:
When the idea of implementing this was first mentioned to me it was one of those face-in-palms-of-hands moments. All the work you put in to make a great-looking site and then you have to do this!
The Domino websites in question use cookies in two ways. Firstly, as you may expect, for authentication and, secondly, as the sites use Google Analytics.
I tried reading the ICO's guidelines on this to see if this was really required in a case where Analytics was dropped and cookies were then only used for logging in. But the guidelines are written (purposefully?) in such a way as to make no sense. Either way the legal department of the customer have said it needs doing, so who am I to argue.
Implementation should be straightforward enough. Accepting cookies on ICO's site places a cookie called "ICOAcceptCookies" on your PC with a life of 2 years. I'd just do something similar and then only add the Analytics code if the cookie is there.
What about authentication though? How can you truly prevent logging in to a Domino server unless a cookie exists!? I'm going to try out a few ideas and report back if you lot are interested and the ideas work.
My initial idea is that the login form has not only the username/password fields but also an "Accept Cookies" tickbox. The $Login form in domcfg.nsf is then customised to set a cookie if this is ticked and delete the authentication cookie if it isn't. I know I could use JavaScript but that's only a half-baked solution. I love a challenge me.
Hi Jake,
See what happens when normal citizens delegate the authority for making laws to "gov'ment types"? ;-P I feel your pain. The whole world has gone mad with nonsense regulations up the wazoo.
But, soldiering on... this may be the long way around but I had a "don't support cookies or javascript" requirement way back 6 years ago and the solution was to add hidden inputs with the server side session document. The input wasn't obviously named in any way but if there was a "submit" action on the page, we were getting the value when whatever needed submitting was submitted and we tacked the value on the end of every link generated on the page so it was omnipresent.
It was a bit of work as you couldn't just merrily put links on your pages but had to have a session class creating each one for you, but it took things out of the way of "could be turned off by user", which is essentially the situation you find yourself in.
Best of luck. Let me know when Europe passes the "you must take your gov't approved vitamin to receive any health services" law. Looks like they're (some unaccountable policy wonks) contemplating something like that here. Oh, where will the joy end?!
Reply
In this case it's not that it needs to function without cookies. If the user doesn't like the idea of cookies then they can't play. Which makes it a bit less painful. I don't envy you having to do what you did!
Reply
One of the interesting paragraphs on the ICO site......
"The Regulations state that once a person has used such a device to store or access data in the terminal equipment of a user or subscriber, that person will not be required to provide the information described and obtain consent (and discussed above) on subsequent occasions, as long as they met these requirements initially. Although the Regulations do not require the relevant information to be provided on each occasion, they do not prevent this."
This suggests - in my mind - that asking the users permission to use a cookie could be part of a sign-up process. And once signed up you would not need to ask again.
Or did I miss read that?
Reply
That's how I'd interpret it as well. Although doing it that way would only be possible if you had a clean slate, surely? Otherwise there'd already be lots of signed-up users who need to accept cookies after the fact.
Also, how do you know if the person at the login form is one of the already-agreed users or not. You can't let them login to find out as that would put a cookies on their PC, which is breaking the law. You'd *have* to have the "do you accept cookies" checkbox on the login form all the time...
Reply
Show the rest of this thread
Its not hard using Internet rules in the Domino directory to have another version of your web site that doesn't use session-based authentication, but username/password.
So your 'not use a cookie' user can be redirected from www.customer.com (session/cookie based) to no cookie.customer.com, for instance. All DNS entries point at the same domino server, site, etc.
---* Bill
Reply
Good idea. I hadn't thought of that. Although in my case a solution for the users who don't accept the use of cookies isn't required. If they don't accept them they don't get in. Simple as that.
Reply
The new law's been in place since last May - it's just that the ICO has said they'll give everyone 12 months grace to get their solutions in place. And everyone's mostly been waiting to see how everyone else will implement it! It's going to make the likes of google analytics of dubious value
Reply
What happens with browsers like Firefox where you delete all your cookies on browser exit?
Will that prompt every time you go to the site to allow cookies?
Reply
Firefox deletes all cookies on exit? Is that something you have to turn on yourself? If so then having to re-accept cookies each time might be something you'd have to get used to. As discussed above you can't remember their decision in their "user profile" (rather than a cookie) as you don't know who it is until their logged in and a cookie is used. Catch 22.
Unless my idea of deleting the auth cookie in the headers of the $Login form works and in that case the user can login and we can check if they've accepted cookies. If not we log them out. Although, even then, it's a catch 22 as we don't want to be logging people out willy nilly.
There's no other way to do it than to have a cookie-acceptance option on the login form always.
Reply
I wonder what the law says on *how* this should be implemented. Therefore I wonder if this would comply:
- You write a privacy policy or terms and conditions page on the website, which includes the fact that you use cookies.
- During sign up, you refer them to the privacy document, as in..."by joining you agree with the terms and conditions"
- If needed, you send a one-time email to existing users to agree with the privacy policy
- For anonymous users, you simple make sure that a privacy policy is linked to on every page.
I think the last part (anonymous access) is where my plan falls apart. Yet I merely want to challenge the idea that we need an in-your-face permission dialog. The point is to ask permission, but how you ask for it is debatable (I think).
Reply
Page 17 of the ICO's guindance PDF (linked to in first paragraph of the page I linked to above) should cover this. They seem to say you can cover use of cookies in the T&Cs that a user accepts as part of signup but that you can't just add this bit about cookies to the T&Cs after the fact.
Going to be adding it to Jungle Dragon?
Jake
Reply
Hide the rest of this thread
I think I've seen this in play in some places already. Google itself actually had a nag on every page when they changed their T&C for non-logged in users. I didn't pay attention to how the transition was handled from Anonymous to signed in there as I always sign in.
But, you could do the same and where they "accept" T & C, log them in so that you can update their user record so that they don't get bothered when logged in but the little Nag stays up in the upper right corner till all of your legacy users are accounted for. Then you can remove it as all new users agree to the revised T&C on sign-up.
Firefox has privacy settings that allow you to select cookie deletion on exit as an option. It is a user activated thing. Anonymizer was an early add-on that offered this and it was later folded into the privacy settings.
Reply
My initial plan was to sit this one out or to ignore it alltogether. However, if it's easy to comply via an updated T&C, I may just do that. It makes sense that you need to inform existing users of that, since that is true for any T&C update, not just this one.
I still wonder how/if that covers anonymous users though?
Reply
Unfortunately, and Jake's approach is right, anonymous users will have to be prompted to accept cookies if the site requires them to function beyond authentication purposes. I don't suppose it would be sufficient to footer every page with "this site uses cookies and by viewing it you agree to accept those cookies".
Reply
I hope that's not true if 3rd party websites set the cookie. I set zero cookies for anonymous users, but Google Analytics and the social share buttons do.
As I'm not setting the cookie (directly), would it be me responsible for the prompt, or the third party?
If it would be my responsibility, I'll likely remove the third party libraries.
Reply
As I understand it you are responsible for setting the "3rd party" cookies like Google Analytics. The JavaScript lives on Google.com but it's your site that calls the code to set the cookie and if you look at the cookie details you'll see *.codestore.net (or jungledragon.com) as the host. In effect it's your cookie. I could be wrong, but that's how I see it. You'd have to disable Analytics for Anonymous users.
Like you though, I personally am thinking of sitting this one out. It won't be the only law by which I don't abide.
Reply
Your reasoning makes sense. That leaves me 3 options:
- The ugly permission dialog each and every time for every anonymous user. Not going to happen.
- Getting rid of third party libraries all together. Only if there is a realistic chance of me getting a penalty
- Doing nothing, and hoping somebody in the industry solves it.
I'm hoping for an in-browser solution. Similar to how you can request a user's location from javascript now.
Reply
You might be onto something with waiting till someone calls you out. Check into what the penalties are and weigh the cost.
Upcoming enactment of the US health care law specifies that employers must provide coverage or pay a penalty. The penalty is much less than the cost of providing coverage. Guess which option many companies are likely going to embrace.
But, this was by design as the intent of the law is to push consumers into the single payer govt system (where you default to if your employer doesn't provide coverage). So it bears deep research on your part - if you all opt out now at risk of small penalty, what effect does that have in addition to the penalty?
This reply is already 8 levels deep and so replying at this level is disabled.
Reply to Jerry, since we can't go any deeper in the nesting :)
My simple theory is that this law is a far bigger problem for large internet services, and that therefore I'll look to them as to what solution will be the consensus.
This reply is already 8 levels deep and so replying at this level is disabled.
Have a look at http://www.civicuk.com. It's free apparenty. Well it's cetainly free for .gov.uk sites.
Reply
Cookie Control from Civic is free for everyone... do go and help yourself at http://www.civicuk.com/cookie-law.
If you need any help implementing it - please give me a shout.
Cheers
Mark
Reply
Show the rest of this thread