Skip navigation
simonking76
simonking76
Currently Being Moderated

EU Cookie Law compliance

Apr 18, 2012 2:30 PM

Tags: #cookies #session_cookies #cookie_law

Hi.

I've searched the forums and had a chat with live support; it doesn't appear as if Business Catalyst has done anything about the EU Cookie Law which will become enforcable from 26th May 2012.

 

The law came into existence on 26th May 2011, but because of its potentially severe consequences and horrified reaction from the internet community, the ICO added 1 years grace period for businesses to become compliant.

 

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communi cations/the_guide/cookies.aspx

 

Well, its not gone away as we hoped and soon the powers that be will start to make their move.

 

I see on my Business Catalyst website 5 cookies are created, but there isn't a way to allow my visitors to consent to them being created. If I guide a visitor on how to delete these cookies, they are just going to be created again on their next visit.

 

A chat with live support concludes BC aren't offering any kind of solution which puts Business Calatyst site owners in a tricky legal position.

 

That said, most businesses and even major brands appear to be playing the waiting game. I haven't found a website yet, bar the ICO website, that doesn't create any cookies until you consent, as the law requires.

 

This includes major brands such as Adobe, The BBC and BT.

 

The BBC have updated their Privacy Policy quite extensively and I hope to god this approach becomes an acceptable measure.

http://www.bbc.co.uk/privacy/bbc-cookies-policy.shtml

 

BT have gone a step further and implemented a rather impressive solution where you get a modal pop-up regards cookie consent and a rather cool slider to indicate the type of cookies you are happy to receive.

Strictly speaking though it is still not fully compliant as they create cookies first and then ask you after the event if you are ok with it.

 

It's a topic I'm watching closely and would be interested in other BC users opinion or what you are doing with your business catalyst website to make it compliant with this (absurd) law.

 

Simon

2517 Views   15 Replies   Latest reply: simonking76, May 23, 2013 2:48 PM
 
Replies
  • Liam Dilley
    4,055 posts
    Feb 28, 2012
    Currently Being Moderated
    1. Liam Dilley,
    Apr 18, 2012 2:57 PM   in reply to simonking76
    Report

    Hi Simon,
    You have not covered the fact it is being lobbied / appealed and reviewed heavily.

    Just like a number of things it has not been thought properly and done by people not in the right fields and those people not spoken to properly.

     

    I simple link to the Terms & Conditions of any signup/registration to have a paragraph about cookies and what they are doing seems to be enough at the moment and that really is all you need to do. But because the internet is global it is only actually relevent to servers located in the EU which fall under the regulations.

     

    It also does not properly cover all the modern offline storage methods such as HTML5 offline storage or javascript languages using modern browser tech such as jQuery and its .data for example.

     

    IT is a stupid thing and will change by the end of the year. I do not think pop ups about cookies every time your trying to use a website is at all a good solution, it is a pain in the *** and will annoy most of your users away. Your right it is obsurbed and like I mentioned, terms and conditions updated on the sites and the link to these when you have forms for logging in etc that use them.

     

    http://www.cookielaw.org/google-analytics-eu-cookie-law.aspx

     

    This is a titbit from google who are activly trying to get this thing changed or scraped because as they point out things like google analytics and the way google operates wont be allowed.

     

    I get the ICO goals but like a number of things, it is not thought out at all.

     

    Expect this to change and bar just adding some info about it on your site Adobe, Google, Microsoft are all but waiting because they all expect this to change/be scrapped.

     
    |
    Mark as:
  • EStrands
    Currently Being Moderated
    2. EStrands,
    Apr 19, 2012 4:10 PM   in reply to simonking76
    Report

    Hi Simon,

     

    I found this website that offers a jQuery solution to asking a visitor whether they wish to opt-in to using cookies on a site.

    http://civicuk.com/cookie-law/index

     

    This could be easily implemented on BC sites to help compliance with the Cookie legislation.

     

    Regards

     

    Mike

     
    |
    Mark as:
  • Didigy
    Currently Being Moderated
    3. Didigy,
    Apr 21, 2012 5:15 AM   in reply to Liam Dilley
    Report

    Hi LiamDilley,

     

    You state "it is only actually relevent to servers located in the EU which fall under the regulations." but when I went to log on to our site today I am now 'required' to agree to the following "I have read and agree to the Terms of Use and Privacy Policy. I understand that my relationship is with Adobe Systems Software Ireland Limited, and I agree to be bound by the laws of Ireland."

     

    My website is hosted on the Asia Pacific servers but it seems I now HAVE TO agree to be covered by EU laws (Ireland was a Founder member of the EU in 1973) to GAIN ACCESS to my website (i.e. I have NO CHOICE whatsoever) even though I originally purchased it from an Australian based company (before Adobe acquired it) that was hosted in Sydney.

     

    Given this requirement I feel your statement is no longer valid.

     

    Also, I don't recall any correspondence directed to the partners or website owner (not just put in a general announcement) from Adobe announcing this very dramatic change which includes a requirement to:

    4. Your Compliance With This Agreement.
    You acknowledge that your compliance with the terms of this Agreement may require you to provide certain notices to, obtain certain rights from, and impose certain obligations on your Clients and/or users of the websites hosted by the Services. To that end, you agree that each website for which Adobe provides Services on your behalf (including, if you are a Partner, your Clients’ websites) will contain a clear and conspicuous link to a terms of use and a privacy policy that comply with all applicable laws, rules, and regulations.

     

    Regards

     

    Graeme

     
    |
    Mark as:
  • Liam Dilley
    4,055 posts
    Feb 28, 2012
    Currently Being Moderated
    4. Liam Dilley,
    Apr 21, 2012 5:16 PM   in reply to Didigy
    Report

    Hey there,

    Actually it still applies.

    The fact is, you can choose which server you build sites on and one of the servers is for the EU which is in In in Ireland.
    One of the changes (see the blog) is regard to the Adobe ID intergration on BC going live. Of which you need ot agree to the terms and conditions of Adobe moreover then BC, which they have in those polices. This has been on the cards for some time and is the lead to the greater Adobe integration with these forums, other Adobe products and the Creative Cloud.

     

    To the implementation, they just have information about cookies in their privacy policy which I mentioned is all you need to do.

    The bits you highlighted are not specifc to cookies and been there for some time It is standard stuff, the websites you build need to compliy to laws and regulations, further BC has always had things like no Porn sites on their systems etc.

    We have checked and sites running in the OZ servers and targeted for say NZ customers etc then you do not need to comply to the regulations, BUT we have already advised a number of our clients to update their Policy and terms of conditions with a little note about cookies.

     

    I still stand by what I said

     
    |
    Mark as:
  • kindaian
    Currently Being Moderated
    5. kindaian,
    May 8, 2012 2:06 AM   in reply to Liam Dilley
    Report

    Be wary that the "Cookie Law" doesn't apply only to Cookies!

     

    Additionally there is more then just UK Law. Check the French Law which is also active right now.

     

    And as an user of an international site, you will need to comply with both (and be ready for the rest of them).

     
    |
    Mark as:
  • rickynoble
    Currently Being Moderated
    6. rickynoble,
    May 11, 2012 9:02 AM   in reply to Liam Dilley
    Report

    Hi Liam,

     

    I hate to have to correct you as I have seen many a thread in which someone tries to do just that only to have you prove them wrong, so at risk of that happening to me too (please don't, even if I am wrong..!!) I thought I should chip in here and explain that the location of the server on which a website is hosted in unlikely to be the determining factor regarding whether or not that website must comply with the EU Directive (or 'cookie law' as it's known).

     

    It's still very much up in the air, and there are plenty of people lobbying against this, so it's likely to change considerably. However, at the moment, it seems that it is the intended audience of the website that determines the need for compliance.

     

    This is an extract from guidance provided by the 'Information Commissioner's Office' (ICO), a government organisation here in the UK: "An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided." - suggesting that we all have to be mindful of these regulations.

     

    It's very ambiguous and highly contested, and so currently I can't figure out what needs to be done to ensure compliance, if anything at all.

     

    Ricky

     
    |
    Mark as:
  • simonking76
    Currently Being Moderated
    7. simonking76,
    May 11, 2012 12:44 PM   in reply to rickynoble
    Report

    Ricky is right, it is not where the server is located but where the website visitor is located.

     

    Not sure where the ambiguity comes from though, the law has been well covered since it came about 12 months ago and it's pretty clear what is required - before creating a cookie you must first gain consent.

     

    Despite it being lobbied and contested heavily - it is already the law - we just got 12 months grace to comply before the ICO would enforce it.

     

    However, the ICO have said they are unlikely to pursue a complaint about a website if they only use first party cookies for analytics purposes, providing clear information is provided about the usage of cookies. This is a relatively recent development, but they are standing by the law and its not going away.

     

    It also sounds like they will only respond to complaints, initially anyway - so they are not going to be on your doorstep banging on the door on 26th May!

     

    Updating privacy policies is not enough. The ICO have referenced that directly stating that "for the last 8 or so years website owners have put cookie usage information in privacy policies, which people rarely read" and they no longer consider that acceptable.

     

    If using cookies for purely analytical purposes then it appears acceptable that you can just create a cookie information page and provide a clear link in the header or footer to the page. The emphasis being not to hide it away in a privacy policy.

     

    Relating back to Business Catalyst, I raised a support request to ask what cookies are created and what they are used for so that I can create my cookie information page on a BC site ( I provided them the names of 5 cookies I noticed are created). This was their reply..

     

    The cookies that you have provided are used for tracking purposes (analytics). Those cookies are set up for anonymous users (users that are not logging into a particular secure zone) and track the actions that they took on the front end of the site. Please note that those cookies are being removed once the customer close the browser and if he comes again then we will generate a different session ID. As for the last one "visitorDeviceClass" this cookie we are setting up so that we can see from where the customer is accessing the site (desktop, tablet, phone etc.) so that if you are using different templates for your site for each type of device to be able to render them accordingly.

     

     

    I also use Google Analytics on this BC site. So, because all my cookies are for analytics and purely functional use, creating a cookie information page and providing a link to it clearly in the header or footer would (as I interpret it) be compliant - or in the words of the ICO, a complaint would not likely be pursued against me if one was made.

     

    I certainly wouldn't agree with Ricky's comment about it being 'up in the air, ambiguious and likely to change considerably'. Its days away, its clear enough whats required and by now you should have done or are doing something about it.

     
    |
    Mark as:
  • Liam Dilley
    4,055 posts
    Feb 28, 2012
    Currently Being Moderated
    8. Liam Dilley,
    May 11, 2012 4:23 PM   in reply to rickynoble
    Report

    It is funny, you said your correcting me but agreeing what I have said here and other threads. It is up in the air.

     

    I got a creditiation for the report at Uni on the topic of country law and regulations and locations of servers. Things like gambling sites etc. You even have Net trulaity laws being passed in certain countries.

    This is a very complex area Ricky.

    The thing you quoted is suggestive not absolute and google and co are working to get the EU law changed. Google Drive, iCloud, Itunes, Adobe Creative Cloud, Dropbox all break not just this regulation in the EU because they are dumb.

     

    There are several laws and laws in your country that super seed this cookie thing. If you have a site in the AU or NZ for example and people view it in France you with the regulations and feedom you comply to in those countries you do not have to server stupid cookie information messaging. Reading the regulation documentation in full you can not even use offline storage and in fact if you want to meet the regulations in full you have to plaster your site informing people that the images and html and css files of your site and moreover javascript (because it has functionality) will be stored on your machine as cache.

     

    This is why it is stupid on so many levels and will never be pushed.

     

    Like I said, a message in your terms and conditions and a link to agree to those when you sign up (which most sites do) is all you really need. Go to a site and see nothing mentioned about cookies an the same "Agree to terms" Tick and actually agreee to those you will see cookies and use mentioned in there as an update

     

    You also have things along this lines such as auto ticking for newsletter sign ups.

    In say New Zealand you are not allowed to have this ticked by default. It has to be an opt in, not opt out.

    In other countries you can, but in New Zealand filling out a form, which regulation does the site have to comply to? It often in most cases, as I mentioned falls on the sever location.

    This becomes more complciated when you have states. US for example has different laws per state and quite a variety. And a lot of things form very complex regulations and what is "Grey Areas"

     

    Like I said, it is very likely this regulation will be dumbed down by the end of the year and just doing the terms update (which is what most companies have done, I bet if I read the next itunes terms it will have the paragraph about cookies) and it should be covered.

     

    Big companies are doing this and in terms of the Adobe ID that was all covered in several threads and are in regard to the fact your now on Adobe ID not just a business catalyst account.

     
    |
    Mark as:
  • Liam Dilley
    4,055 posts
    Feb 28, 2012
    Currently Being Moderated
    9. Liam Dilley,
    May 11, 2012 4:37 PM   in reply to Liam Dilley
    Report

    I forgot to add you can not use things like facebook like, share, google plus, tweet, pininterest... Any of those because they run through iframes and anything like that and what they run through your site, 3rd party implementations, advert systems, google anaylitcs...

    Its Dumb dont worry about it, honestly. Just cover the basics do not worry about going OTT.

     
    |
    Mark as:
  • kindaian
    Currently Being Moderated
    10. kindaian,
    May 14, 2012 4:13 PM   in reply to Liam Dilley
    Report

    Just a small note... IF you use 3rd party cookies, like facebook, addthis, youtube, etc, be ready to ask your users ALWAYS, because asking only once is not enougth (contrary to first party cookies, like your own site cookies and google analytics).

     

    Also, i've noticed several notices stating that only 3 coutries have implemented it, which is a bit far from the truth:

     

    http://www.ffw.com/pdf/cookie-consent-tracking-table.pdf [just googled fresh "cookie-consent-tracking"].

     

    Aditionaly, something that was ignored on my previous remark, the legislation doesn't state cookies, but information. So if you use webstorage, flash storage, image with encodings, url with encodings or any other mean to convey information between requests, that also require authorization.

     

    Another part of the law that is being ignored is the implication on mobile devices (real state if very small, and apps also ask for permissions and don't state why or how they use those permissions).

     

    So, yurp not a simple thing to swallow in one chunk.

     

    And btw, i don't think you will get away with a simple opt-out... as some countries, mainly France are inclined to demand a opt-in.

     

    IANAL but i would advise to not only add an opt-in, but also LOG the answers for legal reasons.

     

    One never knows when you are required to prove that you complied with a specific "do-not-track" ergo no cookies please request...

     
    |
    Mark as:
  • kindaian
    Currently Being Moderated
    11. kindaian,
    May 14, 2012 4:18 PM   in reply to Liam Dilley
    Report

    Small note on sovereignty (sp)...

     

    It will not protect you at all. Just check US cases against gambling sites based in Europe or French cases against Google regarding Nazy memorilia (if i recall correctly), and some French cases regarding ebay and "brand" stuff...

     

    The fact that you are not in the country will not help that much anymore.

     

    As i said, IANAL, so, choose one of the countries in europe as base for the law and apply it to the letter. And keep records of your steps to become compliant, because if the $%$£% hits the fan that may be a diferenciating factor between a warning and a fine.

     

    And the fines are in uk £ 500.000, yes, half a million!

     
    |
    Mark as:
  • Simon Darby
    Currently Being Moderated
    12. Simon Darby,
    May 17, 2012 3:25 PM   in reply to simonking76
    Report

    From what I read it still sounds confusing. One thing that seems somewhat clear is that it's about permission for information stored and retrieved on an end users device in an EU country, regardless of where it is serverd. I'm not clear if a temporary cookie session (or any other variation on information gathering) is exempt, as it still stores and retrieves data from a third-party requiring permission I assume. The length of session time is probaby not the issue, be it 1 second or forever.

     

    It would be good if BC could offer some guideance given their considerable resources and expertise. It would impact on BC in its EU markets I imagine.

     

    Meanwhile, this was an interesting post on the topic of EU Cookie Law ...

    EU Cookie Law and How It Affects the Web

    Posted by: Christian Vasile

    Source: http://designmodo.com/eu-cookie-law/#ixzz1vA8HKgwd

     
    |
    Mark as:
  • Daniel Gundi
    Currently Being Moderated
    13. Daniel Gundi,
    Oct 15, 2012 8:30 PM   in reply to Simon Darby
    Report

    Hi all,

     

    I know this is a little late but I've just come across this post.

     

    If it helps, you now have the ability to add a checkbox/form to your site that allows site visitors to dsiable cookies. See Allow site visitors to disable cookies.

     

    Hope it helps.

     

    Danny

     
    |
    Mark as:
  • jasonburns
    Currently Being Moderated
    14. jasonburns,
    May 16, 2013 10:36 AM   in reply to Daniel Gundi
    Report

    I realize this is an old discussion, but the topic is still relevant and this is the best conversation in the forums on said topic.

     

    As far as I can tell, simply loading a page hosted by the BC solution sets three "performance cookies". I can add the cookie opt in/out checkbox form, but the issue is that the cookies have already been set which is a problem for one of my customers whom is trying to comply to the EU law. Using the cookie API, I can programmatically immediately unset the cookies when the page loads, but the fact that they are getting set without user consent, or before user consent, is of concern.

     

    Has anyone solved for this issue, or better yet, is there a setting or way to disable the application of these performance cookies entirely that I am just missing? The cookies in question are as follows...

     

    ANONID...

    ANONID_FS...

    VISID...

     
    |
    Mark as:
  • simonking76
    Currently Being Moderated
    15. simonking76,
    May 23, 2013 2:48 PM   in reply to jasonburns
    Report

    Hi Jason.

     

    It should suffice to tell your client that the website is compliant despite these cookies being created automatically without user consent.

     

    They are anonymous first party cookies used purely for analytics purposes which don't fall within the remit of the EU privacy directive, or cookie law.

     

    I can't believe its a year ago already since this became 'enforceable' !

     

    I think the EU lawlords have shaken their fists at Google about user privacy since this came into play, but unless your client is google, apple or facebook I would settle for a cookie policy page with details about the cookies.

     

    Simon

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points