Feedback needed - Cookie law

There are some new laws about user privacy out there that make all our lives a little more complicated. We would like to cover that somehow, so we need your expertise on it ...

From May 26th, there is a new law in the UK that says:

"the website owners need to get consent in order to store or access information (including cookies) on users’ computers – unless the cookie is strictly necessary to provide a service requested by the user"

This seems quite general, so we are not sure how to handle it in a way that is feasible for everyone.

State of Kentico CMS

We clearly have some cookies that are required to provide the service, such as the preferred culture, authentication and session cookies, and some others that are used to control the admin UI context. We do not see any problems with these.

On the other hand, we have some cookies that are not necessary to provide the service and serve more to track users and maintain web analytics of the web site; they will also track contacts in our new Online marketing solution. These are probably the ones that this law targets. It surely also targets the "hacks" that identify users through other storages such as Flash.

Here you can find the list of cookies that are currently used:

Cookies in Kentico CMS

The thing is that it may be different in each country (and in some countries we see this law being discussed or planned). So we need to hear your stories and thoughts on how we can help you deal with this and easily allow users to provide their consent.

Our current thoughts

Here is one solution that we could imagine:

There would be a system setting controlling whether users need to confirm cookies or not (if disabled, all users would have the extra cookies for tracking and personalization automatically enabled).

We would provide a web part "Confirm cookies" that would pop up a dialog where the user chooses whether or not he or she accepts the cookies. This dialog would be displayed on their first visit to the site and would store the decision in a cookie (this one can be considered necessary to provide the service). Also, authenticated users could change this setting in their profile.

Anonymous users with cookies disabled in their browser would not get this dialog at all.

Now your feedback is required

Let us know via the comments what the plans around this law are in your country, how strict the law will be, and what the ideal solution would be that you would like to have on your websites in case you need to obey those laws.
 
Looking forward to your feedback ...

Martin Hejtmanek

Hi, I am the CTO of Kentico and I will be constantly providing you the information about current development process and other interesting technical things you might want to know about Kentico.

Comments

Martin Hejtmanek commented on

UPDATE: We have it now prepared on v7 and will be testing it. Then we will transfer it to v6 and provide it with the hotfix. The general approach is the following:

1) Cookie helper supports "cookie levels" to which the cookies may belong, the important levels are:

System (only being able to remember the level, no other cookies allowed)

Essential (cookies required for the main features of the web site to be functional, such as authentication, shopping cart etc.)

All (All cookies including user tracking and analytics)

There are some more levels and also more customization options, but these are important for now.

2) We have a web part "Cookie law consent" which allows displaying a particular message and actions to allow/disable cookies based on the current user cookie level, with all possible options shown. The web part also serves to initialize the default user cookie level. Both the web part and the API changes to the cookie helper are quite flexible, so you should all be able to make it your required way just by simple customizations if really necessary.

3) There is also a preconfigured version of that web part "Simple cookie law consent" which sets the default user level to no cookies with single option to allow the cookies. The web part hides after approval.

4) Login to CMS Desk / Site manager enables all cookies for the user without consent, but we don't see this as a problem since this logon page is for editors only.

If you have any feedback right now, you have time until Wednesday (May 16th) noon so we can make other potential changes to this week's hotfix, or until next Wednesday (May 23rd) noon to make the last changes available before May 26. Once we release this week's hotfix, I will cover more on my blog.
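The design sketched under "Our current thoughts" in the post (a consent decision stored in a cookie that is itself allowed, and extra cookies written only after consent) and the cookie levels listed in this update (System, Essential, All) describe the same helper. The C# below is an added example written for this page; it is not Kentico's CookieHelper or any of its web parts. The type names, the numeric values behind the levels, the consent cookie name `CookieLevel` and the sample cookie names are assumptions made here, and request/response cookies are plain dictionaries so the code runs as a console program without ASP.NET.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical levels mirroring the three named in the update: System < Essential < All.
// The gaps leave room for the "more levels" the update mentions (values are an assumption).
enum CookieLevel { System = 0, Essential = 100, All = 1000 }

class ConsentAwareCookies
{
    // The cookie that remembers the visitor's decision. It is a System-level cookie,
    // so it may always be written (name chosen for this example).
    public const string ConsentCookieName = "CookieLevel";

    // Level used for visitors who have not decided yet. System means "remember the
    // level, nothing else", which is what the "Simple cookie law consent" variant defaults to.
    private readonly CookieLevel defaultLevel;

    // Cookies the browser sent with this request (name -> value), supplied by the caller.
    private readonly IDictionary<string, string> requestCookies;

    // Cookies this helper has agreed to send back (name -> value).
    public readonly IDictionary<string, string> ResponseCookies = new Dictionary<string, string>();

    public ConsentAwareCookies(IDictionary<string, string> requestCookies,
                               CookieLevel defaultLevel = CookieLevel.System)
    {
        this.requestCookies = requestCookies;
        this.defaultLevel = defaultLevel;
    }

    // The visitor's current consent: the stored decision when it is a valid level, otherwise the default.
    // The value comes from the client, so it is treated as nothing more than the visitor's own choice.
    public CookieLevel CurrentLevel
    {
        get
        {
            string stored;
            if (requestCookies.TryGetValue(ConsentCookieName, out stored)
                && Enum.TryParse<CookieLevel>(stored, out CookieLevel parsed)
                && Enum.IsDefined(typeof(CookieLevel), parsed))
            {
                return parsed;
            }
            return defaultLevel;
        }
    }

    // Records the decision made in the consent web part. Always allowed (System level).
    public void SetLevel(CookieLevel level)
    {
        requestCookies[ConsentCookieName] = level.ToString();   // later calls in this request see it
        ResponseCookies[ConsentCookieName] = level.ToString();  // the browser keeps it for next time
    }

    // Writes a cookie only when the visitor's consent covers its level; returns whether it was written.
    public bool SetCookie(string name, string value, CookieLevel level)
    {
        if (level > CurrentLevel)
        {
            return false;   // e.g. an analytics cookie refused while consent is only Essential
        }
        ResponseCookies[name] = value;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // First visit: no consent cookie yet, so only the level itself may be stored.
        var cookies = new ConsentAwareCookies(new Dictionary<string, string>());
        Console.WriteLine(cookies.SetCookie("PreferredCulture", "en-GB", CookieLevel.Essential)); // False
        Console.WriteLine(cookies.SetCookie("WebAnalytics", "new-visitor", CookieLevel.All));   // False

        // The visitor accepts the essential cookies in the consent dialog.
        cookies.SetLevel(CookieLevel.Essential);
        Console.WriteLine(cookies.SetCookie("PreferredCulture", "en-GB", CookieLevel.Essential)); // True
        Console.WriteLine(cookies.SetCookie("WebAnalytics", "new-visitor", CookieLevel.All));   // False

        // A later request carries the stored decision, so no dialog is needed again.
        var later = new ConsentAwareCookies(new Dictionary<string, string>(cookies.ResponseCookies));
        Console.WriteLine(later.CurrentLevel);                                                      // Essential
    }
}
```

Every cookie write goes through one method that compares the cookie's level with the stored consent, so a site that adds a new tracking cookie only has to tag it with the right level rather than remember the consent rules in each place it is set. The consent value is client-controlled; since it only restricts what the server writes to that same client, a tampered value grants the visitor nothing beyond their own cookies, which is why no server-side validation beyond "is this a known level" is needed.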

Martin Hejtmanek commented on

Hi, we have had some timing issues, but we are working on it right now, so it will be ready with the hotfix next week, including some basic web part that should comply with the requirements.

Phil Martin commented on

Is there any update on a hotfix for version 6? Will it be available for 26th May?

Martin Hejtmanek commented on

I see, then we will look into this during the next week to provide at least some basic solution in the next hotfix so you can adapt to that. Thank you for the feedback.

Steve Moore commented on

Absolutely, Martin, anything you can provide as a hotfix for the current version, even in a fairly basic form, would be very welcome.

David Philippe commented on

Hi Martin

Thanks for the prompt comment back. The new privacy law comes into force in the UK on 26th May so any solution that could be made available before then would be appreciated.

Martin Hejtmanek commented on

Hi,

We will have a complete solution which will allow several levels of cookies (Essential, Editor, Visitor) to be selected from, with customization options. This will be in version 7 which will be released at the end of June. It spans through the whole system so we cannot easily transfer it to v6 within hotfix.

However, if absolutely necessary, we could issue something very basic in our v6 API (like just enable/disable all cookies) through a hotfix, for which you could then create a web part to control that until we release v7 with the complete solution. How important is that, and is the end of June too late for current solutions?

David Philippe commented on

Hello everyone

In relation to Martin's initial post, I was wondering whether Kentico has come to issue a web part to manage consent and cookies?

Thanks and regards

David

Rob Nisbet commented on

I would welcome this solution as we are currently looking at having to implement this ourselves. The law is fairly clear that cookies that are not strictly necessary for the site function are not allowed without consent. That I believe includes several non-tracking cookies that Kentico writes, for instance to do with Culture or Visit Status. This may not be something that the legislation was originally intended to outlaw, but all the same, some companies want to comply with the law as it stands and so must therefore stop these cookies being written without consent. A customisable pop-up that can be themed, asking if these cookies can be written, would be great. Any ideas when this might be delivered and with what version?

Chris Benton commented on

Just an additional note, the best overview and advice I've seen on approach so far is published by Adobe (who now own the Omniture Analytics system)

http://blogs.omniture.com/2011/05/24/european-union-eprivacy-directive-update/

And a round-up of the media response and other analytics providers is at:

http://www.whencanistop.com/2011/05/new-cookie-law-reaction-round-up.html

Chris Benton commented on

We're in the middle of a major Kentico installation (upgrading panmacmillan to the new century) and I've just been tasked with looking into the technical solutions for the cookie law. (We have around 50-60 websites, so not a trivial exercise)

The part that worries me most is what the ICO have done themselves and written up in their privacy statement:

http://www.ico.gov.uk/Global/privacy_statement.aspx

Note that they show one cookie set by a CMS solution outside of their control, and so they are in active discussions to get the CMS provider to remove it or they will find another solution.

This is daunting to me and my team, as we have many active CMS systems (Kentico, Ektron, Wordpress, etc), and also we've various social networking and affiliate analytics providers (addthis, google, xgraph, yieldmanager, etc).

I don't know whether a privacy policy listing the CMS cookies is going to be enough (although it's currently enough for the ICO...) or whether we need a near-static landing page (with agreements) before entering the CMS-hosted part of the site, or some other technical means.

I'm at wits end and open to suggestion.

Rick Seinfeld commented on

Martin, the law will be enforced only in UK at the moment (it may be implemented - slightly differently - in the rest of the EU but it may take several years).
You cannot be persecuted in your country just because someone from the UK visits your web site. This is the same as "PirateBay" in Sweden. You should worry only when your server is hosted in the UK (and other countries that implement the EU directive) - which brings one interesting question: how does this influence cloud hosting?

Also note that IP blocks or restrictions based on IP addresses don't work (you have to make sure anyone from the UK would get the "popup") -> there are so many proxies and VPNs, and IPv6 is about to change this completely... So this is not an option. Or it is as good as any other solution, not the ultimate one.

The law is rather vague and mentions several methods - for instance, refer to 3(a): "...consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent."

While at the same time ICO document mentioned before says "Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."

But this "nonsense" can be applied to any method, pop-ups, or whatever. Anything may not be displayed on some extraordinary browser... We may end up with several methods as James suggested.

Hence we believe we don't have to worry. If a visitor doesn't want to store the cookies, she should set her browser accordingly. That's what we are going to include in our privacy policy.

Martin Hejtmanek commented on

I think this video just answered some of my questions :-)

http://bit.ly/iqjn01

Martin Hejtmanek commented on

To DesignByOnix:

Same question as to James: do you have any idea if the law applies to the country of the visitor or to the country of the web site owner?

e.g.: What happens if a US web site doesn't handle UK visitors in such a way?

Isn't it then just a way to terminate all UK hosting providers, because everyone will then move their web sites abroad rather than putting additional resources into it?

Martin Hejtmanek commented on

Hi Jiri,

This looks like a good example of what we could offer. There is one important thing I noticed, which is "... has already been set ...", which helps us to have those essential cookies until the user blocks them in their browser (which is something we don't need to care about, they will handle that on their own), and we just need to handle the consent for the additional ones.

One way or another, they clearly didn't provide any specific guidance on what is allowed and what isn't.

Martin Hejtmanek commented on

Hi Rick,

Thanks. For sure, we want to offer more options for how to display the consent than just a popup. Most of the cookies we have now are not privacy-breaking, except for the web analytics stuff, but there will be some more coming with the On-line marketing, so we need to cover that somehow.

Martin Hejtmanek commented on

Hi James,

That is a really good point, I guess we could allow that as well.

How the message looks will for sure be customizable; I can imagine some in-line message or modal popup options.

Does this law apply based on the country from which the visitor comes or the country of the owner of the web site? That would make a significant difference.

DesignByOnyx commented on

It would be nice to be able to configure "visitor ip ranges" which should trigger the "confirm cookies" popup. For example, UK has probably had the same range of IPs for quite a while. Same applies to just about any country. It would be nice to configure ranges like this:

11.111.11;11.111.33
88.888;88.889

Any visitor that falls within that range would be presented with a popup. I realize this doesn't cover anybody using a proxy.

Jiri Brazda commented on

One example of such consent application as demonstrated by UK's Information Commissioner’s Office at their website http://www.ico.gov.uk/

In the analytics community there's this understanding (or let's say hope) that analytics is going to be perceived as "necessary" provided there is a strict and transparent privacy policy in place. It is primarily the 3rd party cookies used to track visitors across websites that the directive aims to slash.

But there's more questions than answers :-(

Rick Seinfeld commented on

Have a look at this document: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx

Every single method "may or may not be enough" - depending on the "privacy intrusive activity".

We don't care and are waiting for the big companies (Google, Yahoo, Microsoft).

If there should be something, I would vote against pop-ups since they are extremely irritating from the user standpoint; also they wouldn't work for everyone (mobile phones or web applications). I believe most of the cookies used in Kentico are non-heavy-privacy-breaking and can go with the user's browser settings.

James Ford commented on

I think that the solution must have the ability to disable cookies wholesale for anonymous users - confirmation or no, for really strict webmasters.

In addition, another option for displaying a confirmation to new users would be good, and use web parts to customise the display - changing the message and the style of the message (from warning bar to pop-up message).

I would like to see the option to also change the behaviour based on localisation - so that customers outside of the EU won't have to be troubled by such annoying messages that don't apply to them.