Feedback needed - Cookie law

UPDATE: We have it now prepared on v7 and will be testing it. Then we will transfer it to v6 and provide with the hotfix. The general approach is following:

1) Cookie helper supports "cookie levels" to which the cookies may belong, the important levels are:

System (only being able to remember the level, no other cookies allowed)

Essential (cookies required for the main features of the web site to be functional, such as authentication, shopping cart etc.)

All (All cookies including user tracking and analytics)

There are some more levels and also more customization options, but these are important for now.

2) We have a web part "Cookie law consent" which allows to display particular message and actions to allow/disable cookies based on the current user cookie level with all possible options shown. The web part also serves to initialize the default user cookie level. Both web part and API changes to cookie helper are quite flexible, so you should be all able to make it your required way just by simple customizations if really necessary.

3) There is also a preconfigured version of that web part "Simple cookie law consent" which sets the default user level to no cookies with single option to allow the cookies. The web part hides after approval.

4) Login to CMS Desk / Site manager enables all cookies for the user without consent, but we don't see this as a problem since this logon page is for editors only.

If you have any feedback right now, you have time until Wednesday (May 16th) noon so we can make other potential changes to this week's hotfix, or to next Wednesday (May 23th) noon to make the last changes available before May 26. Once we release this week's hotfix, I will cover more on my blog.

Hi, we have had some timing issues, but we are working on it right now, so it will be ready with hotfix next week, including some basic web part that should comply to requirements.

Is there any update on a hotfix for version 6? Will it be available for 26th May?

I see, then we will look into this during the next week to provide at least some basic solution in the next hotfix so you can adapt to that. Thank you for the feedback.

Abslutely, Martin, anything you can provide as a hotfix for the current version, even in a fairly basic form would be very welcome.

Hi Martin

Thanks for the prompt comment back. The new privacy law comes into force in the UK on 26th May so any solution that could be made available before then would be appreciated.

Hi,

We will have a complete solution which will allow several levels of cookies (Essential, Editor, Visitor) to be selected from, with customization options. This will be in version 7 which will be released at the end of June. It spans through the whole system so we cannot easily transfer it to v6 within hotfix.

However, if absolutely necessary, we could issue something very basic in our v6 API (like just enable/disable all cookies) through hotfix for which you could then create a web part to control that until we release v7 with complete solution. How important is that and is end of the June too late for current solutions?

Hello everyone

In relation to Martin initial post, I was wondering if Kentico came to issue a webpart to manage consent and cookies?

Thanks and regards

David

I would welcome this solution as we are currently looking at having to implement this ourselves. The law is fairly clear that cookies that are not strictly necessary for the site function are not allowed without consent. That I believe includes several non-tracking cookies that Kentico writes, for instance to do with Culture or Vist Status. This may not be something that the legislation was originally intended to outlaw but all the same, some companies want to comply with the law as it stands and so must therefore stop these cookies being written without consent. A customisable pop-up that can the themed, asking if these cookies can be written would be great. Any ideas when this might be delivered and with what version?

Just an additional note, the best overview and advice I've seen on approach so far is published by Adobe (who now own the Omniture Analytics system)

http://blogs.omniture.com/2011/05/24/european-union-eprivacy-directive-update/

And a round-up of the media response and other analytics provers is at:

http://www.whencanistop.com/2011/05/new-cookie-law-reaction-round-up.html

We're in the middle of a major Kentico installation (upgrading panmacmillan to the new century) and I've just been tasked with looking into the technical solutions for the cookie law. (We have around 50-60 websites, so not a trivial exercise)

The part that worries me most is what the ICO have done themselves and written up in their privacy statement:

http://www.ico.gov.uk/Global/privacy_statement.aspx

Note that they show one cookie set by a CMS solution outside of their control, and so they are in active discussions to get the CMS provider to remove it or they will find another solution.

This is daunting to me and my team, as we have many active CMS systems (Kentico, Ektron, Wordpress, etc), and also we've various social networking and affiliate analytics providers (addthis, google, xgraph, yieldmanager, etc).

I don't know whether a privacy policy listing the CMS cookies is going to be enough (although its currently enough for the ICO...) or whether we need a near-static landing page (with agreements) before entering the CMS-hosted part of the site, or some other technical means.

I'm at wits end and open to suggestion.

Martin, the law will be enforced only in UK at the moment (it may be implemented - slightly differently - in the rest of the EU but it may take several years).
You cannot be persecuted in your country just because someone from UK visits your web site. This is the same like "PirateBay" in Sweden. You should worry only when your server is hosted in UK (and other countries that implements the EU directive) - which brings one interesting question: how this influence cloud hosting?

Also note that IP block or restrictions based on IP addresses doesn't work (you have to make sure, anyone from UK would get "popup") -> there are so many proxies VPNs and IPv6 is about to change this completely... So this is not an option. Or it is as good as any other solution, not the ultimate one.

The law is rather vague and mention several methods - for instance, refer to the 3(a)"...consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent."

While at the same time ICO document mentioned before says "Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."

But this "nonsense" can be applied to any method, pup ups, or whatever. Anything may not be displayed on some extraordinary browser... We may end up with several methods as James suggested.

Hence we believe we don't have to worry. If a visitor doesn’t want to store the cookies, she should set her browser accordingly. That's what we goanna include in our privacy policy.

I think this video just answered some of my questions :-)

http://bit.ly/iqjn01

To DesignByOnix:

Same question as to James, do you have any idea if the law applies to the country of visitor, or to the country of web site owner.

e.g.: What happens if US web site doesn't handle UK visitors in such way?

Isn't it then just a way how to terminate all UK hosting providers because everyone will then move their web sites abroad rather than putting additional resources to it?

Hi Jiri,

This looks like a good example of what we could offer, there is one important thing I noticed, which is "... has already been set ..." which helps us to have those essential cookies until the user blocks them in their browser (which is something we don't need to care about, they will handle that on their own), and we just need to handle the consent for the additional ones.

One way or another, they clearly didn't provide any specific guidance on what is allowed and what isn't.

Hi Rick,

Thanks. For sure, we wan't to offer more options of how to display the consent than just popup. Most of the cookies we have now are not privacy-breaking, except for the web analytics stuff, but there will be some more coming with the On-line marketing, so we need to cover that somehow.

Hi James,

That is a really good point, I guess we could allow that as well.

How the message will look like will for sure be customizable, I can imagine some in-line message or modal popup options.

Does this law apply based on the country from which the visitor comes or the country of the owner of the web site? That would make a significant difference.

It would be nice to be able to configure "visitor ip ranges" which should trigger the "confirm cookies" popup. For example, UK has probably had the same range of IPs for quite a while. Same applies to just about any country. It would be nice to configure ranges like this:

11.111.11;11.111.33
88.888;88.889

Any visitor that falls within that range would be presented with a popup. I realize this doesn't cover anybody using a proxy.

One example of such consent application as demonstrated by UK's Information Commissioner’s Office at their website http://www.ico.gov.uk/

In the analytics community there's this understanding (or let's say hope) that analytics is going to be perceived as "necessary" provided there is strict and transparent privacy policy in place. It is primarily the 3rd party cookies used to track visitor across websites the directive aims to slash.

But there's more questions than answers :-(

Have a look at this document: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.ashx

Every single method "may or may not be enough" - depending on the "privacy intrusive activity".

We don't care and are waiting for the big companies (Google, Yahoo, Microsoft).

If there should be something I would vote against pop-ups since they are extremely irritating from the user standpoint, also they wouldn't work for everyone (mobile phones or web applications). I believe most of the cookies used in Kentico are non-heavy-privacy-breaking and can go with user's browser setting.

I think that the solution must have the ability to disable cookies wholesale for anonymous users - confirmation or no, for really strict webmasters.

In addition, another option for displaying a confirmation to new users would be good, and use web parts to customise the display - changing the message and the style of the message (from warning bar to pop-up message).

I would like to see the option to also change the behaviour based on localisation - so that customers outside of the EU won't have to be troubled by such annoying messages that don't apply to them.