EU Cookie Law - ?!

sticker

Hi,

This was recently brought to my attention -
http://www.youtube.com/watch?v=arWJA0jVPAc

Anyone and opinions or professional input on this issue from a developer standpoint?

Giblet

It's all in limbo over here at the moment, but it boils down to SSL connections wherever a secure cookie is sent over the wire, permissions setting cookies for tracking and such. If you need a cookie to operate you can use them (setting some localisation, or maintaining some state which is needed to allow the site to function). It's all a bit hand wavey at the moment, a bit like PCI Compliance with their "You may or may not be in scope if you are 1 hop away" bs.

sticker

Giblet wrote: »

It's all in limbo over here at the moment, but it boils down to SSL connections wherever the cookie is sent over the wire, permissions setting cookies for tracking and such. If you need a cookie to operate you can use them (setting some localisation, or maintaining some state which is needed to allow the site to function). It's all a bit hand wavey at the moment, a bit like PCI Compliance with their "You may or may not be in scope if you are 1 hop away" bs.

Cheers for the feedback. I develop standard html/css/js websites - no ecommerce or database backends. I do not intentionally include any cookie application in development.... Forgive the possibly silly question, but would a 'standard brochure website' generate a cookie automatically or would you need to "tell the code" to generate a cookie with each new site visit?

Giblet

Do you use a CMS like WordPress?

sticker

Giblet wrote: »

Do you use a CMS like WordPress?

Nope - I edit html/css/js frameworks - no CMS

Giblet

You're probably ok then!

uck51js9zml2yt

Giblet wrote: »

Do you use a CMS like WordPress?

does wp use them?
I assumed thats how Google analytics works with a wp plugin

Giblet

Logins and stuff, people leaving comments and what not. A simple "I agree to allowing a cookie" beside a login button should be ok.

Boards.ie: Paddy

The advice we were given in boards.ie was that to be in full compliance you have to provide a description of all cookies, including the data stored in them, their purpose and the retention period. This should form part of your Privacy Policy. You can see an example of the type of information we provided as part of boardsdeals.ie's Privacy Policy.

This is probably the only way to be sure you are 100% in compliance. Obviously for a large website like ourselves the effort involved in providing this information massively outweighs the problems that could arise from not being in compliance. For a brochure website for your local GAA club it may not be entirely necessary but there is a risk there.

If you aren't sure if your site is setting cookies you can use the inspector in google chrome to find out. When viewing your website hit F12 and select resources->cookies to see what cookies have been set by your site.

sticker

Boards.ie: Paddy wrote: »

The advice we were given in boards.ie was that to be in full compliance you have to provide a description of all cookies, including the data stored in them, their purpose and the retention period. This should form part of your Privacy Policy. You can see an example of the type of information we provided as part of boardsdeals.ie's Privacy Policy.

This is probably the only way to be sure you are 100% in compliance. Obviously for a large website like ourselves the effort involved in providing this information massively outweighs the problems that could arise from not being in compliance. For a brochure website for your local GAA club it may not be entirely necessary but there is a risk there.

If you aren't sure if your site is setting cookies you can use the inspector in google chrome to find out. When viewing your website hit F12 and select resources->cookies to see what cookies have been set by your site.

Very informative and much appreciated.

sticker

After a look at your Privacy Policy here on boards, I see you have described each cookie and what it does, Chrome gives my own website some cookie activity, but I'm unsure how to write this up for a Privacy Policy - not to mention the other websites I have developed.

Am I right in saying each website need a custom Privacy Policy to be compliant?

I'll have a serious headache retro fitting my portfolio with tailor-made Privacy Policies. Is this what other Irish developers are doing also? Or is this a bit of an uninforcable law?

sticker

sticker wrote: »

After a look at your Privacy Policy here on boards, I see you have described each cookie and what it does, Chrome gives my own website some cookie activity, but I'm unsure how to write this up for a Privacy Policy - not to mention the other websites I have developed.

Am I right in saying each website need a custom Privacy Policy to be compliant?

I'll have a serious headache retro fitting my portfolio with tailor-made Privacy Policies. Is this what other Irish developers are doing also? Or is this a bit of an uninforcable law?

Anyone any followup opinions on this issue? -

Seems quite big to me when an EU law break is quite possible for many innocent websites...

Peanut

I'm a bit surprised that the advice Boards got was simply to list all cookies used.

The main point of contention around the new EU directive was not so much about giving information about what cookies are used, but in obtaining consent from the user.

This was clearly going to be a problem since the consent needed to happen at the beginning of a user's interaction with a site, and as such, any popups etc. used to confirm consent could drive visitors away or give a sales advantage to non-EU sites.

I know there were exemptions for not requiring consent for cookies essential to site functionality (such as login sessions), but I'm pretty sure Google analytics was not covered under this.

The whole thing seems very badly thought out and will be virtually impossible to enforce, although I suspect the reality is that only very large sites will come under any scrutiny, and they may be able to find workarounds that may stretch the interpretation of what was required - it was reported today that bt.com have implemented an opt-out question when you first visit their site, instead of asking for an opt-in to tracking cookies.


@sticker - re: privacy policy - Although I don't think it's a legal requirement (yet), it's probably a good idea to at least have a generic privacy policy for any site as it may give people more confidence when using the site and/or business and is now also a requirement for any sites monetising using Adsense.

There's more details on what they recommend here.

boblong

1. We must do something
2. This is something
3. Therefore, we must do this.

MOH

boblong wrote: »

1. We must do something
2. This is something
3. Therefore, we must do this.

Is that yourself, deputy Sherlock?

Feathers

sticker wrote: »

Anyone any followup opinions on this issue? -

Seems quite big to me when an EU law break is quite possible for many innocent websites...

Nothing will likely come of this, as it will make the web unusable. Does anyone know what the Irish legislation around this has/will be? In London at the minute & seems to be fines for non-compliance, but most major companies are dragging their heels over this.

'Non-essential' is the real sticking point. The CSO over here are arguing that Analytics are essential as they allow them to provide the best possible service to users in a cost-effective way, which is part of their remit :rolleyes:

& is storing a cookie to say you don't want other cookies essential?

The reality is, until a test-case goes through the courts (or someone gets a complaint brought against them through an official watchdog), nothing will come of this.

sticker What type of sites are you talking about — gov/SME/community? & do you have a support contract against them?

mambo

Has there been any prosecution in Ireland because of a website not obtaining consent to use cookies?

I notice the DPP website www.dppireland.ie uses cookies and doesn't seem to have a cookie statement, so I'm guess no-one is taking the EU directive too seriously?

Feathers

mambo wrote: »

Has there been any prosecution in Ireland because of a website not obtaining consent to use cookies?

I haven't heard of any prosecutions at all tbh!