European & UK Cookie Law legal implications?

[Graemezee]

There are a few request and threads asking about the European and UK Cookie Law and looking for solutions for existing websites. This is a query about the legal implications for designers and developer that install a site post May 26th in the UK. Effectively they would be providing a solutions to a client that is deemed to be illegal although you would be unlikely to be challenged by the authorities its leaves you wide open to malicious litigations by your customers.

Whilst not having any legal background I have a friend who writes policy for a government department and she feel going forward we have a problem. Any site delivered pre 26th May 2012 would be fine because it complied with the law at the time it was delivered. But to deliver a site post 26th May 2012 without the required capability could have serious implications.

Has anyone any thought on this.

[itips1011]

The new EU / UK "cookie law" Directive looks like it will become "law" by May 26, 2012.

The responsibility to fix seems to be firmly with website owners based in the EU.

The Joomla session cookie loads into a visitor's web browser immediately on visiting a Joomla website (currently the same for all Joomla versions I think).

However, if you list the cookies information sufficiently well on your privacy policy page, bearing in mind that the Joomla session cookie is pretty harmless, it's possible that the ICO (the body responsible for implementing this Directive in the UK) may consider it not to be a problem. I don't know.

There are rumours that they also may consider Google Analytics cookies to not be a problem. That would make things easier wouldn't it? However, if they let Google off, I guess, they're going to have to let Joomla, WordPress, Drupal, etc. off, and others, as well.

Of course, there may be an update from Joomla to prevent the session cookie being fired until someone registers or logs in - that would fix the issue the only remaining issue as far as I can see (the other issues can perhaps be tackled with the solution I've suggested below).

Likewise for shopping carts: if the shopping cart cookie can be fired at the point someone decides to add something to a shopping cart, then the user has explicitly chosen to buy something, and since you would have listed how this works in your privacy policy (you will won't you :-) , then at that point, that shopping cart cookie becomes exempt from the cookie law because the user has initiated the required action first.

So apart from the Joomla session cookie (which I'm not doing anything about for now), the solution I'm using is oultined below.

I've been checking into quite a few possible solutions and have now found, what for me (and all the websites I am responsible for), a great solution.

This is called "Cookie Control" and comes from: http://www.civicuk.com/cookie-law

And it works for pretty much for all versions of Joomla to-date.

I like this because it's elegant, bright, and upbeat, and doesn't bring down or bring up a sliding window or panel over the web page, to ask permission to use cookies, which can have the subliminal effect of raising a barrier.

Just go through the instructions they provide on the website.

If it doesn't work first time, most likely, the Javascript in "Cookie Control" is clashing with one or more other types of Javascript installed on your website - you could have a slideshow, or mootools menu, and so on. So I suggest install one of the following plugins to fix that:

- for Joomla v1.5.xx, the plugin at: http://extensions.joomla.org/extensions ... ripts/7230 worked for me. (In the plugin, I had to set the version of Javascript to at least v1.4.4, as your helpful guidelines stipulate - I've set it to the latest v1.7.2). Thank you to the provider.

- for Joomla v1.7.xx - v2.5.xx, probably the one at: http://extensions.joomla.org/extensions ... ipts/18327 should work, in a similar manner. Likewise, thank you to the provider.

Also, there's a useful list at: http://extensions.joomla.org/extensions ... ry-scripts

Important: in the plugin you use above, set the Jquery version to at least v1.4.4. I set it to the latest Jquery version, currently v1.7.2.

After doing that, I got it working almost perfectly. The one problem remained: how to let Google Analytics cookies through after a user has given permission.

The remedy was to slightly edit the last function in the block of code Cookie Control provides which you need to insert somewhere before the closing

Code: Select all

</body>

tag.

So for the last bit of code, instead of:

Code: Select all

      function ccAddAnalytics() {
        $.getScript("http://www.google-analytics.com/ga.js", function() {
          var GATracker = _gat._createTracker('UA-284815-1');
          GATracker._trackPageview();
        });
      }

I used:

Code: Select all

      function ccAddAnalytics() {
        jQuery.getScript("http://www.google-analytics.com/ga.js", function() {
          var GATracker = _gat._createTracker('UA-284815-1');
          GATracker._trackPageview();
        });
      }

... remembering of course to put in your own Google Analytics code in the correct place.

Thereafter, Google Analytics cookies were allowed through after the user had given permission.

So essentially, at that point, everything worked properly.

I plan to install this on all Joomla websites (and in fact, any website).

Here's a Joomla v1.5.xx example website in which I've installed this solution: http://www.touchstonerenard.com/

(I know it should be Joomla v2.5.xx; we're working on that: not enough hours in the day :-)

Anyway, also check out the updates pages at:

- http://www.civicuk.com/cookie-law/updates/Magento or

- http://www.civicuk.com/cookie-law/updates/Joomla

The nice folks at: http://www.civicuk.com/cookie-law/index are going to be adding the updates above there, plus more to come.

Also, I understand that one or two nice folks from the Joomla community are working on a plugin which may do all of the above in one go.

Yes, the Joomla session cookie still fires immediately on visiting a Joomla website, but since I'm going to list this in my privacy policies, I'm hoping that is enough to satisfy the ICO.

If not, then we'll find an efficient and reliable way to prevent the Joomla session cookie firing until a user registers or logs in (if your site includes those options). And such a solution will be needed even if your Joomla website has registration and login functions turned off (currently, the Joomla session cookie still fires into the visitor's web browser).

Without doubt, the cookie law hasn't really been thought through well by the ICO. I guess, they mean well, but were counting on the technical community to provide a fix.

As I see it, the biggest challenge is how to implement this thing without making our websites look bad or deter many more people. And for me, "Cookie Control" is the best of the bunch (so far :-).

So for now, the solution above addresses the issue for me. I hope it can help anyone else too, so we can all put this thing to bed and get on with the business of building websites, doing business, and serving customers.

What do you think?

[abernyte]

"Here's a Joomla v1.5.xx example website in which I've installed this solution: http://www.touchstonerenard.com/ "
This site drops the Joomla Session cookie without consent.

Code: Select all

http://www.touchstonerenard.com/
1 cookie
Name	fed26b8fa39123fab6b5f619d5e18bb2
Value	e91b4ff3639edcbaf290bc144a32e360
Host	http://www.touchstonerenard.com
Path	/
Secure	No
Expires	At End Of Session

It also displays no selection to opt in or out if javascript is turned off in the browser, as a prudent ( paranoid) user should.

The cicvicuk site is also not in compliance for the same reasons, only twice!

Code: Select all

http://www.civicuk.com/cookie-law/index
2 cookies
Name	HAAPPLB
Value	athena_3c08
Host	www.civicuk.com
Path	/
Secure	No
Expires	At End Of Session

    Edit Cookie
    Delete Cookie

Name	HACIVICLB
Value	atropos_28e7
Host	www.civicuk.com
Path	/
Secure	No
Expires	At End Of Session

It also requires javascript to be running and offers no alternative if you don't. Epic fail really.

[itips1011]

If you check the civic uk.com website, there is an option install the opt-out of cookies preference. However, we chose not to use that on this occasion, since the cookies used are explicitly listed on the privacy policy, and installing it still wouldn't stop the Joomla session cookie: under normal circumstances, that will fire every time when visiting a Joomla powered website.

And if a visitor chooses to register or login, at that point, the're going to activate the Joomla session cookie then anyway. The EU cookie Directive is a completely ill thought out idea (even if well meaning).

The best solution, I feel, is to at least demonstrate that steps have been taken to attempt to comply with the Directive, but still keep in mind common sense and the realities of doing business online today. In other words, having layered windows come down, or come up, and stringently checking for every cookie, may well confuse, or even alarm the average visitor even more.

When the ICO at http://www.ico.gov.uk/ implemented their first solution, they had a 90% drop in visitor numbers. But the ICO can't really be considered a commercial organisation can they? Their bills are most likely paid through government grants. So if their visitor numbers drop, it's not a big issue for them (perhaps).

Also, with a bit of luck, the Joomla session cookie, along with other CMSes, may yet even be treated as "essential to the application" (but don't bank on it :-) We'll just have to wait and see.

It seems crazy to invest too much time and hassle into this because a web browser fix for this may still become available. So it's reasonable compromise.

In response to your point about the solution not working if JavaScript is turned off in a visitor's web browser, since that would be abnormal today, I doubt if the ICO have an opinion on it. JavaScript is an essential aspect for most useful web applications today, it's turned on by default in most web browsers, and having it doesn't disadvantage screen reader users. So again, let's see what happens.

Of course, it's up to individual website owners to decide how they want to comply, or attempt to comply with the new Directive. I guess things will become clearer as the weeks and months go by.

[mandville]

may i heavily suggest people read the other topics on this and discuss here
http://forum.joomla.org/viewtopic.php?f=575&t=708343
to prevent this topic being discussed in numerous places
(the original topic was here http://forum.joomla.org/viewtopic.php?f=428&t=549868)