European Electronic Communications Framework Compliance

mandville
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: European Electronic Communications Framework Compliance

Post by mandville » Wed May 23, 2012 5:44 pm

Nearly every BWS I have visited so far allows me to continue onto the site without accepting or rejecting cookies. All apparently have a different interpretation of what is 1st, 2nd, 3rd or 99th party cookies.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

Webdongle
Joomla! Master
Posts: 44175
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Wed May 23, 2012 7:18 pm

BWS ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Post by Webdongle » Wed May 23, 2012 7:40 pm

Have been using http://www.conquerjoomla.com/cjnocookies.html on a live site and it blocks the Joomla session cookie

On my site I allow the session cookie and Google analytics. Am still waiting for clarification from the ICO about session cookies. But have set my site in accordance with my interpretation of their guidelines.

The Statcounter cookie is controlled by Kookie Grab. Although I find Statcounter better than Google analytics, Statcounter drops a 5 year cookie. And their privacy policy appears to stick its nose up at the new regulations.

BenTasker
Joomla! Apprentice
Posts: 49
Joined: Fri May 18, 2012 8:45 am
Location: UK

Post by BenTasker » Thu May 24, 2012 3:09 pm

Ben, do you see any contradiction in offering what is probably a fine extension to block cookies and then drop 2 on a visitor without consent?

Yeah I see the irony! Unfortunately we've had a few problems integrating VCM with the Akeeba Release System so have had to temporarily disable VCM on Virya Software. I'm still working on a solution at the moment, and as a small business the analytics are absolutely essential in considering where our energy needs to be directed (hence GA had to be re-enabled when VCM was disabled).

The Facebook connect cookie is a new one on me though, may have been added since I last checked (I don't manage the VS site, only the underlying server) and will be blocked once I get VCM to play nice with our site.

Actually, the E-Commerce side of things has proved to be quite a PITA. I don't know what others have experienced, but I've found getting a solution to work _without_ ruining the shopping flow has been really hard. I can force visitors to create an account (so that they aren't buying as the Cookie user) but do you really want to force them to do so just to browse (not our site, another!)?

We noticed earlier that the BBC has got their Cookie bit up now. Interestingly, a lot of the big players aren't actually asking consent in the way everyone here has been. Instead they are saying "We use cookies, if you continue we'll assume you accept them" which to my mind isn't in the spirit or the letter of the law.
Ben Tasker

Code Monkey & Systems Manager
https://www.bentasker.co.uk

Post by Webdongle » Thu May 24, 2012 3:29 pm

BenTasker wrote: a lot of the big players aren't actually asking consent in the way everyone here has been. Instead they are saying "We use cookies, if you continue we'll assume you accept them"
:laugh: Including Nominet who are the Registry for .uk domain names http://www.nominet.org.uk/cookies/

Addendum
I just rang the ICO and the woman told me that consent must be obtained for all cookies (including session cookies). I mentioned the Nominet site and then they got vague. They mentioned essential cookies and to read their guidelines.

I explained the guidelines were vague and why. She told me new guidelines were coming out tomorrow ... and hung up on me :eek:
Last edited by Webdongle on Thu May 24, 2012 4:04 pm, edited 1 time in total.

Post by BenTasker » Thu May 24, 2012 3:49 pm

I can't help but wonder though, given how err...... keen.... we all know the ICO to be, whether the actions of the big players will be deemed good enough for sites in the UK (at least until the EU rattles a few sabres).

It'd be kind of galling, having done a lot of work to work towards staying in-line with the letter of the law (and we're not entirely there yet), to find that it's overkill because the big players can't be bothered and the ICO, well, acts like it always has. Certainly be interesting to see if there's any 'clarification' from the ICO but I won't hold my breath.

Post by Webdongle » Thu May 24, 2012 4:16 pm

The logistics of them prosecuting all the sites that don't comply must be massive.

What say you that we all complain that Nominet are not complying and see if they bother doing anything ?

Post by BenTasker » Thu May 24, 2012 5:02 pm

Yeah sounds better than previous plans I've seen on the net. Focusing on one site is the way to do it, just mass complaining about everything does nothing but prove it's impossible to enforce against everyone. Mass complaining about a single site shows whether or not the ICO are actually willing to enforce!

Post by Webdongle » Thu May 24, 2012 5:22 pm

The ICO site has a complaints form and said it should be downloaded and filled out. Then emailed to [email protected] http://www.ico.gov.uk/complaints/privac ... tions.aspx

However not everyone will want to give their name and address, so ...
If everyone emails [email protected] about http://www.nominet.org.uk/cookies/

My email has been sent

abernyte
Joomla! Virtuoso
Posts: 4194
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Post by abernyte » Thu May 24, 2012 6:04 pm

@Ben
and as a small business the analytics are absolutely essential in considering where our energy needs to be directed
"...strictly necessary for a service explicitly requested by the user..." is what the regulation says. What bit of that does your need for analytics fall into?

I know this is the purist's view but the law is about the user's privacy not your convenience or your needs or even desires. That argument was spent between 2003 and 2009 when the law was flouted openly. Please don't expect sympathy or understanding now.

All I see from business big and small is self interested kicking and screaming as they are dragged towards compliance. IMHO I wouldn't get too hung up on the session cookie. It is actionable but highly unlikely to ever be a runner.

The ICO has a track record of being spineless...we might get a surprise if they decide to grow a pair and hang a big player out to dry just to prove a point.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Post by mandville » Thu May 24, 2012 6:14 pm

I don't use ganalytics - cpanel does that for me - unless it was specifically requested.
I have placed banners with (sorry ben) "if you don't like it turn over" messages.

so next question is, how much is dreamweaver or front-page these days?

Post by Webdongle » Thu May 24, 2012 6:21 pm

abernyte wrote:...
The ICO has a track record of being spineless...we might get a surprise if they decide to grow a pair and hang a big player out to dry just to prove a point.
Yes they may go for an easy target to get some revenue but if they get inundated with complaints it may prompt them to clarify/justify their stance on the Nominet site.

Have you sent your complaint yet ?

Post by abernyte » Thu May 24, 2012 6:30 pm

mandville wrote: so next question is, how much is dreamweaver or front-page these days?
Clean keyboard required here. :D I am sure that I have an old cover disk from a magazine I could let you borrow.

The ICO has already observed that there could be many routes to compliance and that analytics are the least of his worries:
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
Nominet? ....save your ammo

Post by Webdongle » Thu May 24, 2012 6:36 pm

Anyone else complained to the ICO about Nominet ?

Addendum

Another big player that asks if you want to accept cookies but drops the cookies before they are accepted https://www.which.co.uk

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Post by chrisjg » Thu May 24, 2012 7:34 pm

Complaint sent...

Here is a copy - Feel free to use/re-use/modify for your own complaint
-----------------------
To whom it may concern,

Having read the PECR laws and your guidance regarding compliance in the UK it appears that NOMINET is not complying with the law.

Namely, it drops a session cookie and 4 analytics cookies without asking for permission to do so.

In addition to setting cookies without permission, their cookie policy does not allow opting out, and they clearly believe this is OK because they link to ICO from that policy - http://www.ico.gov.uk/news/current_topi ... rules.aspx

If the manager of all .uk names cannot, or will not, comply with the ICO guidance then realistically why should anyone else?

Quotes are taken from your document "Guidance on the rules on use of cookies and similar technologies" version 2

http://www.ico.gov.uk/news/latest_news/ ... tions.ashx

#1

Nominet does not seek consent, nor actively inform visitors (so no implied consent can be assumed), and as such fails to meet the guidance given on page 5 regarding consent.

Quote: "Consent must involve some form of communication where the individual knowingly indicates their acceptance"

Quote: "A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen – in this situation a user has a full understanding of the fact cookies will be set, is clear about what cookies do and signifies their agreement."

And the relevant law - Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)

===
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
===

#2

Nominet sets cookies that are not considered exemptions by the ICO (see the table on page 10)

Quote: "Activities unlikely to fall within the exception
Cookies used for analytical purposes to count the number of unique visits to a website for example"

Nominet acknowledge their use of 4 analytical cookies, and are therefore fully aware of the type of cookies they are storing on users' devices.
The only option given to allow users to opt-out is to require users to install (software) a browser plugin from a 3rd party - and that information is only found after navigating to their cookie policy, which is a small link at the bottom of their page.
Requiring the user to install additional software to opt-out is not good practice, especially after the 'crime' of setting these cookies has already been committed.

#3

Nominet makes no effort to actively inform users about its use of cookies (see pages 13, 14 and 15)

The link to their cookie policy is not highlighted or distinguished in any way from other links, and the link is placed in the footer.
Quote: "Positioning is important – simply moving the link from the footer of the page to somewhere more likely to catch attention is an easy but effective thing to try"

It seems clear to me that Nominet is not complying with the law, and that it is making no attempts to do so. Unless their reading of the law is correct and your guidance is flawed.

As the manager of all .uk domain names, including the ICO url, they should set the standard by which all others can benchmark themselves.

If they, as they appear to be doing, willfully ignore the ICO guidance regarding cookies then it begs the question "Why should I bother, if they don't"

If this law is to mean anything at all then those websites with prominent roles in the UK website industry, in conjunction with the websites of the lawmakers (such as all government, local authority and public service websites) should be at the forefront of the push to make every site compliant. Leading by example, not by "Don't do as I do, do as I say."


I expect this complaint to be taken seriously, and Nominet be investigated and, if found to be in breach of the law, forced to comply.

As a small business owner and operator I am at the coal-face with regards to this law. If I cannot take guidance, examples of good practice and compliance from key businesses in the UK website industry, then it is very difficult to know what is the correct and proper way to implement this law in practice.
Additionally it becomes very difficult to justify the extra work (and cost) associated with helping other businesses' websites becoming compliant if they can see that the law is being ignored by simply visiting government and/or key websites.


Please keep me informed of your progress regarding this matter, and confirm to me if Nominet is indeed in breach OR if they are not. This information/clarification will form a key part of any future work I (and many other designers) undertake.

Regards,

Chris<redacted>
<redacted>
Company number: <redacted>
VAT registration: <redacted>
--------------------------

Post by abernyte » Thu May 24, 2012 7:57 pm

Dear Chris,
Thank you for your letter received today.
It does appear that Nominet are having some difficulty in complying with the recent change in the law. We have decided that they are really important people in the Intertubes stuff and that we are likely to get our ass handed to us if we try to enforce the law with them.
Thanks anyway.
Love

ICO

maxelcat
Joomla! Explorer
Posts: 391
Joined: Fri Jul 18, 2008 9:25 am
Location: London

Post by maxelcat » Fri May 25, 2012 11:07 am

Oh dear! I have spent ages reading through this post. I am one of the millions (I guess) of people who create sites that use the Joomla session cookies and GA as well. Whilst I am sure cookie grab works well, I really don't want to have that on my sites!!!

I was hoping to find a "here's what you do and it's sorted" answer. But alas, it doesn't look like it exists...
Blog and web http://www.ee-web.co.uk/blog - lots of joomla tips!
Twitter https://twitter.com/#!/maxelcat

Post by BenTasker » Fri May 25, 2012 11:36 am

Hmmm I tapped out a post this morning but it appears to have been routed to /dev/null :(

@abernyte
"...strictly necessary for a service explicitly requested by the user..." is what the regulation says. What bit of that does your need for analytics fall into?
I wasn't suggesting it did! I was saying that whilst we don't have VCM tweaked to play nice with our site, we are continuing on the basis of 'business as normal' with a few changes. The fact is, we are a small business with a limited budget, we need to be able to see which marketing efforts have worked and which haven't. I could be difficult and suggest that this is service-essential, because otherwise the service isn't cost-effective and won't be provided, but I wouldn't buy this, wouldn't expect a court to buy it and don't expect you to either. I suspect, though, it may be an argument we hear at some point (lawyers being like they are!).

All I see from business big and small is self interested kicking and screaming as they are dragged towards compliance.
I agree, but given that the nature of a business is to make money, are you really surprised? Leave ethics aside for a minute (as some businesses do), what does this do for businesses? Involves cost with no real return. No wonder so many are complaining, especially if they can't see the benefit.

Personally, my view is that privacy is valuable (and I know my colleagues feel the same) and shouldn't be treated lightly. It's all about balance though, and I'm not sure anyone has quite achieved that perfectly yet!

I don't use ganalytics - cpanel does that for me - unless it was specifically requested.
I have placed banners with (sorry ben) "if you don't like it turn over" messages.
Ach, use what suits! This whole thing comes down to choice, and let's face it even when we don't have one the first thing we do is wish we did. If you were happy with a JS script that fills the page with a donkey until a user accepts cookies then that'd be great too. A banner is much more graceful than a donkey so I suspect you've done well ;)

I suspect a lot of sites are going to take the "accept cookies or leave" line, and under certain circumstances I don't entirely blame them. Users forget that they have no entitlement to view any of our content, we can choose to charge for access or make it publicly available. If the admin has gone for the latter, but is using ads to help pay hosting costs will he really want to risk losing money because people are saying 'No' and so blocking adsense? (Not that I'm trying to start an AdBlocker argument!). As long as the users are actually informed, that seems sufficient. I've not seen anything in the law that says we have to let them browse cookie free!


@WebDongle - Email sent! I've also asked for clarification on whether the Beeb's approach is acceptable under law, but I'll be amazed if I get a response.


@maxelcat - Sadly we'd all love a quick and easy answer, but at the moment there just isn't one. IMHO the community has been caught out a bit really, given that the law has been in effect for quite some time now! A quick fix, that may or may not be acceptable under the law is a large banner stating that you set cookies and that if they continue they accept. I'm not sure it's in the spirit of the law, but that's what the BBC have done (though they have a page where you can edit cookie settings)

Post by abernyte » Fri May 25, 2012 1:15 pm

The real ghost at this feast is OSM.
The EU is not a small user base for Joomla. If OSM don't want to support us with Joomla coded to do the accept cookie thing then please say so.
The silence is deafening.

Post by abernyte » Fri May 25, 2012 1:26 pm

@Ben
We are on the same page, mostly!
It's all about balance though,
That suggests that when the balance starts to tip away from you, the user's privacy is the first casualty. That is what got us here in the first place!

I suspect that the stoor will settle, in the UK, on more prominent and clearer admissions of what cookies a site uses and a grudging policy of no ICO enforcement where they are restricted to 1st party cookies only. Although whoever ran away with the idea that GA cookies are 1st party when they can be used to track users across domains remains a mystery to me.
Question: will the EU endorse that as proper compliance of the Regulations within the Directive?

Post by BenTasker » Fri May 25, 2012 1:46 pm

That suggests that when the balance starts to tip away from you the users privacy is the first casualty. That is what got us here in the first place!
Unfortunately, sometimes it is (a la Facebook). I agree that it shouldn't be though. On most sites I regularly visit, given the choice, I'd probably be happy to pay a small monthly subscription not to be served ads (with the tracking cookies that accompany them) rather than view the ad-supported version. I do use an ad-blocker for sites I don't regularly visit, but it doesn't quite feel right viewing the content for free and blocking the ads on sites I frequent. Instead, I have my browser nuke cookies whenever I close it.
Question: will the EU endorse that as proper compliance of the Regulations within the Directive?
Based on previous behaviour by the EU, I'd give that a resounding No! But then, they may also be realising how hard this will be to enforce, and so may opt for the path of least resistance. User awareness does seem to be the focus, although it's easy to miss amongst all the dialogue.

I do think, though, that more should have been done to make people aware of this. We saw someone on the net recently who was starting a petition to try and stop the law getting passed on 26 May. Might be somewhat unsuccessful considering it was passed quite some time ago!

Now that sites like the Beeb have started putting things up, I suspect users will be far more aware of what cookies can do. I doubt most of them will care, but at least the opportunity to understand is now there.

Oh, and I agree on the GA cookies. There's no way I would consider that a 1st party cookie, it's third party without shade of a doubt. No different to calling an Adsense cookie 1st party (isn't it funny how Google seem to be the main example, might almost think they have a track record :p )

Post by abernyte » Fri May 25, 2012 1:56 pm

Google are the new News International. In 10 years time we will have a public enquiry into how Google managed to get so close to the seats of influence in Westminster and the BBC. And be in no doubt, they are dug in deeper than an Alabama tick.

Post by BenTasker » Fri May 25, 2012 2:30 pm

Google are the new News International. In 10 years time we will have a public enquiry into how Google managed to get so close to the seats of influence in Westminster and the BBC.
<joke>You expect the Tories to lose power then?</joke>. I suspect you're probably right, what was once a company who just did search very well (and even then, their business model was still ads) has become a huge monolith with fingers in every pie!

I don't know that we'll ever see an enquiry though. It took the evocation of a child's name for the News International stuff to come to a head, I can't quite see a situation where the same could happen to Google. There may, of course, be something equally embarrassing round the corner for them: they do so much it'd be hard not to drop a clanger somewhere. They managed to paper over the cracks of the Wifi slurp though, and that was a pretty big invasion of privacy (lack of encryption ignored!).

It does seem that many of the companies that invade privacy are doing really, really well. Perhaps I'm reversing causality a touch, but fancy starting a business with me? PeepingToms 'R' Us. We could be rich!

Post by chrisjg » Fri May 25, 2012 3:48 pm

@Abernyte: PMSL

I remember when google=search. They have lost their focus on what made them - fast, accurate searches - and now spend time tweaking the page rank algorithm to stop 'bad seo' and gaming of their search results.
Not to mention making sure that google hosted results are given priority - http://techcrunch.com/2011/02/26/my-mes ... -cheating/

I use DuckDuckGo as my primary search engine these days - https://duckduckgo.com/ - if you think privacy is important on the 'net then check it out (I am not associated with it in any way).

Also, for fun, try out millionshort - http://gb.millionshort.com/ - removes the first 1 million (or 100k, 10k, 1k, 100) results from the search. Gets some really interesting stuff down there. (I am not associated with this either)

Perhaps the ICO will grow a pair and really kick up a storm about this... Damn! nearly managed to keep a straight face then.

For now, I have decided to leave all my sites alone. Change nothing - not that I ever used nasty tracking cookies or anything like that anyway - sit back and see what happens over the next month or so.

Then implement a solution that reflects what is happening in the real world.

Chris.

zeno
Joomla! Enthusiast
Posts: 127
Joined: Sun Oct 14, 2007 7:16 pm

Post by zeno » Fri May 25, 2012 4:23 pm

This might be interesting. I was pointed to this when I questioned an organisation about their compliance:
ICO issues last minute further cookie guidance

It was published today and says:
This morning the ICO has issued further updated advice and guidance on changes to the EU cookie law. This is the third version of the Guidance in a little over a year. The Guidance now confirms that an implied consent mechanic, rather than an explicit opt-in mechanic is a valid form of consent to comply with the new law. In particular, the ICO has confirmed that a user’s consent can be inferred from moving from one page to another on a website provided that the user has a reasonable understanding that by doing so, they are agreeing to cookies being set.
See the article for the rest.

The ICO guidance this refers to is here (again, published today): ICO blog: updated advice and guidance on changes to the EU cookie law

Post by abernyte » Fri May 25, 2012 4:59 pm

ICO is unlikely to prioritise for enforcement first party cookies used for analytical purposes
I wonder where he is going to find one of those? They must be as scarce as Unicorn merde.

JacquesR
Joomla! Enthusiast
Posts: 183
Joined: Tue May 19, 2009 3:00 pm
Location: Cape Town, South Africa

Re: European Electronic Communications Framework Compliance

Post by JacquesR » Fri May 25, 2012 5:28 pm

abernyte wrote: The real ghost at this feast is OSM.
The EU is not a small user base for Joomla. If OSM don't want to support us with Joomla coded to do the accept cookie thing then please say so.
The silence is deafening.
OSM looks after Finance, PR and Trademark (and a few more).

The Production Leadership Team (PLT) is responsible for managing the Joomla code, bug fixes, and code contributions. (and also a few more things)

The CMS Google list is a good place to reach them and fellow developers.

With that said, what is the support that you are missing from OSM?

Webdongle
Joomla! Master
Posts: 44175
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Fri May 25, 2012 5:59 pm

From their new guidelines
Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes obtaining consent before the cookie is set difficult. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.
Still no definition of what are necessary.

Their explanation of 'consent' appears to say that if you have a notice saying that navigating the site ... then by navigating the site you are accepting cookies. What a load of bull ... the cookie goes on and stays on so that does not make sense.

Then it says
To be confident in this regard the provider must ensure that clear and relevant information is readily available to users explaining what is likely to happen while the user is accessing the site and what choices the user has in terms of controlling what happens.
Oh yes? "Thank you for accessing the site, you have no control of what happens to the cookies we dropped on your computer." :laugh:

chrisjg
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Fri May 25, 2012 6:30 pm

I bet the ICO offices were fun today!

New guidance, the day before it becomes law, well done.

I am just picking analytical cookies because they are specifically mentioned in the guidance.

Old guidance = you must have explicit consent. Analytical cookies are not exempt.

New guidance = you must get consent. Analytical cookies are not exempt, but you can imply consent - but that does not mean "do nothing" (the thought never entered anyone's head).

Hang on a minute.

Consent is defined by the ICO (in that new guidance document) as:
ICO wrote: ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
So how can you have implied consent if consent must involve the user knowingly indicating acceptance?
ICO wrote: Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.
Mmmm.
ICO wrote: To rely on implied consent for cookies, then, it is important that the person seeking consent can satisfy themselves that the user’s actions are not only an explicit request for content or services but also an indirect expression of the user’s agreement that in addition to providing such content or services the provider may store or access information on the user’s device.
Say that again...
If I can satisfy myself that the user's actions are an explicit request for content or services (like visiting my website is an explicit request for the content that exists there), and that because they have made an explicit request for content I can satisfy myself that it is also an indirect acceptance of my website setting cookie(s), then I am complying with the law?

Well, I am satisfied that anyone visiting my website(s) has made an indirect acceptance of the cookie(s) that my website sets, and I am implying that for all pages, sites, domains and sub-domains under my control or of my design.

Good. That was easy. My work is done!

Wonder why they didn't tell us that last year?

Now I feel the need for some food, choc chip cookie time!

Chris.

abernyte
Joomla! Virtuoso
Posts: 4194
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Fri May 25, 2012 6:37 pm

Thank you for your intervention.
jconsultingza wrote: With that said, what is the support that you are missing from OSM?
OSM has as its vision:
A project that is socially responsible; The words "socially responsible" echo Google's mantra "do no evil". Society could mean just "the community", but it could also refer to society in general.

A project dedicated to maintaining the trust of its users. This is a recognition that anyone who is part of the community, even if only as a user of the software, places some degree of trust in the project and that is something that the project should strive to live up to.

As of 2011 Joomla, out of the box, has placed its users in the EU as liable under EU Law for the cookie it delivers without consent (session). It also provides a means of distributing extensions which actively promote the use of 3rd party tracking cookies.
A small number of individuals in the community have in the past 9 months attempted to address these issues in the way of developing extensions. They have repeatedly asked on the boards for developer input to better understand how Joomla handles cookies but these requests have gone unheard.
An early thread on this subject some 9 months ago saw influential members of this project argue strongly against the need to do anything. It is a European problem after all.

This is a problem that is best fixed by Joomla being in compliance and helping its users achieve legal compliance. Joomla..."all together, as a whole." I cannot see how OSM can stand on the sidelines and say that it is for another part of the organisation to fix. Had this legislation been enacted in the USA, would we be in this situation now?

Deepest regards.