European Electronic Communications Framework.

[abernyte]

The new European Electronic Communications Framework must be ratified in member states domestic legislation by May 2011.
The new Directive amends the existing Directive on Privacy and Electronic Communications. The new law includes an Article that demands that websites get every visitor's prior consent before sending cookies to their machines. ( Note it does not differentiate between 1st or indeed 3rd party cookies.)

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

When does a Joomla! based site first drop a cookie on a visitor? Is it only on login and can website owners therefore rely on the login request to have the cookie "explicitly requested"?

Not expecting a definitive answer to the second point but will be intrigued to have the first answered.

[abernyte]

Q. How does Joomla handle cookies and when does Joomla first drop a cookie on a visitor?

Is it only mod_login or not at all?

The new European Electronic Communications Framework must be ratified in the European member states domestic legislation by May 2011.
The new Directive amends the existing Directive on Privacy and Electronic Communications. The new law includes an Article that demands that websites get every visitor's prior consent before sending cookies to their machines. ( Note it does not differentiate between 1st or indeed 3rd party cookies.)

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

This is going to have far reaching consequences.

[dhuelsmann]

Duplicate topics are not permitted in the forums. Your topics have been merged.

[abernyte]

Thanks Dave.
Unfortunately the whole subject is sinking faster than a burning Zeppelin. It looks like this is going to be left undiscussed until we who operate in Europe are in breach of the law and then it will be a panic.
Sigh..

[RussianBlue]

OK, we're starting to panic here in the EU now, did anyone find out what this means to Joomla users?

What cookies does Joomla drop onto a visitors computer?

[abernyte]

Hi,

I have enquired again with some of the mods regarding this. As far as I can determine Joomla drops its first cookie on login, without explicit consent. This is to set the session to keep the user logged in. Any Ad based (Google?) cookies after that will be according to what Ad plugins you have installed.
You can of course insert pre login text to ensure that users know that a cookie will be set.
But this does mean that using Joomla out of the box in the EC will be illegal once the various countries have brought forward their domestic legislation to comply with the Regulation.

[g1smd]

Another knee-jerk-reaction law to fix "unspecified problems" in a way that clearly shows lawmakers have no idea how the technology actually works. As soon as the word "privacy" is mentioned, it seems to set lawmakers into a spin.

[abernyte]

If business and in particular the advertising and tracking industry (yes, BT and Phorm we are looking at you...) had not played so fast and loose with everyone's privacy we might not be in this position now.

Their stated view that the cookie settings in the browser give consent for tracking is a joke when browsers are shipped with the default setting to accept cookies. Or as the EU put it:

"It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes,"

So now we need to ask. Question is how is it best achieved?

[mandville]

my personal opinion,
as far as im aware, joomla only sets a cookie if you log in. adverts drop a cookie if you want them to or not. *****
so far i have only found one company who has the new "blockable advert" cookie

it is also browser dependant, you can set browsers to the level where every cookie request is notified and must be agreed, so its user controlled.

The new consent rule for cookies contained in amendments to the ePrivacy Directive is proving to be one of the trickier areas of the revised Framework. The difficulty lies in the interpretation of this requirement, and the question of whether a strict “opt-in” process is required. The government has indicated that it would not wish to depart from the wording of the revised directive but that it will give the Information Commissioner the power to decide how the law should be interpreted.

**** edit to add, on my sites as they dont have any visitor stats, cache and session control is by db or off.

[PhilD]

In my experience All versions of Joomla put a cookie in your browser without asking and without having to log in.

Name: fc5d2c8fa69b29a554ebc38b36af918e
Content 585442c7f9eb611a533033d6365f22e5
Host: xxxxxxxx.com
Path /
Send for: Any type of connection
Expires At end of session

Virtuemart, some templates, and other extensions also add their own cookies.

For FireFox at least, the default privacy setting for cookies is to accept ALL cookies without asking.
Including 3rd party.

[mandville]

i just tested, adn wont public the sites names but phild knows them - with sessions set to database, cache off, cache plugin disabled, no visitor counts (in IE8 as i dont use that)

s.......org.uk -no
m******.info - no
test site
soca.org.uk - yes
weeeiiirrd

still its browser preference

[abernyte]

Oh dear...this is going to be a headache. The EU Article 28 working party has made it clear to national governments that relying on browser settings is not an option so it will require some opt in.

Those sites that use the small income from Google ads to pay for their bandwidth are going to find this very difficult.
This is the text of article 5(3) which was passed as EU law:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Not a great deal of wriggle room there.

[mandville]

I can offer you the poison but will you drink it? Disable cookies. Like we keep saying, America is not the only country, Europe is not the only web site visit location.

[scampiuk]

Ahhh laws

Wondering who has done what to prepare for this, or what they are planning at least.

I'm not liking the idea of having to put a msg on pages that use cookies for the user to deal with.

Don't forget, that the administrator does use Cookies, so that will have to be dealt with also!

Chris -.

[abernyte]

Prepare?.... You own me a new keyboard.

The UK government department dealing with this, Department for Culture, Media and Sport have said that they intend to copy in the EU directive, without alteration into UK national law.

They also said that they are working with browser manufacturers to enhance the settings to allow compliance with the Law....not holding my breath there.

The best I can suggest is to use the pre-login text to cover the Joomla session cookie and have some form of prominent warning on the site regarding other cookies.
I suspect that we are not going to see this madness enforced in the courts any time soon, unless someone with an axe to grind takes a test case.

[abernyte]

@Mandville

...this even-handed justice
Commends the ingredients of our poisoned chalice
To our own lips. (1.7.1) Macbeth

[mandville]

The best I can suggest is to use the pre-login text to cover the Joomla session cookie and have some form of prominent warning on the site regarding other cookies.

sounds similar tothe American - i mention this product without being paid etc statement

[codeboyuk]

Hi all,

I have a lawyer client who has been kind enough to keep me updated on this issue without charge (I know: there are actually good, kind hearted lawyers out there!!).

He passed on this information:

"
Dear Will,



Thought you might like an update of the governments view



In a speech to a CBI forum on 29 March 2011 on e-privacy and the digital economy, Communications Minister Ed Vaizey indicated the government's approach to the revised version of the e-Privacy Directive due to become law throughout the EU on the 25 May 2011. The major amendment to the existing law in relation to the internet and privacy is that users of websites will now have to give their prior consent for the import of cookies on to their terminals.



He stated "the cookie provision ... is the biggest change, and therefore of most concern to business. It's a good example of a well meaning regulation that would be very difficult to make work in practice. If we get the implementation wrong it will seriously hamper the smooth running of the internet".



Consequently, the government do not plan to make it unlawful for the importation of cookies where it is necessary for the service that has been requested by the user, for example, the use of cookies for shopping baskets.



Best wishes



Howard

"

Ok, this basically tells us what we already know. However, after exchanging numerous items of correspondence with him, I suggested that the work around for this problem would be to display prominently on the website - preferably on every page, that cookies are going to be used in order for the site to function appropriately. He did not disagree.

I would therefore suggest placing notification in the header or footer (that way it is carried to every page).

"Please be aware that this site uses cookies to store user data in order to enable the site to function correctly. Please leave the domain immediately and then clear your browser history should you not be comfortable with this requirement".

Someone earlier pointed out that the admin interface uses cookies, and therefore will be subject to the same legislation. No it will not! As only the administrators use the admin system, that part of the application will not be subject to this legal writ.

As for the advertising cookies: I would suggest that the cookie notification detailed in the header or the footer should suffice (maybe with a few extra words).

This legislation is a pain in the a**e!

Will

[abernyte]

I am afraid I have to disagree with your solution. What you are doing is using "implied consent" in that if you continue to use this site, I have put a big warning on the top or bottom that cookies will be used so you must have consented to take them.
This is the current position via the browser settings.
The EU have closed the door on that, because some businesses (BT, Phorm et al) abused that and they have directed that each site must obtain "explicit consent". So, click here if you wish to continue to use the site and receive a cookie.
The shopping cart cookie is permitted as it is a service which you are seeking and occurs to make the service work.
So your header,footer idea will not wash as it does not cover the Joomla login or Google Adsense or the font changer on the template ....etc,etc.

The UK Gov are in total denial on the issue and have said they will not seek the prosecution of any site owner for a breach of what ever legislation they come up with to implement this. At least not in the short term. That position is unsustainable in the longer term, and in any case would you trust a politician on this?

Someone earlier pointed out that the admin interface uses cookies, and therefore will be subject to the same legislation. No it will not! As only the administrators use the admin system, that part of the application will not be subject to this legal writ.

Oh yes it will! You are back using implied consent again! The EU Directive does not differentiate between 1st or 3rd party cookies or the purpose for which they are used. Just because your user knowingly uses the admin area cannot be taken that he/she has given explicit consent to receive the cookie.

[codeboyuk]

"Consequently, the government do not plan to make it unlawful for the importation of cookies where it is necessary for the service that has been requested by the user, for example, the use of cookies for shopping baskets."

Based on this, I would argue that admin area is a service that has been requested by the user and thus is exempt i.e. a client approaches, requests a web site to be built with a content management system: and for a CMS to work - cookies/sessions are required.

Now to the front end issue: So you are saying that the legislation requires what amounts to a splash page in order to consent with the legislation?
The whole idea of keeping user clicks down to a minimum is blown out of the water with this.

The alternative would be a javascript popup box. In order for that to work - we have to assume that the browser has javascript enabled....But if it is not sufficient to have a browser set by default in order to receive or not receive cookies, then the javascript option will not suffice.

The only alternative is a splash page with a link on it to the homepage of the website.

My colleague and I have been talking about this. We have decided to just wait and see what happens before we do anything. For example, how does this legislation effect existing web sites?
Am I as a developer obligated to go back and add these measures to sites I have previously built? Or is it the client's responsibility to come to me and ask for a solution?

I had no idea that this legislation was being brought in until recently. My head must have been in the clouds.

What a total pain in the preverbial....

[codeboyuk]

If the government to get tough on this - Joomla will have to change its format. That could amount to going back to the drawing board - and starting from a blank canvass.
I am totally worried that this could be the end to all open source cmss.

[codeboyuk]

I think that this is a browser issue. They should be the ones who should be made to deal with this. It would be a much simpler procedure for them to disenable cookies by default, by law: thus leaving it to the user to enable cookies. Then having notification on a website stating something like 'this site requires cookies enabled to work' would, I should think, be ok....

You mentioned in a previous post that a "pre login notification" would suffice. Where would you suggest this notification be? On the homepage?....This comes back to my popup problem...
If the homepage is suffice, then surely having it on the header or the footer would also be sufficient....

[abernyte]

Let's deal with the Admin area first.
Your contention is that it is a service requested by the user. The Directive states
..

consent is not required when the cookie is strictly necessary to deliver a service which has been explicitly requested by the user

In other word the user has been told and accepts to take a cookie. It is the placing of the cookie that is the thing, not the service. (I know, lawyers argument..dancing on the head of a pin!)
This may be achieved by placing suitable text beside the login box, perhaps. "By logging in you agree to accept a cookie that will only be used for ...."
But I believe ( as do Pincent Masons) that this applies to any web page.

I am intending doing this at the log in:

log_in.png

in the hope that it will suffice for now. It will also be done on the Admin login page.

I doubt if Joomla cares two hoots about this. It only affects the EU and Joomla's strength is elsewhere around the world.
As for existing sites. Yes it applies to them too, but is the responsibility of the site owner. I can see a business opportunity in the offing in making the required adjustments. !

[abernyte]

It will be interesting to see how many sites adopt a similar technique but with the wording changed to...."this cookie will be used to let Google and other agencies track you across the web and inject adverts into the pages that you load on other sites. The data gathered will also be flogged to any one willing to pay me"
Which is a after all the purpose of the Directive. To protect peoples privacy.

[codeboyuk]

Thanks....I will follow your lead - it seems like a simple enough solution. Hopefully it will be sufficient.
My lawyer client suggested that I hold fire for the time being. But if your login notification is acceptable, then perhaps it isn't going to be as drastic as first thought.
I don't get why Joomla might still plant a cookie when a user hasn't even logged in. Can you shed light on that?
Just when I thought life was getting easier as a developer: great choice of open source cmss, drastically reduced development time; then the bloody government have to poke their nebs in!
It might be a case of going back to the old coding from scratch.....
Otherwise it's going to be landing pages galore all over the web for sites created using open source cmss....and then its the issue of how to direct a site from the landing page to a site's index (which will then no longer be its index due to the landing page....aagh!).
Having said that, the landing page probably won't be so difficult to incorporate.....Build one, name it index.php, produce the landing page content with blurb about the cookie issue, also include a link to the site's official homepage - which is also called index.php, but contained in a sub directory
I hate landing pages and have never used one!!!!!!

I suppose you are right - there is room for extra fees to be made here. I've only been operating for the last couple of years though: so not too many sites to squeaze fees from (God that sounds bad!).

[abernyte]

I don't think Joomla drops any cookie until log in. I have seen some templates drop a cookie if they use the font sizer, so you would get that straight away.
Otherwise it is a pain but in the short to mid term I think most sites will just ignore this until there is a big fall out and some poor sod gets hung out of dry.
We might even stop tracking users...now there is novel idea!

[mandville]

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner's Office has said.

The UK government also sought to reassure the industry that there would be "no overnight changes".

The EU's Privacy and Communications Directive comes into force on 26 May.

It requires user's consent before using cookies - the text files that help organise and store browsing information.

Technically all firm must comply with the law but the UK has said that it needs more time to find a workable solution.

http://www.bbc.co.uk/news/technology-13541250

see the big warning here
http://www.ico.gov.uk/ for interest

[jeffchannell]

No offense meant to those of you in EU countries, but I'm not changing a damn thing to accommodate this law.

[leolam]

By not changing a thing you will be out of business in Europe soon. Fact remains that clients who have enough IT-experience/departments, lawyers of companies or who do care about privacy will question you on this issue and if you do not accommodate that crazy directive than you simply will loose clients. It counts for each country that people have to obey the law, like it or not. (I do also drive faster than allowed when possible so i am not holier than the Pope, don't get me wrong. However we in Europe also obey the laws of USA or Australia etc so saying "i am not changing a damn thing" is rather short sighted imho

Leo

[abernyte]

There is also the issue that in a large lump of the planet, using Joomla "out of the box" now renders you liable either directly for your omission or by action from a client who you leave exposed because the site you made leaves them liable.
Then there is the contradiction that the slightest mention of warez or crackz in a post here will be instant deletion and yet we host an entire slew of extensions whose use in Europe is equally illegal. Yes, Google Adsense we are looking at you.
Joomla like all other CMS needs to catch up with this, cause it ain't going away.

Edit: 'cause when I read the last line "catch up" I laughed out loud. This directive was passed in 2009. We have sleep walked into this!