Thread

For those of creating sites based in Europe there will be a new law coming into force on the 25th May regarding cookies and privacy known as the “Cookie Directive”.

Effiectivly the user will need to be asked if they agree to be tracked via cookies. In an EE implementation this will gernerally affect membership sign up where we can add it as part of the Terms and Conditions on registering but what is not clear at the moment is how far reaching the requirement is.

Do we need to ask permission if we are using MI cookies - Google Analytics for example?

Some shopping carts rely on cookies to pass information to gateway payments systems, is this included - we all know that making users sign up for membership will reduce sales dramatically?

Are there any other EE add ons or implementations where non members get cookies set and how are people dealing with this?

More on this story here:
http://www.bbc.co.uk/news/technology-12668552
http://www.pcworld.com/businesscenter/article/222640/yahoos_offers_cookie_optout_button_ahead_of_new_eu_law.html

From what I’ve read, things like shopping carts & user authentication, ie cookies that are essential to the operation of the site, are exempt.

http://www.clickz.com/clickz/news/1700584/eu-adopts-law-requiring-user-consent-cookies
http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/ (1st comment)
http://www.mywot.com/en/forum/10454-changes-in-eu-legislation-privacy
http://www.google.com/support/forum/p/Google Analytics/thread?tid=6a4329cd152b47e1&hl=en

There is also the notion that the user’s browser settings to allow cookies are implied consent.

http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html 😊

http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html 😊

Funny.

What better explanation do you need?

That’s the most ridiculous thing I’ve ever heard.
I wouldn’t worry about it though. There’s no way they can enforce it. 😊

This law is so stupid. And I agree.. I can’t believe they think they can enforce something like this.

I wonder—if I put a fee into my Terms and Conditions page (you read those, right?) that says everyone who reads a page on my site must pay me $1.00, what would be the best way to enforce it? It would be difficult to find the name and address of each visitor, right? So, that being the case, why not insert a charge for $1.00 per page for crawlers, spiders, bots, et al. Those addresses would be easier to obtain. Google hits my site for a few thousand pages a week.

In order to see what is what in this area, I am looking at various bits of information. The most important one is that the cookies are opt in - that means to say that you have to ask permission before cookies are set. This is set to be UK Law, and even though the ICO are not immediately going to come down on a site’s owner immediately, it will happen as time goes on. So we need to be ready. As the company I use EE for is based in the UK, this is clearly important, and we need to workout how to comply.

As well as the usual suspects - that is to say Google Analytics - I note that there are some cookies that appears to be set by ExpressionEngine:

exp_last_visit
exp_last_activity
exp_tracker

I don’t know what these are, so I’d need the functions of these explained. They appear to be about tracking visitor behaviour - exactly the kind of thing this EU directive seeks to control. I also need to know how to control the setting of these cookies - specifically how to stop them being written until permission is granted.

I do not believe in the cavalier attitude of the “they won’t catch us” - I need to take this seriously so I can advise on what is what and to plan any action needed to make the site more compliant.

Thanks.

There’s another thread here on the same subject that has some info on the EE Cookies:

http://ellislab.com/forums/viewthread/190422/