Complying to the EU cookie law

I second this post whole heartedly. I have a number of client websites running EE that I need to be able to go back to and offer some kind of solution for that doesn’t cost the earth to integrate, but having no knowledge or experience of PHP or cookies would have no idea where to start on this.

The implementation on the Cookie Collective site is indeed an excellent approach - unobtrusive, simple and effective.

Looking forwards to what you EE boffins come up with 😊

Found this earlier - http://www.wolf-software.com/home/ - they offer a couple of GPL’s javascripts:

http://www.wolf-software.com/downloads/jquery-plugins/pecr-and-google-analytics/ http://www.wolf-software.com/downloads/packages/jpecr-package/

Also

http://cookieq.com/CookieQ/GetButton http://civicuk.com/cookie-law/index

Hi Rob,

I’d seen the Wolf one actually, I think that could be a good option but it seems to have too many options which I think could scare users. I may have missed a simple “accept cookies” version.

The Civic UK implementation looks brilliant! The best one I’ve seen by far, also I think showing users how to control cookies via the native browser settings is the right approach.

I would still like to see how to create a custom one, for those occasions when a client has specific requirements.

Cheers

@TheBlackHole and @bluedreamer, thanks for the mention of Cookie Control!

We’ve tried to make Cookie Control as flexible / easily configurable as possible. For most webmasters a lightweight implementation may be enough: if your only non-essential cookies are for Google Analytics you may be justified in taking a small risk and not testing for consent.

There’s more of an overview of how to approach it in .Net mag here: http://www.netmagazine.com/opinions/cookie-law-gnarly-truth

If you need any help implementing Cookie Control, please just give me a shout.

Hi Mark - thanks loads for that - have looked at the Cookie Control site and planning to add it to our site.

One of the things you mentioned in the .net article is “Do a cookie audit and update your privacy policy with friendly information about your cookies.” How would I go about this? I use EE because I’m not a technically minded person, and cookies I have no idea about. I know EE requires them, but I dont know about the front end of sites, how do determine if an addon I’ve used is using Cookies, what they’re specifically doing etc.

Having then done an audit and updated the privacy policy what next? If a user wishes to opt out of consent to cookies on my (or any other site), how do they do this using the Cookie Control tool? (it only seems to have an accept button, not a decline button) If they do opt to not allow cookies, what are the effect to the end user? How do I test what breaks? How do I go about fixing anything that does break?

OK - have added the cookies FF extension and it’s showing the following for my site currently (see attached image)

http://cl.ly/2R1Z2r073Z350G180h2I

It looks like 4 are EE ones - the exp_ ones What are the other 4 - how do I find out?

The __utm ones are google analytics, I think.

Andrew

utm ones are Google Analytics.

If you’re going for strict compliance, you can test for consent in Cookie Control before deploying GA. There’s an example of how to do this here: http://www.civicuk.com/cookie-law/deployment#scripts

Those EE cookies create more of a problem. From a user point of view they’re not particularly necessary - they’re really just helpful for help EE handle things like AJAX pagination and browsing history within the site. As such, they’re unlikely to be fully exempt from the regulations. I don’t know Expression Engine particularly well, but I guess it’s not possible to simply intercept them without hacking around with Expression Engine. Perhaps there’s a configuration option to control how EE uses cookies?

That said, they’re reasonably innocuous, and I think you could get away with letting them run anyway, though you should inform users about what they do.

Well then - I’ve added it to our main site front page - moogaloo.com - will give it a go, see how we get on with it.

@Mark - the Privacy Policy you have on CivicUK - I got the impression that you’re happy for people to use that on their own site (which I have). I’ve linked back to yours - could you confirm you’;re OK with this please?

Absolutely fine with that. Nice implementation!

If you signed up for email alerts while working with the configurator you’ll get a notification when we roll out updates. The next update should include a colour picker and fixes for one or two rare IE issues.

Since rolled back the cookieControl on our site as, seeing as I cant actually stop the EE cookies being dropped, nor the Hits module (3rd party EE module), there’s little point having this (I’ve kept them on the dev site). I think we need Ellilab to do something about this, or someone to actually write a plugin that can effectively kill all EE cookies until a user opts in… unless there is someway of using the deployment hooks you have, like for the GA tracking.

I noticed that the popup box doesn’t really give the user a clear way to opt out of cookies and has to just ignore the message… is that intentional? Is that going on the basis that cookies are off by default and you have to proactively opt in to accept / use them?

Since rolled back the cookieControl on our site as, seeing as I cant actually stop the EE cookies being dropped, nor the Hits module (3rd party EE module), there’s little point having this (I’ve kept them on the dev site). I think we need Ellilab to do something about this, or someone to actually write a plugin that can effectively kill all EE cookies until a user opts in… unless there is someway of using the deployment hooks you have, like for the GA tracking. I noticed that the popup box doesn’t really give the user a clear way to opt out of cookies and has to just ignore the message… is that intentional? Is that going on the basis that cookies are off by default and you have to proactively opt in to accept / use them?

To be (strictly) legally compliant you shouldn’t be providing an opt out option but an opt in.

That’s why by default Cookie Control only has an “I’m happy with this” button. If you’ve intercepted your non-essential cookie dropping scripts in the recommended way, that’s all you need.

On the server side (ie Expression Engine) you should be able to use Cookie Control to test for acceptance before dropping cookies - but I don’t know EE well enough to suggest where exactly you should do this.

This will be a generic issue for all Expression Engine users: if EE cookies can be classified as “essential” you don’t need to worry about them - but this sounds a bit iffy.

Probably we need an EE module to work in conjunction with Cookie Control. Happy to assist if anyone wants to develop one.

I think we will need some kind of EE specific module to handle this - theres 3 cookies that EE drops by default (as listed on our privacy policy http://moogaloo.com/privacy/#useofcookies) that I dont think can be turned off and none are essential (just basic user tracking for sessions / activity). There’s other non essential ones that can be set to do with commenting, 3rd party modules etc…

But I have no way of preventing any of these. Something that can block cookies, even if just like the GA code using JS would be great, but it would need to be broad enough to catch all EE related cookies including 3rd party addons. I guess by default it would need to block any cookie starting exp_ and ideally have an exclude=”” parameter so essential cookies related to eCommerce for eg can be kept regardless of opt in/out.

I’m not that person tho. I can’t write a line of JS or PHP to save my life!