Thread

I need to use the Cookie Consent module being in the EU. I have used it many times to disable cookies (and not bother re-enabling them as we don’t need them). But for some eCommerce sites we are using it is causing issues…

Firstly, we do not want a pop up on the site at all… so therefore we want to turn off all cookies by default. There is no need to set any cookie for casual browsing of the site. So Cookie Consent does this. Otherwise if we set cookies (the assumed consent) then we need the pop up to indiciate this (you are not allowed to rely on a privacy policy or other link in the footer menu). So no cookies is best.

But as its an eCommerce site (using Cart Throb) it requires a cookie for this part of the site to work. Therefore cookies only need to be enabled when a user uses the cart.

Ideally it would be good to exempt Cartthrob from the Cookie Consent because these cookies are allowed anyway, and do not need any consent. But in order to disable the tracking cookies which do need a notification, we are disabling cartthrob cookies.

So I thought adding this field to the Add to Cart form would work, as per the module documentation:-

<input type='checkbox' name='cookie_consent' value='y'/>

But this does not work. It actually works as a ONE OFF, i.e. items ARE added to the cart on the next page, BUT when checking out it states there is no item in the cart, and cookies are in fact still disabled.

I do not want a separate form to enable cookies that goes to a thank you for enabling cookies page… I want it integrated into the checkout form, OR better still I would add it as a hidden field, so they just get enabled in the background.

The best way would be just ignore cartthrob in cookie consent of course, but as this is not possible we have to do it backwards and enable cartthrob cookies on checkout.

Could you please advise how to get this working so we can have a legal website without unnecessary messages (because you dont need notifications for the cartthrob cookies we need, but you do for the tracking cookies we don’t need!)?

Thanks a lot

In a situation like this I’d go for “Implied consent” because cookies are essential for the site to operate properly. Ok that’s stretched a little for the non-cartthrob cookies but as the directive is so vague I cant see the ICO bothering you so long as you explain what all the cookies do on your cookie info page.

With implied consent you need more than a privacy policy link in the footer to inform people of the cookies. You need a more obvious message on the site to make it clear, hence the awful pop ups people have on their sites. I want to avoid such obvious message, therefore want to to block unnecessary cookies, and leave only necessary ones.

I dont understand why EE needs to leave the 3 cookies it does, when you disable all the tracking in Admin.

On similar ecom sites I’ve simply used implied consent with a “Cookie information” link in the footer which goes to a page that explains what cookies are used, no popups or overlays, just a link.

I’ve noticed quiet a few ecommerce sites (from big names) that have used the same approach with no method of opting out. Some include the cookie page link at the top of the page, others at the bottom. Even some solicitors site use the same method so that may say something 😊

Agreed it would be nice for use to block cookies on a per cookie basis, hopefully that will be added to the consent module in the future, but for now I still think that so long as you’ve made an informed decision on your approach I doubt the ICO will knock on our doors.

On similar ecom sites I’ve simply used implied consent with a “Cookie information” link in the footer which goes to a page that explains what cookies are used, no popups or overlays, just a link

Yes but the ICO specifically say you should not rely on a privacy statement being read. I agree it is unlikely the ICO will take action, only if a complaint is made, AND they can see the site has not even tried, but if you really want to be 100% compliant, which I would like, then you should not rely on that and need a way to bring it to the users attention.

So all I would like is to be sure we are 100% compliant. I dont think we should leave unnecessary cookies (we really do not need these EE cookies) and then fingers crossed we comply.

Hi amityweb,

Unfortunately, the Cookie Consent module is an all-or-nothing solution to cookies on a site right now. We wanted to make sure we had a solution that covered the most cases possible, so implied consent on only a portion of the site isn’t currently baked in as an option. I’d be happy to move this over to the Feature Request forum if you’d like so that our devs can see that our devs can see the need for this sort of functionality. Would you like me to do that?

Yes it needs to do that, rather than just a request from me. this should not be considered a request or nice to have feature. I mean, with the cookie consent module, essential cookies like that of cartthrob do not work, and without the module a site is illegal because of non-essential EE tracking cookies.

At the moment I have had to add an intrusive link at the bottom of the site and not use cookie consent as it breaks the cart. The intrusive link is a link to the cookie page with instructions how to block cookies in the browser (you need this latter method anyway even with the cookie consent because of third party cookies like analytics and addthis).

Thanks

I can certainly appreciate your need for this kind of functionality, and of course it’s not so narrow that it only applies to your situation. That said, it’s not something the Cookie Consent module currently provides, and the Feature Request forum is the place to make those sorts of requests.

I will note that the Cookie Consent module was built in a completely modular fashion so that anyone could use the same hooks we’re using to develop their own module if they have a use case that needs some other than what the Cookie Consent module provides. You could always fork the Cookie Consent module and modify it to your needs. As long as you don’t release it outside your own company, that’s perfectly fine.