All IPB forums breaching EU law

Further to the thread in the customer lounge, it's seriously disappointing to see that IPB have backtracked on their published plans to comply with EU cookie legislation without any notice or announcement.

What this effectively means is that every single IPB site who have visitors from the EU are now in breach of the new cookie directive from tomorrow unless they take action to remedy it. Having been led to believe upgrading to 3.3.2 would be all the action that was required, it's a serious problem.

When you look at what many of the major UK based websites have done, they're taking the new law seriously, and I'm shocked that IPB have decided neither to take any action or offer any guidance to their customers on what they need to do, particularly when taken in context with what Matt said in late April:


It technically doesn't matter where you are in the world. The EU would like for you to offer EU visitors the opt in/opt out/info regardless of where you are hosted.



I agree that it's all really dumb but as a software vendor we have a responsibility to ensure our software complies with these things.



I've done a lot of research into this and there are many exemptions where you don't have to ask for opt in permission and that's when the cookie is used in such a way that makes it vital to the application.



Really this is a browser level problem and it's utterly ridiculous to expect internet apps to 'fix' this but there you are. At some point browsers will have to include these rules and we can stop messing about with pointless javascript.



However, here's what I've done for IP.Board



Guests only get served a session cookie which is essential for the application and contains no identifiable information unless they decide to change themes or languages, etc. This means there isn't a need for pop-ups, overlays, banners, swooshing nag panels or any other of the head slappingly stupid suggestions the ICO offer.



When you log in, you make the user aware that doing so will set cookies and there is a link to the cookie policy. Same when registering.



At the bottom of the board there is a message "This site uses cookies: Cookie policy". Upon clicking this you're taken to a description of every cookie IP.Board will try and set along with a 'show contents' button if the cookie is set so you can review what is stored.



This barely scrapes in above the bare minimum needed to comply but let's be honest. The internet is a massive place and there are millions of websites. The EU law is almost impossible to police let alone effectively punish offenders. In addition, the ICO has said that it will not target sites that make an effort and have a clear cookie policy. Indeed, almost all the cookies IP.Board sets are exempt and contain zero tracking data and aren't shared with other sites so our software is very low risk.



My hope is that either the EU forces browsers to implement something or the whole thing is discarded as unworkable.


  • Replies 143
  • Views 24.4k

The sooner the UK move away from being directed by the EU, the better.

These directives are definitely coming into force? I have seen many similar situations regarding directives, and I would estimate that 99% of UK websites do not comply with them, mainly through lack of knowledge that they even exist.

Apparently from April this year, every single website in the UK had to have an SSL certificate if they are storing customer details. This was mentioned to me by a company who work directly with the government in the UK. Nobody has heard anything about it since.

To enforce such changes, would be near impossible.


Have a read of this:


http://www.ico.gov.u...de/cookies.aspx


Yes, but where did you see that link to the directive? How was it brought into your awareness? This is the first I have seen of it, and even in another 12 months 95% of website owners will still not have read it.

Ignorance is no excuse, of course, but to implement such rules amongst millions of websites, billions worldwide would be an impossibility.

Also, there are grey areas too. Trading in the UK, websites hosted in the UK, or using proxy international servers, etc. etc.? Most of the larger 'UK' websites, are not even UK based, nor is UK their first country, so clarification, and mass awareness is required for such directives to work, or even become public knowledge.

Governments all over the globe are still clueless on how to implement such regulations.
  • Management

IPBs are not breaching EU law or any other law.

Software cannot violate a law: it is up to you to comply with your local laws. We provide a terms of service and privacy policy settings group in the AdminCP that you are free to edit to comply with anything you need to do.

IPS cannot and will not try to sort through all the myriad of laws around the world (especially one like this where no one is 100% clear on what to do or how it applies). It is not something we can do and, as I said, the requirement is on the site owner to ensure their entire site complies with any law or even business requirements they have.

This is why we provide policy pages you can easily edit in the AdminCP to include any notices or wording you, your attorney, or your company legal department advises are needed.

  • Author

But that rather ignores the point made in my original post - Matt had clearly spelled out what IPB was doing to stay within the new EU directive, yet without any further announcement IPB have backtracked.

You're quite right, website owners need to make sure their sites comply, but since Matt said what he said, the very least you may have done is let your customers know that wasn't going to be the case and that they would need to implement their own strategy. Not a lot to ask I don't think, although I'm sure you'll disagree.

Us paying customers are just way too much of an inconvenience to IPB at times I think :lol:

Oh and fwiw, I assume IPB will be implementing something in the next 24 hours to comply on their own website, as it's down to them to comply with EU laws if people from Europe use their websites...

Charles is 100% correct. And I suspect such a stance will also be in the terms of usage policies for IPB customers. My company also supplies software that is used by end-users, and it is the responsibility of the USER of that software to comply.

  • Management

Two more points: no one is really clear on this law. One person will tell you our software is already compliant, someone else will tell you another. Reminds me of SEO :smile:

For example: the only cookies our software stores are temporary cookies needed for the software to function. They contain no personal information. The only time personally identifiable cookies are permanently stored in IPS software is if a user logs in and checks the "remember me" box. I would say that's consent seeing as they checked a box specifically telling the software to remember, personally, who they are.

Going beyond that point: sure we could include all sorts of complicated language and options in the Suite standard but what happens the instant someone customizes anything? When you install a hook, application, alter the skin to put in ad code, etc. you are changing how our software behaves out of the box. Therefore anything we might include to try to comply with this, or any other random law around the world, becomes fruitless.

Therefore I still go back to the fact that compliance with your laws is something only you can do. We provide tools to help you do that of course.

  • Author

That entirely contradicts Matt's post though Charles and tbh shows that you probably haven't read the guidelines either.

  • Management

That entirely contradicts Matt's post though Charles and tbh shows that you probably haven't read the guidelines either.




Matt's post was made before we made in-depth research on this law, its implications, and the total lack of clarity throughout the EU on what it really entails.

I am afraid your simple link to a PDF does not really touch on the broader picture here :smile:

As I said, there are tools in the AdminCP for you to provide any sort of legal notices or disclaimers you may feel are needed for your locality.
  • Author

Charles, I'll try to make this as clear as possible for you

1. The lack of communication is my issue, if further to Matt's post you researched further and decided to do nothing, then why not let your customers know? I've made this point several times now, would it be too much to ask you to address it, acknowledge you ought to have done or at least stop ignoring it?

2. My link was to the ICO website which has all the legislation and a whole range of guidelines, not just a simple pdf, it also has their cookie compliance implementation. Did you actually bother to click the link before commenting??

3. What is the broader picture you speak of? If you have that available to you and know more than the BBC, British Govt, and various other huge media companies with highly paid and qualified legal depts who have decided to take some form of action, please feel free to share it!

  • Management

some form of action




We have never posted an announcement one way or the other about this. Matt's, or any other staff's, conversation in a topic is not really gospel :) ... IPS is very communicative with clients and we cannot always know what is said in conversation might be something we change our mind about later.

That is the key here. No one knows, exactly and without any sort of confusion, what should be done. In fact many people we have spoken to on the matter say IPB isn't even something that needs to comply and others say yes it is. Until the situation in the EU matures we cannot justify doing anything.

I of course hope that you are able to decipher it all and sort out what is best for your site.

For all our IPB sites that must comply with the EU cookie law all we had to do was provide a list of all the possible cookies that could be set to put on file. Everything else was in compliance.

  • Management

Let me clarify that I am not being flippant about this law. I am merely saying that until the EU community can figure out very clearly what to do then IPS cannot justify any action :smile:. Do a search and you'll see a million legal opinions going in all different directions.

I would say if someone like Dll who has researched the law were to post clear things we should do that someone else would come along instantly and disagree. That is where our predicament is: clarity and agreement.

I'm not sure what you're looking for... it seems to me they've already implemented most of what Matt stated unofficially back in April.

Login has an opt-in box for cookies, and a link to the privacy policy...

That link is also reproduced in the site footer...

and the policy contains a note on cookie usage.

What's missing that has you so upset?

  • Author

That's not what matt described though, and doesn't conform to the new directive.

The directive is filled with grey areas and as Charles says, there are many differing opinions, guides and solutions out there, but it's also clear on many points, mainly that sites should be offering users clarity as to what cookies are, what they're being set for and how to block them.

Whether permission to set cookies is implied or explicit is a grey area, whether a website should offer a method of blocking cookies (other than telling users how their browser settings work) is another grey area, and I'm sure there are many other points which could be argued around, but from the guidelines it's clear that ICO want websites to at least do something - even if in the first instance that is providing a clear link with info on what cookies are being set and how to block them. (which is what Matt described)

A quick glance around major sites in the UK shows a range of options being taken on, but I still don't think that's a reason to do nothing.

So you want the default policy to explain cookies and how they're used a little better.

Originally 3.3.2 had a link to a cookies page which listed all the cookies the site uses. It was on one of the betas on IPS. In the corner it said "This site uses cookies" and had a link to that cookies page. It's gone now though and was replaced with the privacy policy. I prefer it this way honestly.

  • Author

Originally 3.3.2 had a link to a cookies page which listed all the cookies the site uses. It was on one of the betas on IPS. In the corner it said "This site uses cookies" and had a link to that cookies page.





We have never posted an announcement one way or the other about this. Matt's, or any other staff's, conversation in a topic is not really gospel :smile: ... IPS is very communicative with clients and we cannot always know what is said in conversation might be something we change our mind about later.




?

I have just put a big red box on my registration form explaining this and stating that by clicking the register button you are consenting to the website storing cookies.

Sorted.


?


It was just a beta..I don't understand what point you're trying to make. Nothing was announced, nothing was confirmed. It was just a test.
  • Management

Matt posted a general idea -- it was not an announcement, blog entry, or anything that should have been construed as an official representation of IPS' permanent view.

From my perspective, if we were to do a cookie list/map - IPS then becomes liable for full compliance with the law. It would be quite easy for us to do a complete list of current cookies and how they are used. The moment a change is made, you install a modification that generates cookies, or similar - the list is inaccurate and we find ourselves in a position of having provided a false sense of security to our customer base.

Thus, we've decided to provide the user with a method of indicating their policies, but we are not incorporating any specific compliance directives into the software itself. Doing so starts us down the slippery slope of keeping track of all off-the-wall laws around the globe that ultimately, users are responsible for adhering to.

As a final point, nobody fully understands the law. That's why the deadline for compliance was extended a year. It's not even clear if the policy applies to Google, for which, as I understand it, the policy was written for to begin with.

  • Author

With the best will in the world Lindy, we're talking about a fairly important point, it was a discussion about a change in the law and Matt said that IPB had a solution which would be implemented in 3.3.2, it also made it into at least one beta version and was used on these forums.

Dress that up any way you like but I don't think it's unreasonable to ask for better communication when it comes to something that isn't a trivial matter.

We've been customers for something like 7 years now, and we're really disappointed with IPS of late, it's all the more frustrating as the software is pretty good in the main but something just isn't right & of all the 3rd party suppliers we spend money with, IPB are without doubt top of our 'wish we could find an alternative' list, sad really.

  • Management

Fair enough, I'll offer my apologies for the confusion and miscommunication here and we'll agree to move forward.



I'm not sure what you're looking for... it seems to me they've already implemented most of what Matt stated unofficially back in April.



Login has an opt-in box for cookies, and a link to the privacy policy...





That link is also reproduced in the site footer...





and the policy contains a note on cookie usage.





What's missing that has you so upset?



I honestly thought this too. I believe I'm covered, it tells the user that cookies are stored, what type of cookies they are and you have to opt in to personally identifiable cookies.

Archived

This topic is now archived and is closed to further replies.
