
European Union cookie law. Yes another topic!


Michel_72


I'm sorry I read half of the first page and just couldn't take it anymore. If this was covered on pages 2-5 then again, I'm sorry.

Problem: Michael_72 wants IPS to modify the IPS software to include notifying EU visitors that the site uses cookies OR write out detailed instruction about how the site owner can do it themselves.

My problem with the problem is while IPS has a great number of EU members you are asking for something that could come back to bite them. International laws are meant for the countries those laws govern. IPS isn't bound by the law being discussed and as such isn't the party to go to about it. If they add something in their software OR tell people how to add something in their software that they think complies with this law they can be held legally responsible. You say they can't if they put something in the TOS or whatever but you know as well as I do that people will try their best to push the envelope. It's like buying coffee from McDonalds that has a caution on the lid, spilling it on yourself, and then suing them.

My solution: Hire an EU company or person familiar with EU law that has php skills. Have that company/person create a mod that will allow you to install the exact notification that you are looking for. Better yet you can then sell said mod in the marketplace to other EU customers and possibly get any money you spent back in the process.

 

Dark Shogun


Honestly I couldn't give a crap and I don't think any of my users in the EU give a crap either.

​We are talking about a law here. It does not matter what you think or feel about that, you have to obey it. If this discussion would be about what we personally think about that it wouldn't need 5 pages and counting to find consent.

My problem with the problem is while IPS has a great number of EU members you are asking for something that could come back to bite them. International laws are meant for the countries those laws govern. IPS isn't bound by the law being discussed and as such isn't the party to go to about it.

If they add something in their software OR tell people how to add something in their software that they think complies with this law they can be held legally responsible.

You say they can't if they put something in the TOS or whatever but you know as well as I do that people will try their best to push the envelope. It's like buying coffee from McDonalds that has a caution on the lid, spilling it on yourself, and then suing them.

My solution: Hire an EU company or person familiar with EU law that has php skills. Have that company/person create a mod that will allow you to install the exact notification that you are looking for. Better yet you can then sell said mod in the marketplace to other EU customers and possibly get any money you spent back in the process.

YES THAT'S absolutely right. My customers are looking for that kind of liability! As you might know, web shops have a very specific requirement in terms of the way a "buy now" button looks these times as well. Web-Shop Companies are in fact advertising with the USP, that their software is compliant. And of course they have to accept liabilities for that. That's the whole point of my customers asking for this as well.

They want a compliant software and a company that assures them that the CMS, shop or board software is. Simply modding the software will not work, I've tried that over the last 3 years time and time again. The basic requirement always is "usage of a CMS compliant with EU data privacy law". There's no room for a cool modification.

They want a well known, widely used software that's within the parameters of the law. Is that too much to ask for?


​We are talking about a law here. It does not matter what you think or feel about that, you have to obey it. If this discussion would be about what we personally think about that it wouldn't need 5 pages and counting to find consent.

​Well I believe bad law SHOULD be disobeyed. Regarding this '5 page' topic, quod erat demonstrandum. Even the lawyers (i.e. the people most likely to profit from it) are groaning at this kind of legislative diarrhea.


​Well I believe bad law SHOULD be disobeyed. Regarding this '5 page' topic, quod erat demonstrandum. Even the lawyers (i.e. the people most likely to profit from it) are groaning at this kind of legislative diarrhea.

​I'd have to say, you've chosen a fitting avatar ;-)

What you do personally I don't care about. I care about my business. And that demands the cookie stuff. Disobedience does not finance my breakfast, lunch and dinner...


It sure finances mine, because no matter how much the unelected EU lawmakers bleat on about everyone having to comply, nobody outside the EU has to give a crap. What are they going to do to us in Singapore, throw stones? All this absurd legislation does is advantage non-EU entities. Even so, I don't think anyone has yet been prosecuted, all they've apparently done is send out letters. Farce at the expense of EU tax payers.

Anecdotally, the only sites I've seen complying are British ones (BBC et al). Perversely, the British seem to do more than most EU states to comply with the blizzard of legislation that comes out of the EU. Probably why they're so sick of it.

In summary, I have a fatter breakfast lunch and dinner on my table for ignoring the above and nobody is ever going to penalise us for that.


1. There is a law in the entire European Union that requires you to inform your visitor about cookies, before ANY tracking cookie is being written to the visitor. You can turn this left, right, upside down, but this is the law. No discussion about that. There are no other interpretations of this law.

​Actually, the following cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes:

  1. User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.
  2. Authentication cookies, used for authenticated services, for the duration of a session.
  3. User centric security cookies, used to detect authentication abuses, for a limited persistent duration.
  4. Multimedia content player session cookies, such as flash player cookies, for the duration of a session.
  5. Load balancing session cookies, for the duration of session.
  6. UI customization persistent cookies, for the duration of a session (or slightly more).
  7. Third party social plug-in content sharing cookies, for logged in members of a social network. 

And IMHO everybody knows what a cookie is and that almost every site on the www is using cookies. So this law seems a bit overrated. And to have a cookie for additional purposes, write it into your Terms of Service.

That's just my humble opinion. Don't hate me!  :D


From my brief read of this topic, in order for IPS to be fully EU compliant they would need to, basically, have a Europe HQ w/EU lawyers to make 100% sure they are EU compliant. The reason I bring up a full HQ is because from what I read about this cookie issue and data not leaving EU. If they are going to comply with all requirements they will need a HQ. If that is the case they will need staff, facilities, etc. which will cost boat loads of money. That cost will be passed on to the customer which will either raise the license and renewal fee for everybody or just for EU customers. I am a US customer and I can say that it would piss me off severely if my fees went up because of something that had nothing to do with me. But then if only the EU price went up they would, probably, be pissed because they are paying more than customers elsewhere.

Honestly this seems like a no win situation. IPS becomes fully EU compliant and prices go up which makes customers upset. OR IPS stays exactly like it is now and (some) EU customers are upset because IPS isn't catering to them more. Again, a no win situation. You can please some of the people some of the time. But you can never please everyone all the time.

 

Dark Shogun


 

My solution: Hire an EU company or person familiar with EU law that has php skills.

Possible, but is that really the best solution for everyone? You are basically saying: Those EU rules are so complicated, all American car makers – for example – should just comply with US rules. If EU citizens or companies want an American car, it’s their problem! The car makers don’t want to be responsible. So every EU buyer needs to spend thousands of dollars to turn that finished US car upside down to make it comply with all the stricter emission and safety rules. Possible, but not really in the interest of the buyer or seller, is it?

It's no different with software. Let's take just 100 IPS clients in Europe who need a perfectly legal page according to EU rules. They all spent $1000 for a legal consultant doing a full audit (because it’s about so much more than just cookies). Then they all spent $2000 for a developer and end up with software so modded, that it is hard and expensive to maintain in the future. In total, those 100 clients have spent $300,000 for something that IPS could do ONCE for so much less money. And that was just calculated with 100 clients. If done correctly, IPS would be in the position to sell the software much more easily to many more clients in Europe …

I am a US customer and I can say that it would piss me off severely if my fees went up because of something that had nothing to do with me.

That’s how it works anyway. Your money for “just the forum app” for example won't go just into the forum development and your renewal won't just go into your support tickets. You might not even have started one, but pay indirectly for another user who filed 30 ones.
But after all, all users benefit from this system, INCLUDING you. Because it makes the product you too are using better. This selfish idea, that every cent from you must directly be returned as service to you personally is rather shortsighted. What if a US client takes an IPS-powered business global and needs to comply with EU rules then? Wouldn’t it be great if that functionality was already there and a few of your dollars in the past already went into that development?

A big user base can make the software better, because IPS can hire more developers. So you shouldn’t be “pissed” about feature requests from Europe …


It sure finances mine, because no matter how much the unelected EU lawmakers bleat on about everyone having to comply, nobody outside the EU has to give a crap. What are they going to do to us in Singapore, throw stones? All this absurd legislation does is advantage non-EU entities. Even so, I don't think anyone has yet been prosecuted, all they've apparently done is send out letters. Farce at the expense of EU tax payers.

Anecdotally, the only sites I've seen complying are British ones (BBC et al). Perversely, the British seem to do more than most EU states to comply with the blizzard of legislation that comes out of the EU. Probably why they're so sick of it.

In summary, I have a fatter breakfast lunch and dinner on my table for ignoring the above and nobody is ever going to penalise us for that.

​Rather interesting attitude you have here (let me explain I lived and worked in the UK for 5 years; take this as a typical British expression).

You clearly only look at UK sites other than this one and your own.

All EU sites make you agree or disagree with cookies, and there are many, many international sites who do so as well. If you sell in the EU you have to comply no matter what. Even eBay and Google comply.

Yes, I am in the EU too. Do we like it? No we don't. Do we want to get fined? No. Will we get fined if we don't comply? Yes.

And it would indeed be very easy for Invision to add this to the software, with an option to switch it on or off depending on desirability.

Regards, Wim


I just read this: http://barker.co.uk/cookielaw

It seems to me that unless you're operating one of the top 200 sites in the UK you've got little to worry about no matter what you choose to do, and even if you are top 200, no one is being fined anyway.

So, it looks like an excuse for rinky dink forum site owners to talk about lofty legal talk. I guarantee none of your visitors give a hoot.

But remaining on topic, being compliant appears as straightforward as inserting a line of code to your global template (like you would with an additional meta tag). . . so I conclude IPS already provides the necessary functionality and you can all quit your Euroweeny whining.


But what I am talking about isn't just a feature. You are getting into things dealing with the law. Things that companies can be held to account for. As far as making cars go, there are US auto makers that don't sell to UK and vice versa. IMO a company should choose whether they want to change their product to the specifications to the whim of a foreign country. I call it whim because, in the case of the cookie law, it is a useless law. If you know ANYTHING about the internet you know there are going to be cookies put on your computer. That is a given. To have to tell people and make them agree or leave or the site owner can be sued seems petty. As far as using the auto maker example again, carbon emissions deal with the environment which is a REAL and WORLDWIDE health concern.

And in closing, I wouldn't be pissed about adding devs for feature requests but to force the company into expansion JUST to comply is crazy. I mean it's not even like the Microsoft thing where they just had to add some other browser options. No in this case they would need to make sure that they word the notification exactly right and keep it updated in case of law changes. And I know it really doesn't go with the theme of this thread even though it was brought up, but what about the data not leaving EU thing? THAT far more than this cookie thing would be a deal breaker for me as a company, especially a small business.

 

Dark Shogun

​Where you are wrong is that the wording is Invision's concern.

All that is needed is the possibility to do so, a simple "Yes I agree", a "No I don't agree" and an option to read the full description etc. We already have such an option with regard to rules and guidelines, and selling through Nexus/Commerce.

The full description, and that is the bit that needs to comply with local law, is what the web site owner/exploiter is responsible for, not Invision.

If Invision does not have the inclination or capacity to make such a thing, and someone provides this option as an add-on, we will get it for sure. We tried to avoid it as long as possible, but soon it is not an option anymore.

Kind regards, Wim


I'm sorry if I read your reply wrong wimg but just to be clear. You're saying IPS just needs to add in something where via the admin cp the site admin(s) can input text and on the user site something will pop-up saying blah blah blah. Agree or Don't agree and save the results? If that's the case and IPS isn't actually putting the text in there I don't see how that is EU compliant. The addition just gives the functionality to add text. The text could be anything. If what I said about what you said is correct any modder could make that. And yes I guess IPS could do so as well but I am/was of the opinion that IPS would have to include the text as well.

 

Dark Shogun


Yes, exactly.

The legal text is not the responsibility of the software or software supplier, but of the site owner/exploiter, as is compliance with the law. So yes, any modder could do this.

Actually, I realised with the stuff I have been trying today that even I could do this as a plugin in 4.0. And that is just using the example for a Global Message plugin as a basis.

Kind regards, Wim


… but I am/was of the opinion that IPS would have to include the text as well.

​No, just as they don’t provide the privacy policy or the imprint for you. It’s about having a technical foundation that allows the legal compliance, not about a turn-key solution, which comes with bullet-proof legal texts. 

And even though the cookie law is the topic here, I cannot stress enough that EU legal compliance is about so much more than cookies. So answers like “just add this thingy to your template” or “check out that link which shows you can ignore that cookie law” won’t stop these EU law topics. 


​No, just as they don’t provide the privacy policy or the imprint for you. It’s about having a technical foundation that allows the legal compliance, not about a turn-key solution, which comes with bullet-proof legal texts.

And even though the cookie law is the topic here, I cannot stress enough that EU legal compliance is about so much more than cookies. So answers like “just add this thingy to your template” or “check out that link which shows you can ignore that cookie law” won’t stop these EU law topics.

To summarize it, the "cookie" legislation (which is not only about cookies, hence the quote marks) is about tracking surfing behaviour, which is not allowed without asking permission. For analytical and functional no permission is required. In principle that means as long as you do not bother people with, e.g., adsense, it is not a problem, as this is not part of the cookies used for Invision forums. It is about how many people visit, and helping the member/visitor or member where he was, no more than that.

However, you do have to protect the privacy of your visitors. There are several ways of doing this, like implementing SSL for logins etc., and/or making sure no one can (ab)use private information of any of your visitors. That is all easy to do, actually.

If anything, these laws have recently become less strict, for the analytical and functional side anyway (number of visitors, etc.). Looks like they finally saw the light.

However, you still have to notify people, and let people accept, the use of cookies for functional and analytical use, or rather, make them aware of it.

Kind regards, Wim


To summarize it, the "cookie" legislation (which is not only about cookies, hence the quote marks) is about tracking surfing behaviour, which is not allowed without asking permission. For analytical and functional no permission is required. In principle that means as long as you do not bother people with, e.g., adsense, it is not a problem, as this is not part of the cookies used for Invision forums. It is about how many people visit, and helping the member/visitor or member where he was, no more than that.

It's about "personal data" - and in the EU even an IP address is considered "personal data". For analytical a permission is required for sure. That's why google had to modify their google analytics product to comply with EU law. There's an option to anonymize the ip and tracking data which greatly degrades the quality of the statistics, but you have to implement that in order to comply with the law.

​And even though the cookie law is the topic here, I cannot stress enough that EU legal compliance is about so much more than cookies. So answers like “just add this thingy to your template” or “check out that link which shows you can ignore that cookie law” won’t stop these EU law topics. 

​Thanks!


It's about "personal data" - and in the EU even an IP address is considered "personal data". For analytical a permission is required for sure. That's why google had to modify their google analytics product to comply with EU law. There's an option to anonymize the ip and tracking data which greatly degrades the quality of the statistics, but you have to implement that in order to comply with the law.

​Thanks!

​I did mention private information in the part just below your quote of my text. I also mentioned the use of analytical data, to which degree would be allowed, and no, the way Google was using it was not allowed. It is also why I gave the adsense example.

In the end, what it boils down to, if you don't use any of the information on your own website to target an individual with specific info, or anything based on personal info, it is fine. The moment you do, it is not. IOW, if you only use the plain and simple cookies created by the Invision software, and don't add anything else, you are fine with a standard cookie policy and approval. If not, you need to implement a more complex policy, and get specific approval.

Kind regards, Wim


​I did mention private information in the part just below your quote of my text. I also mentioned the use of analytical data, to which degree would be allowed, and no, the way Google was using it was not allowed. It is also why I gave the adsense example.

In the end, what it boils down to, if you don't use any of the information on your own website to target an individual with specific info, or anything based on personal info, it is fine. The moment you do, it is not. IOW, if you only use the plain and simple cookies created by the Invision software, and don't add anything else, you are fine with a standard cookie policy and approval. If not, you need to implement a more complex policy, and get specific approval.

Kind regards, Wim

Hey Wim, actually that's not correct, sorry. It does not matter if you USE any of the information to target some individual. The only thing that matters to the law is whether this information is available in theory. Personal data is being collected all over the place by the Invisionpower products. For example:

  • Last login time
  • Last visit (by cookie) to personalize the "what's new" stuff
  • IP address
  • etc.

This information is considered "personal" and is being regulated by the ePrivacy Directive. You aren't even allowed to protocol IP addresses in your apache logs. It does not matter if you can or do actually use that info.

 


Hey Wim, actually that's not correct, sorry. It does not matter if you USE any of the information to target some individual. The only thing that matters to the law is whether this information is available in theory. Personal data is being collected all over the place by the Invisionpower products. For example:

  • Last login time
  • Last visit (by cookie) to personalize the "what's new" stuff
  • IP address
  • etc.

This information is considered "personal" and is being regulated by the ePrivacy Directive. You aren't even allowed to protocol IP addresses in your apache logs. It does not matter if you can or do actually use that info.

 

​There have been some very recent changes to the law over here, in the Netherlands, which I read in detail, including the explanation by a legal person specializing in this stuff, and certainly over here it doesn't matter anymore, it is about use and protection. If information stored in cookies and on-site is only used to help the user with navigation on the site itself, and information to make navigation easier, IOW, about functionality and not analytics to target the user, it is all acceptable now. You still have to inform people you use cookies, and they still have to approve, however.

This may (still) be different elsewhere.

Kind regards, Wim


  • Management

EU customers historically tend to pay more than those of us in the US to companies like Adobe, Microsoft, etc. -- this is a large reason why. There's simply a higher cost of doing business with EU customers. If you wouldn't mind paying more as an IPS customer in the EU, we likely wouldn't mind entertaining the notion of retaining ongoing EU counsel, researching and maintaining the software for seemingly ever-changing EU regulations. Otherwise, as a US company we can't guess and offer our own interpretations of EU law for our customers -- it would be irresponsible to do so. From a sheer business standpoint, eating the costs of retaining ongoing EU counsel to maintain ongoing EU compliance across the suite would not be a fruitful venture for whatever slight gain in marketshare. 


Archived

This topic is now archived and is closed to further replies.
