European Union cookie law. Yes another topic!

[Aiwa]

All this talk about cookies makes me hungry...

NOM NOM NOM NOM... AHHH

[Collin S.]

All this talk about cookies makes me hungry...

NOM NOM NOM NOM... AHHH

binge.png

Woot is awesome. I'm wearing a Woot shirt right now.

To sum up all the points made in this topic: What one person's idea of following the law is, might be different from another person's idea of following the law. We don't want to implement something that we aren't sure actually follows what the law is. As Charles and Matt mentioned in this topic, once it's clear exactly what needs to be done and how to best do that, we're all ears.

[Hexsplosions]

It's interesting to look outside of IP.Board.

Let's take Amazon. You'd think they would have a capable legal team, right?

http://www.amazon.co.uk/gp/BIT/InternetBasedAds

That's all I can see as far as notifications go. I haven't been prompted to give consent, there are no flashy banners, nothing of the sort.

If Amazon deem this to be satisfactory, with their legal resources and knowledge, this suggests the law is not so rigid as to require permission before setting a cookie.

Amazon are not unique in this respect. Many other UK retailers have adopted similar approaches.

The law simply is not clear.

[Hexsplosions]

Additionally, there's information on the ICO about this law:

European data protection authorities opinion

In June 2012, European data protection authorities (as part of the Article 29 Working Party) adopted an opinion which clarifies that some cookie uses might be exempt from the requirement to gain consent:

• Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user’s input when filling online forms or as a shopping card, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.
• First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

[Royzee]

2. There is a Dutch law, that takes this even a step further and requires you to specifically ask for PERMISSION before writing any tracking cookie to the visitor.

No one should write "tracking cookies" to anyone, and in my book they are malware.

[Marcher Technologies]

No one should write "tracking cookies" to anyone, and in my book they are malware.

You are one of the internet users that uses the browser features mentioned above, and block all ads and analytics.

That is your opinion and your choice.

[Royzee]

That is your opinion and your choice.

Agreed :)

[Alex]

I am of the opinion that it's up to you as a site owner to make sure you comply to local laws. If IP.Board implements this cookie law for example, what would stop some customers from another country demanding that their laws are adhered to? Things like this, and COPPA (which is another silly law) compliance are definitely up to the site owner :smile:

Just do what the BBC and the majority of major UK sites I have seen use, put a small banner at the top that says along the lines of "By using this site you agree to us storing cookies, leave now if you do not wish to". IP.Board wouldn't have stored anything by that point.

[Michel_72]

That's not what this is about.

This is about IPS taking a more proactive approach.

Fact:

- There is a law for EU countries

- Many IPS customers have to act upon this law

- Many customers don't know how to do this (in combination with the IP.community software)

Then you can put your head in the sand, claim it is legally not your problem, blame the law for being unclear about what you have to do..... and so on...and so on....

Or..... You could blog something on your website helping your customers to (try) to comply to this law that has impact on a large base of IPS customers.

IPS's choice is now 100% clear to me: The non-active approach..... which is sadly quit common for US based companies.

They worry more about legal implications then their own customers.

[Lindy]

Michel, you've stated you know "100%" what needs to be done to comply. You've been asked several times to elaborate and provide the method of compliance you're certain is required, yet you've not done so.

Could you please share your expertise with us?

[Michel_72]

That's not true.

I have written before that we have to ask for explicit permission before any tracking cookie is written to the visitor.

Since most IP.Board websites use adsense, google analytics, gravater, faccebook, twitter, google+ etc. I see only one option and that is to give a 'accept' or 'leave this website' option.

But that has to be crawler and bot-fiendly, store the users choice and if possible blur the website.

Example (major Dutch website): http://www.fok.nl/

[Grimace`]

Is this Law even final yet? Are people getting fines as such?

I don't think so and IPS has said where they stand on this several times.

[Michel_72]

Sure it's final. Sure you can get large fines.

read this (if you can read Dutch):

http://www.klantenservicefederatie.nl/download_file/view/267/396/

This (legal, officially issued) document is 100% clear.

[Lindy]

Those are all services independent of IP.Board itself. We cannot start incorporating changes based on a half-baked law (in that it's vaguely written) that no two people seem to agree on in terms of interpretation and in fact 80% of the EU have deemed they will not adhere to, including leading companies as mentioned earlier in this topic.

Ultimately, the law is not clear. Our interpretation and subsequent implementation may differ from the EU's and providing a false sense of compliance to our customers is a responsibility and liability we are not willing to accept, I am deeply sorry.

It is up to you to adhere to your applicable local laws in accordance with your own interpretation and/or based on advice from local legal counsel, I'm afraid.

[Michel_72]

I get it. No help from IPS. Thanks.

Just keep blaming it on a unclear law. When we get a fine, I'll get back to you to thank you again.

[Rik]

The problem of the EU cookie law is that the law is implemented in different ways by the members of the EU. You state the Dutch implementation as an example, but that in fact is probably the most stringent implementation. This because the Dutch law acts through opt-in, while the EU law states opt-out - which indicates that a message like the mentioned hooks should be enough, whereafter a user can opt-out via his browser settings.

Because the law is implemented in so many different ways by the members of the EU, I fully understand why IPS can not support it.

[RevengeFNF]

What about when we make login, appears a message saying that it will store cookies on our browser? I thinks its simple as that.

And make that message optional on Admin CP.

[Cyrem]

Or..... You could blog something on your website helping your customers to (try) to comply to this law that has impact on a large base of IPS customers.

So you would rather IPS throw out there how to comply with the law of other countries, to their interpretation no matter if the information turns out to be true or false because the law itself is a muddled mess? Just for the sake of being 'pro-active'?

Are you crazy?

You do realize customers will take their word for it, and should the information turn out to be wrong.. wow... the mess IPS could get itself into....

And make that message optional on Admin CP.

LOL. Deny cookies from your own forum.

EU, should have better spent their time educating people about cookies and how to block them through the browser software they use.

[Marcher Technologies]

What about when we make login, appears a message saying that it will store cookies on our browser? I thinks its simple as that.

And make that message optional on Admin CP.

I told you your answer.

go find me a php script does not set a cookie onload.

just one.

HTML landing page.

shoot me. Just the messenger.

[Bethanyrayne]

I really can't understand this (storm in a teacup)

There is no personal information gathered by IPB software.

Should anything that IPB does collect at the moment fall foul in the slightest way of a European Directive what do you think is going to happen?

The infringement would be so minor that absolutely nothing would be done.

We who live in the EU have a healthy disregard for EU Directives. Please remember this is the EU it has a habit of releasing silly directives that have no real world application and that EU countries quietly ignore.

Get serious and talk about something else, more time than it is worth has already been spent on this non topic.

[Weppa333]

Fully agree with the above #70

I absolutely will dedicate 0.01% of my brain time to this matter.

Not only is this law at european level (it has to be passed to country laws to be of any importance to anyone) but it's so pointless that in my country, very few websites have done anything about it. Seems the UK is a bit more reactive (maybe it's passed in UK law I don't know).

I believe that anyone who actually cares that much about the law obviously already has a lawyer working for him, and is paying taxes of the adsense revenues :smile: , so simply ask a local lawyer what to do.

[Dmacleo]

I get it. No help from IPS. Thanks.

Just keep blaming it on a unclear law. When we get a fine, I'll get back to you to thank you again.

are you that obtuse?

they can't do it.

simple.

[GreenLinks]

That's not true.

I have written before that we have to ask for explicit permission before any tracking cookie is written to the visitor.

Since most IP.Board websites use adsense, google analytics, gravater, faccebook, twitter, google+ etc. I see only one option and that is to give a 'accept' or 'leave this website' option.

But that has to be crawler and bot-fiendly, store the users choice and if possible blur the website.

Example (major Dutch website): http://www.fok.nl/

We are a holland base company and our lawyers clearly tell us there is NO best practise. Here is what you are missing , laws are not clear yet. Every lawyer , every website owner have different understanding.

Additionally this is not a requirement that software producer should apply. This is responsibility of website owner.

[stoo2000]

are you that obtuse?

they can't do it.

simple.

[Michel_72]

We are a holland base company and our lawyers clearly tell us there is NO best practise. Here is what you are missing , laws are not clear yet. Every lawyer , every website owner have different understanding.

Additionally this is not a requirement that software producer should apply. This is responsibility of website owner.

I would advise you to get a new lawyer, because both the EU directive and the Dutch law are very clear about cookies.

Dutch law: Only cookies that are absolutely necessary for a website to function properly may be written without consent of the visitor. Any cookie that tracks privacy related data (IP address and any other data from the visitors PC or network) may only be written after explicit consent. There is no discussion about that. Lawyer says this, lawyer says that is irrelevant. A judge will look at facts and fact is that this Dutch law is not to be interpreted in different ways. It is clearly written on paper (my link to OPTA a few posts backs). OPTA is checking websites and in fact enforcing the law and they even help you understand this law without consulting a lawyer ;)

Q: Hoe kan ik als website-eigenaar de nieuwe regel implementeren?
De cookieregels houden een informatieplicht en een toestemmingsvereiste in. Partijen die
cookies plaatsen en lezen moeten duidelijke informatie geven over het feit dat zij cookies gebruiken
en met welk doel. Daarnaast mogen de cookies, behoudens de in de wet opgenomen uitzonderingen,
alleen geplaatst of gelezen worden indien de gebruiker daarvoor toestemming heeft gegeven. De
partij die cookies plaatst en leest kan deze toestemming vragen door bijvoorbeeld een pop-up. Als de
gebruiker desgevraagd toestemming geeft, kan deze toestemming worden opgeslagen in een cookie,
zodat het niet nodig is om bij elk bezoek opnieuw om toestemming te vragen.

Short translation:

Q: How can I comply to his new law on my website?

A: You have to inform and ask for permission. Websites that write cookies have to give very clear information about the fact they use cookies and for what purpose. Furthermore the cookies (2 exceptions) may only be written if the visitor has explicitly given permission. You may ask for permission using a pop-up for example. If the visitor gives his explicit permission you may store this information in a cookie.

The ONLY differnce with the EU directive is that the directive states you have to inform before writing the cookie(s), and Dutch law says you have to specifically ask for permission before writing the cookie(s).

In both cases the cookies may only be written after the visitors action. Not before. This is in writing so I dont understand how you can interpretate this in different ways.

On most websites that means you would have to replace the index and implement 'leave' or 'approve all cookies' buttons if you want to comply. A simple website statistics tool writes a tracking cookie. Facebook, twitter..they all do..

Nobody says IPS is RESPONSIBLE. I don't say they are!

They just shouldn't be sitting on their hands, but assist any way they can on order to help their customers. That's called proactive SERVICE/SUPPORT!

A simple blog post suggesting a few different ways to help customers to comply to this law would be sufficient.

Apparently that is to much to ask for IPS.

For now my last post on the subject. Please leave the topic in place. When we get a fine or written warning, I would like to give this topic a bump.

Kind regards,

Michel