Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Cookie permissions and UK regulations

Go to End

16 Posts   2377 Views


Forum Moderator, 1132 Posts

15 July 2012 at 10:47pm

Hi all,
I realise this is an older post, but since the cookie law has now been installed in the Netherlands as well and requires a very strict opr-in policy, i was wondering how you all are complying..

It looks like, since last year, a couple of companies have created online services/plugins to make things a easier, like these guys,

I'm not sure how and if this could successfully be implemented on Silverstripe, as not every cookie silverstripe core and modules set can safely be considered 'essential'... But as this involves the whole of Europe - would it be a good idea to add some extra cookie management to the (core) cookie/session objects?

Maybe a second optional param as in Session::set('key', 'value', 'essential') or Session::set('key','value', 'analytics') or Cookie::set(... And a way to hook into that?

I'd be very interested in your opions and experiences,

Thanks, Martine


Forum Moderator, 5513 Posts

16 July 2012 at 7:32pm

You may want to talk to the Better Brief guys, for the hackathon they did some work on Cookies to make it easier to put in your own custom cookies ( I assume they may release something as a module or recipe for EU compatibility.


Community Member, 14 Posts

16 July 2012 at 7:36pm

Edited: 16/07/2012 7:40pm

I have now taken the implied consent approach, with the first page load detecting if the visitor already has a cookie preference set (yes, in a cookie - apparently allowed). If not, then no cookies are set and an unobtrusive message displays asking if they would allow the use of cookies for the site. There are also links to more information. On the second page load of the session, if still no cookie preference is set, then implied consent is taken as the visitor has continued to use the site and not explicitly denied the use of cookies. The facility to explicitly accept or reject is still available. This is done in a specific cookie controller with actions for accept and reject. The extension provides methods that can be checked for cookie usage availability within normal page controllers if other cookies are going to be used for whatever reason.

I don't know if implied consent is available in the Netherlands, but the ICO in the UK updated its advice on how the visitor may provide consent for the use of cookies a day or so before the implementation deadline arrived. That followed a grace period of 1 year after the actual introduction of the regulations. The updated advice included the fact that implied consent would be valid as long as it could be demonstrated that it was reasonable. I take the approach that if you provide explicit accept / reject functionality and the visitor chooses to continue using the site without taking either action, then it is reasonable to assume implied consent. You present the information, you have to assume the visitor has read stuff on the page - it isn't hidden away.

Obviously alternative approaches for functionality that requires the use of cookies that would be considered non-essential, e.g. affiliate referral tracking etc. would need to be implemented, but that is outside the scope of allowing the visitor to allow the use of cookies (or not).

I have another non SS site where the site owner wanted implied permission to be used from the very first page load, as other large sites (mainly newspapers and broadcasters were doing a similar thing), effectively an opt-out, but without having to mess around with browser settings.

In SS, I am doing the checks etc. in the onBeforeInit method of an extension applied to the ContentController. In the onAfterInit, if cookies are not allowed, then the PastMember cookie (which is set in the Controller init method if the user is logged in and a past member), is overwritten with one that is expired so would be removed from the browser, if required.

If cookies are explicitly denied, then any GA cookies are also removed. The only cookies remaining essential to the site are the site session cookie (which if it wasn't essential before, is now to track the visitor's cookie choices in order to implement implied consent), and the cookie containing the visitor's cookie preference.

I know there are previous posts saying that if the user is registered, then part of the Ts & Cs could include that cookies should be accepted (as that is the visitor's choice to register and therefore they have a free choice to accept or reject the use of cookies), therefore the PastMember cookie doesn't have to be worried about.

I am working on turning this into a module - mainly so I can easily apply it to the SS based sites that I work on - so stuff like the PastMember cookie could be an option, as is the use of implied consent.

So far, the PastMember cookie is the only one that needs to be caught if you are not going to alter the core. For "remember me" functionality, that can be presented, or not, based on cookie preferences by overriding the MemberLoginForm and disabling the option from being presented.



Forum Moderator, 1132 Posts

16 July 2012 at 11:09pm

Thanks Will, I'll have a look at the module.

And thanks, Jason, for your extensive reply.
As for using the implied consent approach, as far as we understand it now, we cannot use that in the Netherlands :( It looks like our cookie law is one of the more strict in Europe, but still that doesn't necessarily make it any clearer...

Also it seems that over 90% of all webowners are still waiting for the competition to go first. I've read just yesterday that the OPTA has a job opening ready for a stagiair(!) to build an automated checking system (later they apparently stated he's not going to do it all by himself). Still we need to have something prepaired that is easy to implement, I guess.

So I'm interested in your module as well. Are you planning on supporting opt-in as well?

Cheers, Martine


Community Member, 14 Posts

18 July 2012 at 3:51am


Opt in (without implied consent) is the approach that I originally took - obviously the downside is completely blank analytics as people either explicitly deny cookies, or more likely, they just ignore the cookie information (same result).

In the module the use of implied consent is intended to be optional. If I ever get to the point of releasing the module, I'll let you know. Hopefully I'll get some time to tidy it up soon. I guess it would also need to be translatable.


Carbon Crayon

Community Member, 598 Posts

25 July 2012 at 3:11am

Edited: 25/07/2012 3:11am

Hi Guys,

We (Aab Web) decided to follow some large organisations in the UK (e.g. BBC, Channel 4 etc.) and simply inform users of the use of cookies and provide them a link to more information about the specific cookies used and how to delete them, rather than ask for their permission explicitly before setting them.

We have released a customisable 'Cookiebar' module to add a cookie bar at the top of the page which you can get here:

You can see it in action on our site (the image/text/Links are all CMS controlled):

Any comments/suggestions let me know.




Community Member, 267 Posts

12 October 2012 at 12:17am

Aram, nice module. Are we free to use your plug-in and content of the description page for a commercial website?
Is it sufficient for a website in the Netherlands?


Community Member, 9 Posts

23 April 2013 at 12:22am

I've tried to use the module but failed.
If you can help please read this thread:

Also, is the Cookie-bar module available from for composer installation?


Go to Top