SilverStripe Forums » General Questions » Cookie permissions and UK regulations

  • martimiz
    Forum Moderator
    1038 Posts

    Re: Cookie permissions and UK regulations

    Hi all,
    I realise this is an older post, but since the cookie law has now been installed in the Netherlands as well and requires a very strict opt-in policy, I was wondering how you all are complying..

    It looks like, since last year, a couple of companies have created online services/plugins to make things easier, like these guys, http://silktide.com/cookieconsent

    I'm not sure how and if this could successfully be implemented on Silverstripe, as not every cookie silverstripe core and modules set can safely be considered 'essential'... But as this involves the whole of Europe - would it be a good idea to add some extra cookie management to the (core) cookie/session objects?

    Maybe a second optional param as in Session::set('key', 'value', 'essential') or Session::set('key','value', 'analytics') or Cookie::set(... And a way to hook into that?

    I'd be very interested in your opinions and experiences,

    Thanks, Martine

  • Willr
    Forum Moderator
    5464 Posts

    Re: Cookie permissions and UK regulations

    You may want to talk to the Better Brief guys, for the hackathon they did some work on Cookies to make it easier to put in your own custom cookies (https://github.com/silverstripe/sapphire/pull/595). I assume they may release something as a module or recipe for EU compatibility.

  • jpmcc
    Community Member
    14 Posts

    Re: Cookie permissions and UK regulations

    I have now taken the implied consent approach, with the first page load detecting if the visitor already has a cookie preference set (yes, in a cookie - apparently allowed). If not, then no cookies are set and an unobtrusive message displays asking if they would allow the use of cookies for the site. There are also links to more information. On the second page load of the session, if still no cookie preference is set, then implied consent is taken as the visitor has continued to use the site and not explicitly denied the use of cookies. The facility to explicitly accept or reject is still available. This is done in a specific cookie controller with actions for accept and reject. The extension provides methods that can be checked for cookie usage availability within normal page controllers if other cookies are going to be used for whatever reason.

    *edit*
    I don't know if implied consent is available in the Netherlands, but the ICO in the UK updated its advice on how the visitor may provide consent for the use of cookies a day or so before the implementation deadline arrived. That followed a grace period of 1 year after the actual introduction of the regulations. The updated advice included the fact that implied consent would be valid as long as it could be demonstrated that it was reasonable. I take the approach that if you provide explicit accept / reject functionality and the visitor chooses to continue using the site without taking either action, then it is reasonable to assume implied consent. You present the information, you have to assume the visitor has read stuff on the page - it isn't hidden away.
    *edit*

    Obviously alternative approaches for functionality that requires the use of cookies that would be considered non-essential, e.g. affiliate referral tracking etc. would need to be implemented, but that is outside the scope of allowing the visitor to allow the use of cookies (or not).

    I have another non-SS site where the site owner wanted implied permission to be used from the very first page load, as other large sites (mainly newspapers and broadcasters) were doing a similar thing, effectively an opt-out, but without having to mess around with browser settings.

    In SS, I am doing the checks etc. in the onBeforeInit method of an extension applied to the ContentController. In the onAfterInit, if cookies are not allowed, then the PastMember cookie (which is set in the Controller init method if the user is logged in and a past member), is overwritten with one that is expired so would be removed from the browser, if required.

    If cookies are explicitly denied, then any GA cookies are also removed. The only cookies remaining essential to the site are the site session cookie (which if it wasn't essential before, is now to track the visitor's cookie choices in order to implement implied consent), and the cookie containing the visitor's cookie preference.

    I know there are previous posts saying that if the user is registered, then part of the Ts & Cs could include that cookies should be accepted (as that is the visitor's choice to register and therefore they have a free choice to accept or reject the use of cookies), therefore the PastMember cookie doesn't have to be worried about.

    I am working on turning this into a module - mainly so I can easily apply it to the SS based sites that I work on - so stuff like the PastMember cookie could be an option, as is the use of implied consent.

    So far, the PastMember cookie is the only one that needs to be caught if you are not going to alter the core. For "remember me" functionality, that can be presented, or not, based on cookie preferences by overriding the MemberLoginForm and disabling the option from being presented.

    Cheers,
    Jason.
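
The consent flow Jason describes above, combined with the per-cookie category Martine suggested earlier in the thread, as an added example that is not part of the original posts and is not the code of Jason's module or of SilverStripe. It is plain PHP with no framework calls; the function names, the `CookiePref` cookie name and the category labels are assumptions, and it also expires already-present non-essential cookies while the visitor is still undecided.

```php
<?php
// Added example: framework-independent model of the consent flow in this thread.
// consentState(), filterCookies() and the category labels are hypothetical names.

const ESSENTIAL = 'essential';

/**
 * Resolve consent from the stored preference and the number of pages this
 * session has loaded. $preference is 'accept', 'reject' or null (no choice yet).
 */
function consentState(?string $preference, int $pageLoads, bool $impliedAllowed): string
{
    if ($preference === 'accept' || $preference === 'reject') {
        return $preference;              // an explicit choice always wins
    }
    // No choice yet: implied consent applies only from the second page load,
    // and only where the site enables it (a strict opt-in site passes false).
    return ($impliedAllowed && $pageLoads >= 2) ? 'implied' : 'undecided';
}

/**
 * Split the cookies a request wants to use into those to send and those to expire.
 * $requested maps cookie name => category; $present lists names the browser sent.
 */
function filterCookies(string $state, array $requested, array $present): array
{
    $allowAll = ($state === 'accept' || $state === 'implied');
    $send = [];
    $expire = [];
    foreach ($requested as $name => $category) {
        if ($category === ESSENTIAL || $allowAll) {
            $send[] = $name;
        } elseif (in_array($name, $present, true)) {
            $expire[] = $name;           // overwrite with an already-expired cookie
        }
    }
    return ['send' => $send, 'expire' => $expire];
}

// Constructed sample data: cookie names and the categories assumed for them.
$cookies = ['PHPSESSID' => ESSENTIAL, 'CookiePref' => ESSENTIAL,
            'PastMember' => 'functional', '_ga' => 'analytics'];

foreach ([[null, 1], [null, 2], ['reject', 5]] as [$pref, $loads]) {
    $state = consentState($pref, $loads, true);
    $plan = filterCookies($state, $cookies, ['PastMember', '_ga']);
    printf("%-9s send=%s expire=%s\n", $state,
        implode(',', $plan['send']), implode(',', $plan['expire']));
}
```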

  • martimiz
    Forum Moderator
    1038 Posts

    Re: Cookie permissions and UK regulations

    Thanks Will, I'll have a look at the module.

    And thanks, Jason, for your extensive reply.
    As for using the implied consent approach, as far as we understand it now, we cannot use that in the Netherlands. It looks like our cookie law is one of the more strict in Europe, but still that doesn't necessarily make it any clearer...

    Also it seems that over 90% of all webowners are still waiting for the competition to go first. I've read just yesterday that the OPTA has a job opening ready for a stagiair(!) to build an automated checking system (later they apparently stated he's not going to do it all by himself). Still we need to have something prepared that is easy to implement, I guess.

    So I'm interested in your module as well. Are you planning on supporting opt-in as well?

    Cheers, Martine

  • jpmcc
    Community Member
    14 Posts

    Re: Cookie permissions and UK regulations

    Hi,

    Opt in (without implied consent) is the approach that I originally took - obviously the downside is completely blank analytics as people either explicitly deny cookies, or more likely, they just ignore the cookie information (same result).

    In the module the use of implied consent is intended to be optional. If I ever get to the point of releasing the module, I'll let you know. Hopefully I'll get some time to tidy it up soon. I guess it would also need to be translatable.

    Cheers,
    Jason.

  • Aram
    Community Member
    598 Posts

    Re: Cookie permissions and UK regulations

    Hi Guys,

    We (Aab Web) decided to follow some large organisations in the UK (e.g. BBC, Channel 4 etc.) and simply inform users of the use of cookies and provide them a link to more information about the specific cookies used and how to delete them, rather than ask for their permission explicitly before setting them.

    We have released a customisable 'Cookiebar' module to add a cookie bar at the top of the page which you can get here:

    https://github.com/arambalakjian/Cookie-Bar

    You can see it in action on our site (the image/text/Links are all CMS controlled): http://www.aabweb.co.uk

    Any comments/suggestions let me know.

    Cheers,

    Aram

  • borriej
    Community Member
    267 Posts

    Re: Cookie permissions and UK regulations

    Aram, nice module. Are we free to use your plug-in and content of the description page for a commercial website?
    Is it sufficient for a website in the Netherlands?

  • beren
    Community Member
    9 Posts

    Re: Cookie permissions and UK regulations

    I've tried to use the module but failed.
    If you can help please read this thread:
    http://www.silverstripe.org/all-other-modules/show/23509

    Also, is the Cookie-bar module available from https://packagist.org/ for composer installation?

    Thanks.
