EU privacy cookie directive
-
- Forum Members
- Posts: 85
- Joined: Wed Jun 20, 2007 5:40 pm
EU privacy cookie directive
Hi All,
Is it at all possible to prevent CMSMS using a session cookie so that the script may be compliant with the new UK cookie laws?
Perhaps a flag in the config file to allow us to switch on/off the session cookie (I don't mean the backend one).
http://www.ico.gov.uk/news/blog/2011/ha ... iance.aspx
Re: EU privacy cookie directive
Only the backend of cmsms uses session (cookies).
The frontend is not. Add-on modules might, but the core isn't.
grtz. Rolf
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Re: EU privacy cookie directive
It does...
at least I have a cookie like so: CMSSESSID15bbf057.....
Recent version of CMSms, standard installation without any additional modules.
-
- Forum Members
- Posts: 85
- Joined: Wed Jun 20, 2007 5:40 pm
Re: EU privacy cookie directive
It's not from the backend. Go to http://www.cmsmadesimple.org/ and delete all your cookies related to that page (Firefox > Tools > Page Info > Security > View Cookies).
Refresh the page
You'll most likely see 5 cookies, 1 called CMSSESSID<number> and 4 for GA.
As I don't have access to the cmsmadesimple.org backend, why would CMSMS be placing a cookie called CMSSESSID unless of course there is a module doing this? Try it out on a clean install of CMSMS and see what happens. Try going to http://www.opensourcecms.com and doing the same on the CMSMS demo.
Regardless of whether this is a session based or permanent cookie, it still requires consent, hence the question.
You know what, I might be wrong, but I don't know as my coding skills aren't great and I didn't code CMSMS. If I am wrong then I will hold my hand up, apologise to everyone and get on with it.
What I do know is that CMSSESSID shows up when viewing cookies in Firefox and new UK law requires website owners to obtain consent to place cookies on a user's terminal.
Re: EU privacy cookie directive
@Dr.CSS
sorry to disagree.
I clear all the cookies in Firefox.
I then open a frontend page.
The cookie is set again.
Cookies are activated in /include.php as far as I understand.
-
- Power Poster
- Posts: 1049
- Joined: Wed Mar 19, 2008 4:54 pm
Re: EU privacy cookie directive
Did you read the updated version of the advice? http://www.ico.gov.uk/news/blog/2011/~/ ... tions.ashx
session cookies aren't a problem, they even advise to use session cookies
You should also consider whether users who might make a one-off visit to your site would have a persistent cookie set on their device. If this is the case, you could mitigate any risk that they would object to this by shortening the lifespan of these cookies or, where possible given the purpose for using them, making them session cookies.
also read on page 8, Exceptions from the requirement to provide information and obtain consent, and on page 10, Activities likely to fall within the exception
Re: EU privacy cookie directive
I asked Calguy1000: core CMSMS does use session cookies in the frontend! I was wrong here, didn't know that...
But before this was implemented CG did some extensive research in this EU law. He found the quote from Staartmees above and some other pages on this subject.
There is absolutely nothing wrong with the use of session cookies, particularly when that session cookie only contains a single string that does not contain any personal information.
So CMSMS is completely legal to use in the EU.
Hope this answers your question.
Rolf
Re: EU privacy cookie directive
@Rolf
Thank you.
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: EU privacy cookie directive
actually, this is slightly incorrect. CMSMS has ALWAYS used session cookies. And we have no plans to change the behavior.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: EU privacy cookie directive
I was wrong, I apologize...
Re: EU privacy cookie directive
According to the ICO, regardless of what the cookie is, we will need to tell people what cookie is being run and what the use of it is. My question is, exactly what does the session cookie do as we will need to add this to our Privacy Policy to all existing CMSMS websites?
Thanks
Mark
Re: EU privacy cookie directive
Rolf wrote:
There is absolutely nothing wrong with the use of session cookies, particularly when that session cookie only contains a single string that does not contain any personal information.
So CMSMS is completely legal to use in the EU.
The question is not whether the setting of certain cookies makes CMSMS "legal" or not, and the above could be misunderstood as meaning that no action need be taken in order to comply with the new law.
The following extract from the guidance document clearly states that the Regulations apply to both session and persistent cookies, compliance requires seeking the visitor's permission to set the session cookie.
Session and persistent cookies
Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies
So, can the session cookie be removed from the front end?
If not, any suggestions for how to implement an opt-in for CMSMS sites?
Re: EU privacy cookie directive
Thanks for your reply, winkelman.
Can you tell me how to configure CMSMS to prevent the cookie from being set?
EDIT: as you've since deleted your post, I guess not.
Re: EU privacy cookie directive
I too would like to know how to implement some form of cookie consent system for cmsms.
The info I have read says that all cookies must require consent. But then says session cookies that do not contain personal data and are removed when the browser closes may be exempt. So it seems to contradict.
If we do need consent for ALL cookies, then this needs addressing pretty quick otherwise the cmsms base in the EU is going to look elsewhere (and when at the Geekmoot a few weeks ago, the EU countries are where the largest user base is!)
Re: EU privacy cookie directive
Realistically, if any legal action is taken it will be preceded by a request for a statement of intent i.e. what action the offender intends to take in order to comply, and the time scale. Therefore, as immediate penalties are not threatened, the vast majority of sites will probably do nothing until it becomes imperative.
But that does not mean we should do nothing.
Short of complete compliance, a sensible course of action is to:
1. Audit the cookies on your sites and provide details of their purpose and behaviour in your Privacy Policy information page.
2. Make links to Privacy Policies more prominent i.e. at the top of the page.
3. Include mention of cookies in link, either a direct link to the information or add to Privacy link e.g. "Privacy and Cookies".
Even so, I'd still be interested in how to prevent the CMSMS session cookie being set.
And, as has been requested above, can we please have an explanation of what the CMSSESSID session cookie does. It doesn't appear to be necessary for back-end use.
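An added example (not part of the original thread or of CMSMS) for step 1 of the audit suggested above: it classifies each Set-Cookie header a server sends as session or persistent, the distinction this thread turns on. The header values are constructed and every cookie name other than the CMSSESSID prefix is hypothetical; cookies set by JavaScript (such as analytics) never appear in response headers and have to be checked in the browser.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values; names other than the CMSSESSID prefix are hypothetical.
SAMPLE_SET_COOKIE = [
    "CMSSESSID00000000=constructed-session-id; path=/",
    "remember_me=constructed; expires=Tue, 01 Jan 2013 00:00:00 GMT; path=/; HttpOnly",
    "prefs=constructed; Max-Age=86400; Expires=Tue, 01 Jan 2013 00:00:00 GMT; Secure",
    "old_banner=deleted; Max-Age=0; path=/",
]

def classify(header, now):
    """Classify one Set-Cookie value as session, persistent or deletion."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    lifetime = None  # seconds; None means the cookie dies with the browser session
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present (RFC 6265)
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None  # invalid Max-Age is ignored, Expires may still apply
    if lifetime is None and "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            lifetime = int((when - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None  # unparseable date: treat as no expiry attribute
    if lifetime is None:
        kind = "session"
    elif lifetime > 0:
        kind = "persistent"
    else:
        kind = "deletion"
    return {"name": name, "kind": kind, "lifetime_s": lifetime,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}

def audit(headers, now=None):
    """Return one classification row per Set-Cookie header, for the privacy policy."""
    now = now or datetime.now(timezone.utc)
    return [classify(h, now) for h in headers]

if __name__ == "__main__":
    for row in audit(SAMPLE_SET_COOKIE):
        print(row)
```
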