conformance with EU cookie laws

cederic

Heya,

My site is creating cookies, both attached to my domain name and to smugmug.com itself, when people visit it.

As I'm based in the UK I'd kind of like to try and obey the law and avoid a £500,000 fine. Is there an easy way for me to do one of the following:

• disable cookies
• add a 'Please confirm you're happy with cookies' request (that can disable the site if they say no)
• get confirmation that all of the cookies set by Smugmug (whether on my own domain or smugmug.com) are exempt due to the exceptions to the regulation

I'd also like to be sure that my site complies with users' "Do not track" preference set in their browser, and I think I need to describe the use of any cookies that aren't covered by the exception.


As an individual, I'm unlikely to get more than a telling off by the ICO, but any UK based professionals are liable to a proper spanking.


Here's a link to the guidance on the law:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx


I should've thought about this a while back, but it didn't occur to me to check my photo site for cookies until today.

jfriend

Interesting question. I am not an expert on this, but aren't these regulations related to the storing of personal information and tracking? Are any of the Smugmug cookies actually storing information that this regulation would apply to?

If your site stores a cookie in the user's browser to remember that the viewer selected the Journal viewing style so that the site can use that viewing style on subsequent pages, does this regulation really apply to that cookie?

If I'm understanding this correctly, I think the first question would be whether any of the cookies that Smugmug does set are actually doing things that are covered by this regulation and if so, which ones and what can be done about those specific cookies.

Motorsports

European Cookie Law
Hi

As of 26th May in Europe all business websites are required to have the functionality to allow users the option to control which type of cookies functionality they accept. (http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx ). This is in addition to any control the user has via browser settings.

Can you tell me if Smugmug is planning to develop something for us so that we can continue to use SM for our business needs ?

Mike

Motorsports

Cedric, a good example of how to handle this can be found at bt.com. Look for the popup box bottom right. If you click to change settings it shows 3 levels of cookie and explains what will happen if you disable each.

If a user disables a cookie that remembers if they visited the site before its no big deal but if they disable those that control login id and shopping cart items the site will not function correctly. Somehow this needs to be clearly explained. Would probably require a prompt if the user tries to buy something that they will need to enable a cookie again.

paulbrock

didn't there used to be an official response on this thread?

Presumably it's enough that we have a .co.uk domain (pointed to smugmug) to fall under the remit of this law?

i find the whole thing a bit of a PITA as a site visitor to be honest, yes its only once per site, but I've realised this week just how many different sites I visit, each requiring at least an acknowledgement that yes, I'm not scared if you 'track' me.

Anyway, I'd imagine we're pretty cookified here, even for customers. Not only the shopping cart, but also sharegroups, gallery passwords, event favourite galleries, preferred viewing style....

I would prefer a catch-all "yes this site uses cookies. Please opt in if you're happy" popup rather than a suggestion that maybe we probably don't need an opt-in for what smugmug currently does.

What have sites been doing if users refuse to opt-in? One I know of, Barclays bank, has a "if you login, you accept we will use cookies". essentially saying, no cookies, no service.

I confess the changes caught me by surprise as well - I wasn't expecting cookie popups to appear on sites like bbc.co.uk, so a bit of a communications fail by the lawmakers to let us all know about it. We're certainly not the only ones!
http://www.bbc.co.uk/news/technology-18206810

but yeah, lets get something in place.

paulbrock

actually another easy option for smugmug and us might be to go down the route of 'implied consent'. From the ICO page:

Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

So more a "hey, we use cookies here for x,y and z. If you don't like this, please don't continue to use the site"

Also relevant:

How can UK organisations comply with the new cookie changes?

The first is, do a cookie audit. Work out what your website does, which cookies it uses, what other technologies you might use. And from there, you can at least establish where your starting point is.

The other thing to do, at the same time as that, is to review the information you give to your users about cookies. Make it more prominent, make it more user friendly, make it mean something to them, rather than just the person who wrote it.

So being clear, honest, open and upfront about cookies is a really easy first step towards compliance. Once you've done that and your users are aware, you can then start to think about the best methods for getting user consent on your site.
That suit what you do, what your users know and what their understanding is.

http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_faqs_video_transcript_20120525.ashx (pdf)


OK, so, how about we get together a comprehensive list of what cookies Smug uses..... is this anywhere already?

edit: also, if you use any 3rd party tools like Google analytics these will need to be considered.

paulbrock

A link elsewhere suggested the Daily Mirror site had a good example. Here's what they put, a prominent, but not excessive, link in the top right "how we use cookies" which goes to:

http://www.mirror.co.uk/cookie-policy/

and a first time visitor pop up that says " This website uses cookies to give you the best, most relevant experience. Using this websites means you're OK with this. You can change which cookies are set at any time - and find out more about them - by following this link[hyperlinked] (or by clicking the cookie link at the top of any page)"

jfriend

It's interesting that Andy originally replied in this thread and said he would look into it and get back to us and now his post has apparently been deleted. Where is the Smugmug info on this?

Andy

jfriend wrote: »

It's interesting that Andy originally replied in this thread and said he would look into it and get back to us and now his post has apparently been deleted. Where is the Smugmug info on this?

I had a mistake in my post We'll have a reply to this thread, thanks everyone for your patience.

paulbrock

I'm now seeing a little smugmug pop up about cookies when visiting my home page, linking to
http://help.smugmug.com/customer/portal/articles/93251

the link isn't perfect (as its more about troubleshooting rather than a "we have cookies, here's why"), but I totally appreciate the speedy solution.

I will say Andy, on your page, the pop up banner clashes a little with your nav bar though (On Chrome, 1024x 768)

Presumably it's a catchall 'all smugmug sites' rather than trying to determine which are EU or not.

Anyway thumbs up Smugmug

Andy

Visitors to SmugMug from EU countries will now see this message, the first time they arrive at SmugMug. Thanks for your patience while we took care of this!

Andy

paulbrock wrote: »

the link isn't perfect (as its more about troubleshooting rather than a "we have cookies, here's why"), but I totally appreciate the speedy solution.

Yeah we'll update that cookies page with some additional wording, stay tuned on that. Thanks!

Andy

paulbrock wrote: »

Presumably it's a catchall 'all smugmug sites' rather than trying to determine which are EU or not.

Anyway thumbs up Smugmug

No, it's for visitors who are coming from EU countries to anyplace on SmugMug. Visitors from outside the EU will not see the message.

jfriend

Andy wrote: »

No, it's for visitors who are coming from EU countries to anyplace on SmugMug. Visitors from outside the EU will not see the message.

Is there any way for a US account holder to see what your own site looks like with an EU visitor?

Andy

jfriend wrote: »

Is there any way for a US account holder to see what your own site looks like with an EU visitor?

No, there isn't. You can look at the screenshot above, that's the message. It shows only once and when they navigate away it's gone.

Daniel UK

Great!

To say the UK required consent for cookies they appear to have made a major change as they brought the law in to allow for implied consent (that appeared to be not allowed at first).

Great that SmugMug has brought this in, one less thing I need to worry about and have to hack in to the custom template headers etc.

cederic

Thanks for the swift implementation!

iamback

Andy wrote: »

Visitors to SmugMug from EU countries will now see this message, the first time they arrive at SmugMug.

Not quite.

You see that banner the first time you visit ANY site hosted on SmugMug. Look at a few sites by others (going through this forum and look at examples) and you'll soon get very sick of that banner.

Besides, what are you doing to make sure it does not clash with the styling of anyone's site?

I've just hidden mine (I hope!) so I can find a solution that actually fits my design instead of fighting with it. I'm happy to comply with the law, but it doesn't have to be so annoying - you now have to click it away. Why not the other way around? Click if you need more info?

iamback

jfriend wrote: »

Is there any way for a US account holder to see what your own site looks like with an EU visitor?

Sure - you can use a proxy that 'places' you outside the EU. There are several plugins for Firefox to browse through a proxy, for instance FoxyProxy; search the plugins site with 'proxy' and you'll find some more.

If nothing else - useful for some testing!

Andy

iamback wrote: »

Not quite.

You see that banner the first time you visit ANY site hosted on SmugMug. Look at a few sites by others (going through this forum and look at examples) and you'll soon get very sick of that banner.

Besides, what are you doing to make sure it does not clash with the styling of anyone's site?

I've just hidden mine (I hope!) so I can find a solution that actually fits my design instead of fighting with it. I'm happy to comply with the law, but it doesn't have to be so annoying - you now have to click it away. Why not the other way around? Click if you need more info?

If you are not clearing cookies, once you've seen it, you should not see it again. Can you confirm please?

Andy

iamback wrote: »

Besides, what are you doing to make sure it does not clash with the styling of anyone's site?

it's just a transparent light blue info bar, that will go away after you click the "x" - once done, it won't reappear to the visitor.

iamback

Andy wrote: »

If you are not clearing cookies, once you've seen it, you should not see it again. Can you confirm please?

I am not clearing cookies - but I see it for every new SmugMug-hosted site. That, plus the fact that you can only get rid of it by clicking it, makes it extremely annoying.

That said, I am not (not ever) accepting third-party cookies - I have not looked at what cookie you actually set, but maybe that could be the problem?

I'm planning to put just a small link somewhere, along the lines of the (unobtrusive) link on the Daily Mirror site.

BTW, you also confirm what I had already concluded must be the case: that the user must allow a cookie to be stored in order not to see a warning about cookies being used! Doubly irritating for those who really do not want cookies (and, for instance, set their browsers to only store session cookies, and clear all when closing the browser). That's why I think a simple link - instead of a have-to-click-way banner - is best.

iamback

Andy wrote: »

it's just a transparent light blue info bar, that will go away after you click the "x" - once done, it won't reappear to the visitor.

And what makes you think 'transparent light blue' does NOT clash with anything? It only doesn't if the user is already using a theme that actually uses blue.

Actually, what you say is not true - it seems to be black, or at least very dark, but with a bright-blue icon that looks like a button but isn't. (certainly enough to irritate me!)

And have you looked recently at your own site (the one in your sig) to see how it appears? It's darker than the background it sits on, has a thin lighter-blue border, and that bright-blue icon. The link, and its close button, are totally obscured by your top menu...

But at least, get rid of the color to avoid theme clashes!

(I, for one, won't accept anything blue - and I don't care if it takes me a day to get rid of it...)

iamback

Andy wrote: »

it's just a transparent light blue info bar, that will go away after you click the "x" - once done, it won't reappear to the visitor.

This is the actual style:

[PHP]#messageHeader {
background-color: #112025;
border: 1px solid rgba(43, 117, 209, 0.3);
border-radius: 6px 6px 6px 6px;
color: #D6D8DA;
font-size: 13px;
margin: 10px 20px;
min-height: 24px;
padding: 4px 6px;
}[/PHP]

As you can see, a solid background color, with a transparent border that is light blue.

It also has a top margin, which, having it sitting at the top of the page, pushes the whole page down, leaving an ugly gap at the top.

iamback

Andy wrote: »

If you are not clearing cookies, once you've seen it, you should not see it again. Can you confirm please?

Also, the page the bar links to is badly outdated. Please update it for current browsers (including Opera and Chrome/Chromium!).

(And the instructions for getting rid of 'bad files' only takes Internet Explorer into account - please update that for other major browsers as well - IE is no longer the most-used browser!)

This is what the dialog looks like for current (v.13) Firefox running on Windows (don't call that 'PC' - that's hardware!):

Andy

iamback wrote: »

This is the actual style:

[PHP]#messageHeader {
background-color: #112025;
border: 1px solid rgba(43, 117, 209, 0.3);
border-radius: 6px 6px 6px 6px;
color: #D6D8DA;
font-size: 13px;
margin: 10px 20px;
min-height: 24px;
padding: 4px 6px;
}[/PHP]

As you can see, a solid background color, with a transparent border that is light blue.

It also has a top margin, which, having it sitting at the top of the page, pushes the whole page down, leaving an ugly gap at the top.

You're welcome to change it

iamback

Andy wrote: »

You're welcome to change it

You are totally missing the point, Andy! Besides, I have already stated I have hidden mine until I have implemented a better solution. But that is for my own site - and that is not what this is about at all.

Have you even looked at how it looks on your own moonriverphotography.com site? There's a gap at the top, your title is pushed down, and the close button is unreachable. And no, I cannot change yours. Or anyone else's, for that matter.

I have more bad news, but I'll put that in a separate message.

Andy

iamback wrote: »

And have you looked recently at your own site (the one in your sig) to see how it appears? It's darker than the background it sits on, has a thin lighter-blue border, and that bright-blue icon. The link, and its close button, are totally obscured by your top menu...

Thanks for reminding me! I'm like the shoemaker's child sometimes, and I get to my own site last. I had an error in my own coding that causes this. Should be fixed now, and I'd love it if you would verify

Andy

iamback wrote: »

You are totally missing the point, Andy! Besides, I have already stated I have hidden mine until I have implemented a better solution. But that is for my own site - and that is not what this is about at all.

Perhaps you can elaborate then, as I truly do want to help
The bar is there, and for those that want to customize it they can easily do so with CSS. Or you're free to suppress it on your own site and do something else. We needed to implement something that would go across all of smugmug.com for EU visitors. I'm standing by.

iamback

The bad news - and some possible solutions
I have spent several hours today to analyze (with the help of a cookie management extension in Firefox) what, exactly, is happening. First, the bad news. Then the explanation, and suggestions.

The bad news.

Any attempt to control whether or not a message about cookie usage will appear or not by setting a cookie will inevitably most annoy those who already manage their cookies.

The explanation - or, what SM is actually doing

It took some time to piece this together, because cookies are tricky to analyze from the user's end: that is because they tend to appear only after a page refresh. And, the server may send a cookie, but that is no guarantee it will be stored at all, or be stored in the intended form. I'll spare you the testing details, but these are my conclusions of what is happening - and why that process leads to quite annoying situations for some.

1. When the SM server first detects a visitor from the EU, they will generate an extra div called #messageHeader at the top of the #bodyWrapper div. It has a blue 'i' icon, a bit of text, a link to the (rather outdated) information page about cookies, and a close button.
2. If a visitor manages to reach the close button (not possible on every site!) SM will produce a cookie called 'EUCookie' with content '1'. It will be valid for the current main domain and all its subdomains, for either http or https protocol, and has a path '/' (root) so it applies to any page within that domain or any of its subdomains. It is sent as a cookie with an expiration time exactly one year in the future.
3. When this process happens for a site with a custom domain, the cookie's domain is the custom domain, not the smugmug.com domain
4. When the visitor reloads the page, or a different one on the same domain, the 'cookie bar' will no longer appear as long as the EUCookie is present, and has not expired.
5. However, in response to a new page request for the same domain accompanied by a not-yet-expired cookie, the SmugMug server does not 'refresh' the cookie by resetting its expiration time to one year from that moment.

At first sight, this seems simple and straightforward enough, but there are a couple of major flaws:

1. Because the cookie is set for either the smugmug.com or a custom domain, someone from the EU browsing several sites on different domains (even though technically hosted on the smugmug servers), will repeatedly be confronted with the same banner - the design of which is clashing in various ways with the design of customized sites (Power or Pro). This gets annoying very quickly.
2. Because the cookie is never 'refreshed' and thus will inevitably time out, after at most a year the cookie will not be sent back to the server, and the server will produce that same cookie bar again. Together with a fresh cookie set to expire after another year.
3. For all of this SmugMug assumes the visitor is actually accepting those cookies, and accepting them as 'permanent' (valid for a year) cookies. But many of those who are aware of cookies and the danger they pose for privacy and 'tracking' either do not accept cookies at all, or only accept them until the browser is closed which effectively tells the browser to not store any expiration time, so it becomes a 'session' cookie, valid only until the browser closes. In most cases, browsers or cookie managers then allow to set 'exceptions' for:
   • Allowing 'third-party' cookies or not (i.e. cookies set by other domains than the one of the page they are loading)
   • Allowing permanent cookies for particular domains (typically those where a user has an account and wants to maintain 'sessions' across closing and reopening the browser)
   • Forbidding all cookies for a specific domain
4. A very common strategy for those who manage their cookies is to allow only session cookies (simply not storing an expiration time, even if the server sends it), often combined with not accepting third-party cookies at all, and specific 'Allows' for sites where the user has an account. Consider what happens in this scenario with the 'EUCookie':
   • For someone who does not have an account on SmugMug and has not explicitly 'Allowed' it, the EUCookie will be a session cookie, and disappear as soon as the browser is closed or restarted - with the result that the cookie bar is re-displayed as soon as they visit any SmugMug page, whether on the main domain or a subdomain.
   • For someone who does have an account on SmugMug and has 'Allowed' the domain to place cookies, the cookie bar mostly stays away - but only for a year at most. And for any site hosted under their own custom domain, the cookie bar will reappear on each new browser session - unless they 'Allow' each of the domains they regularly visit.
5. In-browser cookie management has progressed greatly, but I have not yet seen any that permit the user to accept only one specific cookie by name as permanent, while still accepting only session cookies for all others sent by the same domain. So suggesting the user accept only the EUCookie will not work.
6. Suggesting a user accepts all permanent cookies by SmugMug when they are not doing that already is also likely to fail (and cause irritation), because most site functionality will be just fine with only session cookies. Even shopping, as long as you finish the process before closing the browser.
7. As a result, precisely the people already managing their cookies will be plagued by these cookie banners repeatedly popping up. If they were unobtrusive it would not be so bad, but they are not, they often interfere with the layout of a page, and - depending on the customization done - it may not even be possible to see, let alone reach, the 'close' button.
8. Given that the intention ultimately is to inform not to annoy it is obvious that relying on a cookie-meant-to-be-permanent is not a very good strategy because very often it isn't.

So what can be done?

A few ideas:

1. Consider the main purpose of the EU directive: that users understand that their actions will result in cookies being set. So, you want to inform those EU users. Do you want to comply even if you find that idea objectionable? Or do you think it is actually a good idea to inform your visitors? In the latter case, devise a mechanism that applies to all visitors and save yourselves the effort of trying to determine where your visitor is located.
2. Forget about any mechanism that relies on permanent cookies. Savvy users already avoid them as much as possible and are bound to be annoyed by repeatedly being confronted with an obtrusive banner.
3. Look at how some other sites have solved the problem. A clearly-visible link (that stays visible, for everyone), similar to how the Mirror has implemented it seems like a good approach to me
4. I do not think any approach to have different 'levels' of cookies is a good idea, because inevitably this will rely (again) on a permanently-stored cookie: it will likewise fail with users who already manage their cookies.

Conclusion

So: keep it simple:

• inform your users what, exactly, you are using cookies for (all of them);
• what will happen if they choose to allow only session cookies (most things will work!);
• and what will happen if they do not accept cookies at all (some things will still work!).
• Also give them some pointers on how they can manage such settings in current browsers (don't forget Opera and Chrome!), link to their information pages, and link to a page or a search where they can find the corresponding information for browsers not listed.

It will also be a good idea to inform all your users (those who have an account) what will happen with these banners (or a better solution!!), and also provide Power and Pro users with a way to see what is happening on their own site even if they, themselves, are not located in the EU. Newsletter?

Finally, just one screenshot (with comments) that shows how badly the current 'cookie bar' can mess with layout and be impossible to even close:

iamback

Andy wrote: »

Perhaps you can elaborate then, as I truly do want to help
... I'm standing by.

See my next post. Very elaborate.