24 - March - 2012

The European Cookie Issue

Post by Mike C
Ixis Service

The EU Privacy Directive was announced in May 2011 to much groans and disagreement. In 2012 we see the rule being enforced from May 26th - but are you prepared yet?

The UK government has updated the Privacy and Electronic Communications Regulations in response to the EU Privacy Directive but many UK websites have probably forgotten, or chosen to ignore, the upcoming changes with a risk of being fined up to £500,000 for a serious breach of the law.

What is the EU cookie directive?

The aim of this legislation is to increase online security and data privacy, giving users more control over what data can be held about them. It addresses how personal information is held and used.

The legislation forces websites to be transparent about how they are using cookies, detailing exactly what information each cookie holds and how long it will be held, and requires them to actively request permission from their users before cookies can be used.

Previously, the law dictated that websites had to explain how they were using cookies and how users can ‘opt out’. Most sites did so in their Privacy Policies, but this isn’t enough under the new law:  users now have to ‘opt in’, having been made fully aware of the implications of doing so.

How sites reacted to the new requirements has been mixed, and even more difficult for organisations who have had their site custom built long ago and no longer have access to the same developers to shoe horn in the changes.

Thankfully open source content management systems like Drupal bring a number of bonuses to the user:

  • You're not alone having to support the new changes as there's thousands in the same position as you on the same platform as you.
  • It's quite likely somebody has already done the research and solved the problem and can be used as a reference point for others.
  • Use of APIs make it easier to integrate new features around existing functionality on the website.

What cookies are used for

Popular cookies on a large number of sites come from a few sources:

  1. Web analytics software, such as Google Analytics, counts the number of visitors to each page of a website as well as how often the same person returns to a website.
  2. Banner advertising often employed to fund the websites content and development often use cookies.
  3. Having the ability for visitors to log in to the website and customise their experience.

There are lots more - from simple things like having a YouTube video or Google Map embedded on your site, sharing pages with social networking sites, to simple things like allowing the text on pages to be made bigger or smaller and remembering the selected size.

For more in-depth details read the different types of cookie usage and what "level" they fall in to blog post at cookielaw.org

To find out what cookies your site is setting enter your website url on the Cookie Cert database site. It can take as long as two hours for your site to be checked, so don't expect an instant result!

What others are doing

We've taken a look at some UK Government sites to see how they are implementing their own rules.

gov.uk - includes a 'beta warning' modal pop-up which includes a message "N.B. This site uses ‘cookies’ and Google Analytics. Closing this page sets a cookie so you don’t see it again. There’s more information on cookies at AboutCookies.org." Every page also contains a link in the footer pointing to their very clear and helpful cookie information page.

bt.com - this is a really slick and informative user experience for cookies. Click the 'change cookie settings' link in the footer to reveal a pop-up detailing all the cookies being set, their purpose, and a nifty slider to control how many cookies are used.

ico.gov.uk - displays a drab almost hacked in like message box at the top of their site with a consent tick box. A good example of how the cookie consent requirments could damage your sites nice design.

The Solution

cookie control pop-up user interfaceTo address the requirements of the cookie law we need to have consent from the site visitor before any cookies are set. Before consent is granted by a user they should be provided with information about what the cookies will be used for and your sites privacy policy.

The Cookie Control widget from Edinburgh based CivicUK appeared to be an elegant and consistent answer to the cookie requirements. The user interface provided a simple pop-up in the bottom corner of a visitors web browser with minimal options to complicate things.

The Cookie Control is added to any site using JavaScript along with some configuration options to fit with your site.

Drupal gets it easy

For Drupal 7 powered websites Ixis made it even easier with the development and release of the Cookie Control module on drupal.org to wrap up all the configuration options and Javascript code embedding in to a Drupal administration web page, easy!

For developers there's a few JavaScript callbacks to hook in to. These should be used to only execute JavaScript which uses cookies if the user has already given consent. Details can be found on the Cookie Control project page and in the README.txt file provided with the module. One example use for these functions is to only run the analytic tracking code when consent is granted.

CivicUK are working on some new additions to the Cookie Control project which we'll be integrating in to the Drupal module as soon as possible. In the mean time - if you're running a Drupal 7 site for EU visitors it would be well worth considering installing the module earlier than May 26th to ensure you comply.

To find out more about the Drupal module and download the code visit http://drupal.org/project/cookiecontrol

Mike C

Managing Director

12 years of Drupal development wrangling and a background in digital project architecture.

Comments

Thanks to all at Ixis for developing this module.

David Eyre

Add new comment

Share this article

Sign up to our newsletter!

Our thoughts

Let's work together

Get in touch and find out how we can empower your organisation.
Back to top