My understanding is that, as of 25 May, UK websites which use cookies will be required to be able to prove that users have given informed consent to receive the cookies. This means it is no longer sufficient to mention cookies in your privacy policy, you need to demonstrate that users positively opted in.

So two questions - under what circumstances does Drupal use cookies? I guess when you log in it uses a cookie, but do anonymous users ever get cookies? How long are the cookies stored and what data do they contain?

Any owners of UK websites, what are you planning to do? The law seems pretty stupid and unenforceable, and something which would be better done by the browser. But it appears that individuals can claim compensation, so just because the ICO could probably never enforce it, doesn't stop some anorak taking you to court because they have a grudge.

Any opinions welcomed, I'm not sure what to do myself. If cookies are only used after a user logs in, then presumably a message on the registration page would be sufficient (the fact that they have an account proves they agreed to the message)? IANAL of course.

Comments

zubo01’s picture

Can you provide the legal reference please...

not sure how on earth this could possibly be enforced...

morello80’s picture

http://www.ico.gov.uk/~/media/documents/pressreleases/2011/cookies_regul...

It looks like they are giving it a bit of time to see how things go (because they probably have no idea how to enforce it either).

Cookies can be exempt if they are "strictly necessary" to a function the user has explicitly requested, they gave the example of a cookie used to carry goods to the checkout. No idea if this applies to, say, a session cookie used to store the fact that you are logged in?

suthagar’s picture

subscribing

greggles’s picture

It seems there are now two modules which try to solve the problem:

http://drupal.org/project/cookiecontrol - which is Drupal 7 only
http://drupal.org/project/eu-cookie-compliance - which is for Drupal 6 only

Whether or not these actually are 100% in compliance is hard to say. It's also worth noting that both modules require you to audit your own code that sets cookies and add conditionals around it to prevent setting cookies if the user has opted out.

--
CARD.com :)

gpk’s picture

http://drupal.org/project/cookiecontrol has an open issue about a D6 backport (a technical issue needs to be solved)
http://drupal.org/project/eu-cookie-compliance now has releases for D5, D6 and D7

Both modules give you an explicit option to accept cookies but how they handle users who don't want cookies is different. Both have demos which are helpful.

As of the date of writing this (26 May), with eu-cookie-compliance, if you don't want cookies then it looks as if you need to not use the website in question (or, presumably, change your browser settings).

cookiecontrol seems to inhibit the setting of cookies (e.g. from Google Analytics) until you consent, though on the demo site a couple of cookies *are* still set on your first page view. Possibly these are exempt from the restrictions (essential for functioning of site).

jpcwebb’s picture

I too am looking at this - I think all CMS systems will need to be aware of and adapt to this because many many modules use cookies as well as the core functionality of systems like Drupal. Ideally what you need is a module that displays a user acceptance box as the user enters the site for the first time and explains what cookies will be placed on their computer and what they're for (and each plugin module will need to feed into this so that the cookies list is generated automatically by the system), and that asks the user to click yes to accepting the use of cookies which is then recorded in the database with their ip address, the date and time and then you have a traceable record of their acceptance if they ever decided to complain to the contrary (plus if they say no, the site can redirect them to where they came from).

I don't think this has been very well publicised until it made it to the news today. I also think it will be un-policable and be done on a reactive basis only - but that does leave all websites potentially vulnerable and liable.

MakeOnlineShop’s picture

Host your websites abroad !

MakeOnlineShop’s picture

I would really like to understand why you care about so stupid rules...

Daemon_Byte’s picture

Because failure to comply carries a £500,000 fine. Not something easy to overlook even if it is a stupid law created by ignorant people desperate to look like they are doing something.

andrewmacpherson’s picture

No, I'm afraid hosting your websites abroad won't get you off the hook. If your organization is based in the EU jurisdiction then you are affected by the directive and its implementations, regardless of where your web server is.

ottawadeveloper’s picture

Source? I was pretty sure your website is principally bound by the legal requirements of where your servers are hosted (ie a site hosted in Canada has to follow Canadian privacy laws, Canadian spam laws, Canadian IP laws, etc). There was a case about Yahoo Auctions! selling Nazi memorabilia a while back that settled that I thought.

In the EU, complaints against somebody online (harassment, etc) have to be filed in the defendant's jurisdiction. That's kind of vague when it comes to corporations though (at least, if they're multi-national).

Daemon_Byte’s picture

I believe the way they see it is that if the website can be used by people in Europe then effectively the company owning the website has to comply with EU laws. That goes for cookies but also for anything else like e-commerce, if you target EU citizens then you have to obey the EU laws. And if your company is in the EU you certainly won't escape by saying Amazon US hosts my site.

http://searchsecurity.techtarget.com/tip/For-US-companies-EU-cookie-comp...

morbiD’s picture

(Here's a link to the actual advice document: http://www.ico.gov.uk/%7E/media/documents/library/Privacy_and_electronic...)

This law is a complete mess in terms of providing adequate compliance instructions. I've been following the news about it for months, waiting for some actual, useful information to emerge. I'm still none the wiser...

As previously mentioned, the ICO document states that the only exception is if "what you are doing is ‘strictly necessary’ for a service requested by the user." The example given is a shopping cart, but that's as far as it goes. There is no specific guidance on whether this exception applies to login sessions. Can that be considered a service requested by the user?

The document does state, "The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website." Perhaps staying logged in is considered to be a user preference. Who knows?

Anyway, with regard to Drupal specifically, it creates a session cookie and a "has_js" cookie at the moment someone hits any page. At that point the user has not specifically requested any service whatsoever, and the cookies are being created before any form of consent can be provided by the user, so as I understand it, Drupal websites break this law by default.

There seems to be a dev module for Drupal 6 to disable anonymous sessions which would give you a chance to get the user's consent before cookies are created. However, it breaks certain things, as mentioned on the project page. See http://drupal.org/project/no_anon

Apparently Drupal 7 has something similar built into core and on my test server I don't get any anonymous session cookies. However, I do still get the "has_js" cookie which means we basically still have the same problem.

As for the suggestion to host sites outside the EU; I can't see that holding water. If a company is based in the UK, it is presumably liable for its websites, regardless of where they are hosted. The authorities couldn't take down the site, but they could still fine you.

bib_boy’s picture

yes, something is urgently required for EU sites. I run multi Drupal sites and have to conform to the new regulations very shortly. Cookies as morbiD says above (session and has_js) are created for anonymous users so not just logged in users. Other modules create cookies as well for anonymous users e.g. DHTML menu.

By the time a user has entered a site the cookies are already deployed so we need to catch this somehow as a person enters the site.

I think that having a pop-up before entering a site is rather off-putting and looks suspicious to a user. So as a preference it would be better to 'turn off' all cookies for anonymous users. For logged in users we can catch and warn them easily before they log in.

What do we do Drupal?

[to view cookies used by a webpage in firefox i use the web developer tool under: tools->web developer->cookies->view cookie information]

Patroclas’s picture

I don't agree with the interpretation of the regulations being discussed here. In the advice document referenced above, paragraph (2) talks about the user giving consent for cookies to be set and then...

(3A) For the purposes of paragraph (2), consent may be signified by a
subscriber who amends or sets controls on the internet browser which
the subscriber uses or by using another application or programme to
signify consent.

So I interpret that as saying that if a user has their browser set to accept cookies, they have consented to accept cookies. And if they have blocked cookies in their browser, they have not consented.

So this is not a problem for Drupal IMHO.

morbiD’s picture

That paragraph sounds nice in theory, but if you read the rest of the document, you will find a section titled, "I have heard that browser settings can be used to indicate consent – can I rely on that?" That section states:

At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.

The section after that (see page 6) goes on to describe various options for gaining consent.

The fact that most browsers default to allowing all cookies doesn't help in this respect. If browsers defaulted to blocking all cookies then you could much more easily assume that the users with cookies enabled have consented.

dwigglesworth’s picture

Subscribe

Patroclas’s picture

Even the advisory document quoted does not know how to implement this. It makes some suggestions but has no solutions. I can see that telling someone who registers on a Drupal site about cookies may be a requirement - and that is not difficult to implement - but there is no need for anything stronger than that.

rachelf’s picture

I see that the Information Commissioner's Office have today updated their website with some further info on this. Also, they've given businesses 12 months to comply, and they've explained how they've made their own website comply with the regulations. You might want to take a look at their website www.ico.org.uk or take a read of their news release from today www.ico.gov.uk/~/media/documents/pressreleases/2011/enforcement_cookies_...

This is my own interpretation (apologies - the first few points state the obvious, but my intended audience was my non-techie clients):

1. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

2. The UK government has revised the Privacy and Electronic Communications Regulations, which come into force in the UK on 26 May 2011, to address new EU requirements.

3. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.

4. Organisations and businesses that run websites aimed at UK consumers are being given up to 12 months from 26 May 2011 to ‘get their house in order’ before enforcement of the new EU cookies law begins.

5. The ICO advises that businesses with websites should:
"a. Check what type of cookies and similar technologies you use and how you use them.
b. Assess how intrusive your use of cookies is.
c. Decide what solution to obtain consent will be best in your circumstances."

6. The ICO state:
"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."

So, so far I've informed my website clients of the above, and I'm leaving the ball in their court as to how or if they want to address this.

For the sites I've got up and running the only cookies I've found (for anonymous users) are:
1. session id cookie - I would class this as 'essential for the running of the site', but I might go into the settings.php file and change the lifetime to zero so that the browser cookie is deleted on browser close: ini_set('session.cookie_lifetime', 0);
2. 4 cookies set by google analytics
3. 1 cookie called has_js which is deleted on browser close

but I know this number of cookies will depend on which modules you have installed.

If my clients want full compliance, I'll probably do something similar to the ICO site, detailing these cookies in the privacy statement, and using a tick box for consent (although I think I'll try and avoid putting it into my html content ahead of everything else...). But my gut feeling is that the ICO is giving businesses a year so that browser technology can catch up and this can be dealt with under the catch all of browser settings.

(For any sites with registered users, I think I would add something into the registration process that explains the cookies and obtains consent, as morello80 suggested in the initial question).

Just glad I'm not involved with any cross-site advertising...
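An added example, not part of the post above or of any Drupal module: a small JavaScript audit that does the inventory step quoted from the ICO advice ("check what type of cookies ... you use") by classifying each cookie as session or persistent and reporting its lifetime. The cookie strings, the session cookie name and the audit date are constructed sample values; the session lifetime of 2000000 seconds is an assumed setting.

```javascript
// Added example: cookie inventory from cookie strings.
// Set-Cookie headers and document.cookie assignments share the same
// "name=value; attr=value" syntax, so one parser covers both sources.

function parseCookieString(line) {
  const parts = line.split(';').map((s) => s.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name, nothing to audit
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1), attrs: {} };
  for (const p of parts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Seconds until the cookie expires, or null when neither Max-Age nor
// Expires is usable, which means the cookie lasts until the browser closes.
function lifetimeSeconds(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) return parseInt(maxAge, 10);
  const expires = cookie.attrs['expires'];
  if (typeof expires === 'string') {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

function auditCookies(lines, now) {
  const report = [];
  for (const line of lines) {
    const cookie = parseCookieString(line);
    if (!cookie) continue;
    const seconds = lifetimeSeconds(cookie, now);
    let kind;
    if (seconds === null) kind = 'session';
    else if (seconds <= 0) kind = 'expired'; // a deletion, not a stored cookie
    else kind = 'persistent';
    // Lifetime in days, one decimal place.
    const days = seconds === null ? null : Math.round(seconds / 8640) / 10;
    report.push({ name: cookie.name, kind, days });
  }
  return report;
}

// Constructed sample: what an anonymous first page view might produce.
const SAMPLE_NOW = new Date('2012-05-26T12:00:00Z');
const SAMPLE_SESSION_NAME = 'SESS0123456789abcdef0123456789abcdef'; // constructed
const SAMPLE_COOKIES = [
  // Session cookie with an assumed lifetime of 2000000 seconds.
  SAMPLE_SESSION_NAME + '=constructedvalue; expires=Mon, 18 Jun 2012 15:33:20 GMT; path=/; HttpOnly',
  // The same cookie once session.cookie_lifetime is 0: no expiry attribute.
  'SESSlifetimezero=constructedvalue; path=/; HttpOnly',
  // The has_js cookie as written by misc/drupal.js.
  'has_js=1; path=/',
  // Constructed analytics-style cookies, one long-lived and one not.
  '__utma=1.2.3.4.5.6; expires=Sun, 25 May 2014 12:00:00 GMT; path=/',
  '__utmc=1; path=/',
  // A cookie being cleared.
  'old_pref=x; Max-Age=0; path=/',
];

for (const row of auditCookies(SAMPLE_COOKIES, SAMPLE_NOW)) {
  console.log(row.name.padEnd(40), row.kind.padEnd(12), row.days === null ? '' : row.days + ' days');
}
```

Feed it the cookie strings copied from the browser's cookie viewer or from response headers, and rerun it after changing session.cookie_lifetime to confirm the session cookie moves from persistent to session.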

carl.brown’s picture

When I first read about this, I did a brick, but the more I think about it, it seems that for the vast majority of 'legitimate sites' the process of informing users about cookie usage will be pretty straight forward: privacy policy coverage and a few tick boxes. The whole 3rd party cookie thing will be a bit more of a pain.
Sure, it will ruin the look of our uber-clean registration forms and make OpenAuth difficult I guess, but it will also be the norm.

The User's granular control over these cookies could prove problematic since it will obviously break certain functionality on the site. In many cases, you may have to assert that the user HAS to accept cookies A, B, C, and D but can disable E (where E is for analytics, for example), and so there are only 2 checkboxes.

I wonder what the default state of the checkboxes should be in this user account example for best practise? Could one assume that since the user is trying to create an account on your site, that you could have the boxes already ticked because the cookies are necessary for what they're trying to do?

You never know, this move might help with moving users with older browsers into the 21st century too. One can only hope.

Zapple’s picture

Subscribing

morbiD’s picture

Thanks for posting the update.

It still doesn't make any specific statement about how session cookies are regarded in the eyes of the law, BUT, the ICO have updated their own website with a consent checkbox and the really interesting thing to note is that their site still sets a session cookie before you give consent. This cookie is set to expire when the browser closes.

I would take that as an indication that Drupal's cookies are fine, especially if you set them to expire when the browser closes.

no longer here 578402’s picture

It also sets a cookie saying you've said no to cookies and seen the warning - although both of these seem to be session as they disappeared on browser close! I'd be interested to see how enforceable parts of this are as (for example) I don't want to have to "say no" every time I don't want to store a site's cookies - and if I use a database to store the note that A.N Other has said no to cookies - what happens when their IP changes? And if they aren't using IP what are they using?

Dave

NancyDru’s picture

Most of us use service providers who cannot guarantee your IP; you simply "lease" one of the range that they have for, usually, 24 hours. And if you use a laptop, it can vary by your location. And IPV6 makes this even more difficult to track. Forget IPs as any kind of indicator.

csc4’s picture

First up - thanks for the information and remarks not really addressed to you!

The ICO seem as confused as anyone - problem is not sure that's a legal defence.

The other obvious ICO issue is presumably they've never read the legacy browser stats on their site - the idea that everyone who visits or may ever visit your website will update to a browser version with this built in which doesn't exist yet within an arbitrary year when most browser development is US based and they don't have this law.... well I'm sure there's a word to describe that idea!

I'm also curious what the mobile device that's reading the website and can accept cookies and isn't a browser is? Isn't that a mobile browser?

tchurch’s picture

Subscribing

swilsondesign’s picture

Subscribing

mike dodd’s picture

I have had my first client request through now to update this site.

GA is setting some and I have the Has JS cookie and a mobile site plugin sets one as well. Not really sure what I am going to do this. Perhaps wait and see but I might try and take these 2 cookies off and just let it run its checks on each page load, slower page times but then it's only GA issues not Drupal and I can't see anyone being that worried about GA.

If Windows is the answer, it must have been a stupid question. -- Filip Van Raemdonck

david.a.king’s picture

sub

Vali Hutchison’s picture

Subscribe

darrenmothersele’s picture

John Yates’s picture

This may be helpful: http://www.advomatic.com/blogs/marco-carbone/drupal-privacy-configuring-...

CONFIGURING YOUR DRUPAL 6 SITE TO WORK WITHOUT COOKIES FOR ANONYMOUS USERS

Daemon_Byte’s picture

As far as I am aware Session cookies are allowed. This is to allow logins, shopping carts etc. However any cookie that is persistent requires permission. Basically every website in the EU over the next 12 months will be losing the ability to save answers or even logins all for the misguided idea it will stop a handful of advertising companies from not being able to track users. Given that Google and pretty much every other type of tracking software already has non cookie versions it's causing us headaches for no gain. Gah!

andrewmac’s picture

Subscribe

alexpeterson’s picture

Is anyone here planning on developing a module to tackle this issue? A pop up form could appear on site load (like ICO) to allow users to opt in/out of cookies on page load. Then based on this decision the site functions with or without cookies. Subscribe!

darrenmothersele’s picture

I believe it may be more than just a simple module install, as you'll need to make changes to session.inc where anonymous cookies are created.

skizzo’s picture

subscribing

Daemon_Byte’s picture

There is this module http://drupal.org/project/no_anon

That said drupal 7 I think already doesn't use cookies for anon users. If you want to do something like GA using this method is rather nice. http://cookies.dev.wolf-software.com/

aiypz’s picture

subscribing

Anonymous’s picture

subscribing

Anonymous’s picture

Just a drop in the ocean but thought this looked quite good for getting users consent for Google Analytics...

http://cookies.dev.wolf-software.com/

izmeez’s picture

subscribing

kumardevan’s picture

subscribing

suthagar’s picture

subscribing

DerekAhmedzai’s picture

The ICO have just released a new guidance report:
http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Pr...

If you don't have a PDF reader, here's a Google docs version:
https://docs.google.com/viewer?url=http%3A%2F%2Fwww.ico.gov.uk%2Fnews%2F...

WolfSoftware’s picture

At Wolf Software we have created a totally compliant plugin for ALL cookies, which will work with javascript and NON javascript web enabled devices, including all mobile devices and smart TV etc.

A demo is available at:
http://jpecr.dev.wolf-software.com

This will be on general release from Monday 19th Dec.

joachim’s picture

Looks good. Is that a Drupal module?

thetoast’s picture

Just wondering if the wolf-software plugin for google analytics should be included with the google analytics module.

thetoast’s picture

I had a look at the google analytics module and I don't think it can be adapted to use the wolf-software plugin because the GA module adds the js inline on hook_page_alter, so it's no good for cached pages.
One of the settings in the GA module under the Privacy tab is Universal web tracking opt-out, don't bother looking for it because it says "This feature is currently limited to logged in users and disabled page caching." Probably because of adding the js on hook_page_alter.
So anyway, this has come up on a contract I'm on and I need this functionality, so I'm thinking to bite the bullet and try and make a module out of the wolfs plugin. The challenge will be to get the same admin functionality like the GA module, by that I mean being able to do stuff like not adding ga on certain pages and user roles and all those other nice settings provided in the GA module. But I've got an idea for that. If I return those kind of admin settings in the Drupal.settings object I can then manipulate them on the client side to do stuff like when to execute the wolfs plugin, which looking at their code that would be somewhere before insertGA(). But there are some unknowns for me on how settings like Tracking links and downloads would need to be added (I'm unfamiliar with ga because I've always just used the GA module :-) ). It would mean adapting wolfs code but it states in the plugin it's GNU General Public License so we're alright to change it.
That's kind of the theory anyway. It's really down to my employees whether I can develop a module with that functionality or if they're happy with just using the wolfs plugin as is with a bit of customisation.
Thanks to wolf-software for making their plugin public.

btw, I'm referring to the jquery plugin from their site here http://cookies.dev.wolf-software.com/

thetoast’s picture

update....after a fresh look at it again this morning :-) I think the GA module can be patched, I've added some cookie checking code in the hook_page_alter when to execute the ga stuff and it seems to be working, I can't be 100% sure because the proof will be if the statistics have been/or not been added to ga. I'll need to tidy the code up and put an on/off switch in the admin setting, but once I've done that I'll find a suitable place for others to download and review. This isn't using wolfs plugin.

thetoast’s picture

I've got something working for this. There's just 5 lines (or is it 4) that need to be added to the googleanalytics module file (which isn't too bad), and the rest is handled by my module. I'll create a sandbox project for this so others can take a look at it, i'll try and create a patch for googleanalytics, if I can't I'll just add the updated module to the sandbox. Just a little bit of tidying up to do (coder etc).

thetoast’s picture

after using my brain a bit more i realised i can add my cookie check wrapper to the ga javascript with hook_js_alter, which now means I don't need to do any patching to the ga module :-), never did like the idea of having to patch that module.
Will run my module through coder, and just need to do some basic theming on the message, and then I'll create that sandbox project and hopefully get some feedback from those interested.

Daemon_Byte’s picture

sounds good. We just ended up removing GA since we don't really use it but could be useful in the future :)

thetoast’s picture

So here it is, my sandbox module http://drupal.org/sandbox/thetoast/1414160 , there's a dependency on the googleanalytics module for my module to work and when you've installed my module please visit the configuration page. Feedback is more than welcome.

DrupalGideon’s picture

Hi Nikos

Just downloaded the module but saw the install file is named gs_opt_out.install when all the other files are ga_opt_out.xxxx

Not tried it yet, but would there be much work needed to get this working on D6 at all? If you want help with it, let me know.

Formerly SkidNCrashwell. Changed my username to reflect my Twitter handle.

thetoast’s picture

Hey Gideon :-)
thanks for spotting that, I've updated git to reflect the file name change.
As for back porting it to D6 I think I might struggle because one of the key hooks to get this working was hook_js_alter which isn't available in D6.

ludo1960’s picture

subscribe

no_longer_active_123’s picture

subscribing

etlsnhy’s picture

This looks like a great discussion about the general privacy policy, but I'm not sure anyone has answered the original question. What cookies does Drupal set, and what is their purpose? Google has a good description of their cookies online here (http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.ht...). Does anyone know of a similar document for Drupal?

Daemon_Byte’s picture

It depends on modules set but as far as I am aware vanilla Drupal only sets the one session cookie. In D7 this is only created when the code requires a session so vanilla Drupal will not set a cookie for anon users at all.

budda’s picture

Some additional guidelines have been published in 2012 ahead of the enforcement date.

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communica...

ice70’s picture

hmmm.....

'Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided.'

But the stats at the start of the document state that 37% of surveyed users know what cookies are. So why would the majority of EU users be expecting information on something they are not aware of?

There were lots more similar contradictions in the pdf, but pointing them out isn't really going to help anyone.

This does have the feel of the accessibility guidelines and what sites 'must' and 'should' adhere to to prevent prosecution under The Equality Act [or the old Disability Discrimination Act (DDA)]. There was a lot of concern over prosecution and confusion as to what some of the guidelines actually meant.
As of 1 February 2012, the RNIB stated: We are not aware of any case which has been brought to court in the United Kingdom to date.

Looking at the section

Enforcement and penalties

It looks like if you are targeted, you will be asked to provide information. Based on that information suggestions will be made as to how you will improve the situation on your site. Failing to carry out those improvements will result in an enforcement notice. Ignoring that will lead to court which may lead to a fine. I think you are going to have to try quite hard to get a fine of £500k and those that do get the fine are probably doing something that encouraged it, by...

seriously contravened the Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress

A little more serious: The site I have in mind requires people to register to use it fully. From my limited understanding of Drupal cookies, the anonymous session cookies should go once the browser is closed?
For those that sign up to the site we can simply add a checkbox to the registration to state they are happy for the use of cookies. It's not checked, then no registration. I think there is a T&C module for D7

But for those who are already signed up... ?? A mailer to each of them asking for their consent? Disable their accounts until they have consented? What would be the best approach to make current users aware that they have to read and accept the new cookies info, before they can carry on with using the site?

Thank you
ice70

cjeyes’s picture

subscribe

ludo1960’s picture

So what's the solution? Anyone? Don't have a spare £500K at the moment...

Daemon_Byte’s picture

completely depends upon what type of website you have, what functionality it has, what version of drupal you have etc. etc. For me it was easy since I use drupal 7 and it's an e-commerce site session cookies are allowed for baskets and that's all I use. Meant dropping GA but the website owner never used it anyway.

versantus’s picture

D7 sets a has_js cookie for anonymous users before they've done anything else. Do you deal with this at all?

versantus’s picture

I think we have a solution that works well for D7. It's comprised of two parts
1. Wrap the Google Analytics (or other tracking/breaching code) inside Cookie Control (http://civicuk.com/cookie-law/index) which is a neat little widget that you can easily add
2. Deal with the has_js cookie with a custom module which will strip out the offending code unless the user has allowed cookies (or is logged in). The has_js cookie is set in ROOT/misc/drupal.js and so a bit of jiggery-pokery is needed to remove it.

The custom module is almost ready, but has some bugs. If anyone's interested I'll post it here when it's done.

thetoast’s picture

I'll be interested versantus to have a go with your module, I've come up with another solution which bolts onto the google analytics module and works with page caching http://drupal.org/node/1153064#comment-5508578

versantus’s picture

Thanks, thetoast.

I like the idea of having a bolt-on to Google Analytics, but I'm not sure if your code also addresses the 'has_js' cookie, which is set by Drupal before any modules kick in?

The code below checks whether you've already got a cookie, and if not it removes the line in misc/drupal.js which would set a 'has_js' cookie. It doesn't specifically deal with preventing loading of any other scripts such as GA (that's dealt with by Cookie Control at the moment - this module is specifically intended to clean up the 'has_js' cookie).

I'm sure there are lots of improvements we could make here, not least:

  1. I'm not sure if removing this 'has_js' cookie will break anything important?
  2. Like in your module, we could make this user or role specific
  3. Rather than just saying "You have enabled cookies", we could actively invoke the other cookie-setting code (Google Analytics or whatever), and obviously this would need to be set in an admin interface somewhere.... This would mean Cookie Control was being used purely as a prompt to the user (and so in theory you could use anything else to set the initial 'I want to allow cookies' cookie.)

Feedback very welcome!

I'll also have a proper look through your module. This is an impending problem for many of us, so it would be good to work together on a good solution, if you think we can.

<?php
/**
 * Implements hook_js_alter().
 *
 * If the request carries no cookies at all (the visitor has not accepted
 * cookies yet), serve misc/drupal.js inline with the line that sets the
 * 'has_js' cookie commented out.
 */
function nohasjscookie_js_alter(&$javascript) {
  // An empty cookie array is treated as "has not accepted cookies".
  if (empty($_COOKIE)) {
    $misc_drupalJS = file_get_contents(DRUPAL_ROOT . "/misc/drupal.js");

    // Strip out the cookie setter.
    if ($misc_drupalJS && isset($javascript['misc/drupal.js'])) {
      // The dot is escaped so only a literal "document.cookie" matches.
      $pattern = '/(document\.cookie = \'has_js=1; )/i';
      // Prefixing the statement with // turns the rest of its line into a
      // JavaScript comment.
      $replacement = '//removed by nohasjscookie: ${1}';
      $misc_drupalJS = preg_replace($pattern, $replacement, $misc_drupalJS);
      // Swap the file reference for the patched source, added inline.
      $javascript['misc/drupal.js']['type'] = 'inline';
      $javascript['misc/drupal.js']['data'] = $misc_drupalJS;
    }
    drupal_add_js('jQuery(document).ready(function(){alert ("You have not accepted cookies");})', 'inline');
  }
  else {
    drupal_add_js('jQuery(document).ready(function(){alert ("You have accepted cookies");})', 'inline');
  }
}


thetoast’s picture

This is just a hunch, but has_js might be used for ajax stuff. But to be honest, I don't know how the has_js cookie has an effect on that privacy law. Ideally, what I'd like to see in the google analytics module is the "Universal web tracking opt-out" option working for anonymous users, that option is found under the Privacy tab on the google analytics config page admin/config/system/googleanalytics.

guybrush’s picture

Some cookies are exempt from the ruling, and an example given at http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Pr... is:
"Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers."

It might be possible to argue that detecting Javascript is necessary to provide faster page loads through the use of Ajax by distributing the workload between the client and server, and therefore qualifies as an exception.

BenWrighton’s picture

"[has_js cookie] is used only by the batch processing API so that it can know when to show a fancy progress bar while processing batch jobs." - source

carl.brown’s picture

Would it be fair to say that this approach wouldn't work with Page caching and JavaScript aggregation enabled?

There has to be a better way to stop the setting of this cookie without having to overwrite the drupal.js file?

From a quick grep of Drupal core, it seems that this cookie is only used by the Batch API. Administration Menu contrib module seems to use it quite a bit but nothing else that I've come across so far. I thought that Views' ajax bits would, but there's no checks for it that I can find.

scottml’s picture

subscribe

Joe90’s picture

Well this doesn't make sense. I visited the ICO website, ignored the Cookies opt in, and was able to browse all over their site. Yes, the banner remained on view, but didn't stop me viewing (or I assume receiving cookies from the site). The irony of it all is that by opting in, I am guessing that the site must set a cookie to prevent a re-appearance of the banner on subsequent visits! (Apologies if I have missed the point somewhere along the line)

Nevertheless the threat of an up to £500K fine on my charity's website will be enough for me to do much the same.

Hackfall’s picture

The ICO website cloaks the Google Analytics code unless you accept cookies. If you do accept cookies then one is set that is checked for on each page. If it is present then the GA code is not cloaked and you are tracked.

FWIW and I might be wrong but my interpretation of the EU law is that cookies that are essential to provide functionality to the website such as for shopping carts, navigation, user options etc are allowed without opt in. Cookies that are or may be used by the website owner or others to track or analyse user behaviour or to make changes not requested by the user such as displaying different ads based on behaviour do require opt in.

Exemptions from the right to refuse a cookie

The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

  • for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

If you use Google Analytics or a similar service that uses cookies created (in part) by code triggered by a script on your website or web page, or you set other cookies for some non-"essential" purpose then you will have to get explicit opt in from that user.

swilsondesign’s picture

This has extended well beyond D6 but you should read this http://www.ixis.co.uk/blog/european-cookie-issue - there's a module for that!

S

Marcin Pajdzik’s picture

I need at least a temporary solution as soon as possible for Drupal 6. Unfortunately the Cookie Control module http://drupal.org/project/cookiecontrol is only working with Drupal 7. It requires a minimum of jQuery 1.4.4 which is not supported for Drupal 6.

I created this module for Drupal 6: http://drupal.org/sandbox/marcin_pajdzik/1538032
It needs reviews at: http://drupal.org/node/1538196

BenWrighton’s picture

You can include a later version of jQuery in your user facing theme. jQuery handles two versions of itself pretty elegantly. As long as your admin theme doesn't have a newer version of jQuery there shouldn't be any ill effects, that's been my experience anyway.

But the Cookie Control module still needs some work IMHO.

In any event the Cookie control solution is not hard to implement without the module.

budda’s picture

All issues fixed for Cookie Control (D7). Dev snapshot has all the latest in, and a sub-module for sorting out Google Analytics too.

Needs testing before I roll a full release please.

homebrewruss’s picture

Has anyone considered using a server side implementation of Google analytics, e.g. PHP-GA?
http://techpad.co.uk/content.php?sid=205
http://code.google.com/p/php-ga/

Seems like it might be a good solution if you're already using Google analytics

dagomar’s picture

@homebrewruss
I was wondering the exact same thing.

Dagomar Paulides
B.A. Digital Media Design
Partner @ Online Agency

Matt B’s picture

Me three! This would mean I was not setting a cookie for Google Analytics, meaning in general my sites only use the session cookie, which I can put a notice on the registration form about.

Daemon_Byte’s picture

Exactly the reason the cookie law is so stupid. It's using a broad weapon to try and tackle a method rather than the actual behaviour itself so everyone just moves to another method and that actually leaves the user under the illusion they are no longer being tracked.

Matt B’s picture

Depends if you tell them or not. You can put something in the site terms that you are tracking their usage of the site.

Daemon_Byte’s picture

Oh of course you could do that but those who are unscrupulously using tracking for whatever reasons the EU has decided is wrong without informing the user of the cookies will still be doing whatever it is that was wrong and still not having to inform the user.

Matt B’s picture

provides very basic support for php-ga...

http://drupal.org/node/1615768

Marcin Pajdzik’s picture

A module for Drupal 6 available here: http://drupal.org/project/eu-cookie-compliance. Backport for Drupal 5 will be available soon.

ludo1960’s picture

Thank you very much, one less problem in life to deal with. Got to give the heads up to a description of the issue from a respected colleague "just another case of Brussels trying to straighten our bananas" Quite right me thinks!

DerekAhmedzai’s picture

ICO have updated their guidance to say that implied consent is going to be OK.

From http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-priva...

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-imp...
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communica...

rachelf’s picture

Thanks for that update - that's a pretty last minute climb down.

Having followed the link to the Guardian's site, I see that that's the approach that they adopted. Has anyone come across a module that implements a similar solution to the Guardian? (i.e. displays something like "This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more about our use of cookies here", which you can then hide).

gpk’s picture

Try the eu-cookie-compliance module. See comment by greggles near the top of this page.

I must say that the Guardian's notice was so unobtrusive I didn't see it...

Daemon_Byte’s picture

The BBC is doing the same thing although you will definitely notice that one. I believe however putting it in say a privacy page that is linked in a footer menu wouldn't count.

aiypz’s picture

I've just been to the HSBC site, at the time of writing this comment, they just have a small text block on their business homepage and nothing on their Personal homepage.

See: HSBC business cookie notice

nickbits’s picture

Hi All,

In my opinion this is a dumb law, however it is here and we have to follow it. I like the look of the Cookie Control Module, but most of my sites are D6 and hence am using the EU Cookie Compliance module.

Not a problem, what I do worry about is that there is no common methodology/interface. So for example to see if the user has accepted cookies or not there are different variables/settings/functions between the two modules.

Here comes why that is an issue:

  • I submit a patch to the "Google Analytics" module (or any other that uses cookies).
  • My patch checks to see if a "Cookie Control Module" such as the two named are installed. (there needs to be a common call or function for this rather than checking for say 10 different modules).
  • If there is a module installed then:
    • My patch then checks if the visitor is in the EU or assumes they are (common call here?)
    • If in the EU, then display popup (what ever) to ask for approval
    • If given, run additional code (insert GA, etc.)

The problem is if there are multiple modules for checking for authorisation, then you have to check which module is installed, run the correct code, etc. Soon every module with cookies will be bloated.

This may already be there and I and others have missed it, but what I think we need is a common way to add cookies, a hook or something similar (in JS) where by they can be controlled by another script. Can anyone tell me if that has been done, or is being done? Would make life a lot simpler especially if it got into core for 8.x.

------------oOo----------------------
Nick Young (www.nickbits.co.uk)
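The common JavaScript hook proposed above, combined with the consent-cookie check described earlier for the ICO site, could look like the following. This is an added example, not code from Cookie Control, EU Cookie Compliance or the Google Analytics module; the cookie name `cookie_consent` and the functions `parseCookies` and `createConsentGate` are hypothetical.

```javascript
// Added example: one shared consent gate that any module can register with.
// All names here are hypothetical, not taken from any Drupal module.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a "a=1; b=2" cookie string into a Map. Names are matched exactly,
// so "xcookie_consent=1" or a value containing "cookie_consent=1" never counts.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                       // no name=value pair
    const name = part.slice(0, eq).trim();
    if (!name || jar.has(name)) continue;       // nameless or duplicate: first wins
    jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// store: { read(): string, write(cookie: string): void }
// In a browser: { read: () => document.cookie, write: c => { document.cookie = c; } }
function createConsentGate(store) {
  const pending = [];   // non-essential setters waiting for opt-in
  const ran = [];       // names of setters that have run, kept for auditing
  const hasConsent = () => parseCookies(store.read()).get(CONSENT_COOKIE) === '1';
  const run = (item) => { item.setter(); ran.push(item.name); };

  return {
    hasConsent,
    ran: () => ran.slice(),
    // Modules call this instead of setting cookies or injecting trackers directly.
    register(name, setter, { essential = false } = {}) {
      const item = { name, setter };
      if (essential || hasConsent()) run(item); else pending.push(item);
    },
    // Called by whichever banner module is installed when the user opts in.
    grant() {
      store.write(CONSENT_COOKIE + '=1; path=/; max-age=31536000; SameSite=Lax');
      pending.splice(0).forEach(run);           // drain the queue exactly once
    },
  };
}
```

Because the check runs in the browser, the same cached page can be served to every anonymous visitor, which avoids the page-caching problem raised about the server-side `$_COOKIE` check.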

yang_yi_cn’s picture

subscribe

GinaF’s picture

Sorry for the really basic question...
Am I right in thinking that the module eu-cookie-compliance just informs you the first time you visit the site that it uses cookies?
So, if I don't agree to allow cookies, I would simply have to go away and not use the website. But if I happen to go to the site again (not remembering that I visited it before), there is no cookie alert.
Does that count as an acceptable warning of cookies? (I really hope so)

nickbits’s picture

That is a question probably better asked on the eu-cookie-compliance issue queue. That is my understanding of both the eu-cookie-compliance and cookiecontrol modules. From my understanding, and I am by no means an expert, if you have explicitly said okay, then if you come back to a site then you have already acknowledged you are happy with cookies. The latter module, cookie control, does at least keep a permanent visible box (a diamond or triangle) that lets you change your mind. It is Drupal 7 although there is a Drupal 6 patch in the issue queue.

It is worth noting that neither module, as far as I am aware, actually does anything other than display a warning, you still have to use the code to disable or enable cookies as appropriate.

Hope that helps.

------------oOo----------------------
Nick Young (www.nickbits.co.uk)

GinaF’s picture

Thanks for your reply.
I do think, though, that my question is relevant to the whole cookie law debate & how to comply...

I was asking - If you leave the site because you don't agree to cookies, when you next return there is no longer a cookie warning notice. Is that OK, or should you be warned again because you hadn't given any response?

EDIT - Sorry, I was wrong - the popup is still there if you re-visit the site.