EU cookie law compliance

From The Smartest Wiki

Directive 2002/58/EC of the European Parliament and of the Council requires that cookies and other tracking "devices" be used on end-user machines only with informed consent:

"Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose." (Recital 25, Preamble)
"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. [...]" Article 5(3)

As of May 2011, EU Directive 2009/136/EC, which further requires consent to be obtained for the setting of any cookie that is used for tracking purposes, is binding on all EU member states:

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user." (Recital 66, Preamble)

As of revision 669, Smartest allows its users to comply with this law by showing a notification to users that cookies are used, and obtaining their consent.

Ironically, this functionality itself uses a cookie in order to know whether or not to show the message. However, cookies are only set once permission has been given, and the use of cookies strictly for functionality purposes, in ways that do not compromise the privacy of the user, is in any case permitted. Session cookies, and cookies that record whether other cookies are allowed, are therefore permitted, but Smartest will only set session cookies if cookie permission has been given, or if a feature is used that requires an active session, such as logging in to the back-end.

How it works

When this functionality is enabled, Smartest checks for a cookie called SMARTEST_COOKIE_CONSENT with a value of 1. If this cookie is found, a session is started. If not, Smartest sets no cookies and seeks the user's permission to set them. To obtain that permission, Smartest tries to display one of the following templates:

  • Sites/CURRENT_SITE_NAME/Presentation/Special/eu_cookie_warning.tpl, or if this file does not exist,
  • Presentation/Special/eu_cookie_warning.tpl

If neither file exists, Smartest will display its own internal default template, containing the following:

We would like to place cookies on your machine to help make this website better. <a href="#cookie-warning-dismiss" id="sm-cookie-warning-dismiss">I understand.</a>

The only thing that Smartest needs in order to start setting cookies is for a cookie called SMARTEST_COOKIE_CONSENT, with a value of 1, to be set on the machine. Clicking the link in the default template uses JavaScript to set this cookie, so the notice is no longer shown on future requests.
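The flow described above, as an added example that is not Smartest's own code: the consent check, the template lookup order and the dismiss link's cookie write. The cookie name, value, template paths and link id come from the page; the `Path`, `Max-Age` and `SameSite` attributes, the `exists` file-check callback and the assumption that the notice is the link's parent element are this example's own.

```javascript
// Added example (not Smartest's own code) of the consent flow on this page.
const CONSENT_COOKIE = "SMARTEST_COOKIE_CONSENT";

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Smartest's rule: a session (and any other cookie) is only used when the
// consent cookie is present with a value of exactly "1".
function hasCookieConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "1";
}

// Template lookup order from the page. `exists` is an assumed callback that
// abstracts the file check; null means "use the internal default template".
function resolveWarningTemplate(siteName, exists) {
  const candidates = [
    `Sites/${siteName}/Presentation/Special/eu_cookie_warning.tpl`,
    "Presentation/Special/eu_cookie_warning.tpl",
  ];
  return candidates.find(exists) ?? null;
}

// Cookie string the dismiss link writes. Path=/ so every request carries it;
// the one-year Max-Age and SameSite=Lax are assumed hardening, not on the page.
function consentCookieString() {
  return `${CONSENT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax`;
}

// Wire up the default template's "I understand." link (id from the page).
// Returns false when the link is not in the document. Assumes the notice
// text is the link's parent element.
function attachDismissHandler(doc) {
  const link = doc.getElementById("sm-cookie-warning-dismiss");
  if (!link) return false;
  link.addEventListener("click", (ev) => {
    ev.preventDefault();
    doc.cookie = consentCookieString();
    if (link.parentElement) link.parentElement.style.display = "none";
  });
  return true;
}
```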

If you use your own template, how you communicate with the user about their consent to allow cookies on their machine is up to you, but you will still need to make sure that the cookie is correctly named.

More information