HTML Logo by World Wide Web Consortium (www.w3.org). Click to learn more about our commitment to accessibility and standards.

Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Cookie Consent

Login / Search

 [ Join | More ]
 Add topic 
Posted
Rating:
#109236 (In Topic #21471)
TQ
Avatar

Honoured member

Hi All,

Today my inbox contained a message from Google insisting that I must comply with the EU user consent policy by 30th September 2015.

Is there a drop-in script for OCP that I can use to ensure compliance or will I have to work this out for myself?

TQ
Back to the top
 
Posted
Rating:
#109238
Avatar

Ergh, madness.

I just dug through this and I can see the EU is insisting Google insist that adsense users apply this.

I can see the EU now provide their own tool for cookie management:
Cookies - European commission
If you say you refuse cookies, it then stores a cookie to say you refuse cookies! I don't know how anyone can be expected to comply when even the EU's own tools can't comply with their own wording. I wish that someone technically minded had gone through all the legislation and proposals to ensure it was consistent, accurate, and feasible.

Ages ago we made our policy on this clear, that we would minimise our use of cookies and have explicit opt-ins whenever something sets them. We took session cookies as not the kind of things the EU directive talks about, only permanent cookies.

If you're using adsense then I suppose it is prudent to try and integrate one of the cookie control kits (which really should be a web browser feature, not deployed haphazardly across each individual site…). I'll put a note on the tracker about it, but if anyone's responsibility it is adsense's to have better cookie configurability of its own JavaScript cookie control system.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
Posted
Rating:
#109267
TQ
Avatar

Honoured member

HI Chris,

Thanks for looking into to this ridiculous subject.

Google pointed me in the direction of Cookie Consent by SilkTide which I have implemented. I then ran their analysis which only gave my site a 8/10 rating (report attached)

So, I can chuck out the Facebook cookie as that is self serving, there are other ways to skin that cat. I guess Doubleclick is going be Google's Adsence cookie which I expected to be serviced by the Silktide script.

I suspect the two OCP cookies it found are going to be a problem and Google will surely threaten to cut me off. I haven't yet found a Google validation tool but I'm sure there is one out there somewhere.

The thing I like least about this method is that it seems to add another 2 seconds to my home page load time. It's already very slow because I have so much on it (which I must address), I don't need anything else clogging it up.

This method doesn't address the opt-out option, how could it without interacting with OCP itself?

This is a whole bunch of crap which I don't need, I hate that the EU have now found a way of dictating to me, when I run a site that people visit to get something for nothing and probably don't give a damn about cookies anyway.

OK, rant over, couple of questions...

I implemented the script at the end of HTML_HEAD.TPL, is this the correct place to add it?

Is there a generic cookie policy for OCP that I can copy?

Do you have a better way of doing this without going off-site with the script?

I'm open to any and all suggestions on how to address this issue, is there anything you would like to suggest?

Is a users ability to opt-in/out a feature I've missed?

Thanks

TQ

Attachment
EU cookie Consent report for Hamfiles
» Download: Hamfiles EU cookie consent report.pdf (56 Kb, 203 downloads so far)
Back to the top
 
Posted
Rating:
#109269
Avatar

I suspect the two OCP cookies it found are going to be a problem and Google will surely threaten to cut me off.

I think that is extremely unlikely.

Google are just doing what they have to do politically/legally, they're not going to start policing things.

I have never heard of the EU going after regular websites for cookies either. Maybe it's the kind of thing where a privacy rights group will rightly go after some company tracking users around the web.

i.e. It's really the ad companies who are the naughty ones, not cookies themselves. I think in the real world, that will and should be the target, and just the EU folks are incapable of writing the policies in a way that reflects the real intent, because they don't understand any of the technologies properly and hence write very reductive rules & guidance.

This method doesn't address the opt-out option, how could it without interacting with OCP itself?

I think the EU's script could delete cookies that were created, because JavaScript code can do that.
I don't know about SilkTide's.

I implemented the script at the end of HTML_HEAD.TPL, is this the correct place to add it?

Yes.

Is there a generic cookie policy for OCP that I can copy?

Should already be in default privacy page.

Do you have a better way of doing this without going off-site with the script?

For our default integration of Google Analytics we shortened the lifetime of Google Analytics cookies to something more reasonable. I doubt we can do anything regarding adsense though, and it's not something we have a default integration with.


Regarding the actual report…

Facebook and DoubleClick are exactly the kind of agents that the EU is rightly targeting. I don't like how they can track people around the web either, they should make better toolkits that handle more on local web servers rather than their own (e.g. Facebook should not have to run a Facebook JS script from a remote server unless you are actually logged in with it, they should provide a local script to run that sits in front of all that). But, it's part of these companies business model ("if you're not a customer, you're the product").

has_cookies is trivial. We have to interpret the spirit of the regulation given that the wording is totally off. has_cookies is set to 1 if you have cookies, it doesn't contain any kind of personal or tracking data.

ocp_session is a session cookie, not a permanent cookie. It is deleted when you close the browser. SilkTide should flag it as such. On pretty much any site sessions are implemented so that from one page to the next the site knows that it's the same user. That's tracking, but a necessary and very mild form of it.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
There are too many online users to list.
Control functions:

Quick reply   Contract

Your name:
Your message: