
EU PECR rules on getting permission to use cookies - how can XF help make me compliant?

CTXMedia

Formerly CyclingTribe
#1
Not sure if the XF team are aware of the upcoming introduction of the cookie requirements of PECR (http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx) and whether XF will be updated in time to help me manage getting permission from my visitors and members?

From May 26th 2012 it will no longer be sufficient to tell people about the use of cookies on your site; you will now be obliged to get consent from your visitors to use them.

Since XF is my site I need it to manage this for me (or at least have an add-on that helps me manage it).

Are the XF team aware of the PECR changes and are there any plans for XF to include a built-in system for dealing with getting visitors' permission to use cookies?

Thanks,
Shaun :D
 

RobParker

Well-known member
#4
Are you willing to risk the fine if they don't ignore it?
We will be producing guidance on the way in which we intend to use these powers. The monetary penalty powers will apply only to the most serious breaches, such as cases where a large number of individuals have suffered distress as a result of persistent automated marketing calls.

From the quote taken from the site linked above and the fact that most (all?) government sites aren't currently compliant I don't think there's anything to worry about.

Having said that I assume someone could make a simple disclaimer that reroutes any link on your site to a disclaimer/confirmation page until you click ok and set a cookie to say you accept that the site uses cookies ;-)
 

feldon30

Well-known member
#5
Not sure if the XF team are aware of the upcoming introduction of the cookie requirements of PECR (http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx) and whether XF will be updated in time to help me manage getting permission from my visitors and members?

From May 26th 2012 it will no longer be sufficient to tell people about the use of cookies on your site; you will now be obliged to get consent from your visitors to use them.

Since XF is my site I need it to manage this for me (or at least have an add-on that helps me manage it).

Are the XF team aware of the PECR changes and are there any plans for XF to include a built-in system for dealing with getting visitors' permission to use cookies?

Thanks,
Shaun :D
It will be funny to watch the EU try to fine every website on earth. ;)

I thought only the US took unilateral action like this, acting like they "own" the internet.
 
#6
The ICO guidance says:

Companies who design and develop websites or other technologies for other people, must also carefully consider the requirements of these Regulations and make sure the systems they design allow their clients to comply with the law. The Information Commissioner would expect that any development of new software, or upgrades to existing software, would take into account the need to ensure products are compliant with these rules and broader data protection requirements.
So it could be that the developers of blogging and forum apps are responsible in this. Xenforo developers take note!

I see that sites like First Direct (bank) and Virginmoneygiving have made it a condition of use of the site that cookies are accepted. Therefore if you continue to use their site you have given consent. If you were to decide to use this approach all you need is a Privacy Policy that includes a detailed explanation of what cookies are set by your site, a notice in a reasonably prominent position pointing this out and that's it. The notice could have <<read more>> and <<don't show me again>> links. This would be a really easy add on. I might even do one myself if no-one else is in the process of making one.

Some sites have a simple JavaScript cookie writer that overwrites existing cookies, from that domain, with an expiry date prior to the current date and this in effect deletes those cookies. Again this would be a simple add on.
 

CTXMedia

Formerly CyclingTribe
#7
First Direct and Virgin appear to be using a simple on-page HTML notification with a link to their privacy policy - presumably when you click "Don't show me this again" you accept the policy and a cookie is set that stops the notice appearing the next time you visit.

Is this something XF could do easily enough?

Maybe a <xen:if is cookie set?> test in the page_container template and if the cookie is set, don't show the message?
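The two ideas from posts #6 and #7 (a dismissal cookie that hides the notice, and a JavaScript writer that expires existing cookies), as an added example that is not part of the thread and not XenForo code. The cookie names and the choice to treat the dismissal cookie as acceptance are assumptions.

```javascript
// Added example; the cookie names below are assumptions, not XenForo's own.
const CONSENT_COOKIE = 'cookie_notice_dismissed'; // set when the notice is dismissed
const ESSENTIAL = new Set([CONSENT_COOKIE, 'session_id']); // e.g. the login cookie

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    const name = eq < 0 ? '' : part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Non-essential cookie names to expire. Assumption: the dismissal cookie is
// treated as acceptance, so nothing is expired once it is present.
function cookiesToExpire(cookieString) {
  const jar = parseCookies(cookieString);
  if (jar.get(CONSENT_COOKIE) === '1') return [];
  return [...jar.keys()].filter((name) => !ESSENTIAL.has(name));
}

// A browser only replaces a cookie when name, Domain and Path all match, and
// document.cookie exposes neither attribute. Emit one expired cookie per
// plausible (domain, path) pair; pairs that match no stored cookie do nothing.
function expiryStrings(name, hostname, pathname) {
  const labels = hostname.split('.');
  const domains = [null]; // null = host-only cookie (no Domain attribute)
  for (let i = 0; i < labels.length - 1; i++) domains.push(labels.slice(i).join('.'));
  const segs = pathname.split('/').filter(Boolean);
  const paths = ['/'];
  for (let i = 1; i <= segs.length; i++) paths.push('/' + segs.slice(0, i).join('/'));
  const past = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
  const out = [];
  for (const d of domains) {
    for (const p of paths) out.push(`${name}=; ${past}; Path=${p}` + (d ? `; Domain=${d}` : ''));
  }
  return out;
}

// In a browser: expire what is visible. HttpOnly cookies and cookies set by
// third-party domains (ad networks) never appear in document.cookie, so this
// script cannot remove them.
if (typeof document !== 'undefined') {
  for (const name of cookiesToExpire(document.cookie)) {
    for (const c of expiryStrings(name, location.hostname, location.pathname)) document.cookie = c;
  }
}
```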
 
#9
If you make it a condition of use for your site you actually don't have to do anything fancy. All you need is a notice to that effect and a privacy policy page explaining it. That's all.

You could make the notice disappear if the user clicks <<don't show again>>, but that is not consent to setting cookies; it is exactly what it says: "don't show again". In effect they are saying this site uses cookies, take it or leave it!
 

Ingenious

Well-known member
#14
I don't think it is necessary to be too worried about this. I am not sure most forums would even be within the scope of the law, but you do need to think about any third party use of cookies like adverts. It is prudent then not to panic but do include some cookie use statement.

For new members you can just change your "I agree to the terms" statement to "I agree to the terms and consent to the use of cookies as detailed in these terms."

I actually changed my wording to this (the age thing is specific to my forum):

I am over 18 years of age and agree to the terms and rules. For the purposes of the new UK law on cookies I also consent to the use of cookies on this website as detailed in these terms.
Then changed my site terms to include a statement that covers both new users and existing users by way of implied consent:

Statement on cookies and their use:

Whilst it is unlikely that our limited use of cookies falls within the scope of the new laws which have come into place in the UK we would nonetheless like to disclose how and when these are used here:
  • We do not place or track cookies ourselves, the only cookies in use are those placed by third party software such as the forum and any advertisers using cookies.
  • When you register and log in, a cookie is used by the forum to ensure you remain logged in when moving from page to page. The cookie is only used for purposes essential to your time online and logged in.
  • Advert banners for sponsors are placed "as is" without any use of cookies. However in the event we fill other spaces with Google Adwords adverts, please note that Google may use cookies to track your viewing of those adverts. This is beyond our control or access and we would refer you to Google's privacy and cookie policy. We do not use any other advertising service other than directly sold banners (no cookies) or Google.
  • We log, aggregate and view overall visitor stats from the internal server web log - as per industry standard practice - but please note this is done from our server log and does not use cookies. That data does not identify individual visitors.
  • Your acceptance of these terms and conditions and/or continued use of this website will be taken as consent from you that we can use cookies as detailed above.
For the implied consent part I have posted about this in my forum so people are aware. You could also do it with a notice, but since I doubt whether the law applies to me I don't want to ram it down people's throats and worry them.

Note you would need to edit the above statement if you use other advertising services which use cookies.

I am not a legal expert and don't take this as being a definitive statement on this, but even if the law does not apply it's a welcome thing in any forum to disclose cookie use (and at the same time, cover your ass with T&C and consent even if you may not need it).
 

Floren

Well-known member
#15
Since this is a site located in UK, are there any steps being taken into current XenForo software to comply with the new UK cookie regulations? I might be wrong but technically, XenForo could be sued by any UK users for not enforcing the Cookie public information.

What XenForo (or any UK registered company) should do, in order to stay legal (based on what I read into official site):
- inform any UK based resident about the cookies used and their nature
- provide an option to disable/delete those cookies to user, if he/she would like to

Right now, there is a grey area into legal format of the law. They mention this should be enforced for any UK residents, but they don't mention anything about users located outside UK. I guess it is time to add a few fancy GeoIP classes into XenForo. :)
 

Floren

Well-known member
#18
Not too worried about this. We have always been up-front (via a Privacy Policy statement) about 3rd party cookies.
The problem is: You have to explicitly list the cookies you install in my computer and give me the choice to remove them if I want to. I'm actually working with a large web store that wants to become 100% compliant in UK and use as solution TrustE to clean their cookies. Their lawyers said that you have to present to the user a popup that notifies him/her about all cookies and let them choose if they want to remove ads related cookies and keep only the minimal required cookies for site functionality. If by any chance you say you remove the cookies but you don't, there it comes the big boy hammering you with a large fine.

From that perspective, all the cookies related to trackers and ads will 100% be deleted by users making you lose important revenues. That is enforced only if your company is registered in UK.
At least that is what their lawyers say. :)
 

CTXMedia

Formerly CyclingTribe
#20
The rules were changed at the last minute to allow implied consent by informing people you use cookies, explaining what they are used for, and advising them that continued use of your site is an acceptance of said cookies.

That being said, it'll be an interesting technical challenge to try and manage individual cookies - especially those set by third-parties such as advertisers. (y)