
EU PECR rules on getting permission to use cookies - how can XF help make me compliant?

Discussion in 'General XenForo Discussion and Feedback' started by CyclingTribe, Mar 26, 2012.

  1. CyclingTribe

    CyclingTribe Well-Known Member

    Not sure if the XF team are aware of the upcoming introduction of the cookie requirements of PECR (http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx) and whether XF will be updated in time to help me manage getting permission from my visitors and members?

    From May 26th 2012 it will no longer be sufficient to tell people about the use of cookies on your site; you will now be obliged to get consent from your visitors to use them.

    Since XF is my site I need it to manage this for me (or at least have an add-on that helps me manage it).

    Are the XF team aware of the PECR changes and are there any plans for XF to include a built-in system for dealing with getting visitors' permission to use cookies?

    Shaun :D
  2. RobParker

    RobParker Well-Known Member

    Is this not being pretty much ignored by everyone (even the government websites) and they're just hoping it all goes away?
  3. Biker

    Biker Well-Known Member

    Are you willing to risk the fine if they don't ignore it?
  4. RobParker

    RobParker Well-Known Member

    We will be producing guidance on the way in which we intend to use these powers. The monetary penalty powers will apply only to the most serious breaches, such as cases where a large number of individuals have suffered distress as a result of persistent automated marketing calls.

    From the quote taken from the site linked above and the fact that most (all?) government sites aren't currently compliant I don't think there's anything to worry about.

    Having said that I assume someone could make a simple disclaimer that reroutes any link on your site to a disclaimer/confirmation page until you click ok and set a cookie to say you accept that the site uses cookies ;-)
  5. feldon30

    feldon30 Well-Known Member

    It will be funny to watch the EU try to fine every website on earth. ;)

    I thought only the US took unilateral action like this, acting like they "own" the internet.
  6. Hackfall

    Hackfall Member

    The ICO guidance says:

    So it could be that the developers of blogging and forum apps are responsible in this. Xenforo developers take note!

    I see that sites like First Direct (bank) and Virginmoneygiving have made it a condition of use of the site that cookies are accepted. Therefore if you continue to use their site you have given consent. If you were to decide to use this approach all you need is a Privacy Policy that includes a detailed explanation of what cookies are set by your site, a notice in a reasonably prominent position pointing this out and that's it. The notice could have <<read more>> and <<don't show me again>> links. This would be a really easy add on. I might even do one myself if no-one else is in the process of making one.

    Some sites have a simple JavaScript cookie writer that overwrites existing cookies, from that domain, with an expiry date prior to the current date and this in effect deletes those cookies. Again this would be a simple add on.
  7. CyclingTribe

    CyclingTribe Well-Known Member

    First Direct and Virgin appear to be using a simple on-page HTML notification with a link to their privacy policy - presumably when you click "Don't show me this again" you accept the policy and a cookie is set that stops the notice appearing the next time you visit.

    Is this something XF could do easily enough?

    Maybe a <xen:if is cookie set?> test in the page_container template and if the cookie is set, don't show the message?
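The two ideas in the posts above (expiring cookies from JavaScript, and showing the notice only while a consent cookie is absent), sketched as an added example that is not code from the thread or from XenForo. The cookie names, the `ESSENTIAL` allowlist and the sample values are assumptions made for illustration.

```javascript
// Added example; CONSENT_COOKIE and ESSENTIAL are hypothetical names, not XenForo's.
const CONSENT_COOKIE = 'cookie_notice_dismissed';
const ESSENTIAL = new Set(['session_id', 'csrf_token', CONSENT_COOKIE]);

// Parse a document.cookie style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless fragments
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// The template-style test: show the notice only while the consent cookie is absent.
function shouldShowNotice(cookieString) {
  return !parseCookies(cookieString).has(CONSENT_COOKIE);
}

// Candidate Domain attributes for a host: host-only (null) plus each parent domain.
function domainCandidates(hostname) {
  const labels = hostname.split('.');
  const out = [null];
  for (let i = 0; i + 1 < labels.length; i++) out.push('.' + labels.slice(i).join('.'));
  return out;
}

// Build the strings to assign to document.cookie so non-essential cookies expire.
// A cookie is only replaced when name, Path and Domain match the original, and
// document.cookie does not reveal Path/Domain, so every plausible pair is tried.
function expiryDirectives(cookieString, hostname, pathname) {
  const segs = pathname.split('/').filter(Boolean);
  const paths = ['/'];
  for (let i = 1; i <= segs.length; i++) paths.push('/' + segs.slice(0, i).join('/'));
  const out = [];
  for (const name of parseCookies(cookieString).keys()) {
    if (ESSENTIAL.has(name)) continue;
    for (const domain of domainCandidates(hostname))
      for (const path of paths)
        out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}` +
                 (domain ? `; domain=${domain}` : ''));
  }
  return out;
}
// Browser use: expiryDirectives(document.cookie, location.hostname, location.pathname)
//   .forEach(d => { document.cookie = d; });
```

Cookies flagged HttpOnly never appear in `document.cookie`, and cookies set by a third-party domain are out of reach of first-party script, so both have to be expired or withheld by the server that sets them.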
  8. Slavik

    Slavik XenForo Moderator Staff Member

    Wayyyyyyyy ahead of you here. I approached several developers regarding making an addon for this, however to be truly compliant it would require edits to the XenForo core, as such, I forwarded the details onto Kier.
    MYstIC G, RobParker, zappaDPJ and 5 others like this.
  9. Hackfall

    Hackfall Member

    If you make it a condition of use for your site you actually don't have to do anything fancy. All you need is a notice to that effect and a privacy policy page explaining it. That's all.

    You could make the notice disappear if the user clicks <<don't show again>> but that is not consent to setting cookies, it is exactly what it says: "don't show again". In effect they are saying this site uses cookies, take it or leave it!
  10. Adam Howard

    Adam Howard Well-Known Member

    Seriously, we're going to ignore this.

    The clause of "unless being necessary of use of site" applies to everything we add.
  11. Hackfall

    Hackfall Member

  12. CyclingTribe

    CyclingTribe Well-Known Member

  13. lazer

    lazer Well-Known Member

    Not too worried about this. We have always been up-front (via a Privacy Policy statement) about 3rd party cookies.
  14. Ingenious

    Ingenious Well-Known Member

    I don't think it is necessary to be too worried about this. I am not sure most forums would even be within the scope of the law, but you do need to think about any third party use of cookies like adverts. It is prudent then not to panic but do include some cookie use statement.

    For new members you can just change your "I agree to the terms" statement to "I agree to the terms and consent to the use of cookies as detailed in these terms."

    I actually changed my wording to this (the age thing is specific to my forum):

    Then changed my site terms to include a statement that covers both new users and existing users by way of implied consent:

    For the implied consent part I have posted about this in my forum so people are aware. You could also do it with a notice, but since I doubt whether the law applies to me I don't want to ram it down people's throats and worry them.

    Note you would need to edit the above statement if you use other advertising services which use cookies.

    I am not a legal expert and don't take this as being a definitive statement on this, but even if the law does not apply it's a welcome thing in any forum to disclose cookie use (and at the same time, cover your ass with T&C and consent even if you may not need it).
    Doctor and Neal like this.
  15. Floren

    Floren Well-Known Member

    Since this is a site located in UK, are there any steps being taken into current XenForo software to comply with the new UK cookie regulations? I might be wrong but technically, XenForo could be sued by any UK users for not enforcing the Cookie public information.

    What XenForo (or any UK registered company) should do, in order to stay legal (based on what I read into official site):
    - inform any UK based resident about the cookies used and their nature
    - provide an option to disable/delete those cookies to user, if he/she would like to

    Right now, there is a grey area in the legal format of the law. They mention this should be enforced for any UK residents, but they don't mention anything about users located outside UK. I guess it is time to add a few fancy GeoIP classes into XenForo. :)
  16. lazer

    lazer Well-Known Member

  17. Chris D

    Chris D XenForo Developer Staff Member

    I meant to post about this:


    This widget in theory could be turned into an add on but would require a good understanding of cookies and how to put measures in place for them to be disabled until a user specifically opts in.

    Scarily enough including analytics.
  18. Floren

    Floren Well-Known Member

    The problem is: You have to explicitly list the cookies you install in my computer and give me the choice to remove them if I want to. I'm actually working with a large web store that wants to become 100% compliant in UK and uses TrustE as a solution to clean their cookies. Their lawyers said that you have to present to the user a popup that notifies him/her about all cookies and lets them choose if they want to remove ads related cookies and keep only the minimal required cookies for site functionality. If by any chance you say you remove the cookies but you don't, there comes the big boy hammering you with a large fine.

    From that perspective, all the cookies related to trackers and ads will 100% be deleted by users making you lose important revenues. That is enforced only if your company is registered in UK.
    At least that is what their lawyers say. :)
  19. Floren

    Floren Well-Known Member

    lazer likes this.
  20. CyclingTribe

    CyclingTribe Well-Known Member

    The rules were changed at the last minute to allow implied consent by informing people you use cookies, explaining what they are used for, and advising them that continued use of your site is an acceptance of said cookies.

    That being said, it'll be an interesting technical challenge to try and manage individual cookies - especially those set by third-parties such as advertisers. (y)
