EU Cookie Law & SharePoint – (ICO UPDATE)

What has Changed?

Following on from my last blog post, the 26th of May has passed and, according to a recent KPMG study, 95% of companies have yet to comply with the legislation. However, things DID change only hours before the compliance deadline. As I mentioned in my previous post, a user must give informed consent before a website operator is allowed to set cookies on their browser. The ICO has now changed its stance and allows “implied consent” from web users. For UK site owners, implied consent moves some of the burden away from the site operator and towards the site visitor.

The ICO has released an updated guidance document with a new section on implied consent, which is quoted below:

“Much of the debate around the so-called “consent for cookies” rule has focussed on the nature of the consent required for compliance. Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices. While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant. Website operators need to remember that where their activities result in the collection of sensitive personal data such as information about an identifiable individual’s health then data protection law might require them to obtain explicit consent.

Early reporting on the new rule led some to believe that an explicit, opt-in style consent would be required for every cookie each time it was set. The Information Commissioner’s guidance made it clear that although an explicit opt-in mechanism might provide regulatory certainty it was not the only means of gaining consent. In some circumstances those seeking consent might consider implied consent as an option that was perhaps more practical than the explicit opt-in model.

Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for “doing nothing”. In many cases, to create a situation in which implied consent is acceptable to subscribers, users and the regulator it would still be necessary to follow the steps set out in the Information Commissioner’s existing guidance.

To explain further it might be useful to unpack what we actually mean by the term “implied consent” remembering throughout that consent (whether it is implied or express) has to be a freely given, specific and informed indication of the individual’s wishes. For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

There is quite a lot to take in from this, but I think the most important section is in the last paragraph.

For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button.

What do I need to do now?

To rely on implied consent, you need to tell the user clearly which cookies are in use. You should link to a privacy policy page that explains in more detail which cookies you set and why you set them. The Information Commissioner makes it clear that this is not an excuse to do nothing: users must be able to make a conscious and informed decision about cookies when using your site.

The BBC website has a notice at the top of the page informing the user that by navigating to another page they give their consent; clicking another link, or the dismiss / OK button on the banner, is treated as sufficient.

However, if you would like regulatory certainty (for example if you are setting detailed tracking cookies), then it is recommended to give users the full ability to give explicit consent or to opt out completely, as described in my previous post. If I get some time, I may come up with a simple SharePoint WSP providing the “basic” functionality if enough people want one.

I hope this update helps as there is a lot to take in.

EU Cookie Law & SharePoint – What’s affected?

What is the new EU Cookie Law?

The EU Cookie Law is intended to prevent information being stored on people’s computers, or being used to recognise them through the device they are using, without their knowledge or agreement. The rules are not intended to restrict the use of particular technologies. The deadline for compliance with the Cookie Law is the 26th May 2012. All websites in the UK must comply with the Information Commissioner’s Office guidance on the use of cookies and gain informed consent from their site visitors, or face a fine of up to £500,000.

What Kinds of Cookies are affected?

There are different types of cookies, and this new law applies to all of them:

Session cookies
These save information about your current viewing session – for example:

  • If you are logged in
  • If you have added items to the shopping basket

These are often less of a privacy concern, as they only last for the duration of your browsing session and are generally required for the function of a website. Cookies that are strictly necessary to provide a service the visitor has explicitly asked for (the shopping basket is the usual example) are exempt from the consent requirement under the Regulations; the exemption is narrow, and it does not cover analytics or advertising cookies.

Persistent Cookies
A persistent cookie is stored on your device beyond the current browsing session, so a site can remember your preferences between visits. Some examples are:

  • Whether you want to view comments in threaded or flat view
  • What font size you want to view the site in
  • What language you want to view the site in

First party cookies
First party cookies are set by the same domain that you are visiting – for example to authenticate you with that site.

Third party cookies
Third party cookies are set by domains other than the one you are visiting, and these tend to be in the ‘grey area’ when it comes to privacy. For example, when you visit a site it might set a cookie for the domain ad.myadvertisingcompany.com. When you visit another site that uses the same advertiser, the browser sends that cookie back with every request to the advertiser, so My Advertising Company can build up a profile of your web activity across both sites. (Note that most browsers allow you to block third-party cookies.)

What will happen if I do nothing?

The first thing to remember is that there are millions of websites on the internet, and many of them are personal blogs such as this one. There are going to be millions of casual bloggers who have no idea what a cookie is, let alone how to comply with the new law. Below is an extract from the ICO website explaining what the ICO can do if an organisation is not compliant.

Information notice: this requires organisations to provide the Information Commissioner with specific information within a certain time period.

Undertaking: this commits an organisation to a particular course of action in order to improve its compliance.

Enforcement notice: this compels an organisation to take the action specified in the notice to bring about compliance with the Regulations. For example, a notice may be served to compel an organisation to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.

Monetary penalty notice: a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met, for example, if any person has seriously contravened the Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

How do I know what cookies my site uses?

Many companies on the internet are providing services which are called Cookie Audits. Having not paid for one of these, I can only assume they deliver on the price tag being asked for (some of them are £300+). Most will promise to analyse your website and inform you of all the cookies your site uses, comparing them with a reference database to provide you with a report. If you have a very large site, with hundreds if not thousands of pages, then this may be money well spent. On the other hand, if you have a smaller site then you can do some of the research very easily with a free Firefox extension called View Cookies. After installing View Cookies, you will find a new Cookies tab in the Page Info dialog box. You can open the Page Info dialog box by selecting Page Info in the Tools menu, or by right-clicking on the webpage and selecting View Page Info from the context menu.

Using this extension should give most site owners a general view of how many cookies are in play. This blog for example has three cookies for Google Analytics. As of the deadline, the user will have to “allow” these cookies before they are set.
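As an added example (my code, not the post’s, and not the View Cookies extension) of the two questions above, which cookie types are in play and what a do-it-yourself audit looks like, the script below takes the Set-Cookie headers captured for one page view and classifies each cookie as session or persistent and as first or third party, also noting the Secure and HttpOnly flags because an audit is the natural place to check them. The captured responses, hostnames and cookie values are constructed; the registrable-domain helper only knows the listed .uk second-level suffixes, so a real audit should use the Public Suffix List.

```javascript
// Added example: classify the cookies a page view sets, from captured
// Set-Cookie headers. Not code from the original post; all responses,
// hostnames and cookie values below are constructed.

// Parse one Set-Cookie header value into its name/value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    domain: null, path: '/', expires: null, maxAge: null, secure: false, httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase();
    const v = rest.join('=').trim();
    if (k === 'domain') cookie.domain = v.replace(/^\./, '').toLowerCase();
    else if (k === 'path') cookie.path = v || '/';
    else if (k === 'expires') cookie.expires = new Date(v);
    else if (k === 'max-age') cookie.maxAge = parseInt(v, 10);
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Registrable domain (eTLD+1). Simplification: only the listed UK second-level
// suffixes are known; a real audit should use the Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'ac.uk', 'gov.uk', 'nhs.uk']);
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  const n = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Session vs persistent (Max-Age wins over Expires; a zero/negative Max-Age or
// a past Expires is a deletion, reported as 'expired') and first vs third party
// (the cookie's effective domain compared with the page's registrable domain).
function classify(cookie, responseHost, pageHost, now = new Date()) {
  let persistence = 'session';
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    persistence = cookie.maxAge > 0 ? 'persistent' : 'expired';
  } else if (cookie.expires !== null && !Number.isNaN(cookie.expires.getTime())) {
    persistence = cookie.expires > now ? 'persistent' : 'expired';
  }
  const host = cookie.domain || responseHost;
  const party = registrableDomain(host) === registrableDomain(pageHost) ? 'first' : 'third';
  return { persistence, party, host };
}

// Audit one page view: every Set-Cookie from every response it triggered.
function auditCookies(pageUrl, responses, now = new Date()) {
  const pageHost = new URL(pageUrl).hostname;
  const rows = [];
  for (const resp of responses) {
    const responseHost = new URL(resp.url).hostname;
    for (const header of resp.setCookie) {
      const c = parseSetCookie(header);
      const { persistence, party, host } = classify(c, responseHost, pageHost, now);
      rows.push({ name: c.name, host, persistence, party, secure: c.secure, httpOnly: c.httpOnly });
    }
  }
  return rows;
}

// Constructed capture: one page view on a fictional SharePoint intranet that
// also loads a tracking pixel from the advertiser used as the example above.
const PAGE_URL = 'https://intranet.example.co.uk/Pages/Default.aspx';
const SAMPLE_RESPONSES = [
  { url: PAGE_URL, setCookie: [
      'ASP.NET_SessionId=abc123; path=/; HttpOnly',
      '.ASPXAUTH=f00; path=/; Secure; HttpOnly',
      '__utma=1.2.3.4.5; Domain=.example.co.uk; Path=/; Expires=Fri, 23 May 2014 12:00:00 GMT',
  ] },
  { url: 'https://ad.myadvertisingcompany.com/pixel.gif', setCookie: [
      'uid=xyz; Domain=.myadvertisingcompany.com; Path=/; Max-Age=31536000',
  ] },
];

// One line per cookie, flagging the two attributes a security review looks for.
function report(rows) {
  return rows.map((r) => `${r.name} (${r.host}): ${r.party}-party, ${r.persistence}`
    + (r.secure ? '' : ', missing Secure') + (r.httpOnly ? '' : ', missing HttpOnly'));
}

// "now" is pinned to the compliance deadline so the sample output is reproducible.
console.log(report(auditCookies(PAGE_URL, SAMPLE_RESPONSES, new Date('2012-05-26T00:00:00Z'))).join('\n'));
```

To run it against a real site, replace SAMPLE_RESPONSES with the responses captured by a proxy or the browser’s network tab for a single page view; note that cookies set by script (Google Analytics sets its __utm* cookies from JavaScript, not from a response header) will only appear in such a capture if you record document.cookie after the page has finished loading.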

IMPORTANT: The UK law does not allow you to set cookies first and then delete them if the user opts out. You have to ensure that they are only set after the user has given consent.

How does this affect my SharePoint Site?

It is important to know that, technically, even intranets are covered by this law. The Regulations require websites to ask their users for permission before recording their activities online, so if you use cookies on your intranet you may have to ask for your employees’ permission first.

I have done some initial research, and I will try my hardest to keep this updated with cookie usage information. SharePoint 2010 uses cookies to log session information, Web Analytics, and FBA login information. There is a cookie called “OfflineClientInstalled” which is set on the settings pages, which I assume could be something to do with SharePoint Workspace Manager or possibly Office. Others found on list view pages are “stsSyncAppName” and “stsSyncIconPath”, which I am still investigating.

If you find any commonly set cookies or have any information on the ones listed above, please leave a comment and we can try to build up a repository of cookies and their purpose.

How do I make my site EU Cookie Compliant?

One of the most common solutions for becoming compliant will be through the use of JavaScript. The code creates a cookie to store the user’s preference and then, depending on their response, either runs the code that sets the other cookies or removes them.

There are many different solutions you can use to present the user with the information:

  1. Modal Dialogue
    Using a modal dialogue would be the most intrusive method of asking users for permission. It is a simple, enforced call to action which outlines the reasons for the cookies you would like to set. The problem with this method is that it prevents users from interacting with the website and could increase the bounce rate of your site.
  2. Status Bar
    Subtle status bars at the top or bottom of a website can inform users about the cookie policy. The bar remains on all pages until they either accept or decline cookie usage. While this is less intrusive than the previous solution, it could be so subtle that a user never opts in, and functionality may be reduced for the visitor.
  3. Warning Panel
    A warning panel is similar to the previous option, but has the advantage of telling the visitor which settings the page is using. The downsides are that a user may decide not to opt in, and a warning bar obscures parts of the page.

Which option you decide to go with is up to you, as all options have pros and cons.  If you have any other suggestions for how you could accomplish the task, please feel free to share your ideas.

After some quick searching online, one of the better solutions I found was “Simple Cookie Prompt” (http://www.pandadoodle.com/cookies/). This lightweight JavaScript places a subtle status bar message at the top of each page and records one of four states depending on the answer.

There are four possible returned values:

  1. The user has actively opted out of all cookies on the site. Shows the red notification.
  2. The user has seen a warning about cookies but neither accepted nor declined; this is classed as inferred acceptance. Shows the blue notification.
  3. The user has accepted all cookies on the site. Shows the green notification.
  4. The user’s first visit to the site, with no cookies accepted or declined. Shows the yellow notification.

Using a small piece of JS code to wrap around your existing code is as simple as this:
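The Simple Cookie Prompt wrapper itself is not reproduced on this page. What follows is an added example of my own, not Simple Cookie Prompt’s code and not anything from SharePoint, that implements the same four-state flow together with the “continue browsing” implied consent from the ICO update above: the code that sets cookies is only run once consent (explicit or implied) exists, an explicit decline removes what it set, and a first visit sets nothing but the preference cookie. The cookie name cookieConsent, the one-year lifetime and the small jar interface (with an in-memory jar so the flow can be run outside a browser) are assumptions for this illustration.

```javascript
// Added example: consent-gated cookie setting with the four states described
// above. My code, not Simple Cookie Prompt's; the cookie name, the one-year
// lifetime and the in-memory jar are assumptions for this illustration.

const CONSENT_COOKIE = 'cookieConsent';          // assumed name
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60;      // assumed: one year, in seconds
const STATES = { UNSET: 'unset', DECLINED: 'declined', IMPLIED: 'implied', ACCEPTED: 'accepted' };
const BANNER = { unset: 'yellow', implied: 'blue', accepted: 'green', declined: 'red' };

// Parse a Cookie-header-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(str) {
  const map = new Map();
  for (const part of str.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    map.set(part.slice(0, eq).trim(), decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return map;
}

// The consent cookie is user-controlled input: only a known state is trusted;
// anything else (missing, tampered, stale format) is treated as "never asked".
function readConsent(jar) {
  const value = parseCookieString(jar.cookie).get(CONSENT_COOKIE);
  return Object.values(STATES).includes(value) ? value : STATES.UNSET;
}

function writeConsent(jar, state) {
  jar.set(CONSENT_COOKIE, state, CONSENT_MAX_AGE);
}

// Gate: run `fn` (the code that sets cookies) only under accepted or implied
// consent. Under an explicit decline, remove the cookies it would have set so
// an earlier acceptance does not linger. Nothing is set before consent exists.
function withConsent(jar, cookiesItSets, fn) {
  const state = readConsent(jar);
  if (state === STATES.ACCEPTED || state === STATES.IMPLIED) { fn(jar); return true; }
  if (state === STATES.DECLINED) cookiesItSets.forEach((n) => jar.remove(n));
  return false;
}

// One page view: evaluate the gate, then record that the banner was shown so
// that continuing to browse counts as implied consent from the next view on.
function pageView(jar, gated) {
  const state = readConsent(jar);
  const ran = withConsent(jar, gated.cookies, gated.run);
  if (state === STATES.UNSET) writeConsent(jar, STATES.IMPLIED);
  return { state, ran, banner: BANNER[state] };
}

// Explicit click on the banner's accept / decline buttons.
function choose(jar, gated, accepted) {
  writeConsent(jar, accepted ? STATES.ACCEPTED : STATES.DECLINED);
  if (!accepted) gated.cookies.forEach((n) => jar.remove(n));
}

// Jar for the browser. Caveat: document.cookie can only remove cookies whose
// path/domain match the original Set-Cookie, and never HttpOnly ones, so
// cookies the server sets must be gated on the server, not here.
function documentJar() {
  return {
    get cookie() { return document.cookie; },
    set(name, value, maxAge) {
      document.cookie = `${name}=${encodeURIComponent(value)}; path=/; max-age=${maxAge}`;
    },
    remove(name) { document.cookie = `${name}=; path=/; max-age=0`; },
  };
}

// In-memory jar so the flow can be exercised outside a browser (lifetime ignored).
function memoryJar() {
  const store = new Map();
  return {
    get cookie() { return [...store].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('; '); },
    set(name, value) { store.set(name, value); },
    remove(name) { store.delete(name); },
  };
}

// Walk a visitor through the states: first visit, continue browsing, decline, accept.
function demo() {
  const jar = memoryJar();
  // Stand-in for an analytics snippet: its only observable effect is the cookie it sets.
  const analytics = { cookies: ['__utma'], run: (j) => j.set('__utma', '1.2.3.4', 2 * CONSENT_MAX_AGE) };
  const has = () => parseCookieString(jar.cookie).has('__utma');
  const trace = [];
  trace.push({ ...pageView(jar, analytics), utma: has() });  // yellow: nothing set yet
  trace.push({ ...pageView(jar, analytics), utma: has() });  // blue: implied, cookie set
  choose(jar, analytics, false);
  trace.push({ ...pageView(jar, analytics), utma: has() });  // red: cookie removed
  choose(jar, analytics, true);
  trace.push({ ...pageView(jar, analytics), utma: has() });  // green: cookie set again
  return trace;
}

console.log(demo());
```

Two things to check when wiring this into a real page: the gate must run before the analytics snippet (or any other cookie-setting script) is loaded, otherwise the cookie is set on the first visit regardless of the answer; and the gate only covers cookies set from script, so the session, FBA and other cookies SharePoint itself sets in responses have to be dealt with on the server side.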

Summary

The EU Cookie Law itself is nothing new; however, with the pending deadline, companies are becoming increasingly worried about their compliance. I have noticed only a handful of UK sites taking steps to become compliant, e.g. (http://www.bt.co.uk/), and I’m sure that in the coming months all the big players will be compliant. If you have a simple website, then becoming compliant will be relatively straightforward; however, if you are running a highly complex e-commerce site or one with detailed user customisation, then you will have a much tougher battle on your hands. Please give me your feedback on your thoughts about this issue, and how you are going to make your SharePoint website / intranet EU compliant.