
EU Cookie Law & SharePoint – What’s affected?


What is the new EU Cookie Law?

The EU Cookie Law is intended to prevent information being stored on people’s computers, or being used to recognise them through the device they are using, without their knowledge or agreement. The rules are not intended to restrict the use of particular technologies. The deadline for compliance with the Cookie Law is the 26th May 2012. All websites in the UK must comply with the Information Commissioner’s Office guidance on the use of cookies and gain informed consent from their site visitors, or face a fine of up to £500,000.

What Kinds of Cookies are affected?

There are different types of cookies, and this new law applies to all of them:

Session cookies
These save information about your current viewing session – for example:

  • If you are logged in
  • If you have added items to the shopping basket

These are often less of a privacy concern as they only last for the duration of your browsing session and are generally required for the function of a website.

Persistent Cookies
A persistent cookie is stored on your device and generally remembers your preferences across one or many websites. Some examples are:

  • Whether you want to view comments in threaded or flat view
  • What font size you want to view the site in
  • What language you want to view the site in

First party cookies
First party cookies are set by the same domain that you are visiting – for example to authenticate you with that site.

Third party cookies
Third party cookies are set by domains other than the one you are visiting, and these tend to be in the ‘shady area’ when it comes to privacy. For example, when you visit a site it might store a cookie belonging to the domain ad.myadvertisingcompany.com. When you visit another site, it might store another cookie from the same domain. Eventually the information is sent back to My Advertising Company to build up a profile of your web activity. (Note that most browsers allow you to block third party cookies.)
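To make the four categories above concrete, here is an added example (not code from the original post) that classifies Set-Cookie headers the way a cookie audit would: session versus persistent by the presence of a Max-Age or Expires attribute, and first party versus third party by comparing the cookie’s effective domain with the host of the page. The response headers and host names are constructed for illustration.

```javascript
// Added example: classify cookies by lifetime and party from Set-Cookie headers.
// The sample responses at the bottom are constructed, not captured from a real site.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// A cookie is persistent when it carries Max-Age or Expires; otherwise the
// browser discards it at the end of the session.
function lifetimeKind(cookie) {
  const a = cookie.attributes;
  return ('max-age' in a || 'expires' in a) ? 'persistent' : 'session';
}

// A cookie is first party when its effective domain is the page host or a
// parent of it. Without a Domain attribute the cookie belongs to the host
// that sent the response.
function partyKind(cookie, pageHost, responseHost) {
  const domain = (cookie.attributes.domain || responseHost).replace(/^\./, '').toLowerCase();
  const host = pageHost.toLowerCase();
  const firstParty = host === domain || host.endsWith('.' + domain);
  return firstParty ? 'first-party' : 'third-party';
}

// Build an audit report for a page: one row per Set-Cookie header seen while loading it.
function auditCookies(pageHost, responses) {
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map((header) => {
      const c = parseSetCookie(header);
      return { name: c.name, lifetime: lifetimeKind(c), party: partyKind(c, pageHost, host), origin: host };
    }));
}

// Constructed sample: a page on www.example.com that also loads a script from an ad network.
const SAMPLE_RESPONSES = [
  { host: 'www.example.com', setCookie: ['ASP.NET_SessionId=abc123; path=/; HttpOnly'] },
  { host: 'www.example.com', setCookie: ['lang=en-GB; Max-Age=31536000; Path=/'] },
  { host: 'ad.myadvertisingcompany.com',
    setCookie: ['uid=42; Domain=.myadvertisingcompany.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/'] },
];

// Usage: console.table(auditCookies('www.example.com', SAMPLE_RESPONSES));
```

The report is the kind of listing a paid cookie audit produces: the ASP.NET session cookie is a first party session cookie, the language preference is first party but persistent, and the advertising cookie is both persistent and third party, which is the combination that needs the closest attention under the law.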

What will happen if I do nothing?

The first thing to remember is that there are millions of websites on the internet, and many of them are personal blogs such as this one. There are going to be millions of casual bloggers who have no idea what a cookie is, let alone how to comply with the new law. Below is an extract from the ICO website explaining what it can do if an organisation is not compliant.

Information notice: this requires organisations to provide the Information Commissioner with specific information within a certain time period.

Undertaking: this commits an organisation to a particular course of action in order to improve its compliance.

Enforcement notice: this compels an organisation to take the action specified in the notice to bring about compliance with the Regulations. For example, a notice may be served to compel an organisation to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.

Monetary penalty notice: a monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used in the most serious of cases and if specific criteria are met, for example, if any person has seriously contravened the Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate or the person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

How do I know what cookies my site uses?

Many companies on the internet are providing services which are called Cookie Audits. Having not paid for one of these, I can only assume they deliver on the price tag being asked for (some of them are £300+). Most will promise to analyse your website and inform you of all the cookies your site uses, comparing them with a reference database to provide you with a report. If you have a very large site, with hundreds if not thousands of pages, then this may be money well spent. On the other hand, if you have a smaller site then you can do some of the research very easily with a free Firefox extension called View Cookies. After installing View Cookies, you will find a new Cookies tab in the Page Info dialog box. You can open the Page Info dialog box by selecting Page Info in the Tools menu. You can also right-click on the webpage and select View Page Info from the context menu.

Using this extension should help the majority of site owners get a general view of how many cookies their site sets. This blog, for example, has three cookies for Google Analytics. As of the deadline, the user will have to allow these cookies before they can be set and used.

IMPORTANT: The UK law does not allow you to retrospectively set cookies and then delete them if the user opts out.  You have to ensure that they are only set after user confirmation.

How does this affect my SharePoint Site?

It is important to know that technically, even intranets are covered by this law. The framework will insist that websites ask their users for permission before recording their activities online. The implication is that if you use cookies on your intranet, you may have to ask for your employees’ permission first.

I have done some initial research, and I will try my hardest to keep this updated on cookie usage information. SharePoint 2010 uses cookies to log session information, Web Analytics, and FBA Login information.  There is a cookie called “OfflineClientInstalled” which is set on the settings pages, which I can assume could be something to do with SharePoint Workspace Manager or possibly Office?  Others found on list view pages are “stsSyncAppName” and “stsSyncIconPath”, which I am still investigating.

If you find any commonly set cookies or have any information on the ones listed above, please leave a comment and we can try to build up a repository of cookies and their purpose.

How do I make my site EU Cookie Compliant?

One of the most common solutions for becoming compliant will be through the use of JavaScript code. The code creates a cookie to store the user’s preference and then, depending on their response, additional JavaScript code sets or removes cookies.

There are many different solutions you can use to present the user with the information:

  1. Modal Dialogue
    Using a modal dialogue would be the most intrusive method of asking users for permission. It is a simple, enforced call to action which outlines the reasons for the cookies you would like to set. The problem with this method is that it prevents users from interacting with the website and could increase the bounce rate of your site.
  2. Status Bar
    Subtle status bars at the top or bottom of a website can be included to inform users about the cookie policy. This would remain on all pages until they either accept or decline cookie usage. While this is less intrusive than the previous solution, it could be so subtle that a user never opts into the usage agreement, and functionality may be reduced for the visitor.
  3. Warning Panel
    A warning panel is similar to the previous option, however it has the advantage of informing the visitor which cookie setting the page is currently using. The downsides are that a user may still decide not to opt in, and a warning bar would obscure parts of the page.

Which option you decide to go with is up to you, as all options have pros and cons.  If you have any other suggestions for how you could accomplish the task, please feel free to share your ideas.

After some quick searching online, one of the better solutions I found was “Simple Cookie Prompt” (http://www.pandadoodle.com/cookies/). This lightweight JavaScript code places a subtle status bar message for users at the top of each page and then records one of four states depending on the answer.

There are 4 possible returned values:

  1. The user has actively opted out of all cookies on the site. Shows the red notification.
  2. The user has seen a warning about cookies, but neither accepted nor declined; this is classed as inferred acceptance. Shows the blue notification.
  3. The user has accepted all cookies on the site. Shows the green notification.
  4. The user’s first visit to the site, with no cookies accepted or declined. Shows the yellow notification.

Using a small piece of JS code to wrap around your existing code is as simple as this:
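The original snippet is not reproduced on this page, so the following is an added example of the idea rather than the Simple Cookie Prompt code: a preference cookie records the visitor’s answer, the four states listed above are derived from it, and existing code that sets non-essential cookies is wrapped so it runs only after an explicit acceptance. The cookie name cookieConsent, the stored values, the function names and the Google Analytics cookie name used in the usage lines are assumptions chosen for illustration.

```javascript
// Added example (not the Simple Cookie Prompt code): a consent gate that sets
// non-essential cookies only after the visitor has explicitly accepted them.
// Cookie names, stored values and function names are assumptions for illustration.

const CONSENT_COOKIE = 'cookieConsent';      // hypothetical preference cookie name
const ONE_YEAR = 365 * 24 * 60 * 60;          // max-age in seconds

// The four states the post lists, keyed by what the preference cookie contains.
const CONSENT_STATES = {
  OPTED_OUT:   'opted-out',    // red: user actively declined
  INFERRED:    'inferred',     // blue: warning seen, no explicit answer
  ACCEPTED:    'accepted',     // green: user explicitly accepted
  FIRST_VISIT: 'first-visit',  // yellow: no preference cookie yet
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Map the stored preference to a consent state; anything unexpected counts as a first visit.
function consentState(cookieString) {
  switch (parseCookies(cookieString)[CONSENT_COOKIE]) {
    case 'declined': return CONSENT_STATES.OPTED_OUT;
    case 'seen':     return CONSENT_STATES.INFERRED;
    case 'accepted': return CONSENT_STATES.ACCEPTED;
    default:         return CONSENT_STATES.FIRST_VISIT;
  }
}

// Cookie jar: document.cookie in a browser, an in-memory store elsewhere (e.g. Node).
function createCookieJar(initial) {
  if (typeof document !== 'undefined') {
    return {
      read: () => document.cookie,
      write: (name, value, maxAge) => {
        document.cookie = `${name}=${encodeURIComponent(value)}; path=/; max-age=${maxAge}; SameSite=Lax`;
      },
      remove: (name) => { document.cookie = `${name}=; path=/; max-age=0`; },
    };
  }
  const store = parseCookies(initial);   // the in-memory store ignores max-age
  return {
    read: () => Object.entries(store).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('; '),
    write: (name, value) => { store[name] = value; },
    remove: (name) => { delete store[name]; },
  };
}

// Record the visitor's answer. This preference cookie is the only one written before consent.
function recordConsent(jar, choice) {
  jar.write(CONSENT_COOKIE, choice, ONE_YEAR);
}

// Wrap existing code (analytics bootstrap, preference cookies, ...) so it runs only after an
// explicit "accepted". Inferred consent is deliberately not enough: cookies must not be set
// first and removed later if the visitor opts out.
function runIfConsented(jar, nonEssentialSetup) {
  if (consentState(jar.read()) !== CONSENT_STATES.ACCEPTED) return false;
  nonEssentialSetup();
  return true;
}

// Convenience: set a single non-essential cookie through the gate.
function setIfConsented(jar, name, value, maxAge) {
  return runIfConsented(jar, () => jar.write(name, value, maxAge));
}

// Opt-out: remove non-essential cookies set under an earlier acceptance and remember the choice.
function revokeConsent(jar, nonEssentialNames) {
  for (const name of nonEssentialNames) jar.remove(name);
  recordConsent(jar, 'declined');
}

// Usage on a first visit, with a constructed empty cookie string (in a browser the jar
// reads document.cookie instead). "_ga" is the Google Analytics cookie name, used as an example.
const jar = createCookieJar('');
setIfConsented(jar, '_ga', 'GA1.2.example', ONE_YEAR); // false: no consent recorded yet
recordConsent(jar, 'accepted');                         // visitor clicked "accept"
setIfConsented(jar, '_ga', 'GA1.2.example', ONE_YEAR); // true: analytics cookie now set
```

The wrapper is the part to reuse: any code that currently sets tracking or preference cookies on page load goes inside runIfConsented, so that on a first visit or after an opt-out nothing is written except the preference cookie itself.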

Summary

The EU Cookie Law itself is nothing new, however with the pending deadline, companies are becoming increasingly worried about their compliance. I have noticed only a handful of UK companies taking steps to become compliant, e.g. BT (http://www.bt.co.uk/), and I’m sure that in the coming months all the big players will be compliant. If you have a simple website, then becoming compliant will be relatively straightforward; however, if you are running a highly complex e-commerce site or one with detailed user customisation, then you will have a much tougher battle on your hands. Please give me your feedback on your thoughts about this issue, and how you are going to make your SharePoint website / intranet EU Cookie Law compliant.