I know a new cookie law was suggested (see here). But did it ever become required? And what's the penalty for not complying?
We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.
The ICO's website now shows that users must opt out, not opt in. The quote above shows how they have implemented it on their site.
This means that the best idea is probably to have a banner at the top of your site showing a similar message to theirs. If the user doesn't want to use cookies, they can disable them in the browser themselves. It's not up to the site owner to implement a cookie deletion policy, it would seem.
Related
When you go to a website, if they are GDPR compliant they ask whether you consent to them tracking you. If as a user, I click "Deny", how does that website comply with that request? I as the user am not asked again, which to me indicates they have stored something somewhere, probably via a cookie.
Is this the correct way to obtain and work with GDPR? I would have thought by denying tracking, this would include any cookies.
GDPR legislation pertains primarily to Personally Identifiable Information (PII). Storing dissent in a cookie or localStorage doesn't violate that assuming there isn't anything that identifies the particular user, like trackingConsent=false.
Cookies are not only related to "tracking". They are mostly used to persist the state of the application, like session information or cookie acceptance. It is not gonna work otherwise, only option is to disable them on the browser level, but the legislator chosen to force page owner to do it.
You may provide the page that you are asking about. It quite probably stores your refusal in a cookie or some modern persistent storage. Personally I saw page that after refusal was simply asking again and again.
You may also check by yourself if there are some cookies stored. Depends on the browser, but quite probably f12 button and storage tab.
I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user have accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I sugest you set a cookie only if the user has accepted cookies. If this cookie is set dont ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What i find strange is that even big german sites like Stern.de, Focus.de, Spiegel,de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicate "Adjust" button (users usuarly dont click them because adjusting cookie preferences on every site is nerve wrecking), Spiegel.de and Heise.de dont even offer this. They just offer "Accept" or pay for a ad free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites dont show a button to easily denie or delete cookies even i thought it has to be as easy to deny as to accept. Im not a lawyer too and this is no legal advice but if they all do it this way i guess this must be legal in Germany even it doesnt make any sence at all. Cookies are set no matter what the visitor does. The big question seems to be what es necessary? Are google Analytics und Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article in another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading google fonts not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solutionfor the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.
I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user consent before data treatment ; so for me, it would suggest that we must deactivate G.A. tracking as long as user doesn't optin to that treatment.
If I do so : I refresh the page when user has optin, so the data collection can begin ; Problem doing that : we loose the referrer param (since we do a JS refresh, this param is lost : referrer will be the current page)
Others questions :
If I activated IP anonymisation on G.A. : Must I obtain the user consent or can I send the datas by default (and offer the possibility to user for opt-out) ? (many websites seems to have this process, but it seems contradictory with the user-consent obligation...) but this topic suggest to proceed like this.
Regarding cookie law : Is it allowed to store in cookies the user client-id (that G.A. uses) without the user consent ? If not, how to workaround this limitation, and use G.A. without allowing it to set cookies ?
Is there a way to store user activity without sending it to G.A, and when user opt-in -> send all that datas ?
Many thanks in advance !
Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say for example process discounts if it came from a certain link), it might be considered essential. The lines are bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that were stored in JS as variables can now be written into cookies.
I would like Akamai not to cache certain URLs if a specified cookie exist (i.e) If user logged in on specific pages. Is there anyway we can do with Akamai?
The good news, is that I have done exactly this in the past for the Top Gear site (www.topgear.com/uk). The logic goes that if a cookie is present (in this case "TGCACHEKEY") then the Akamai cache is to be bypassed for certain url paths. This basically turns off Akamai caching of html pages when logged in.
The bad news is that you require an Akamai consultant to make this change for you.
If this isn't an option for you, then Peter's suggestions are all good ones. I considered all of these before implementing the cookie based approach for Top Gear, but in the end none were feasible.
Remember also that Akamai strips cookies for cached resources by default. That may or may not effect you in your situation.
The Edge Server doesn't check for a cookie before it does the request to your origin server and I have never seen anything like that in any of their menus, conf screens or documentation.
However, there are a few ways I can think of that you can get the effect that I think you're looking for.
You can specify in the configuration settings for the respective digital property what path(s) or URL(s) you don't want it to cache. If you're talking about a logged on user, you might have a path that only they would get to or you could set up such a thing server side. E.g. for an online course you would have www.course.com/php.html that anybody could get to whereas you might use www.course.com/student/php-lesson-1.html for the actual logged on lessons content. Specifying that /student/* would not be cached would solve that.
If you are serving the same pages to both logged on and not-logged on users and can't do it that way, you could check server-side if they're logged on and if so add a cache-breaker to the links so when they follow a link a cache-breaker is automatically added. You could also do this client side if you want, but it would be more secure and faster to do it server-side. As a note on this, this could be userid-random#. That would keep it unique enough when combined with the page that nobody else would request it and get the earlier 'cache-broken' page.
If neither of the above are workable, there is one other way I can think of, which is a bit unconventional to say the least, but it would work. Create symbolically linked directory in your document root with another name so that you can apply the first option and exempt it from cacheing. Then you check if the guy is logged on and if so prepend the extra directory to the links. From akamai's point of view www.mysite.com/logged-on/page.html can be exempt from cache where www.mysite.com/content/page.html is cached. On your server if /logged-on/ symbolically links over to /content/ then you're all set.
When they login you could send them to a subdomain which is set up as a ServerAlias, so on your side it's the same, but on Akamai has differnt cache handling rules.
Following the same answer than #llevera, you can use the cookies on CloudFlare without intervention of engineers to make the change for you.
Having that sort of cookies to bypass content is a technique that its becoming more popular with the time, and even bug companies like Magento are using it for Magento 2 platform.
But solutions from above still valid, Maybe Akamai supports that that already now, we are in 2017!
According to new EU laws I have to ask my users to opt into having cookies installed on their computers.
So every time I want to set a cookie I have to see if the user has opted in and if they haven't I shouldn't set the cookie.
When they come to the website a popup will ask if they want to opt in. Should they click "no" I cannot put a cookie on their computer to say they've clicked no. How do I then know, as they go through the website, that they've clicked "no"?
Do I just have to show the popup every page they go to? Or store it in a session variable? (is using sessions still ok under the new law? I assume a cookie is set with the session key?).
Thanks
I'm not a lawyer but I've been reading up on this recently and it is quite clear under the new regulations not every cookie is considered equal and opting in is not required for all of them.
The regulations are most keen on ensuring that cookies that allow tracking of users actions/data between websites must have an opt in, at the other extreme, cookies that contain no personal information and are, for example, only used for security on one particular site (like a session cookie) may not need permission at all.
The UK ICO website has some very clear pages & PDFs (including: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx) on the subject and is definitely worthwhile visiting.