The cookie law is getting serious.
Users really need to give consent before accepting cookies.
This is also true of session cookies.
Exceptions are 'indirect consented cookies', like cookies to track a shopping cart.
The site below gives more detail for the UK case and also an example of how consent can be requested.
> http://www.cookielaw.org/blog/2011/7/22/defining-consent-for-cookies.aspx
I expect that we will need to tackle this issue in the near future.
- Marc
Here is guidance from the Irish data protection on cookies:
http://www.dataprotection.ie/documents/guidance/Electronic_Communications_Guidance.pdf
I am not even sure what the position is on this in France, but there
have been similar laws in France since before cookies existed.
I suppose the first thing to do is have an idea what your cookies
actually do. What is all the data in the context used for? I guess a
lot of it is there because it was available and it could be useful
later?
If the session cookie is for a logged in user, then it is necessary to
facilitate a communication that was specifically requested by the
user.
For a non-logged in user, if they specifically request a language from
the language chooser (or a currency), storing that would also be
necessary to facilitate a communication that was specifically
requested by the user.
Michael
> Here is guidance from the Irish data protection on cookies:
>
> http://www.dataprotection.ie/documents/guidance/Electronic_Communications_Guidance.pdf
>
> I am not even sure what the position is on this in France, but there
> have been similar laws in France since before cookies existed.
It comes down from the EU, so we all have to deal with it at some point in the near future.
> I suppose the first thing to do is have an idea what your cookies
> actually do. What is all the data in the context used for? I guess a
> lot of it is there because it was available and it could be useful
> later?
Right now we start a session, because it is always handy to have one around.
We store things like the device classification in the session, so that other processes that want to push information can use that.
It could be possible to
Current cookies are:
z_sid  session id (valid until the browser quits)
z_pid  persistent id, used to store information in the database for when the user returns (valid for 10 years)
z_ua   the device category that is manually selected by the user
What is stored with the pid depends on the web site built with Zotonic.
Zotonic itself stores the language selection.
Though we could use another cookie for that and keep the persistent store for more application-centric information.
> If the session cookie is for a logged in user, then it is necessary to
> facilitate a communication that was specifically requested by the
> user.
That is true; the consent can be coupled to the checkmark for the T&C when you sign up.
So every log on from then on automatically agrees to cookies.
- Marc
> I'm not entirely up to date with the legal issues here, but I was
> wondering, does this law also apply to the HTML5 localstorage API?
Yes it does. It applies to any kind of client-side storage.
So also Flash and HTML5 storage.
- Marc
Based on the wording I have seen, it does. It is not really a cookie
directive. It is an ePrivacy directive.