Introduction to the law: There has been a lot of talk about the EU cookie legislation for websites. Everybody who builds websites has probably had at least a few calls from clients with questions and requests to make their websites comply. The cookie legislation also changed in the meantime, which confused some. In short, what we have been getting from our client (a UK client!) and their lawyers is:
There are 4 cookie categories, in broad terms:
- Strictly necessary cookies (make the website work so no opt-in required)
- Performance cookies (includes analytics – opt-in required)
- Functionality cookies (remembering visitor actions etc. – opt-in required)
- Targeting or Advertising cookies (self-explanatory – opt-in required)
The first category does not require an opt-in, and categories 2 & 3 do not require a proper opt-in according to the ICC guide; only the targeting/advertising cookies require the ‘tick-box’ option or similar.
One thing is still interpreted differently among our clients, and that is whether “implied consent” is acceptable (for categories 2 & 3 at least). This means that after the opt-in popup message is displayed to visitors, if they ignore it and click any other link on the website, this is interpreted as “implied consent” to accept cookies (and the opt-in popup states that!).
What we needed to do
In short, what was requested from us was:
- “Strictly necessary cookies” for a service requested by the user (like .NET session cookies) can be listed on the cookie privacy page, but you do not need to block those
- Cookies that contain personal data and/or are NOT necessary for the service requested by the user (like Google Analytics) must get the visitor’s consent before being stored!
- Implement implied consent
In most of our cases, only the Google Analytics cookies were an issue to deal with.
The idea is simple. On the first visit to our website we check whether a cookieOptIn cookie is set in the visitor’s browser. If it is not set, the visitor is here for the first time and we need to display the cookie opt-in message (we also store the value “1” in the cookie at this point). If the cookieOptIn cookie exists, we check its value. The value can be “2” (cookies accepted) or “0” (cookies refused). Depending on that value, we output the Google Analytics code or not.
If cookieOptIn exists and its value is “1”, this means, as stated above, that it is a new visitor who has neither opted in nor opted out yet. For clients that want “implied consent” applied on their websites, we do one more check: is cookieOptIn “1” AND did the visitor arrive here through an internal link (we check the referrer server variable and compare domain names)? In that case we set the cookieOptIn value to “2”, which is the same as opting in.
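The decision logic described above, written out as an added Python example; it is not the original Umbraco macro (which is not shown on this page). It assumes the opt-in message links to ?cookieOptOut=1 to refuse and, as a placeholder name, ?cookieOptIn=1 to accept, and it compares the Referer host against the site host exactly rather than with a substring match, so a look-alike domain cannot trigger implied consent.

```python
from urllib.parse import parse_qs, urlsplit

# Values stored in the cookieOptIn cookie, as described in the text.
REFUSED, UNDECIDED, ACCEPTED = "0", "1", "2"


def same_site_referer(referer, host):
    """True only when the Referer host equals our host exactly.

    A substring test such as 'example.com' in referer would also accept
    www.example.com.evil.net, so the parsed hostname is compared whole.
    A missing or scheme-less Referer (first visit, privacy settings,
    Referrer-Policy) yields False, i.e. no implied consent.
    """
    if not referer:
        return False
    ref_host = (urlsplit(referer).hostname or "").lower()
    site_host = host.lower().split(":")[0]  # drop any port from the Host header
    return bool(ref_host) and ref_host == site_host


def cookie_opt_in_state(cookie_value, referer, host, query_string, implied_consent=True):
    """Return (new_cookie_value, emit_analytics, show_message).

    cookie_value is the current cookieOptIn cookie or None when absent.
    The Google Analytics code is emitted only when the result is ACCEPTED.
    """
    params = parse_qs(query_string)
    if params.get("cookieOptOut") == ["1"]:   # refuse link from the opt-in message
        return REFUSED, False, False
    if params.get("cookieOptIn") == ["1"]:    # assumed accept link name (placeholder)
        return ACCEPTED, True, False
    if cookie_value is None:                  # first visit: store "1", show message
        return UNDECIDED, False, True
    if cookie_value == ACCEPTED:
        return ACCEPTED, True, False
    if cookie_value == UNDECIDED:
        # Visitor ignored the message and followed an internal link.
        if implied_consent and same_site_referer(referer, host):
            return ACCEPTED, True, False
        return UNDECIDED, False, True
    # "0" or any tampered/unexpected value: fail closed, no analytics.
    return REFUSED, False, False
```

Any value other than the three the site itself writes is treated as a refusal, so a hand-edited cookie can never switch analytics on.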
Notes on implementation
- The macro should be put in the master template, right where the Google Analytics code is output, just before the closing HEAD tag.
- The macro parameter “customStylesheet” (true/false) is used. If set to true, the macro will also use the stylesheet “/css/cookiesOptIn.css”, where you can store the CSS to format the opt-in message; or you can set it to false and do it in your main CSS.
- The macro uses the dictionary items GoogleAnalyticsCode (to store the GA code) and cookiesOptInMessage (to store the HTML of the opt-in message)
<a href="?cookieOptOut=1">refuse</a>) or to accept cookies/continue (in example
The code is a bit messy but more than usable. Feel free to use it.