CPG needs to comply with the new EU cookie Directive


Started by papukaija, May 25, 2012, 03:50:16 PM


papukaija

The EU Cookie Directive (Directive 2009/136/EC) is an amendment of the Directive 2002/58/EC, which concerns the protection of data and privacy on the web. The Article 5.3 states the following on the use of cookies:

Quote
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The new UK law based on the above Directive will become effective from tomorrow. As a live example, check out ico.gov.uk, which displays a top banner asking to allow cookies.

It's clear that the cookies used by CPG don't fall under the category of "strictly necessary", except the login status. Settings options in a cookie, like album sortings, toggling of picture's info box, language, etc. need a consent from the user. As of now CPG doesn't ask my permission to set a cookie and is thus illegal in the EU.

Fixing this bug (I consider legal issues as bugs and not feature requests):
Investigate whether a cookie is really needed for non-login status related features, if:

  • yes: need to add, as a core feature/plugin, a way to ask user's permission for the cookies
  • not: limit the cookie to the login status only

Until this bug is fixed I need to ask my site's visitors' permission for the cookies just because of CPG, as all other software on my site is fixed or in the process of being fixed.

This Directive is a nightmare for web developers but the law is the law.

Αndré

Adding such a check shouldn't be that hard, but I think it's currently not possible to do it with a plugin.

I assume adding a new function like cpg_setcookie, which adds some additional checks and shows something like your example site will be the best solution.

Αndré

Prepared code for user cookie consent in SVN revision 8433. Now we just need a plugin that displays a message like ico.gov.uk if the "accept cookies" cookie is not set which does something like
setcookie($CONFIG['cookie_name'].'_accept_cookies', true, time() + (CPG_WEEK*52), $CONFIG['cookie_path']);
on consent.

I'll create it as soon as possible, probably tomorrow.

Αndré

Changed the approach and cookie name in SVN revision 8439. Coppermine now checks for the cookie name $CONFIG['cookie_name'].'_cookies_allowed'
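As an added example (not Coppermine's own code and not the plugin from this thread), the following sketch shows how the cpg_setcookie idea proposed above and the $CONFIG['cookie_name'].'_cookies_allowed' consent cookie from revision 8439 fit together: preference cookies are suppressed until the consent cookie exists, while cookies the site owner marks as essential (login status) are always set. It assumes Coppermine's $CONFIG array with 'cookie_name' and 'cookie_path' entries and the CPG_WEEK constant, PHP 7.3 or newer for the setcookie() options array, and a hypothetical cpg_record_consent() handler that the consent banner would call; the sample $CONFIG values are constructed.

```php
<?php
// Added example, not Coppermine core or plugin code.
// Assumes Coppermine's $CONFIG keys 'cookie_name' and 'cookie_path' and
// its CPG_WEEK constant (seconds per week); defined here only so the
// snippet runs stand-alone.
if (!defined('CPG_WEEK')) {
    define('CPG_WEEK', 7 * 24 * 60 * 60);
}

// Constructed sample configuration.
$CONFIG = array(
    'cookie_name' => 'cpg15x',
    'cookie_path' => '/',
);

// Name of the consent cookie introduced in SVN revision 8439.
function cpg_consent_cookie_name(array $CONFIG)
{
    return $CONFIG['cookie_name'] . '_cookies_allowed';
}

// Has the visitor already accepted cookies?
function cpg_cookies_allowed(array $CONFIG)
{
    return isset($_COOKIE[cpg_consent_cookie_name($CONFIG)]);
}

// Hypothetical wrapper in the spirit of the cpg_setcookie() proposal.
// Non-essential cookies (sort order, info-box state, language, ...) are
// only set once consent exists; cookies flagged $essential (login status)
// are always set. Returns false when the cookie was suppressed.
function cpg_setcookie(array $CONFIG, $name, $value, $expires, $essential = false)
{
    if (!$essential && !cpg_cookies_allowed($CONFIG)) {
        return false;   // no consent yet: skip the preference cookie
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return setcookie($name, (string) $value, array(
        'expires'  => $expires,
        'path'     => $CONFIG['cookie_path'],
        'secure'   => $https,       // only over TLS when the site uses it
        'httponly' => true,         // not readable from page scripts
        'samesite' => 'Lax',
    ));
}

// Hypothetical handler for the banner's "accept cookies" action.
// The posted form token is compared with the one stored server-side so a
// cross-site request cannot "accept" on the visitor's behalf.
function cpg_record_consent(array $CONFIG, $posted_token, $session_token)
{
    if (!is_string($posted_token) || !hash_equals($session_token, $posted_token)) {
        return false;
    }
    // The consent cookie is itself essential: it is how the answer is remembered.
    return cpg_setcookie($CONFIG, cpg_consent_cookie_name($CONFIG), '1',
                         time() + CPG_WEEK * 52, true);
}

// Usage: a preference cookie is stored only if consent has been given.
$stored = cpg_setcookie($CONFIG, $CONFIG['cookie_name'] . '_sort', 'na',
                        time() + CPG_WEEK, false);
```

Because the wrapper decides at the point where core would otherwise call setcookie(), the gate works regardless of whether a theme-level banner is displayed later in the page, which is the ordering problem raised later in the thread.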

Αndré

Feel free to test the plugin; as far as I can tell it already works as expected. Don't forget to apply the above-mentioned changes from the SVN repository and then update your Coppermine database (update.php). Additionally, you have to replace
$plugin_cpg_version = array('min' => '1.5.22');
with
$plugin_cpg_version = array('min' => '1.5.20');
in configuration.php to be able to install the plugin at the plugin manager.

papukaija

Thank you for working on this so quickly and making a great plugin. There are just a few things that I'd change. Firstly, the session cookies fall IMO under the category of "strictly necessary" (UK's ICO considers shopping baskets, etc. as part of this category too), so I think it's safe to exclude them from the consent as otherwise the login won't work. Or is the session cookie used for something else than just the login status?

I also noticed that you're going to add some kind of "don't show this message again" link. For a short-run fix, what about a jQuery hide link or auto-hide (in 1 minute, for example)? I've also noticed that some websites remember the hidden status of the consent box and thus denial of cookies by a cookie... Finally, is it possible to make the "32 bit MD5 hash" translatable?

Otherwise, the plugin works very well. I've attached the Finnish translation to this message.

Αndré

Quote from: papukaija on June 02, 2012, 05:04:34 PM
the session cookies fall IMO under the category of "strictly necessary" (UK's ICO consider shopping baskets, etc as part of this category too) so I think it's safe to exclude them from the consent as otherwise the login won't work.
For publicly accessible galleries the session cookie isn't necessary to provide the service IMHO. I'm no lawyer and I don't see a reason why we should care about users who fear cookies.


Quote from: papukaija on June 02, 2012, 05:04:34 PM
a jQuery hide link or auto-hide (in 1 minute, for example)?
Never heard of that and don't know how it's supposed to work. Do you have some links?


Quote from: papukaija on June 02, 2012, 05:04:34 PM
is it possible to make the "32 bit MD5 hash" translatable?
Sure. But maybe someone has also a better (= less technical) explanation in general, like "32 digits string"?


Thank you for your contribution.

phill104

My personal take on this is it is not up to the application provider to provide the warning messages or checks. You as the webmaster should decide on your take on this and how you want to warn or deal with the cookies. IMHO, we should provide a list of cookies we set and what they do, but that is as far as it should go.

This is especially so as CPG is often only a part of a website, not the whole website. In that instance we do not need a warning for each application the website loads. Not trying to put down what Andre is creating here with a plugin, that is a great idea. I just think that it should not be part of the core, nor should CPG be under any obligation to provide scripts to advise users regarding the new laws. There are hundreds of free scripts to provide the message for you which you simply need to add to your theme if required.
It is a mistake to think you can solve any major problems just with potatoes.

Αndré

As far as I understand that directive nobody is allowed to store cookies without the users' consent. It's too late to display a message with your theme, as Coppermine already created at least 2 cookies at that point (the session cookie and the data cookie). It's up to the webmaster if he wants to use the plugin (which disables all Coppermine core cookies by default), display a message via the theme engine, use a separate page before the Coppermine gallery is displayed or ignore the directive generally.

I think we should provide a possibility to comply the EU directive (e.g. for Coppermine gallery-only websites and people who don't want to mess with that stuff themselves), especially as the plugin in combination with the code change already works.

phill104

I think we are working towards the same aim Andre, a plugin that users can choose to use or not. What is also interesting to note is a) how few sites have yet to comply and b) how many of those sites that suggest they comply actually do not as many place cookies before passing on the message especially things like GA etc.

Not exactly well thought through this new law but that is a discussion to be held elsewhere.
It is a mistake to think you can solve any major problems just with potatoes.

papukaija

Quote from: Αndré on June 20, 2012, 09:04:42 AM
Never heard of that and don't know how it's supposed to work. Do you have some links?
An element can be hidden by the .hide() function. Making it automatic is a bit more complicated, but this answer on Stack Overflow has a working code.

Αndré

That doesn't help, as the message will still be displayed on each page load. Additionally I don't see an advantage if the message hides itself after 1 minute. What we want is that the users concern themselves with that topic and then actively decide if they accept cookies or not.

Αndré

Please check SVN revision 8454. It adds the album password cookie and makes the "32 bit MD5 hash" string translatable.

papukaija

The new revision works perfectly! Attached is the updated translation.

Αndré

Please post everything regarding the plugin (contributions, bugs, etc.) in the plugin announcement thread. Thank you.