EU cookie law

  1. Clive Hoggar

    Posted 02 Aug 2012


    I have seen it said that the cookie which saves the state of the open items etc is a 'session' cookie.

    Does this really mean that it is stored on the server (and therefore not relevant to the EU cookie law), or is it stored on the visitor's hard drive (in which case I will have to get permission from the visitors at least for the first visit)?

    For most of my client websites, the PanelBar cookie is the only cookie on the site, so it would be handy if I could
    forget about it.


  2. Philip

    Posted 02 Aug 2012

    Hello Clive,
    Session cookies are set and stored on the user's device, but expire (and therefore are deleted) usually when the session closes, i.e. at the longest this would usually be when the browser is next quit.

    You need to assess the invasiveness of the cookie, whether it is strictly necessary for the operation of the site etc. but if it is a simple session cookie it is likely that it may be either:

    1) exempt as it is necessary (for instance maintaining a log-in, or keeping things in your shopping cart would be such)
    2) sufficiently simple and not overly invasive such that you may rely upon implied consent, which means you wouldn't need to ask first, but you would need to provide sufficient understandable information about your cookie use and use of private information, offer opt-outs if possible and links to third party policies if need be to enable choices that safeguard your users' online privacy.

    So, you can't forget about it, you should explain it, and make sure your users know the information is there.  The reason for this is that all consent must be informed consent (implied or explicit, the latter being the ask-before-placing-version). There's a strong element of education and awareness in the legislation and the onus falls on owners and designers, but you may be able to use implicit consent.

    I'd also be careful about assuming it is the only cookie being dropped unless you've actively checked.

    I'd better explain that this answer is based on this experience, and that we've found that most designers, SEOs, VAs and other web management people were way off when assessing whether their client sites had cookies. If you've installed any social sharing, video players, analytics, comment systems, etc. through plug-ins, modules or widgets it's almost certain you're serving tracking cookies or enabling them to be read (for instance if a user is logged in to Facebook when they visit your site, a Facebook like button etc. may read the cookie that is already on the user's machine).

    Not only that, but for instance, if you use common aggregators that allow users to like, tweet, update statuses, post etc. across third party services you'll often find it's not just their cookies you're setting, but their third party analytics cookies (from some other company like Quantcast) that you're setting too. And that can mean you're setting tracking cookies used for behavioural advertising, the more of this that there is, or if you link that data to personal information such that it might become identifiable, then the more likely it is you'll need explicit consent.

    If you've got a number of client sites you might find that an audit is a good idea and intro into compliance work for them, as it will provide the evidence you need to have a reasonable conversation about what work is needed to bring your client into compliance. There's a quick 90 second video on that link, and read the FAQ for a little more direct information for your situation as a provider.

    Hope that helps!
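
Added example, not part of the original posts: a small JavaScript audit helper that classifies captured Set-Cookie headers as session or persistent and as first- or third-party, which is the kind of active check the answer above recommends. The hostnames, cookie names and values, and the `siteDomain` parameter are constructed for illustration.

```javascript
// Added example. Hostnames, cookie names and values below are constructed.
// RFC 6265: a cookie with neither Expires nor Max-Age is a session cookie.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function lifetimeOf(attrs) {
  // Max-Age takes precedence over Expires; zero or negative deletes the cookie.
  if ('max-age' in attrs) return Number(attrs['max-age']) <= 0 ? 'deleted' : 'persistent';
  return 'expires' in attrs ? 'persistent' : 'session';
}

// siteDomain is the site's registrable domain, supplied by the auditor (assumption).
function auditCookies(siteDomain, responses) {
  const findings = [];
  for (const r of responses) {
    const firstParty = r.host === siteDomain || r.host.endsWith('.' + siteDomain);
    const party = firstParty ? 'first-party' : 'third-party';
    for (const header of r.setCookie) {
      const c = parseSetCookie(header);
      findings.push({ name: c.name, host: r.host, lifetime: lifetimeOf(c.attrs), party });
    }
  }
  return findings;
}

// Anything that is not a first-party session cookie deserves a closer look.
function needsReview(findings) {
  return findings.filter((f) => f.party === 'third-party' || f.lifetime === 'persistent');
}

// Constructed capture of one page load: each response's host and its Set-Cookie headers.
const sampleResponses = [
  { host: 'www.example.com', setCookie: ['panelState=1-3; Path=/; HttpOnly', 'old=; Max-Age=0'] },
  { host: 'social.example.net', setCookie: ['uid=abc123; Expires=Fri, 02 Aug 2013 00:00:00 GMT; Path=/'] },
  { host: 'stats.example.org', setCookie: ['seg=7; Max-Age=31536000'] },
];

console.log(needsReview(auditCookies('example.com', sampleResponses)));
```

The input would normally come from a browser's network capture of a fresh visit with an empty cookie jar, so that cookies set by embedded widgets show up alongside the site's own.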
