The new Cookie Law - is this web site compliant with it?

[Mark Tompsett]

I hate to be the bearer of bad news but, as I understand it, this web site (civicrm.org) now needs to comply with the New EU Cookie Law - see the ICO (Information Commissioner's Office) web site for full details... http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
This leglislation applies to any web site which serves users in the EU countries (which this web site quite clearly does) and, in the UK, it came into effect on 26th May 2011 but there was a 12 month grace period to become compliant, which expired over a month ago, ie on 26th May 2012.  I guess that means that this site is operating illegally by that legislation.

I have checked my browser and it is certainly storing several cookies for this web site.
To become compliant, it would need (1) a Privacy Policy, and (2) some code to ask the visitor if they want the site to store cookies on their browser.

I am working on Privacy Policies for the web sites for which I am responsible, and may be offer some advice on the subject, but if there is anyone in the CiviCRM community who is better qualified as a lawyer, particularly in this area of legislation, then I will graciously step aside and let them offer more authoritative advice than I can.

However, regarding the second point, this is a Drupal 7 site of course, and there are a couple of Drupal modules (see http://drupal.org/node/1153064 for a discussion) which are designed to address this specific requirement...

• http://drupal.org/project/cookiecontrol - which is for Drupal 7 only
• http://drupal.org/project/eu-cookie-compliance - which is for Drupal 5, 6 or 7.

As the sites I look after are a mixture of Drupal 6 and 7, I have gone for the second of these modules, to make my life easier.

Firstly, can someone please confirm or refute the point that this web site in particular needs to comply with this legislation?
Secondly, if so, someone with the appropriate authority needs to come up with a suitable privacy policy - I got the one I am using from here... http://www.seqlegal.com/free-legal-documents/privacy-policy for which I paid the £10 for their standard boilerplate privacy policy which I am tailoring to suit the various sites as appropriate.  (I looked for an existing Privacy Policy page on this site http://civicrm.org/search/node/privacy but could not find such a thing.)
Thirdly, someone with the appropriate rights needs to install one of these Cookie management modules on this site, with the appropriate link to the Privacy Policy page.

I hope I have posted this topic in the most appropriate Forum on this site, as I wasn't sure exactly where it should go.  It is not exactly Marketing and Promotion, for instance, but a compliance issue.

Mark   

[Mark Tompsett]

Having done just a little research I find that there are still an impressive range of high profile sites that do not appear to comply, eg amazon.co.uk, ebay.co.uk, google.co.uk are not compliant, and sites like that will be targeted by the regulator well before community sites like this.  In my very quick survey of high profile UK sites, the only site that I found to be actually compliant was bbc.co.uk
Indeed some 80% of sites are not compliant according to this.... http://www.computing.co.uk/ctg/news/2182328/eighty-cent-uk-organisations-compliant-eu-cookie-law
But see also http://www.computerworlduk.com/news/public-sector/3358554/ico-may-give-organisations-years-to-comply-with-eu-cookie-law/

My attitude now is that although this site probably does technically need to comply with the EU Cookie Law that it is so far back in the priorities for the regulator that we can afford to hold off implementing cookie management, but at the very least the site should have a Privacy Policy page somewhere.  I have tried searching for a Privacy Policy for this site... https://www.google.com/search?as_q=privacy+policy&as_epq=&as_oq=&as_eq=&as_nlo=&as_nhi=&lr=&cr=&as_qdr=all&as_sitesearch=civicrm.org&as_occt=any&safe=images&tbs=&as_filetype=&as_rights=#hl=en&lr=&as_qdr=all&q=privacy+policy+site:civicrm.org&oq=privacy+policy+site:civicrm.org&gs_l=serp.3...10495.12014.0.12907.7.7.0.0.0.0.52.240.7.7.0...0.0.qO8HTLNuwdE&pbx=1&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=a78cf0cc3a51342a&biw=1643&bih=891
.. but cannot find one, but at the very least I feel that it should have one.

Does anyone agree (or disagree)?

Mark   

[Hershel]

I am not a lawyer but in my opinion the EU Cookie Law can be ignored for now and a privacy policy is not important.

[EdP]

If anyone is interested in this, the UK Information Commissioner (enforcement body) has guidance here: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

However, the UK IC is generally the most relaxed of the Data Protection authorities in the EU and is unlikely to take firm action straight away. Other enforcement bodies in the EU are less relaxed.

As it happens the regulations are a nuisance, non-compliance is high and (as a general web user) I find all the "do you want cookies" pop-ups, banners etc very irritating, but that's just a personal view.

E