143 replies to this topic

[Dll]

Further to the thread in the customer lounge, it's seriously disappointing to see that IPB have backtracked on their published plans to comply with EU cookie legislation without any notice or announcement.

What this effectively means is that every single IPB site who have visitors from the EU are now in breach of the new cookie directive from tomorrow unless they take action to remedy it. Having been lead to believe upgrading to 3.3.2 would be all the action that was required, it's a serious problem.

When you look at what many of the major UK based websites have done, they're taking the new law seriously, and I'm shocked that IPB have decided neither to take any action or offer any guidance to their customers on what they need to do, particularly when taken in context with what Matt said in late April:

It technically doesn't matter where you are in the world. The EU would like for you to offer EU visitors the opt in/opt out/info regardless of where you are hosted.

I agree that it's all really dumb but as a software vendor we have a responsibly to ensure our software complies with these things.

I've done a lot of research into this and there are many exemptions where you don't have to ask for opt in permission and that's when the cookie is used in such a way that makes it vital to the application.

Really this is a browser level problem and it's utterly ridiculous to expect internet apps to 'fix' this but there you are. At some point browsers will have to include these rules and we can stop messing about with pointless javascript.

However, here's what I've done for IP.Board

Guests only get served a session cookie which is essential for the application and contains no identifiable information unless they decide to change themes or languages, etc. This means there isn't a need for pop-ups, overlays, banners, swooshing nag panels or any other of the head slappingly stupid suggestions the ICO offer.

When you log in, you make the user aware that doing so will set cookies and there is a link to the cookie policy. Same when registering.

At the bottom of the board there is a message "This site uses cookies: Cookie policy". Upon clicking this you're taken to a description of every cookie IP.Board will try and set along with a 'show contents' button if the cookie is set so you can review what is stored.

This barely scrapes in above the bare minimum needed to comply but lets be honest. The internet is a massive place and there are millions of websites. The EU law is almost impossible to police let alone effectively punish offenders. In addition, the ICO has said that it will not target sites that make an effort and have a clear cookie policy. Indeed, almost all the cookies IP.Board sets are exempt and contain zero tracking data and aren't shared with other sites so our software is very low risk.

My hope is that either the EU forces browsers to implement something or the whole thing is discarded as unworkable.

[Steven UK]

The sooner the UK move away from being directed by the EU, the better.

These directives are definitely coming into force? I have seen many similar situations regarding directives, and I would estimate that 99% of UK websites do not comply with them, mainly through lack of knowledge that they even exist.

Apparently from April this year, every single website in the UK had to have an SSL certificate if they are storing customer details. This was mentioned to me by a company who work directly with the government in the UK. Nobody has heard anything about it since.

To enforce such changes, would be near impossible.

[Dll]

Have a read of this:
http://www.ico.gov.u...de/cookies.aspx

[Steven UK]

Have a read of this:
http://www.ico.gov.u...de/cookies.aspx

Yes, but where did you see that link to the directive? How was it brought into your awareness? This is the first I have seen of it, and even in another 12 months 95% of website owners will still not have read it.

Ignorance is no excuse, of course, but to implement such rules amongst millions of websites, billions worldwide would be an impossibility.

Also, there are grey areas too. Trading in the UK, websites hosted in the UK, or using proxy international servers, etc. etc.? Most of the larger 'UK' websites, are not even UK based, nor is UK their first country, so clarification, and mass awareness is required for such directives to work, or even become public knowledge.

Governments all over the globe are still clueless on how to implement such regulations.

[Charles]

IPBs are not breaching EU law or any other law.

Software cannot violate a law: it is up to you to comply with your local laws. We provide a terms of service and privacy policy settings group in the AdminCP that you are free to edit to comply with anything you need to do.

IPS cannot and will not try to sort through all the myriad of laws around the world (especially one like this where no one is 100% clear on what to do or how it applies). It is nothing something we can do and, as I said, the requirement is on the site owner to ensure their entier site complies with any law or even business requirements they have.

This is why we provide policy pages you can easily edit in the AdminCP to include any notices or wording you, your attorney, or your company legal department advises are needed.

[Dll]

But that rather ignores the point made in my original post - Matt had clearly spelled out what IPB was doing to stay within the new EU directive, yet without any further announcement IPB have backtracked.

You're quite right, website owners need to make sure their sites comply, but since Matt said what he said, the very least you may have done is let your customers know that wasn't going to be the case and that they would need to implement their own strategy. Not a lot to ask I don't think, although I'm sure you'll disagree.

Us paying customers are just way too much of an inconvenience to IPB at times I think

Oh and fwiw, I assume IPB will be implementing something in the next 24 hours to comply on their own website, as it's down to them to comply with EU laws if people from Europe use their websites...

[Steven UK]

Charles is 100% correct. And I suspect such a stance will also be in the terms of usage policies for IPB customers. My company also supplies software that is used by end-users, and it is the responsibility of the USER of that software to comply.

[Charles]

Two more points: no one is really clear on this law. One person will tell you our software is already compliant someone else will tell you another. Reminds me of SEO

For example: the only cookies our software stores are temporary cookies needed for the software to function. They contain no personal information. The only time personally identifiable cookies are permanently stored in IPS software is if a user logs in and check the "remember me" box. I would say that's consent seeing as they checked a box specifically telling the software to remember, personally, who they are.

Going beyond that point: sure we could include all sorts of complicated language and options in the Suite standard but what happens the instant someone customizes anything? When you install a hook, application, alter the skin to put in ad code, etc. you are changing how our software behaves out of the box. Therefore anything we might include to try to comply with this, or any other random law around the world, becomes fruitless.

Therefore I still go back to the fact that compliances with your laws is something only you can do. We provide tools to help you do that of course.

[Dll]

That entirely contradicts Matt's post though Charles and tbh shows that you probably haven't read the guidelines either.

[Charles]

That entirely contradicts Matt's post though Charles and tbh shows that you probably haven't read the guidelines either.

Matt's post was made before we made in-depth research on this law, its implications, and the total lack of clarity throughout the EU on what it really entails.

I am afraid your simple link to a PDF does not really touch on the broader picture here

As I said, there are tools in the AdminCP for you to provide any sort of legal notices or disclaimers you may feel are needed for your locality.

[Dll]

Charles, I'll try to make this as clear as possible for you

1. The lack of communication is my issue, if further to Matt's post you researched further and decided to do nothing, then why not let your customers know? I've made this point several times now, would it be too much to ask you to address it, acknowledge you ought to have done or at least stop ignoring it?

2. My link was to the ICO website which has all the legislation and a whole range of guidelines, not just as simple pdf, it also has their cookie compliance implementation. Did you actually bother to click the link before commenting??

3. What is the broader picture you speak of? If you have that available to you and know more than the BBC, British Govt, and various other huge media companies with highly paid and qualified legal depts who have decided to take some form of action, please feel free to share it!

[Charles]

some form of action

We have never posted an announcement one way or the other about this. Matt's, or any other staff's, conversation in a topic is not really gospel ... IPS is very communicative with clients and we cannot always know what is said in conversation might be something we change our mind about later.

That is the key here. No one knows, exactly and without any sort of confusion, what should be done. In fact many people we have spoken to on the matter say IPB isn't even something that needs to comply and others say yes it is. Until the situation in the EU matures we cannot justify doing anything.

I of course hope that you are able to decipher it all and sort out what is best for your site.

[Alexia Smith]

For all our IPB sites that must comply with the EU cookie law all we had to do was provide a list of all the possible cookies that could be set to put on file. Everything else was in compliance.

[Charles]

Let me clarify that I am not being flippant about this law. I am merely saying that until the EU community can figure out very clearly what to do then IPS cannot justify any action . Do a search and you'll see a million legal opinions going in all different directions.

I would say if someone like Dll who has researched the law were to post clear things we should do that someone else would come along instantly and disagree. That is where our predicament is: clarity and agreement.

[Ryan H.]

I'm not sure what you're looking for... it seems to me they've already implemented most of what Matt stated unofficially back in April.

Login has an opt-in box for cookies, and a link to the privacy policy...


That link is also reproduced in the site footer...


and the policy contains a note on cookie usage.


What's missing that has you so upset?

[Dll]

That's not what matt described though, and doesn't conform to the new directive.

The directive is filled with grey areas and as Charles says, there are many differing opinions, guides and solutions out there, but it's also clear on many points mainly that sites should offering users clarity as to what cookies are, what they're being set for and how to block them.

Whether permission to set cookies is implied or explicit is a grey area, whether a website should offer a method of blocking cookies (other than telling users how their browser settings work) is another grey area, and I'm sure there are many other points which could be argued around, but from the guidelines it's clear that ICO want websites to at least do something - even if in the first instance that is providing a clear link with info on what cookies are being set and how to block them. (which is what Matt described)

A quick glance around major sites in the UK shows a range of options being taken on, but I still don't think that's a reason to do nothing.

[Ryan H.]

So you want the default policy to explain cookies and how they're used a little better.

[Rimi]

Originally 3.3.2 had a link to a cookies page which listed all the cookies the site uses. It was on one of the betas on IPS. In the corner it said "This site uses cookies" and had a link to that cookies page. It's gone now though and was replaced with the privacy policy. I prefer it this way honestly.

[Dll]

Originally 3.3.2 had a link to a cookies page which listed all the cookies the site uses. It was on one of the betas on IPS. In the corner it said "This site uses cookies" and had a link to that cookies page.

We have never posted an announcement one way or the other about this. Matt's, or any other staff's, conversation in a topic is not really gospel ... IPS is very communicative with clients and we cannot always know what is said in conversation might be something we change our mind about later.

?

[PSNation]

I have just put a big red box on my registration form explaining this and stating that by clicking the register button you are consenting to the website storing cookies.

Sorted.