Privacy_XH

[Hugorm]

Hi Christoph

Thank you for bringing back the demo.

You wrote: "Wouldn't that satisfy the Danish cookie law, if the Privacy Notice were conforming (it's just a normal CMSimple page)?"
IMO a clear "NO"! there are no information about cookies (informed acceptance).

Have a look at:
jyllands-posten.dk/service/policy/ (on perpose not a direct link).
I know it is in danish, but it indicates a process - with a lot of words.
Some danish technicians claime it is not enough to fullfill the law.
IMO it allso does not informe clearly about third party cookies.

Kind regards
Hugo

[cmb]

Hi Hugo,

IMO a CMSimple plugin shouldn't deliver any kind of extensive data privacy statement. This is something that has to be left to the webmaster. Only he know's about what's going on on his site. He may well have added external extensions (e.g. Google analytics or a Facebook like button), which might be have to be announced explicitly.

And of course delivering any form of privacy statement might be treacherous. I'm not a lawyer and so I can't guarantee that the text would conforming to current laws (even lawyers might not be able to guarantee that).

That's why I placed a link in the short message (can be changed in the language settings). So every webmaster can set up a privacy statement which is conforming to the laws he has to adhere to, and which can be adapted to his particular website.

BTW: the site you've posted is in no way conforming to any EU cookie law. I have no chance to tell them, that I don't want the Google Analytics cookies. There are automatically set with the first visit!

The law is amended privacy legislation that requires websites to obtain informed consent from visitors to store or retrieve any information on a computer or any other web connected device.

And that's what Privacy_XH is meant for: the technique to obtain this consent. The information has to be given by the webmaster.

Christoph

[Hugorm]

Hi Christoph

In many ways I agree with you.
A plugin is maybe the only possibilitet if one does not modify the core.
What ever the webmaster wants to show the informed acceptance must be the first to meet the visitor.
If the visitor does not accept cookies and you still want to show your pages you must remove any cookie - which is inpossible. Therefore if visitor does not accept then goodbye.

' This is something that has to be left to the webmaster. Only he know's about what's going on on his site. He may well have added external extensions (e.g. Google analytics or a Facebook like button), which might be have to be announced explicitly.'
Please: I'm the end user (webmaster) of the site - and I'm using CMSimple!?!

This is a good solution:
'That's why I placed a link in the short message (can be changed in the language settings). So every webmaster can set up a privacy statement which is conforming to the laws he has to adhere to, and which can be adapted to his particular website.'

BTW: the site you've posted is in no way conforming to any EU cookie law. I have no chance to tell them, that I don't want the Google Analytics cookies. There are automatically set with the first visit!
They don't comply with the danish law either - but they indicate a proces: first consent, then information and then an informed consent.

Problem:
1. how to make a concent reguest first object shown.
2. how to make linked information available securing no cookies.
3. how to optain a informed concent.
All to be done before you see the contents of the site.

Wish:
To have a CMSimple without cookies that require concent.

Kind regards
Hugo

[cmb]

Hi Hugo,

If the visitor does not accept cookies and you still want to show your pages you must remove any cookie - which is inpossible.

It is possible. It's only necessary to "guard" every plugin function you use (in the template or on a page) with some additional code. I have adjusted my demo to show that better. Please

• clear your browser cache (actually delete all cookies from 3-magi.net)
• surf to http://3-magi.net/demo/test/?Languages; you see the message, but no cookie is set
• surf to http://3-magi.net/demo/test/?Welcome_to_CMSimple_XH mark the checkbox and agree to the cookies; two cookies are set: "privacy_agree" and "tracker"
• surf back to http://3-magi.net/demo/test/?Languages; now a third cookie is set: "languages"

This 3rd cookie is set by the following plugin call on a page:

Code: Select all

{{{PLUGIN:privacy_guard('setcookie', 'languages', 'just a demo');}}}

The idea is the following: CMSimple_XH doesn't set cookies. So cookies could only be set by plugins. These plugins are called on a page or in the template. To avoid letting them set a cookie, one can simply avoid calling them at all, when the user has not yet agreed to use cookies.

A more practical example. Consider you're using Chat_XH on a page. Chat_XH stores some information in the session, which will typically set a cookie. So instead of calling:

Code: Select all

{{{PLUGIN:chat('my_chat');}}}

you call:

Code: Select all

{{{PLUGIN:privacy_guard('chat', 'my_chat');}}}

As long as the user has not agreed to accept cookies, the chat simply isn't displayed, but the rest of the page (for example some introduction to the chat). As soon as he agrees, the chat is displayed and the cookie is set.

The advantage of this method: a user can surf the site and look around even without agreeing to accept cookies. Maybe he notices that the site seems to offer a chat, which he is interested in (as he reads "Welcome to our chat; you have to accept cookies to use it"). So he agrees to accept cookies and is able to chat along. Compare that to a site where he has to agree first, before he even can see parts of the site. Agreeing to accept cookies might seem to buy a pig in a poke.

Please: I'm the end user (webmaster) of the site - and I'm using CMSimple!?!

CMSimple can't know, if you've manually included Google Analytics to the template. But if you have, you know, and you can add the necessary information to the privacy statement.

Problem:
1. how to make a concent reguest first object shown.
2. how to make linked information available securing no cookies.
3. how to optain a informed concent.
All to be done before you see the contents of the site.

You can replace the index.php in the installation folder of CMSimple with the following:

Code: Select all

<?php

if (isset($_COOKIE['cookies_agreed']) && $_COOKIE['cookies_agreed'] == 'yes') {
    include('./cmsimple/cms.php');
} elseif (isset($_POST['cookies_agree'])) {
    setcookie('cookies_agreed', 'yes');
    header('Location: .');
    exit;
} elseif (isset($_POST['cookies_noagree'])) {?>

<!DOCTYPE html>
<html>
    <head>

    </head>
    <body>
        <p>As you don't agree to accept cookies, you can visit our site!</p>
        <p>Bye!</p>
    </body>
</html>

<?php } else { ?>

<!DOCTYPE html>
<html>
    <head>

    </head>
    <body>
        <p>HERE COMES THE PRIVACY STATEMENT</p>
        <form action="./" method="post">
            <p>Do you agree to accept cookies?</p>
            <input type="submit" name="cookies_agree" value="Yes">
            <input type="submit" name="cookies_noagree" value="No">
        </form>
    </body>
</html>

<?php }?>

Wish:
To have a CMSimple without cookies that require concent.

If you have a plain CMSimple_XH 1.5.5 (without additional plugins or extensions) there are no cookies (I'm about 99% sure; this has to be checked thoroughly). And if I'm not mistaken that's the same with CMSimple 4.0.x. Only the admin will get cookies, but as the admin is the webmaster, he doesn't have to be explicitly informed.

Christoph

[Hugorm]

Hi Christoph

Thank you for the effords and considerations.

Somewhere I get lost. I can easealy understand the ideas - but.

I tried 3-magi.net/demo/test/?Languages.

I see the intro requisting 1. cookie and I see the description beneath the intro.
I press Welcome.. and the languages part is changed to the oiriginal start page.
I press languages and the text is the same as first time.

I find no description of a cookie and it's removal.

If I press continue on the cookie intro nothing seems to happen, no warning that I agree is not selected.

Could it be an idea to show the cookie contents on the test site?

Im using Firefox 18.0.1, Private browsing, allow cookies, no tracking.

Kind regards
Hugo

Ps. I wrote: inpossible - ofcource I mean IMPOSSIBLE. Quard maybe - what about links to third party they are too 1.webmaster's responsibility

[cmb]

Hi Hugo,

If I press continue on the cookie intro nothing seems to happen, no warning that I agree is not selected.

Yes. That's something I should improve.

Could it be an idea to show the cookie contents on the test site?

Good idea! I've done this in the newsbox on the right hand side on the bottom of the page.

Somewhere I get lost.

I tried to improve the demo a bit. The basic idea is, that on the "Languages" page there's a plugin call. This simulated plugin would set a cookie, when actually called. So the call is guarded, and will only be done, after the visitor has agreed to accept cookies.

You can see this when you delete all domain cookies from 3-magi.net and go to http://3-magi.net/demo/test/?Languages. Below the short privacy message you see:

Languages

The standard download of CMSimple_XH from version 1.5 onwards comes with English and German language files only.

When you agree (mark the checkbox and press the button), you will see the "plugins" output:

Simulated Plugin

Without having agreed to accept cookies, you will not see this paragraph.

I find no description of a cookie and it's removal.

As I said: this has to be added manually by the webmaster on the page which is linked from the privacy message box. I'm just too lazy to do now.

what about links to third party they are too 1.webmaster's responsibility

Do you refer to third party cookies? These are actually invisible to CMSimple (as Collusion shows, they could be seen; but that requires much effort). Let me explain: for security reasons cookies are handled completely separate for each domain. So when CMSimple runs on http://example.com it neither can read nor write cookies from any other domain (e.g. facebook.com). The cookies used by third parties are usually set in an IFrame that points to the third parties domain. The only ones who know which third party cookies are used, are the third party and the webmaster who embed such an IFrame (actually mostly some JavaScript, which will embed the IFrame).

BTW: there are no third party cookies in use on 3-magi.net, unless you click the greyed out buttons in the header of http://3-magi.net.

Christoph

[Hugorm]

Hi Christoph

I really like what I see on the demo.
I fully agree with the laziness (only once please)

There are a couple of things on my mind at the monent:
Can we find a clever sign showing the status of 'informed concent' (in the header like the search box maybe).
(Maybe just a switching color change)

Third party pages/plugins - OK for 1.webmaster to have to find out - but what about links?
So far I choose to show links with no direct linking (even for legacy).


Kind regards
Hugo

[cmb]

Hi Hugo,

Can we find a clever sign showing the status of 'informed concent' (in the header like the search box maybe).

Do you mean signalling, that the user has already agreed to accept cookies? This could be easily added, either in place where the privacy message is shown, or as a separate plugin call.

but what about links?

Do you mean links to external websites? There is another plugin ExLink_XH. After clicking a link a message is shown that the visitor leaves the site and he has to confirm. As the text of this message can be configured in the language settings, you can change it to some kind of disclaimer.

Christoph

[Hugorm]

Hi Christoph

Yes, I mean signalling 'cookie accept status' (both yes and no) in as small yet visible a space as possible.

And yes I talk about links to external websites.
IMO I (the 1.webmaster) am responsible for the complience of the cookie law on any external links.
I will get the fine if the external website (I link to) do not comply to the cookie law of the country of its origin.

Somehow I have to secure that I'm not at any risk when linking to other websites.
When I don't do a hyberlink I'm not to blame - but it is poor service to the visitor.

Kind regards
Hugo

[Hugorm]

Hi Christoph

Now I have tried to set up your code (for the time being) at: 114pc.dk/edbtst.

2 points:
1. notice what IMO have to be informed BEFORE the cookie question yes/no.
2. notice the amount of data in the sample link.

How to integrate all this in to a (CMS)simple site?

Kind regards
Hugo