Blackbaud Europe: EU legislation changes around cookies

Posted by Robert McAllen to Blackbaud Europe on May 20th, 2011

I’ve had a lot of enquiries about the new changes to how websites can store cookies, which the European Union has announced and will be putting into place on the 26th of this month. I wanted to put something up here so that we can help allay fears of Blackbaud Europe customers around use of our Blackbaud NetCommunity product especially.

The government has issued some advice already on the subject which should help, but how does this affect your CMS? Well let’s look at the areas which use cookies in the Blackbaud NetCommunity product first of all:

Content Comparison
Suggested Content
User Login
Payment part (1 and 2)
Poll
Survey
User Networking Manager
Language Selector

Now the easiest thing to do is obviously not to use any of these parts, but that kind of defeats the purpose of buying the product, doesn’t it? So anyway, what you need to know is…

The information Commissioner, Christopher Graham, has this to say on the subject:

“The implementation of this new legislation is challenging and involves significant technological considerations. That’s why we’ve already consulted a wide range of stakeholders. But we want to spread the net as wide as we can and would welcome further comments from others who have practical examples to share. This advice is very much a work in progress and doesn’t yet provide all of the answers.”

Although we are only a few weeks away from this coming into effect, it seems like we’re not to panic. The Culture Minister, Ed Vaizey, also had the following to say on the subject:

“The Government is clear that it will take time for meaningful solutions to be developed, evaluated and rolled out. We recognise this could cause uncertainty for businesses and consumers. Therefore we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.”

So we’re not quite there with all options. First thing to consider is the fact that if a client signs up to your site (creates a user name) and has agreed to all of your terms and conditions, then this could be one of them. It needs to be an opt-in for this as the advice states that you cannot add it to the terms and assume that people have read them. So anything behind the login is fine and compliant under the regulations. So we’re just really talking about those who have not received a user name for your site and anonymous users.

The previous rules around cookies were that you had to tell people how to use cookies and tell people how to opt out. The new rules state that the user is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information and has given his or her consent.

Now if someone has a modern browser such as Firefox 4 which allows the user to choose which type of cookies they can use, then this will be deemed as express consent. But what if someone is using an older browser? What you have to realise at this point is that your organisation has an obligation to ask for permission from the end users.

So how does this directly affect our Blackbaud NetCommunity product? Well it’s worthwhile looking at the ways we store cookies and how they work/what they store:

1. Content Comparison – This area does not store any personal information and is purely used to decide which content is better received. The cookie is there purely to make sure that the user has the same experience each time, so it could be argued that this falls under the exception – for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

2. Suggested Content - Similar to content comparison; no personal details stored–just a way to make the experience better. What this cookie does do though is it remembers those who have been on the site from your machine and tries to tailor the content (so nothing about the use, just the info on what they have visited). If the user chooses to log in at this point, then it once again is no longer valid.

3. User Login – Only stores info when asked, so fits within the rules.

4. Payment part (1 and 2) -Info here is stored purely on a transactional basis and is covered under the exception that states that there is no need to do this if the info stored is ‘strictly necessary’ for a service requested by the user, such as a donation.

5. Poll - This cookie records whether someone has taken a poll so that they can’t skew results. No personal data again, and if the poll is behind the login we’re still fine.

6. Survey - Same as polls

7. User Networking Manager – Need to be logged in to use this area and thus behind the T&C’s

8. Language Selector – This is another area which could easily come under the ‘for the sole purpose of carrying out the transmission of a communication over an electronic communications network’. The purpose of this area is to remember which language the person used previously and not make them have to do it again.

I hope this helps to allay the fears people may have around this area and makes it a little clearer for you. I’m sure this is going to change as the government works more on this, but I believe this is where we are today.

Feel free to comment on this below and also – I suspect that no one will need to go to the extremes shown here by Dave Naylor.

http://twitter.com/heyjames James Heywood

Thanks for the info Robert. It’s a shame that we now have to hide some of these parts in the log-in area.
- http://twitter.com/robmcallen Robert McAllen
  
  It may come to that James but I think the government is trying to work out what this means for websites right now. We’ve had feedback from some people at the Information commisioners office which stated that things like the info on the donation form is fine as it’s neccesary for the functioning of the site. It’ll all come out in the wash I’m sure but it’s an area to keep an eye on as I suspect that things will change as it comes into effect.
Kirsty Shanahan

Hi Robert,
What happens if a user says no to cookies? Does their login attempt fail? Do we need to build a page that does this, or is it being put into the login functionality? I am not a techie so I am not clear how to implement this if a user declines – it’s all very well putting text on the site to say that we set cookies once they log in, but if they refuse the cookies where do they go next and what does the site do at the back-end?

Thanks.
- Robert McAllen
  
  Good question Kirsty. Importantly right now we’re still not completely clear on what needs to be done (as a continent not just Blackbaud).
  
  Some of the functionality is reliant on Cookies but not everything. User Login will only store info when it asks the user so that will be fine. If someone says they no longer want any cookies stored then they will severely restrict what they can and cannot do on the web from then on till new technology comes into place.
  
  This is the reason why there has been such a delay in implementing this stuff – Unless the EU can show a viable alternative for the functionality then it’s going to be hard to implement.
  
  It’s still a watch this space right now although you’ll find lots of info on the subject online which may bridge some more of the gaps.
Nick Moss

Hi Robert

We are currently creating a page explaining the use of cookies across our domains and we are explicitly listing each cookie, giving the name, typical value, expiry date/time and also which of the 4 categories listed in the ICO document the cookie falls into. Do you have this information on the cookies used by Blackbaud, as we use your product on our site?
I have found some by browsing, but you have listed 8 types above.
Any help would be appreciated.

Nick
- Robert Mcallen
  
  Nick,
  
  I will be publishing some info over the next couple of days on where we stand with this and I will make sure I update you as soon as I have the info we need.
  
  Thanks
  
  Robert
- Robert Mcallen
  
  Nick the new info is here -
  http://www.blackbaudvoice.co.uk/email/eu-cookies-and-blackbaud-software.htm
Kirsty Shanahan

Hi Robert,
What is your advice to your clients regarding Google Analytics? On our external website we will have to implement a cookie consent bar on the homepage otherwise we will have to switch off Google Analytics. Is that your understanding as well, and if so, are Blackbaud developing a cookie consent bar for NetC?
Thanks,
Kirsty
- Robert Mcallen
  
  Kirsty,
  
  Having looked at the Google response to this and spoken with people at Google they are very much taking the view that as these are analytic cookies they will not be top priority under the legislation. I have actually now published an updated version of the above post (in the last week) with more info. Please take a look here -
  
  http://www.blackbaudvoice.co.uk/email/eu-cookies-and-blackbaud-software.htm
  
  Hope this helps.
  
  Thanks