Has anyone else started to think about how this affects euorpean sites and standard umbraco installs....
My initial investigations seem to suggest that Umbraco stores a few cookies for the enduser... several of which can be claimed to be "required for site functionality" - like the asp.net session state cookie.
However, there are also others, like the check for umbraco update etc that could be construed should be able to be suspended if the end user says no to none essential cookies... Should there be a mechanism to turn off all none essential cookies?
UMB_UCONTEXT, UMB_UPDCHK are the two that look to be umbraco...also seeing a X-Mapping-hinipbnn anyone know if this is umbraco...
Mabe a wiki on umbraco and cookie usage is required so us EU sites can use that as our response to the new EU law.
The basic cookies that Umbraco sets are I believe all exempt from the legislation.
The ASPNet session id cookie is exempt, as without it, cookies and sessions (as well as several key features of asp.net) won't work, limiting you to the simplest of applications (as without them you can't store state).
UMB_UCONTEXT stores an id, which is needed to use the CMS, so again its ok. Also, it doesn't store anything personally identifiable about the user.
UMB_PANEL stores the dimensions of the UI panel, so again its exempt, as there's nothing personally identifiable about it and it's needed for the correct functioning of the CMS the user is accessing.
UMB_UPDCHK is another cookie that just stores on-identifiable config info, and you can disable it in the umbracoSettings if you really want to, all it does is let the system know the next time to check for updates
The X-mapping cookie is nothing to do with Umbraco as far as I know.
A few of the 3rd party data types also set cookies, but again they are just settings etc and are required for the correct operation of the data types (the Multi Node Tree Picker in uComponents is an example of this).
I think the key is section 4 of the rulings, which state that the cookies are exempt when:
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The cookies are set by the back office, and if you're using the CMS, you want to use the "service" that it provides. As all of the cookies set by the back office are to do with the functionality of the CMS, you're covered.
Great reply Tim. I wasn't aware of the uComponents MNTP cookie (since I'm not the original dev for it). :-)
Interested fact here is that the cookielaw.org website itself is powered by Umbraco... which would suggest that the CMS is very capable of controlling its cookies.
I've done a lot of looking into this, as several of my larger corporate clients have carried out checks and investigations into the law as part of their compliance checks!
Front end cookies are a different matter entirely of course! But for the most part a CMS back office is exempt as you can't really argue that anyone using it doesn't want to use the service provided!
It is true that any cookies that are only going to be encountered by people logging into the back end are unlikely to require consent - presuming that those using the back end are doing so as part of their responsilbilities to maintain a site. The law is designed to protect the privacy of people visiting the front end of the website.
As regards the ASP.NET Session ID - there is currently some uncertainty as to whether you need consent for this in certain countries. France have suggested that it does meet the 'strictly necessary' rule, but the UK is perhaps less clear on that at the moment - we are waiting from some revised guidance from the UK authorities on this.
However guidance does suggest that in some cases even where a cookie is strictly necessary it would be good practice to tell visitors about it.
What would I think would be very useful is if the umbraco team could publish a list of all umbraco generated cookies and what their purpose is. It would also help to have this from any plug-in/add-on providers - it would help umbraco users ensure their sites are compliant with the law.
@Richard, useful info, thanks! I think the cookies that we mention here are the only ones that are set by the core Umbraco Back office (that I'm aware of). Maybe set up a thread on the forums an publicise it on Twitter and see if you can get the package devs to list the cookies that they use?
The law is becoming a lot clearer on this issue now. We believe that core server side cookies, without which the site would not work, would fall into the 'strictly necessary' catgegory under the law. This means that you don't need to get consent to use them, so they don't need to be disabled. However it is still a good idea to tell people about them.
However, these cookies must only be used for the purpose of making the site work. If they are used to collect user data in any way that is not part of core functionality - then consent is still needed.
What we still need however is more infomtion about what all these cookies actually do.
I wasnt referring to the legal part, but the technical. How does http://www.cookielaw.org/ run without any cookies, and still make the Umbraco backend work?
If I configure the site to run cookieless or without sessionstate umbraco wont work.
Besides I'm not sure if all countrys' legal texts includes the 'strictly nessesary' category!
Short answer, it doesn't. The Umbraco back office won't work without cookies (and neither will any other CMS for that matter). The key here is that you can set cookies that are essential to provide a service that a user has signed up for.
The back office cookies are only set in the back office of Umbraco. If you're using the back back office, you're wanting to use the CMS, so you can set cookies (as long as they're just for making the back office work, which in Umbraco's case they are).
I don't have access to their server, but I'd guess they have session state disabled on the front end and enabled just for the back office folder. Then for al the other bits of code that set cookies (google analytics etc) they're only adding the code to the page if you've said yes to cookies.
I'm aware that the backend cannot function without cookie, which is fine. I want to do a similar setup where the frontend users will not be getting any cookies at all.
You might not be able to answer this, but how do you set up IIS to not use cookies for frontend, but allow them for umbraco backend?
I have only been able to either enable or disable cookies for the entire site.
The strictly necessary category is in the original Eu directive so it should be transposed to each local law.
the http://www.cookielaw.org site does not run completely without cookies - the front end of the site only loads strictly necessary cookies unless consent is given.
How that is done is via our Javascript consent bar - which is available to licence on any website. :)
Anyone logging in to the back end will have cookies set - but as that would be a site admin doing their job, then it is not necessary to block these cookies.
Still not sure Im conviced though. Using Chrome Dev tool Im not able to detect ANY cookies at all from cookielaw.org, until I press allow. Then I can detect the usual __utmX cookies, a pid and the CookieLawCompliance, which indicates that I have accepted.
Before pressing allow, there is no cookies at all. I would like to replicate this exact behaviour, but the only way I can think of is disabling sessionstate, which breaks umbraco backend!
Hmm after going back to my test setup it seems I had made a mistake.
For some reason I had concluded that even on the frontend the session cookie was always used when running with sessionstate on, but that must have been a mistake. I am now able to reproduce the same behaviour used cookielaw.org, without breaking umbraco. :)
We have an Umbraco-developed website. Provided I clear cookies after using the Umbraco editor, the only cookies that I can then see are those associated with Google Analytics on our website, i.e. _utma, _utmb, _utmc and _utmz.
Lots of people seem to think that the Google cookies are a problem, which would appear to kill off Analytics!
On page 27 there is a very interesting section, which ends with "Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
This sounds like a "Google get-out" clause to me but I would be very interested to hear what others think of the whole paragraph.
Regards, George
Apologies, I posted this on another thread and then realised this one is more appropriate and still alive.
I'm pretty sure this cookie law is for 3rd party cookies only as stated on the cookielaw.org website. Though TBH I haven't read a ton more. Umbraco only sets cookies for what it requires, doesn't set things for other domains, etc...
"The issues surrounding the new EU Privacy Directive are far reaching, however most websites simply need to offer opt-in consent to set 3rd party cookies on user PCs"
"On 26th May 2012 all UK websites must offer users opt-in consent tools to allow cookies that pass information about your browsing activities to 3rd parties"
Reasonably certain these laws only pertain for those cookies that specify access from and to multiple domains... this is how tracking works. If domains are specifically specified on creation, then only the current domain can access (not even a sub domain).
Umbraco and the new EU Cookie law/directive
http://www.cookielaw.org/the-cookie-law.aspx
Has anyone else started to think about how this affects euorpean sites and standard umbraco installs....
My initial investigations seem to suggest that Umbraco stores a few cookies for the enduser... several of which can be claimed to be "required for site functionality" - like the asp.net session state cookie.
However, there are also others, like the check for umbraco update etc that could be construed should be able to be suspended if the end user says no to none essential cookies... Should there be a mechanism to turn off all none essential cookies?
UMB_UCONTEXT, UMB_UPDCHK are the two that look to be umbraco...also seeing a X-Mapping-hinipbnn anyone know if this is umbraco...
Mabe a wiki on umbraco and cookie usage is required so us EU sites can use that as our response to the new EU law.
The basic cookies that Umbraco sets are I believe all exempt from the legislation.
The ASPNet session id cookie is exempt, as without it, cookies and sessions (as well as several key features of asp.net) won't work, limiting you to the simplest of applications (as without them you can't store state).
UMB_UCONTEXT stores an id, which is needed to use the CMS, so again its ok. Also, it doesn't store anything personally identifiable about the user.
UMB_PANEL stores the dimensions of the UI panel, so again its exempt, as there's nothing personally identifiable about it and it's needed for the correct functioning of the CMS the user is accessing.
UMB_UPDCHK is another cookie that just stores on-identifiable config info, and you can disable it in the umbracoSettings if you really want to, all it does is let the system know the next time to check for updates
The X-mapping cookie is nothing to do with Umbraco as far as I know.
A few of the 3rd party data types also set cookies, but again they are just settings etc and are required for the correct operation of the data types (the Multi Node Tree Picker in uComponents is an example of this).
I think the key is section 4 of the rulings, which state that the cookies are exempt when:
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The cookies are set by the back office, and if you're using the CMS, you want to use the "service" that it provides. As all of the cookies set by the back office are to do with the functionality of the CMS, you're covered.
:)
Great reply Tim. I wasn't aware of the uComponents MNTP cookie (since I'm not the original dev for it). :-)
Interested fact here is that the cookielaw.org website itself is powered by Umbraco... which would suggest that the CMS is very capable of controlling its cookies.
Cheers, Lee.
@Lee haha, I didn't spot that!
:)
I've done a lot of looking into this, as several of my larger corporate clients have carried out checks and investigations into the law as part of their compliance checks!
Front end cookies are a different matter entirely of course! But for the most part a CMS back office is exempt as you can't really argue that anyone using it doesn't want to use the service provided!
:P
Great post and great answers thanks as a newbie to umbraco I must say i find the forum a fanstastic resource , well done all
I am responsible for the www.cookielaw.org website.
It is true that any cookies that are only going to be encountered by people logging into the back end are unlikely to require consent - presuming that those using the back end are doing so as part of their responsilbilities to maintain a site. The law is designed to protect the privacy of people visiting the front end of the website.
As regards the ASP.NET Session ID - there is currently some uncertainty as to whether you need consent for this in certain countries. France have suggested that it does meet the 'strictly necessary' rule, but the UK is perhaps less clear on that at the moment - we are waiting from some revised guidance from the UK authorities on this.
However guidance does suggest that in some cases even where a cookie is strictly necessary it would be good practice to tell visitors about it.
What would I think would be very useful is if the umbraco team could publish a list of all umbraco generated cookies and what their purpose is. It would also help to have this from any plug-in/add-on providers - it would help umbraco users ensure their sites are compliant with the law.
Richard (@TheCookieCrunch)
@Richard, useful info, thanks! I think the cookies that we mention here are the only ones that are set by the core Umbraco Back office (that I'm aware of). Maybe set up a thread on the forums an publicise it on Twitter and see if you can get the package devs to list the cookies that they use?
One of our own websites has these cookies that I think are all Umbraco - slightly more than listed above:
UMB_PANELSession
UMB_PREVIEWPersistent
UMB_UCONTEXTPersistent
UMB_UPDCHKPersistent
umbPanel_pHeightSession
umbPanel_pWidthSession
Would we expect all umbraco cookies to have the 'umb' prefix? It would be very helpful for identification purposes.
@Richard:
How do you disable frontend cookies including the session cookie, without breaking the Umbraco backend?
Regards
Nicolai
@Nicolai
The law is becoming a lot clearer on this issue now. We believe that core server side cookies, without which the site would not work, would fall into the 'strictly necessary' catgegory under the law. This means that you don't need to get consent to use them, so they don't need to be disabled. However it is still a good idea to tell people about them.
However, these cookies must only be used for the purpose of making the site work. If they are used to collect user data in any way that is not part of core functionality - then consent is still needed.
What we still need however is more infomtion about what all these cookies actually do.
@Richard
I wasnt referring to the legal part, but the technical. How does http://www.cookielaw.org/ run without any cookies, and still make the Umbraco backend work?
If I configure the site to run cookieless or without sessionstate umbraco wont work.
Besides I'm not sure if all countrys' legal texts includes the 'strictly nessesary' category!
Nicolai
@Nicolai,
Short answer, it doesn't. The Umbraco back office won't work without cookies (and neither will any other CMS for that matter). The key here is that you can set cookies that are essential to provide a service that a user has signed up for.
The back office cookies are only set in the back office of Umbraco. If you're using the back back office, you're wanting to use the CMS, so you can set cookies (as long as they're just for making the back office work, which in Umbraco's case they are).
I don't have access to their server, but I'd guess they have session state disabled on the front end and enabled just for the back office folder. Then for al the other bits of code that set cookies (google analytics etc) they're only adding the code to the page if you've said yes to cookies.
Thanks Tim
I'm aware that the backend cannot function without cookie, which is fine. I want to do a similar setup where the frontend users will not be getting any cookies at all.
You might not be able to answer this, but how do you set up IIS to not use cookies for frontend, but allow them for umbraco backend?
I have only been able to either enable or disable cookies for the entire site.
Nicolai
The strictly necessary category is in the original Eu directive so it should be transposed to each local law.
the http://www.cookielaw.org site does not run completely without cookies - the front end of the site only loads strictly necessary cookies unless consent is given.
How that is done is via our Javascript consent bar - which is available to licence on any website. :)
Anyone logging in to the back end will have cookies set - but as that would be a site admin doing their job, then it is not necessary to block these cookies.
Thanks for the reply Richard.
Still not sure Im conviced though. Using Chrome Dev tool Im not able to detect ANY cookies at all from cookielaw.org, until I press allow. Then I can detect the usual __utmX cookies, a pid and the CookieLawCompliance, which indicates that I have accepted.
Before pressing allow, there is no cookies at all. I would like to replicate this exact behaviour, but the only way I can think of is disabling sessionstate, which breaks umbraco backend!
Nicolai
Hmm after going back to my test setup it seems I had made a mistake.
For some reason I had concluded that even on the frontend the session cookie was always used when running with sessionstate on, but that must have been a mistake. I am now able to reproduce the same behaviour used cookielaw.org, without breaking umbraco. :)
Anyway thanks for the replies.
We have an Umbraco-developed website. Provided I clear cookies after using the Umbraco editor, the only cookies that I can then see are those associated with Google Analytics on our website, i.e. _utma, _utmb, _utmc and _utmz.
Lots of people seem to think that the Google cookies are a problem, which would appear to kill off Analytics!
However, I have just noticed that, on www.ico.gov.uk/.../cookie_rules_prepare.aspx,
the ICO has recently (13 Dec 2011) updated it's advice on "the new cookies Regulations" in a 27-page PDF file, atwww.ico.gov.uk/.../...new_cookies_regulations.ashx
On page 27 there is a very interesting section, which ends with "Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
This sounds like a "Google get-out" clause to me but I would be very interested to hear what others think of the whole paragraph.
Regards, George
Apologies, I posted this on another thread and then realised this one is more appropriate and still alive.
I'm pretty sure this cookie law is for 3rd party cookies only as stated on the cookielaw.org website. Though TBH I haven't read a ton more. Umbraco only sets cookies for what it requires, doesn't set things for other domains, etc...
"The issues surrounding the new EU Privacy Directive are far reaching, however most websites simply need to offer opt-in consent to set 3rd party cookies on user PCs"
"On 26th May 2012 all UK websites must offer users opt-in consent tools to allow cookies that pass information about your browsing activities to 3rd parties"
Reasonably certain these laws only pertain for those cookies that specify access from and to multiple domains... this is how tracking works. If domains are specifically specified on creation, then only the current domain can access (not even a sub domain).
is working on a reply...