EU Cookie Legislation and ExpressionEngine

In 80 days the new EU legislation on web browser cookies grace period will end in the UK. As of May 26, 2012 “if you are not compliant or visibly working towards compliance, you run the risk of enforcement action, which can include a fine of up to half a million pounds for a serious breach.” (via EU Cookie Law Explained)

In short, you need to get consent from your website visitors to store cookies on their computer. From The Cookie Collective:

It has been designed to protect online privacy, by making consumers aware of how information about them is collected by websites, and enable them to choose whether or not they want to allow it to take place.

It started as an EU Directive that was adopted by all EU countries on May 26th 2011. At the same time the UK updated its Privacy and Electronic Communications Regulations, which brought the EU Directive it into UK law.

Each EU member state has done or is doing the same thing. Although they all have their own approach and interpretation, the basic requirements of the directive remain the same.

EE developer Andy Marshall (you might know him as “moogaloo”) wrote about this on his blog and the implications it has for users of ExpressionEngine.

The law requires all non-essential cookies not be dropped until the user explicitly opts in. The definition of non-essential seems pretty vague - some people see eCommerce cart cookies as essential and therefore exempt from the laws, but I’m not sure if that’s been categorically confirmed. And what about ones that are hard coded into a CMS that, whilst largely benign, would be hard to argue are essential to the site’s functionality.

ExpressionEngine - our CMS of choice - for example uses 3 cookies to track a users recent activity, last visit and general site movements. None of these record a person’s email, name or other identifiable details, merely their browser session on your site, but are all non-essential to the site.

I do not live in the EU and I am not an expert on this law but it seems like is a lot of gray area here in how the law requirements are interpreted.

So, what is going to happen to sites running ExpressionEngine? I don’t know but hopefully everyone will be able to comply before the May deadline. In another blog post today, Andy Marshall again covers the topic of the legislation and EE. He wonders what EllisLab is doing about it (if anything).

The problem is, ExpressionEngine uses 3 cookies by default and they can’t be turned off. They don’t do anything that concerns me, but the fact they can’t be removed from the core EE installation does. By using an ExpressionEngine site, I am now making a site uncompliant with a very real law that will require sites to run without non-essential cookies.

Andy called on EllisLab to address this problem. In the comments Steven Grant linked to a EE support thread that shows that EllisLab is aware of the problem and, as of the last update in January, plan to work on the issue and address it so everyone who in affected by the EU leglisation can comply. Robin Sowell, a software engineer at EllisLab replied:

We’ve reached the discussion stage on it- it was already on our radar. We haven’t started coding on it, and our plans aren’t currently firmed up, but we do know the deadline is looming. But yes- we do intend to give our users a way to comply with the cookie requirement. At least on the frontend, EE will need to be able to run cookie free, and I’m thinking some posts on different ways to honor the requirement will likely be needed as well. And yes- right now, there’s no way to totally disable cookie setting.

Hopefully in the next 80 days we’ll have more updates about the progress EllisLab is making on making the frontend of EE cookie free.