Ask HN: Do you ask to use cookies or check IP?
Until today I had no problem throwing Google Analytics on a site, same with Facebook for a share button (not sure if this uses a cookie).
Recently when I figured out how to use cookies and now use it for tracking/faster lookup for site usage... I came across the thing of "asking for permission to use cookies" ahh... this is like the noscript/accessibility/modifying social media buttons thing...
Is this something to be concerned about? For me it's not a credentials thing, though it is an identifying thing, just for easier database lookup to update the user's interaction with a site ie. pages visited, scrolls, stuff clicked on... for data driven dev.
I do intend to put the question but it seems like an annoying thing for them to deal with. When I see it I'm like "Ahh..." and don't click them myself. But I've seen very few sites ask.
Edit: I think the most useful thing I've found for cookies is the persistence for example using guides to use your website to help people get used to how it works. Then they only see it once until the cookie expires.
I realize that's probably the definition/reason for cookies is persistence.
58 comments
[ 3.2 ms ] story [ 109 ms ] threadThis is exactly what the law is targeting, using cookies to track users.
Realistically, as long as you don't and have no plans to do business in the UK (Edit: EU, not just the UK) you should be fine. But it can't hurt to put small notice to be safe.
Our site is deployed in the Philippines (though does no use a .ph domain) so I wonder if the UK thing would even apply. Currently no products/associated with the site so no "business" not even ads at this time.
https://www.cookielaw.org/the-cookie-law/
> It started as an EU Directive that was adopted by all EU countries in May 2011. The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then updated its own laws to comply. In the UK this meant an update to the Privacy and Electronic Communications Regulations.
...
> All websites owned in the EU or targeted towards EU citizens, are now expected to comply with the law.
Interesting... it's like when you sign up for those discount cards at stores, do I see some law somewhere that says "By the way we collect and sell your data for money which can potentially be used against you in the future to deny you health care..." I don't know... out of my field here... but. Interesting, probably worrying about nothing as usual.
Like worrying about modifying the icons of big social media sites... what blog/website doesn't create their own version/theme of those buttons...
Yeah I'm not clear on that definition of business, if your site has ads, it's meant for the Philippines, and a person in the EU visited your site, and you made money from those ads... is it my fault? Doesn't Google Adsense have to know the content of my site and the visitor to serve ads... Ahhhh
It's mostly to update tracking data regarding site usage and not overwrite existing entries
What does that mean to "track" haha, I don't mean location. Identifying... unique
that's how you make money... if only I could read people's minds as they dreamt... cue the exploding egg (Futurama)
"You don't have to respect it if you are not in the EU."
Like most of these silly laws, it depends how big you are, Google couldn't get away with it but 99.9% of smaller websites could.
It's no different than physical products. If you produce and ship your product locally to the local market that is not part of the EU and someone exports your goods to the EU, it's their problem if they need to comply with EU law, not yours. If you want to distribute your product in the EU directly and maybe even create a separate company within the EU to do so, you have to comply with EU law or face consequences.
Originally it looked like you had to give the users an option to decide if they allow the use of tracking cookies or not, potentially having to deal with NOT pushing such cookies in case the user did not consent. In reality, most of the implementations I've seen are just informing the customers that tracking cookies are used and let them know that usage of the site represents consent of such usage, adding that they can modify the browser preferences if they want to modify their cookie preferences. Additionally, you have to link to a cookie policy that you publish on the site.
As a clarification, this law does not apply to cookies in general: certain cookies, sometime referred as technical cookies (e.g. session) are exempted as long as they're not used for tracking purposes.
That's good to know. Any chance you know/can link to the specific section that makes that exemption?
Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 [1] include:
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- load‑balancing cookies, for the duration of session
- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
[0] http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
[1] http://ec.europa.eu/justice/data-protection/article-29/docum...
First party session cookies (e.g. login cookies) and several other reasonable uses are exempt.
The law is most strongly targeted at google analytics / facebook / omniture / etc cookies, which are third-party tracking cookies that follow the user around the Internet.
In your case, if you are setting a first-party non-persistent cookie which does not "identify" the user (except to determine usage patterns on the site) then it would be pretty reasonable to consider it exempt from notification.
However, you should throw up a cookie warning if you are setting a persistent cookie or using third-party tracking scripts (which will go ahead and use third-party tracking cookies).
>...follow the user around the internet
that is interesting, I'm not even sure how that would work once they leave your site (I am not aware at this time).
The intention is mainly to prevent tracking without permission (so maybe 'no-tracking law' may have been a better name), no matter how you technically implement that. Obviously this concerns social media and analytics (not only third-party).
It's weird how the law states that a website must ask specific permission, given that (modern) browsers support the Do Not Track HTTP header [1]. IMO this would've been much more friendly to visitors (i.e. decide once if you want to get tracked or not; it's mostly the same few parties (Facebook, Google, et al) tracking you anyway).
[1] https://en.wikipedia.org/wiki/Do_Not_Track
The ips are normally dynamic/I wouldn't think you could reliably use them to target them for whatever.
Something to address though as we log IP's though servers in general know IP's by connecting right? How is that different? "Not logged"
http://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip-...
It's been made clear in the General Data Protection Regulation ("GDPR") that IP addresses should be considered as personal data as the text includes "online identifier", in the definition of "personal data". Recital 30 clarifies that "online identifier" includes IP addresses."
So will need to add that to a future ToS
You can find Terms of Service generators online and you just modify it to be even more simple terms. If I were a large corporation, like Apple, I'd probably have lawyers writing it for me, but I do my best not to store too much personal data, while informing my users of the data collected from them. And if I do store it, its encrypted. I can't read it or recover it.
It is good practice to spend a few hours, at least once before you develop a good program, to check out the terms of services on a bunch of websites. It helps to understand the types of language to use and what to mention or not mention, especially those websites closely related to whatever you are doing.
My personal opinion is that the shorter your privacy policy and terms of service, the better. No reason to put up content that you can't even understand, so you may as well write something that you and your visitors can easily understand.
Terms of Service: information about the usage of your product.
Privacy: information about your considerations when collecting and storing data from your visitors.
Interesting point about the encryption. Do you think IP's need to be encrypted? I sometimes get IPV6's but mostly IPV4. We don't collect/ask for emails yet at this point... pretty much just using IP (not even sure why we collect it) and generate a 12-char unique string set to cookie for analytics upload/lookup.
I will have to take a look at some generators.
edit: wait that part about encryption, if I can't read it, what use is it? You're talking same thing with passwords like don't store it as plaint text, store the hash? If that's the case yeah... but then the cost server-side to decrypt/run batch processing... I guess part of the job...
Also, if you think about all the major companies that have gotten hacked in the past, with sensitive data leaks, you have to wonder how that data was able to get breached and then deciphered. At least if that happens to you, you can at least make it harder for the hacker. And people know about these data breaches.. yet it doesn't stop them from using those products, but that is because those companies are huge. A small business cannot afford to have a data breach and expect its reputation to remain stable.
Edit: The thing about data encryption is that for some methods, you can encrypt two strings so they end up being the exact same thing when encrypted. Then you compare that data for a match or an unmatch. It is just a more secure way of doing things. It is up to you on how you want to store your data. Databases do come with some protection themselves, but encrypting data is just one additional step for security.
Not disagreeing with you. Encryption is something I have to learn/get into I think I was looking at AES256, I mean I use the standard bcrypt with openssl for password/login.
Although many high profile sites now show the cookie banner, it still seems like 99% of sites operating out of the EU don't show anything, even when they use Google Analytics or use ad networks that use cookies.
Good.
I can say from my own founding experience that you want to avoid being investigated, at least in Germany. While I am a big privacy fanatic, the current way rules are implemented is quite labor intense for small founder teams.
As a matter of fact, cookie laws will be your most benign issue to solve. The biggest challenge is that most tech startups that deal with personal data need to appoint a certified privacy officer, which can be ridiculously expensive.
Side note: I personally hate this kind of thing where good meaning people force me to consent to or decline something. I liked the grey area where I didn't consent nor forbid tracking, and could be morally outraged and use a website at the same time. I think there is little use in displaying terms of service that nobody reads or understands, and especially terms that you have to accept if you want to use a service (which you most of the time not strictly have to use to live, but realistically, to take part in out society... yes, I have to access most of the services I do).
Then I can configure my browser for Always/Never/Ask or whatever.
That would've been too simple, of course.
"Accept the session cookie but not the Google Analytics one."
The whole point imo of blocking cookies for privacy reasons is so that things like that can't track me around the web - explicitly visited or not.