The EU Cookie Crunch Update

Following on from last months initial release of the Cookie Control module for Drupal 7 there has been an increase in blog posts and talk both in and outside of the Drupal world about the implications and solutions to getting sites compliant in time for May 26th 2012.

This week the UK Government revealed that their own sites (some running on Drupal) will not be compliant in time for the deadline! While government websites do not carry advertising, cookies are still used to carry out various tasks, such as helping site administrators monitor levels of traffic.

If people listen to our advice and are prepared to take steps towards compliance there shouldn't be a problem," Dave Evans, the ICO's group manager for business and industry, told E-Consultancy last month. "However, if businesses deliberately stop short of total compliance, then there is a risk."

With under 10 days until the deadline we've been working on improving the Drupal Cookie Control module to provide a more flexible system and allow other Drupal modules which set cookies to be controlled by the central consent button in the Cookie Control pop-up.

Web Analytics now classed ‘Essential’ by UK Government?

As part of the latest Drupal Cookie Control release we've included a sub-module that disables Google Analytics tracking until a visitor gives consent to store cookies.

The other purpose of the Google Analytics sub module for Cookie Control was to demonstrate how to use the new callback integrations from 1.4+ and something I wanted to cover now to help get other modules conforming to the EU Directive too.

But it might not be needed now...

In a recent turn in the news it was suggested that analytics services may be exempt from the privacy directive after all. "It could, in some cases, be seen as an essential part of the relationship."

The UK’s Government Digital Service has taken a contrary stance on Analytics compared to the rest of the EU. It issued guidance to public sector websites that refers to analytics cookies as ‘minimally intrusive’ and ‘essential.’

The consensus was, especially in the case of first-party analytics cookies, these types of cookies are “minimally intrusive” (in line with the ICO guidance) and that the bulk of your efforts to rationalise your use of cookies should be focused on cookies classified as “moderately intrusive”.”

Integrating with Drupal Modules

Modules are most likely adding JavaScript code to the page using drupal_add_js() which in turn is adding cookies. This is how the Google Analytics module and AddThis module work. Other things modules often do is saving data in the global $_SESSION array.

To ensure your module isn't creating cookies on a users machine if they haven't given consent there's a few options. From the PHP side simply checking if the consent cookie has been set for the site works perfectly fine. Each site that has Cookie Control installed will use a unique cookie based on the site name. The cookie name can be obtained by calling the cookiecontrol_generatesitecookie() function. Wrap your code in some logic along the lines of:

<?php
if ($_COOKIE[cookiecontrol_generatesitecookie()]) {
  $_SESSION['a_variable'] = '...';
}
?>

The same logic and $_COOKIE[] check can be done in a theme to wrap around snippets of JavaScript if a module is not being used.

It is worth noting that the use of server side cookie detection logic will be useless for pages which are cached for anonymous visitors. And as an authenticated user has already had to give consent to just login - consent can be assumed for any non cached page for a logged in user.

If the module is laying down some JavaScript on the client side there's more options. The first thing to do is wrap the existing JavaScript up inside a function. The function name can be anything, although a convention of prefixing it with 'cc' is suggested.

<?php
function ccAddAnalytics() { /* original script code goes in here */ }
?>

If you're trying to modify the script implemented by another module then hook_js_alter() is your friend.

Once the original script code is wrapped in a new function it needs to be added to the list of callback functions to be executed depending on the visitors interaction.

A visitor can choose to to agree to cookies being used, or close the pop-up - effectively not agreeing.

Cookie Control provides three callback list integration points:

1. hook_cookieaccept_alter(&$callbacks)
   When a visitor clicks the consent button on the pop-up all functions registered here are executed and a consent cookie is created. The main use of this is to trigger analytics for the current page or to reveal on page content that may require cookies such as social widget buttons, Facebook Like buttons etc.
2. hook_cookiesallowed_alter(&$callbacks)
   If a visitor has a consent cookie set already then whatever functions are registered in this callback list are executed on page load. This is where analytics code should be run. The JavaScript functions registered here can often be the same as used in the hook_cookieaccept_alter() list.
3. hook_cookiesnotallowed_alter(&$callbacks)
   If a visitor has not given consent then any functions registered here are executed on each page load. This can be used to pop-up a reminder to the visitor about what they are missing, or redirect a user to an information page.

Registering a JavaScript function in any of the above hooks is simple:

<?php
function cookie_googleanalytics_cookieaccept_alter(&amp;$callbacks) {
  $callbacks[] = 'ccAddAnalytics();';
}
?>

Clearing Up The Cookies

Use of the Drupal module is growing steadily over the past few weeks and is expected to continue growing as webmasters realise how close the deadline is getting.

Drupal still has a few challenges in complying as a CMS. Anonymous visitors are sometimes allocated a session cookie. Something which might not be possible to fix fully soon. However just by installing the Cookie Control module shows that you are take steps towards compliance - and that's what ICO (UK) are wanting to see.

As more sites begin using the module support for more varied cookie control blocking modules may be needed - so get in touch with Ixis if you need assistance in complying.

Cookies in the photo baked by Dries and Karlijn back when Drupal was 6 years old.