How to deal with Cookie Consent in your CMS

If your site is hosted in the European Union (or your target audience is in the EU) and you use cookies on your site, then by law you must offer some form of consent message to visitors.

Using a content management system (CMS) helps you stay on the right side of the law, and our CMS offers several different options for dealing with cookies. You probably want to comply, but don't want to frighten off your visitors with unnecessary warnings, right? So here's how.

Decide on what sort of consent you need

To follow the letter of the law, your website needs to gain prior consent from your website users before setting cookies.

There are some exceptions: for example, cookies that are essential to the working of your site can be excluded. Nevertheless, you need to make visitors aware of the use of such cookies.

Depending on the nature of the cookies being used, and what those cookies are used for, you may be able to get away with a notice on your home page which basically states that by continuing to use the site, visitors are implying their acceptance of your site's cookies. (At least, that is how the UK ICO sees things, though other European countries take a slightly different view.)

So effectively you have a choice between "explicit consent" and "implied consent".

Changing the options for Cookie Consent in Tribiq CMS

The options for cookie consent can be found under Administration -> Site Settings -> Cookies.

There are three different policies:

  • No consent (the "off" switch)
  • Implicit Consent and
  • Explicit Consent, which also has several different sub-options.

No Consent

This is the default option.

All cookies that your site uses will be placed on a visitor's computer straight away, and visitors will not see any warning on the site that they have been placed.

This option is for you if you don't want to use the consent system; if you're not addressing an EU audience, your site isn't hosted in the EU, or if your site doesn't set any cookies.

Session cookies set by the Apache / PHP web server count as essential cookies, and they don't store, or pass on to another site, any personal information about a user. If your site only uses these, you can use this option.

Implied Consent

In Tribiq CMS 6.0.5 you can use the implied consent system. Go to your Site Settings and set the cookie policy to the implied consent option.

Visitors arriving on the site's home page will see a banner at the top of the first page that they visit.

This message will go away if they click the "Continue" button, or if they visit another page within the site. Visitors will only ever see the message once, unless they clear their cookies, use a different browser, or visit your site on a different machine.

Any cookies that your site uses will be placed on a visitor's computer straight away; the CMS will not wait for them to press the "Continue" button.

Explicit Consent

You can set the site to require explicit consent by choosing the Explicit Consent policy under Site Settings -> Cookies.

The visitor will be shown a different message, this time with both Accept and Reject buttons.

The message will not disappear (even if the visitor navigates to a different page) and the CMS will not set any cookies until the Accept button is pressed.

Explicit Consent has the disadvantage that scripts that use cookies cannot run immediately; this may cause problems for some tracking programs (for example, Google Analytics), as the first page-view and the referrer information are lost.

Any HTML Snippets, Head Slots or Foot Slots that you have marked as setting cookies will also not display until cookies are accepted.

Using an extranet?

The cookie regulations only apply to sites that are for the general public, so if you have a members' area on your website you can require that your users accept cookies when entering this area.

Even so, it is a good idea to inform the user of the use of cookies on the registration and login pages.

Further control over cookies

You may wish to put further cookie-related controls on your site. A simple Plugin for our CMS allows users to see what their opt-in status is, and to change it.

Developing Modules that interact with Explicit Consent

If you are writing a Module that sets a cookie and you wish to add support for the Explicit Consent option, then you may do so using three API functions.

You can use the canSetCookie() function to check if the visitor has given permission to set cookies. If they've not yet done so, you can also use the hideCookieConsent() and requireCookieConsent() functions to control whether the consent message should be shown.
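
A sketch of how a Module might use these three functions, added here as an example and not taken from Tribiq CMS. The function names come from the paragraph above; their return values, the stub bodies, the rememberLanguage() and renderStaticPage() helpers and the module_lang cookie name are assumptions.

```php
<?php
// Added example, not Tribiq CMS code. Only the three API function names come
// from the article; their return values and behaviour here are assumptions.

// Stand-in stubs so the file runs outside the CMS (hypothetical behaviour).
if (!function_exists('canSetCookie')) {
    $GLOBALS['consent_given'] = false; // constructed state: Accept not pressed yet
    $GLOBALS['banner'] = null;         // null = CMS default, true = show, false = hide
    function canSetCookie() { return $GLOBALS['consent_given']; }
    function requireCookieConsent() { $GLOBALS['banner'] = true; }
    function hideCookieConsent() { $GLOBALS['banner'] = false; }
}

// Hypothetical module helper: remember a visitor's language choice.
// Returns true if the cookie was sent, false if it was withheld.
function rememberLanguage($lang)
{
    // Only store values from a fixed allow-list, never raw request input.
    if (!in_array($lang, ['en', 'fr', 'de'], true)) {
        return false;
    }
    if (!canSetCookie()) {
        // No consent yet: set nothing, and make sure the visitor is asked.
        requireCookieConsent();
        return false;
    }
    return setcookie('module_lang', $lang, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Hypothetical page on which this module needs no cookie: skip the prompt.
function renderStaticPage()
{
    if (!canSetCookie()) {
        hideCookieConsent();
    }
    return '<p>Nothing on this page needs a cookie.</p>';
}

$before = rememberLanguage('fr');  // stub state: consent not given
$GLOBALS['consent_given'] = true;  // simulate the visitor pressing Accept
$after = rememberLanguage('fr');
var_dump($before, $GLOBALS['banner'], $after);
```

The array form of setcookie() needs PHP 7.3 or later.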

Further Reading

The information given here is not legal advice. For more information, see the ICO's page on cookie regulations, or contact me.