Using a content management system (CMS) helps you stay on the right side of the law, and our CMS offers several different options for dealing with cookies. You probably want to comply, but don't want to frighten off your visitors with unnecessary warnings, right? So here's how.
To follow the letter of the law, your website needs to gain prior consent from your website users before setting cookies.
There are some exceptions to that: for example, cookies that are essential to the working of your site can be excluded. Nevertheless, you need to make visitors aware of the use of such cookies.
Depending on the nature of the cookies being used, and what those cookies are used for, you may be able to get away with a notice on your home page which basically states that by continuing to use the site, visitors are implying their acceptance of your site's cookies. (At least, that is how the UK ICO sees things, though other European countries take a slightly different view.)
So effectively you have a choice between "explicit consent" and "implied consent".
The options for cookie consent can be found under Administration -> Site Settings -> Cookies.
There are three different policies:
This is the default option:
All cookies that your site uses will be placed on a visitor's computer straight away, and visitors will not see any warning on the site that they have been placed.
This option is for you if you don't want to use the consent system; if you're not addressing an EU audience, your site isn't hosted in the EU, or if your site doesn't set any cookies.
Session cookies set by the Apache / PHP web server count as essential cookies, and don't store or pass on to another site any personal information about a user, so if your site only uses these you can use this option.
Visitors arriving on the site's home page will see a banner at the top of the first page that they visit:
This message will go away if they click the "Continue" button, or if they visit another page within the site. Visitors will only ever see the message once, unless they clear their cookies, use a different browser, or visit your site on a different machine.
Any cookies that your site uses will be placed on a visitor's computer straight away; the CMS will not wait for them to press the "Continue" button.
You can set the site to require explicit consent like this:
The visitor will be shown a different message, this time with both Accept and Reject buttons:
The message will not disappear (even if the visitor navigates to a different page) and the CMS will not set any cookies until the Accept button is pressed.
Any HTML Snippets, Head Slots or Foot Slots that you have marked as setting cookies will also not display until cookies are accepted.
The cookie regulations only apply to sites that are for the general public, so if you have a members' area on your website you can require that your users accept cookies when entering this area.
You may wish to put further cookie-related controls on your site. Here's a simple Plugin for our CMS that allows users to see what their opt-in status is, and which allows them to change it:
If you are writing a Module that sets a cookie and you wish to add support for the Explicit Consent option, then you may do so using three API functions.
You can use the canSetCookie() function to check if the visitor has given permission to set cookies. If they've not yet done so, you can also use the hideCookieConsent() and requireCookieConsent() functions to control whether the consent message should be shown.
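One way a Module could gate its own cookie on these three functions is sketched below. This is an added example, not code from the CMS or its documentation. It assumes the functions take no arguments and that canSetCookie() returns a boolean; the stand-in definitions, the `cookies_accepted` cookie name and the `rememberPreference()` helper are hypothetical and exist only so the file runs outside the CMS.

```php
<?php
// Stand-ins so this file runs outside the CMS. Inside the CMS the real API
// functions already exist and this block is skipped. The no-argument
// signatures and boolean return value are assumptions.
if (!function_exists('canSetCookie')) {
    function canSetCookie() {
        // Constructed cookie name, used only by this stand-in.
        return ($_COOKIE['cookies_accepted'] ?? '') === '1';
    }
    function requireCookieConsent() { $GLOBALS['consentBanner'] = 'require'; }
    function hideCookieConsent()    { $GLOBALS['consentBanner'] = 'hide'; }
}

// Hypothetical Module helper: store a visitor preference only after opt-in.
function rememberPreference(string $name, string $value, bool $neededOnThisPage = true): bool
{
    if (canSetCookie()) {
        // Consent given: set the cookie with restrictive attributes.
        return setcookie($name, $value, [
            'expires'  => time() + 30 * 24 * 3600,
            'path'     => '/',
            'secure'   => true,   // only sent over HTTPS
            'httponly' => true,   // not readable from page scripts
            'samesite' => 'Lax',
        ]);
    }

    // No consent yet: never set the cookie, only decide whether to prompt.
    if ($neededOnThisPage) {
        requireCookieConsent();   // make sure the consent message is shown
    } else {
        hideCookieConsent();      // nothing here needs a cookie, so don't prompt
    }
    return false;
}

// Constructed requests: first without consent, then after the visitor accepts.
$_COOKIE = [];
$before = rememberPreference('font_size', 'large');
$_COOKIE['cookies_accepted'] = '1';
$after = rememberPreference('font_size', 'large');
var_dump($before, $after, $GLOBALS['consentBanner'] ?? null);
```

The Module should treat a `false` return as "preference not stored" and fall back to its default behaviour rather than retrying through another storage mechanism.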