Re: Django and the new EU anti-cookie law
Here's a good summary of the issues: http://www.torchbox.com/blog/eu-law-cookies-and-ico You can skip to the section titled: 'What enforcement have the ICO announced?' It looks like enforcement will lean towards the pragmatic. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: Django and the new EU anti-cookie law
On 27/05/11 14:18, Hanne Moa wrote: > "From 26th May 2011 websites in the UK need to ask for permission > before they can set cookies not required for ‘essential’ means" > > http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ > > What cookies in Django are "essential"? When not logged in I see that > the csrf-token cookie is set, and when logged in there's the > session-cookie. Should one strive only to use csrf-protection (and > thus the cookie) only when it is needed? Are there other cookies set > by contrib apps? Should there be something about this in the docs? > " cookies is essential, you need need to get consent for these > other ones: " As the silktide blog points out [1], the ICO site itself [2] is still setting an ASP.NET session cookie before any 'opt-in', and clearly considers this 'essential'. It is also clearly *not* essential for some users - I could browse the site perfectly well with cookies blocked. So, they obviously consider it 'essential' for technological reasons - they do not have the technological/financial resources to produce a solution that doesn't automatically set a session cookie. On that grounds, we can easily argue the same for our sessions cookies. We can also argue that the CSRF cookie is essential for security reasons. It is also only sent when necessary - if you don't have a form that uses the token, it isn't sent. The only other cookie we send, as far as I know, is the language cookie. My interpretation of what I've read is that a site has to get consent for setting that. In theory I guess a site might need permission any time it puts anything in the session, since that is equivalent to setting a cookie. It's fairly depressing to think about the amount of money wasted by my government and EU government on making/complying with this new law, which will do nothing but waste the time and money of many more people. I'm hoping, however, that the first time this is properly tested in court, the law will be forced to turn into something more rational. Also, the previous set of UK laws regarding cookies were basically ignored by everyone. They apparently stated that you had to: * tell people how you use cookies, and * tell them how they could ‘opt out’ if they objected. I don't think I've been involved with making a site that was compliant with that, and I've never heard about anyone being prosecuted under those laws. Regards, Luke [1] http://blog.silktide.com/2011/05/cookie-law-delayed-for-one-year-first-example-of-new-laws-in-effect/ [2] http://www.ico.gov.uk/ -- "The one day you'd sell your soul for something, souls are a glut." Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: Django and the new EU anti-cookie law
On 05/27/2011 08:18 AM, Hanne Moa wrote: > "From 26th May 2011 websites in the UK need to ask for permission > before they can set cookies not required for ‘essential’ means" > > http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ > > What cookies in Django are "essential"? When not logged in I see that > the csrf-token cookie is set, and when logged in there's the > session-cookie. Should one strive only to use csrf-protection (and > thus the cookie) only when it is needed? Are there other cookies set > by contrib apps? Should there be something about this in the docs? > " cookies is essential, you need need to get consent for these > other ones: " Django itself sets only these cookies: CSRF, language, contrib.sessions, and contrib.messages (if you're using one of the cookie-using backends). I am not a lawyer, and I haven't read the new EU guidelines in depth. Based on the description in the blog post you link, ISTM that CSRF and language cookies are likely defensible as "essential" to the user-requested service. I think the status of the session cookie (and probably the messages ones as well) are very much dependent on how they are used by the specific site in question. I'd be fine with a documentation patch listing more clearly what parts of Django may set cookies, to make it easier for Django users to comply with this ruling. I'd be opposed to any specific mention of this ruling in the patch, and certainly opposed to any attempt in the documentation to define which Django-set cookies are "essential" and which require user consent - legal advice related to particular legal jurisdictions is WAY out of scope for Django's documentation. Carl -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Django and the new EU anti-cookie law
"From 26th May 2011 websites in the UK need to ask for permission before they can set cookies not required for ‘essential’ means" http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ What cookies in Django are "essential"? When not logged in I see that the csrf-token cookie is set, and when logged in there's the session-cookie. Should one strive only to use csrf-protection (and thus the cookie) only when it is needed? Are there other cookies set by contrib apps? Should there be something about this in the docs? " cookies is essential, you need need to get consent for these other ones: " yet-another-proof-that-politics-and-tech-don't-mix-ly yours, HM -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.