tl;dr The EU cookie law encourages website operators to reconsider how they use cookies.
I created a package with a standalone script to display a cookie consent bar according to the EU cookie law. While collecting the requirements I read the cookie specifications written by the EU Commission.
Preliminary considerations
The most obvious reason for the EU cookie law is to inform the user about cookie usage. But even more important is the constraint it puts on website operators to think about their cookie usage. They should ask themselves how intrusive each cookie is, what data it holds, whether its lifespan is appropriate to its purpose, whether it is a first- or third‑party cookie, and who controls the data.
Instead of saying “we use all kinds of cookies, I don't even know which and why” a website owner should be able to tell why and when cookies are used.
A website needs to differentiate…
- between first-party and third-party cookies,
- between session and persistent cookies and
- between necessary and non-necessary cookies.
A cookie is »necessary« if the service requires it solely for communication and for storing stateful data. A first-party cookie which stores a login state or the items in a shopping cart and is limited to a session (erased when the user closes the browser) may be necessary.
Not all cookies require consent, see the European Commission - Internet Handbook.
- First‑party session cookies DO NOT require informed consent.
- First‑party persistent cookies DO require informed consent.
- Third‑party session and persistent cookies DO require informed consent.
| Origin | Duration | Requires consent |
|---|---|---|
| First‑party | Session | ❌ |
| First‑party | Persistent | ✔ (except »necessary« cookies limited to a few hours, like shopping carts) |
| Third‑party | Session | ✔ |
| Third‑party | Persistent | ✔ |
Although not mandatory, it may be helpful to further differentiate between the usage types of cookies.
- Necessary cookies = storing stateful data, like a shopping cart or a login status
- Experience cookies = user preferences, like data previously entered into forms
- Analytical cookies = target user behaviour, like how often an item was clicked
There are diverging views about how to gain consent from a user.
- Agreement due to continued usage (most often used) → Inform the user about cookie usage and that the website will continue to set cookies if the user keeps using the website
- Opt-Out → Inform the user about cookie usage, but let the user refuse cookies with a click on a button; after that no cookies (except the one recording the denied consent) are stored
- Opt-In (recommended) → The user agrees to the usage of cookies with a click on a button; until then no non-necessary cookies are stored
The cookie consent bar should link to a page informing about cookie usage (e.g. privacy notes)…
- in plain, jargon‑free language
- why are cookies used (to remember user actions, identify users etc)
- types of cookies used (e.g. session or persistent, first or third‑party)
- who controls/accesses the cookie‑related information (first or third‑party)
- how users can withdraw consent (e.g. close the browser, clear the browser cache)
The different origins, usage types and ways to gain consent are considered in this repository. It uses »levels« for this, see sections »Usage & Levels«.
Cookie Consent Package
As said above, I made a package to integrate a cookie consent bar into a PHP app.
I know what you think now. “Yet another cookie consent bar… Whyyyyy❓❓”
Well, most of the popular existing solutions have issues like…
- require loading the JavaScript through a CDN → which may track visitors and therefore is a privacy issue
- require a JavaScript framework like jQuery → which may not exist if the current site only sets a cookie because of one tracking tool
- add advertisements
- add trackers
- are hard to modify
- set inline styles → don't allow separating scripts & styles, which makes it harder to add custom stylesheets
- have too many styles or no styles at all
- hardcode labels/text in the JavaScript → limit translations & text changes
- are too big/complex (mostly because styles, scripts & labels are mixed, and the options to change all of them are more complex than the cookie logic itself)
That's why I built my own KISS solution instead.
The package may be installed via Packagist or Git.
The main concept is setting consent »levels«, triggered by different events. Every other script which wants to write cookies must read the given consent level and then either continue or abort.
For example, when a user opens the website the level may be set to 1. If the user keeps using the website, the level may rise to 10. If the user clicks an Opt-In button in the cookie consent bar, the level may rise to 50 or more.
A JavaScript snippet that depends on consent, like a tracker, could read the value like this (this snippet assumes the jQuery cookie plugin):
```javascript
// $.cookie() returns null when the cookie is absent; the string value is
// coerced to a number for the >= comparison.
if ($.cookie('cookie-consent') !== null && $.cookie('cookie-consent') >= 50) { /* opt-in consent given */ }
```
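The same level check written without jQuery, as an added example that is not the package's own code: the cookie name and the levels 1/10/50 come from the text above, while the cookie attributes written by `levelCookie` (Max-Age, Path, SameSite) are my assumption. It fails closed when the cookie is missing or malformed, which the coercing `>=` comparison above does not make explicit.

```javascript
// Added example, not the package's own code: read and gate on the consent
// level without jQuery. Cookie name and levels 1/10/50 follow the text above.
const CONSENT_COOKIE = 'cookie-consent';
const LEVEL = { VISIT: 1, CONTINUED: 10, OPT_IN: 50 };

// Parse a raw cookie string (document.cookie in the browser) into a name -> value map.
function parseCookies(raw) {
  const out = {};
  for (const part of raw.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    let value = part.slice(i + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Consent level as an integer. A missing or malformed cookie yields 0, so a
// consumer comparing against 50 fails closed instead of comparing with NaN.
function consentLevel(raw) {
  const v = parseCookies(raw)[CONSENT_COOKIE];
  return v !== undefined && /^\d+$/.test(v) ? parseInt(v, 10) : 0;
}

// A consuming script (e.g. a tracker) runs only once the stored level reaches
// the level it requires; necessary first-party session cookies require 0.
function mayRun(raw, required) {
  return consentLevel(raw) >= required;
}

// Build the document.cookie assignment a trigger (e.g. the Opt-In click) writes.
// The Max-Age/Path/SameSite attributes are an assumption, not the package's own.
function levelCookie(level, maxAgeSeconds) {
  if (!Number.isInteger(level) || level < 0) throw new RangeError('bad level');
  return `${CONSENT_COOKIE}=${level}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`;
}

// Constructed sample jar: an unrelated PHP session cookie plus an opt-in consent.
const sampleJar = 'PHPSESSID=abc123; cookie-consent=50';
if (mayRun(sampleJar, LEVEL.OPT_IN)) {
  // load the tracker here; with level 10 (continued usage) this branch is skipped
}
```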
The README describes the technical integration in great detail.
Update: Please note that since 2020 the EU no longer considers »continued usage« valid consent. This means that you need to raise the levels in the triggers and in the consuming scripts to comply with the latest provisions. Other than that you may continue using the script.