Virya Technologies Blogs
Blogs from Virya Technologies staff
Making your Joomla site comply with the EU Cookie Law
Enforcement of the cookie element of the EU Privacy Directive began recently in the UK. However, there still seems to be a lot of uncertainty about how best to ensure compliance.
I'll start by saying that although we have developed our own component, this post is intended as an informational resource and not a marketing piece! I've deliberately avoided directly comparing components purely because I want to mitigate any chance for bias.
The intention of this post is to take a look at the various options available (including our own Virya Cookie Monster). There do seem to be quite a number of solutions that promise they will bring sites into compliance whilst appearing to do very little (based on the demos available as well as some basic testing).
For each component, we'll look at what it claims to do, what it actually does and whether this will be sufficient for compliance.
The components we'll be looking at are:
- Cookie Alert
- Cookie Control / EPrivacy Plugin
- Kookie Grab
- Virya Cookie Monster
We'll conclude by examining the steps you should take when selecting a solution. The best choice of solution is, as it should be, left to the individual administrator.
Cookie Alert
Available from http://pulseextensions.com/vmchk/X-Modules/Cookie-Alert/flypage.tpl.html charged at $9.99 USD.
Support: Supports all versions of Joomla from 1.5 onwards.
A rather simplistic looking banner that should appeal to a wide range of site operators, if only because it's very unobtrusive by nature.
Also offers a 'Europe Only' option so that the banner is not displayed to non-European browsers.
The documentation states that cookies will only be set if a user has agreed to allow cookies. Unfortunately, when tested, the demo site (http://demo.pulseextensions.com/cookie-alert.html) was setting all cookies regardless (including Google Analytics cookies).
Verdict: Because the demo site does not appear to do as stated in the documentation, I can't recommend using this component at all. The current incarnation simply gives the impression that a site is compliant when in fact it's not.
Cookie Control E/Privacy
Available from http://extensions.joomla.org/extensions/site-management/cookie-control/21043 for free.
Support: Joomla 1.6 onwards (Separate Joomla 1.5 version available)
A simple notification embedded within the page rather than as an obtrusive banner. When first checked, the demo site (http://eprivacymsg.richeyweb.com/) was blocking the Joomla Session and Google Analytics cookies. It was not, however, blocking any other cookies. At time of writing, Google Analytics is no longer used on the site, and whichever elements were also setting cookies have also been removed. It's therefore not entirely clear whether the original issue has been resolved or if the demo site has simply been updated to mask the issues.
In the interests of fairness the former assumption was used.
A little investigation showed that the component utilises the enqueueMessage function, meaning that the template must include a <jdoc:include type="message" /> element to include system messages. Not all templates do (though in fairness, they should!), and in this case it still didn't resolve the issue even after the element was added to my template.
At this point, I ceased testing the 1.5 version out of frustration.
Verdict: Not recommended. Probably works well for some, but I couldn't convince it to work properly at all in Joomla 1.5 and needed to make a serious aesthetic sacrifice to get working functionality in Joomla 1.6 onwards.
Kookie Grab
Available from http://www.weblinksonline.co.uk for free.
Support: Joomla 1.6 Onwards
A good clean solution based on Joomla's internal ACLs. Requires some manual configuration in order to ensure that cookie-setting extensions are placed into the correct ACL but otherwise works very well.
The demo site (http://demo.weblinksonline.co.uk) correctly blocked all but the Joomla session cookie (some have debated whether or not the session cookie needs to be blocked anyway), but is not available at time of writing. You can, however, view the extension in use on the developer's main site.
The component uses a module, so you will need to select an area on the page to display the notification in. Users are given a choice (which can be altered in the back-end) to accept cookies, decline cookies or log-in (and accept cookies at the same time).
The component works by logging a pre-configured user into the system. This user is assigned to the new 'View Cookies' ACL so that all extensions assigned to this ACL are displayed. Whilst effective, there are some limitations to this methodology. Some e-commerce sites may find it difficult to integrate due to a user being logged in as soon as the reader clicks Accept.
Kookie Grab was previously in the Joomla Extensions Directory, but is no longer listed due to the author no longer utilising the JED. All components remain available from his homepage though.
Verdict: A good, comprehensive, free extension. Whilst it does require the site administrator to conduct a thorough audit of his/her site to identify cookie setting extensions, this should be expected from a responsible administrator anyway. As the extension is free it's well worth at least trying!
Available from http://labs.pixpro.net/extensions/pixcookiesrestrict charged at $19.00 a year, per site.
Support: Joomla 2.5 onwards
When first tested, the plugin was in use on the developer's site but was not blocking Google Analytics (perhaps they hadn't installed the plugin?), but at time of writing this issue was resolved.
I was unable to test on a local install as I was unwilling to spend $19.00 just to test something I may not use again!
Verdict: Some issues when first tested, but appears to be working correctly. A demonstration of the back-end functions would be helpful however! Potentially a good commercial solution.
Available from http://chris-potter.co.uk/2012/05/eu-cookie-directive-joomla-plugin/ for free.
Support: Joomla 1.5 and Joomla 2.5
Presents a banner at the top of the page asking the user to accept cookies. Unfortunately, on the developer's site cookies appear to be being set regardless, including Google Analytics. Whilst the session cookie may be exempt from the regulations, Analytics cookies almost certainly are not.
This appears to be the result, however, of a plugin intended to specifically allow the Google Analytics cookies to be set. I really wouldn't advise utilising this option as it is almost certainly a contravention of the law (why bother striving for compliance if you're then going to undermine your own efforts?)
A number of other cookies are set when clicking 'Allow' which suggests that the extension is blocking some, if not all cookies.
Unfortunately I couldn't test the plugin as I couldn't seem to find a link to actually download the plugin itself. The only thing that downloaded (regardless of the link clicked) was the Google Analytics plugin which didn't seem to include the actual component (nothing appeared on the front-end when enabled).
Verdict: Potentially a good free solution if you manage to locate the correct installer.
VCM (Virya Cookie Monster)
Available from http://www.viryasoftware.com/virya-cookie-monster-joomla-eu-cookie-law charged at £10.00 per year.
Our own solution, based on Kookie Grab, works using ACLs. All subscriptions include access to the beta auto-configuration script.
Much like Kookie Grab, VCM requires that the administrator understand exactly which extensions are setting cookies. The auto-configuration script will, however, use our back-end database to help identify some of these (including a search for common modules, such as Google Analytics).
VCM is still in its infancy, but works without issue on most sites. Those that do experience issues, however, can avail themselves of the support included in the subscription price. VCM includes a range of 'themes' and looks to allow tailoring to individual sites:
- A 'fun' lightbox
- A 'fun' banner
- A 'Corporate' lightbox
- A 'Corporate' banner
Support for page-peels is also planned.
One of the restrictions we observed with Kookie Grab was that e-commerce sites may find it difficult to integrate. This has been approached in VCM but the implementation of this feature should probably be considered experimental at best.
A demo of the 'Fun' banner theme is available at http://cookiedemo.viryasoftware.com
VCM does not currently block the Joomla Session cookie, but later releases are intended to address this.
Verdict: [Redacted to avoid bias]
Selecting a Solution
It shouldn't need saying, but begin by performing a thorough cookie audit of your site. If you haven't done this, how will you know which cookies need to be blocked? It's also a fantastic opportunity to decide whether any cookies are in fact being set unnecessarily.
The easiest way to do so is to browse to your site using the Chromium browser (or Google Chrome). Once the page has loaded, press F12 and choose 'Resources'. You should see an option labelled 'Cookies' on the left hand side. Click the arrow to display all domains that have set cookies for the current page.
Now, some of these may be historic, so click each cookie in the right hand pane and then press Delete on your keyboard. Once all cookies are cleared, refresh the page and see what's been set.
If you use Google Analytics then you will need to look for a solution that allows you to block this (you'll see cookies called __utma, __utmb etc.). The suitability of the components discussed will depend entirely on how you've inserted the Google Analytics code into your site.
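The audit steps above can be turned into a repeatable check. This is an added example, not part of the original post or of any component reviewed here: it compares a cookie snapshot taken before consent with one taken after clicking 'Accept'. The classification patterns, the exemption of the session cookie and the sample strings are assumptions made for illustration.

```javascript
// Added example. Patterns are assumptions; adjust them to your own audit.
const RULES = [
  // Classic Google Analytics cookies (__utma, __utmb, __utmc, __utmz, ...)
  { label: 'google-analytics', match: (n) => /^__utm[a-z]$/.test(n) },
  // Joomla names its session cookie with a 32-character hex hash
  { label: 'joomla-session', match: (n) => /^[0-9a-f]{32}$/.test(n) },
];

// Parse a "name=value; name2=value2" string into [{name, value}]
function parseCookies(str) {
  return str.split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

function classify(name) {
  const rule = RULES.find((r) => r.match(name));
  return rule ? rule.label : 'unknown';
}

// before: cookies after clearing and reloading, with no consent given
// after:  cookies once 'Accept' has been clicked
function auditConsent(before, after) {
  const pre = parseCookies(before).map((c) => ({ ...c, kind: classify(c.name) }));
  const preNames = new Set(pre.map((c) => c.name));
  // Assumption: only the session cookie is tolerated before consent
  const violations = pre.filter((c) => c.kind !== 'joomla-session');
  // Cookies that appear only after consent show the gate is doing something
  const gated = parseCookies(after).filter((c) => !preNames.has(c.name)).map((c) => c.name);
  let verdict;
  if (violations.length > 0) verdict = 'fail: cookies set before consent';
  else if (gated.length > 0) verdict = 'pass: cookies held back until consent';
  else verdict = 'inconclusive: nothing changed on consent';
  return { violations: violations.map((c) => `${c.name} (${c.kind})`), gated, verdict };
}

// Constructed sample snapshots (not captured from any real site)
const SAMPLE_BEFORE = '0123456789abcdef0123456789abcdef=k3q9; __utma=1.2.3; __utmz=1.utmcsr';
const SAMPLE_AFTER = SAMPLE_BEFORE + '; __utmb=1.1; prefs=dark';
```

In a browser console the two snapshots can be taken from document.cookie, which omits HttpOnly cookies, so cross-check the result against the developer tools cookie list.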
If you've added GA code directly to your template, my recommendation is that you rip it out and insert it by another means (using a module, or with a dedicated component), if only so that you can more easily control where it's included.
You'll notice that when discussing components, I've placed quite a lot of faith in the demonstration sites. Always check any demonstrations that are available, but don't blindly trust them. Demo sites are far better at highlighting the negatives (for example: a demo site that still sets cookies suggests that the extension either doesn't work, or is too hard for even the developer to configure) than the positives (it's too easy for a developer to 'tweak' the demo site.)
Search for reviews online, whether in the Joomla Extensions Directory or on the internet as a whole. If the developer has a public support forum, search to see what problems others have encountered.
Don't use the number of issues as the sole measurement. I'd personally rather encounter 100 issues that the developer helps resolve than 1 issue that receives no support whatsoever! Don't forget, though, that things change (e.g. no doubt within a month, the issues I've highlighted above will be fixed), so make sure you note the date of any issues you do find whilst researching and check to see if they've since been fixed.
The ability to install a local server is something that should be capitalised upon. Especially where free extensions are available, this allows you to thoroughly test a solution before unleashing it on your users. Don't forget to check for User Stupidity (for example, if they click 'Accept' instead of 'Deny' is there an option to change their mind?).
Check the solution (even if it's just the developer's demo site) in a wide variety of browsers. Whilst I'm sure we'd all love to forget that Internet Explorer exists, a majority of users still rely on that particular mess. It's therefore important that you check whether the solution actually works in IE.
Similarly, don't forget some of the more minor browsers such as Opera and Safari. Whilst there may be fewer users of these browsers, the minority can be very, very vocal.
If you do find that a specific browser isn't properly supported (and decide you can live with that), make sure the solution fails 'safe'. Does it fail to block cookies (exposing you to liability) or does it simply fail to give the user the option to allow cookies? You may find that the latter breaks your site for those users, but at least it won't expose you to complaints under the new rules!
Check Mobile Support
This should really have been self-evident in the preceding section, however it's such an important aspect that it really needs stating again! We're told that mobile internet usage is growing; as a result, you need to ensure that your selected solution will work for mobile browsers.
Most of us will know someone with each variety of smartphone; take a quick look using their phone (and your own, obviously) to ensure that the solution works (or at least fails safely). This becomes especially important if your content is likely to be of particular interest to mobile users.
For better or worse, we all need to be seen to be making efforts to comply with the new rules. Whilst it may seem impossible to enforce, no-one wants to be the example. It is important, however, to ensure that you carefully select a solution. There does seem to be a proliferation of 'solutions' that appear to work but don't actually block anything at all! Why waste time (and possibly money) on a solution that doesn't do what it says on the tin? Ultimately, it's the webmaster's responsibility to ensure compliance, and pleas of 'I thought it was working' may fall on deaf ears.
Much of the information included here should be common sense, and I'd hope that many of the steps are followed whenever any solution is being selected. It's possible, however, that this is the first time that many webmasters have been directly exposed to the possibility of being liable under law for the way their website works, so it seemed wise to break the steps down a little.
Hopefully this post has been informative, and will help guide you in selecting a solution to help your Joomla-based site in complying with the Privacy and Electronic Communications Regulations/PECR. Obviously, anyone wanting to use Virya Cookie Monster has my full support!
Finally, just a brief note on the idea of 'Informed Consent'. This is where a user is informed that the site sets cookies, and browsing to another page signifies acceptance. This is the mechanism that has been utilised by big players such as the BBC and has been accepted by the Information Commissioner's Office. There are many (including myself) that feel this is not necessarily in the spirit of the regulations, and it's not impossible that the EU may make a similar announcement sometime in the future. I'd therefore suggest that, where possible, relying on an Informed Consent mechanism may not be entirely future-proof. There are, however, circumstances where it may currently be the only available option.