In Europe, and especially the Netherlands, there are stricter legal requirements for the privacy of consumers than in most other countries. There is the well-known European “cookie law”, which was implemented very eagerly by the Dutch government in the “cookiewet”, requiring websites to explicitly ask visitors for permission before they start tracking them and sharing data with third parties. In the Netherlands there are also legal requirements for storing and processing any personally identifiable data: every company that collects such data must register this with a government organization (the “College Bescherming Persoonsgegevens”) or a recognized trade association. Companies must also clearly communicate the purpose for collecting consumer data and may not use the data for anything other than this stated purpose.
I think this is all very well intended; the problem, however, is that the internet is developing on a global scale (with the US setting the norm) and countries outside of western Europe (especially the US) seem not to care as much about the privacy of citizens. Other countries have fewer regulations limiting what companies can do. Last year, when the cookie law went into effect, most Dutch websites implemented it by showing a popup or notification simply telling the user to accept cookies or go away (in somewhat nicer words). Users quickly learned that refusing cookies usually leads to a dead-end page, so everyone now clicks the message away by accepting the cookies, feeling annoyed by it. Recently, the Dutch government announced the intention to relax its interpretation of the law somewhat: after the first page with the message, clicking anything other than the cookie refusal link may be interpreted as implicitly allowing cookies. This will make it less annoying.
OK, so before we start implementing Facebook Like buttons and other features that come with a privacy cost to our visitors, we need to make sure we can comply with this cookie law. The funny thing is, to implement the cookie law, we will use a cookie! It is important to understand that the cookie law does not even mention the word cookie; it applies to every technical means available to identify a user. So you cannot code around it by using Local Storage, Flash Shared Objects or similar techniques. The law by itself is not unreasonable: it does not require consent for cookies that are technically required for the primary function of the website. Session cookies are allowed for login or multipage forms, and we can also use a persistent (first-party) cookie to remember cookie consent, without asking consent for that.
We’ll implement the cookie law like this:
- On every incoming request, we check for the presence of a cookie named CookieConsent.
- If the cookie is not found, we check for the presence of the Do Not Track header.
- If the request carries a Do Not Track header, we respect it silently: we don’t ask for consent and don’t set the CookieConsent cookie.
- If Do Not Track is not set, we set a session cookie CookieConsent=asked and show the consent buttons.
- We handle the user’s response to the consent message accordingly: if the user allows or denies consent, we set the CookieConsent cookie to true or false, with an expiration of 1 year.
- If we get no explicit response to the consent message, we check the cookie on the next incoming request:
  - If the value is “asked”, we set it to “true” in the next response, interpreting this as implicit consent.
  - If the value is anything else, we leave it unchanged and assume no consent.
- To the application, we make available a static utility function that reports the CookieConsent value, so the Views can easily decide whether to include affected functionality.
I think this is a very fair way of handling user privacy on a website. Websites that depend on advertising income and affiliate marketing may feel this implementation is unfavorable to them and drag their feet a little, e.g. by ignoring the Do Not Track header or by not allowing users to view content when they deny consent. You can easily do that if you wish, and you’ll probably get away with it, too. But I think this implementation is the most user-friendly and “right” way to do it.
In ASP.NET, the best way to implement a system-wide function like this is with a FilterAttribute. Here is the CookieConsentAttribute class:
We can use the attribute by simply setting it on the HomeController:
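Neither the attribute listing nor the controller listing survives on this page. The following is an added example written for this edit, not the author's original code: an action filter for ASP.NET MVC (System.Web.Mvc) that walks through the consent steps listed above, the static utility for the Views, and the attribute applied to HomeController. One detail the text does not specify is how the consent buttons deliver their answer; this example assumes a `cookieConsent` query parameter, and the names `AnswerParameter`, `Remember`, `CookieConsent.Value`, `Granted` and `Pending` are this example's own.

```csharp
// Added example, not the original listing: an action filter implementing the
// consent steps for ASP.NET MVC (System.Web.Mvc). Assumption of this example:
// the consent buttons send their answer as a "cookieConsent" query parameter;
// the original page does not say how the answer reaches the server.
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class CookieConsentAttribute : ActionFilterAttribute
{
    public const string CookieName = "CookieConsent";
    public const string AnswerParameter = "cookieConsent";   // assumed name
    public const string Asked = "asked";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase context = filterContext.HttpContext;
        HttpRequestBase request = context.Request;

        // 1. An explicit answer from the consent buttons wins and is kept for a year.
        string answer = request.QueryString[AnswerParameter];
        if (answer == "true" || answer == "false")
        {
            Remember(context, answer, DateTime.UtcNow.AddYears(1));
            return;
        }

        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null)
        {
            // 2. No cookie yet: a Do Not Track header ("DNT: 1") is honoured
            //    silently, without asking and without setting any cookie.
            if (request.Headers["DNT"] == "1")
            {
                context.Items[CookieName] = "false";
                return;
            }
            // 3. Otherwise ask: a session cookie (no Expires) records that we asked.
            Remember(context, Asked, null);
            return;
        }

        // 4. Asked on an earlier page but not answered: the visitor kept browsing,
        //    which is interpreted as implicit consent.
        if (cookie.Value == Asked)
        {
            Remember(context, "true", DateTime.UtcNow.AddYears(1));
            return;
        }

        // 5. Any other value is left untouched; only the exact string "true" counts.
        context.Items[CookieName] = cookie.Value == "true" ? "true" : "false";
    }

    // Sets the cookie on the response and records the value for this request, so
    // the Views can read it before the browser has ever sent the cookie back.
    private static void Remember(HttpContextBase context, string value, DateTime? expires)
    {
        var cookie = new HttpCookie(CookieName, value) { Path = "/", HttpOnly = true };
        if (expires.HasValue)
        {
            cookie.Expires = expires.Value;
        }
        context.Response.Cookies.Set(cookie);
        context.Items[CookieName] = value;
    }
}

// Static utility for the Views: the consent state of the current request, read
// from what the filter recorded (falling back to the cookie the browser sent).
public static class CookieConsent
{
    public static string Value
    {
        get
        {
            HttpContext context = HttpContext.Current;
            if (context == null) return "false";
            object recorded = context.Items[CookieConsentAttribute.CookieName];
            if (recorded != null) return (string)recorded;
            HttpCookie cookie = context.Request.Cookies[CookieConsentAttribute.CookieName];
            return cookie == null ? "false" : cookie.Value;
        }
    }

    // Privacy-impacting features may be rendered only when this is true.
    public static bool Granted { get { return Value == "true"; } }

    // True only on the request where we asked: the page should show the buttons.
    public static bool Pending { get { return Value == CookieConsentAttribute.Asked; } }
}

// Putting the attribute on the controller is enough; every action inherits it.
[CookieConsent]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

The cookie is marked HttpOnly because the decision is made server-side and no script needs to read it; on a site served over HTTPS, set `Secure` as well. Because the answer travels in a GET parameter, any link carrying `cookieConsent=true` would record consent for the visitor who follows it; a POST form validated with the anti-forgery token is the stricter choice if that matters for your site.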
Now we have our environment working, and we can implement the message and handle the responses. I am going to implement it the way the law is intended, and will try not to sabotage it. This means I will still allow users who declined cookies onto my site, and will disable any functionality that might compromise privacy, like tracking cookies, affiliate marketing programs and social buttons.
I will include the cookie consent message in _Layout.cshtml, so that it appears on every page. I placed it at the top of the page, right below the menu:
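The layout listing itself is not on this page. As an added example (not the author's markup), here is how the message and the gating of privacy-impacting features could look in _Layout.cshtml, assuming the `CookieConsent` static helper with `Pending` and `Granted` properties described above, a `cookieConsent` query parameter for the answer, and a `_SocialButtons` partial view; all three names are assumptions of this example, not from the original page.

```cshtml
@* Added example for _Layout.cshtml, not the original listing. Assumes the
   CookieConsent helper (Pending / Granted), a cookieConsent query parameter
   and a _SocialButtons partial; none of these names come from the page. *@
@if (CookieConsent.Pending)
{
    <div class="cookie-consent">
        <p>This site would like to use cookies for social buttons and visitor
           statistics. Do you allow this?</p>
        @* RouteUrl keeps the current controller/action, so the visitor stays
           on the same page after answering. *@
        <a href="@Url.RouteUrl(new { cookieConsent = "true" })">Yes, allow cookies</a>
        <a href="@Url.RouteUrl(new { cookieConsent = "false" })">No, continue without</a>
    </div>
}

@* Anything with a privacy cost is rendered only after consent was given. *@
@if (CookieConsent.Granted)
{
    @Html.Partial("_SocialButtons")
}
```

Because the buttons are only shown on the request where the filter set `CookieConsent=asked`, a visitor who navigates on without answering sees them once, which matches the relaxed interpretation described earlier.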
[This post is part of the series Development of a mobile website with apps and social features]