Hi! So I was just informed of the EU cookie laws, the only thing I understand so far is that you should inform the user of use of cookies in their browser. I'm still very confused on who and when you need to follow this. I live in the United States and I'm working on a project, in the end there will be European users, so how does this work? Please tell me any information to help me clear this up, thanks!

From what I understand, you only need to follow federal laws based on the country your site is based off of / where your servers are hosted.

For example, DaniWeb is a global community, which means we get traffic from some communist countries such as China and we even get some very minimal traffic from North Korea. Just because people from North Korea may visit DaniWeb can't possibly mean that we have to uphold North Korean internet and privacy laws!!

Basically any cookie that is not required for the site to work needs confirmation first, before placing. In most cases you are required to store the confirmation once given (IP and date), so if there is a concerned party, you will have a log showing it was explicitly granted by the user. There is some discussion still whether or not this will apply to tracking cookies (GA for example). Another drawback is that some rules differ per country. It's a law imposed by the EU, but countries still have a say in the actual legislation.

Next to that, there should be a description on your site of which cookies are used and what they are for.

A start could be: http://cookiecuttr.com/

Basically any cookie that is not required for the site to work needs confirmation first

Technically any cookie that the site uses is required for the site to "work", because lack of the cookie would be removing a "feature" of the site that would otherwise be provided. ;)

Ah, that's similar to the US laws regarding email spam where we have to permanently store confirmation about when the member joined and agreed to accept email from us along with a huge list of information about them (their IP address at the time, timestamp, etc.) That's why we can't permanently erase records of deleted members (even with zero posts) from our database: because even if we sent them one welcome email, we have to permanently prove we were granted permission to email them.

Regarding cookies though, that's just out of this world unbelievable!! OK, registered members that have opted in ... permanently store a record for them ... it takes up a LOT of space in our database but whatever.

But to permanently store confirmation from all users who receive cookies: we're talking about millions upon millions of people a month. We don't even come anywhere close to having the server resources for that!

Plus, we don't directly store any tracking cookies (i.e. cookies not required for the site to work) anyways. We work with third parties (advertisers / Google Analytics / etc) that do, but the cookies are from their domain and not ours, and are initiated via Javascript on their servers, so ultimately I'm guessing it would be up to them to have their same javascript that sends their cookies ask for confirmation.

From what I understand, you only need to follow federal laws based on the country your site is based off of / where your servers are hosted.

I actually consulted a lawyer firm about this, hoping to avoid the laws because my server is in the US... wrong. It's about your target audience (at least it is here in The Netherlands). Most of this is not governed though, and not all laws are yet figured out fully (even though they should've been already). They are now considering allowing analytics cookies to be placed without confirmation.

it would be up to them to have their same javascript that sends their cookies ask for confirmation.

Wrong, you are using the third party plugins, it's your choice, so your responsibility. You can quote that you cannot control them, but technically you should be able to disable the plugins if a user chooses not to want them.

All-in-all, there's still A LOT of discussion going on here about the subject.

But how can you be legally responsible to uphold all laws worldwide? There might even be explicitly conflicting laws between two different countries?

It's also very contradictory. They want you to store all this information about users, so that if it is needed it can be recalled, and also to protect both parties, but this undermines many Data Protection and Privacy laws.

You can't store most of that information without registering as a Data Controller (applies to the UK, not sure about elsewhere), which is something that isn't practical and is costly for most people. So you can't really win... laws cannot keep up with changing and advancing technology.

True, but it's about target audience. In DW's case, if your target is US, you won't have to abide by the EU laws.

So it's best to supply information on why and how cookies are being used?

Yes, definitely a good choice. What kind of cookies would you be using? For example, in case of eCommerce, a shopping cart without cookies will never work as well, hence they are allowed.

We can say that we're a US-based site that aims to target a majority US audience. But at the end of the day, more than half of our moderators are non-US based, so what is the criteria that we're being judged on that gives us the ability to say we're targeting a US audience??

Targeting US does not mean you have to block other users. Users are free in what they visit, knowingly accepting that those sites are not bound by EU regulations.

If you are building daniweb.nl then you have no choice about it.

They will be used for standard sign in features, they will just contain a hash. I was informed of this law and was a bit concerned, that's all.

A login (remember me) feature cannot work without it. You can mention that by logging in you accept the cookies, as you won't be able to login and use the website otherwise.

A good example here in The Netherlands was the website of public TV. It's a government institution, but in order to comply, they created an opening page which you would have to click/accept cookies to continue. If you didn't, you couldn't use the website. In the eyes of the rules, that's perfectly valid. Caused quite some controversy too.

Alright sounds good, thank you everyone!

Pritaeas, I understand that, but what I'm saying is how can I legally prove that we primarily target US visitors when just about all of the top members and staff are not from the US? Sure, maybe one or two ... but nearly all of them?

Proving? Don't know. Not sure you are required to do that. Staff is not your target audience, and mods/members are there by choice. They don't have anything to do with that. Your staff, volunteers are not the issue. There are no laws stating they can't be there.

Just was wondering whether you felt the burden to uphold the law would be placed on the publisher or the website visitor. For example, the United States has the COPPA act which states a publisher cannot knowingly collect information from anyone less than 13 years of age. In this case, it's the publisher's responsibility to ask your age. It's not the visitor's responsibility to know not to submit information if they are less than 13.

You're essentially saying that the burden lies with the website visitor to not visit a non-compliant website if they don't want there to be a law violation on anyone's part.

The visitor is never breaking the law.

The problem now is in the fact that the law makers have no idea how it all works. By trying to control spam etc. they hurt regular websites collecting only statistics. Basically the site's owner is responsible. He "owns" the website and should be responsible for what's on it. In my experience, a lot of people have their websites built for them, not even knowing about these laws. If the web builders do not address this, the owners are the ones taking the risk. Very strange.

These laws are not even enforced, because of the dubiousness surrounding it all. Should they start enforcing this, I'm abandoning building websites, or removing any cookie use.

we even get some very minimal traffic from North Korea. Just because people from North Korea may visit DaniWeb can't possibly mean that we have to uphold North Korean internet and privacy laws!!

But it does mean that the site should be usable from a Windows 95 computer. ;)

Interestingly, I've just been looking at the ICO website and their Cookie Notification is:

We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

So it looks like simply telling users they can change their cookie options in browser if they want to should suffice, without the need to add opt-out code and handle silly things like this.

As it is as simple as adding a small message, I would add it to be on the safe side. It can't do any harm, can it?

I wish the laws would just educate the people on how to use the browser. These settings have been there all along, yet nobody uses them.

AHarrisGsy, I have a feeling that when they said "You can change your cookie settings at any time" they meant that the user's profile on the website gives them an option to change website-specific cookie settings.

But how can you be legally responsible to uphold all laws worldwide? There might even be explicitly conflicting laws between two different countries?

Yes, that is a problem that website operators (and others) on the internet can face.
For example Linden Lab was sued in criminal court by German and French prosecutors for allowing sexual activity in places where avatars modelled to look like minors can enter (in Germany and France it is illegal to have images of sexual activity being witnessed by a child, even if that image is a cartoon or other non-photographic depiction. In the US only photographic depiction is illegal).
As a result they changed their TOS to disallow that combination, the alternative being blocking access to their service to those countries.

Another case I am familiar with had a Spanish national upload pirated content stolen from a UK company to servers in Italy where US citizens could download it.
The resulting criminal and civil cases stretched for months, nobody could agree on which law was applicable in this case (UK where the content had been stolen, Italy where it was hosted, Spain where the pirate resided, or whatever country the people who downloaded that content were residing).
In the end the hosting provider gave in and removed the content to avoid being driven out of business by the legal cost, but it soon reappeared in yet another country with no respect for IP ownership at all.

So it looks like simply telling users they can change their cookie options in browser if they want to should suffice, without the need to add opt-out code and handle silly things like this.

Yes, that's sufficient under the letter of the law. Under the spirit of the law you have to actively get their agreement and log that, which of course is impossible without cookies, so if people decline they get that popup on every page, every visit, which is why the entire thing is currently under review as it is clearly impossible technically to comply with and still give users a decent user experience.

Yea it's ridiculous. I only used session cookies to track logins at 1 part of my website. Now I need to add a timed cookie to remember if a user lets me use session cookies!
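The mechanism the thread keeps circling back to (always allow the strictly necessary login cookie, set non-essential cookies only after consent, remember the choice in its own timed cookie so the banner is not repeated on every page, and keep an IP-and-timestamp record of the decision) can be sketched server-side like this. This is an added example, not code from DaniWeb or any poster; the cookie names, the in-memory log and the client IP value are constructed placeholders.

```python
"""Consent-gated cookie handling: an added illustration, not DaniWeb's code."""
import secrets
from datetime import datetime, timezone
from http.cookies import SimpleCookie

# Hypothetical cookie names; a real site chooses its own.
SESSION_COOKIE = "sessid"          # strictly necessary: login session
CONSENT_COOKIE = "cookie_consent"  # remembers the user's accept/decline choice
ANALYTICS_COOKIE = "analytics_id"  # non-essential: only ever set after consent
ONE_YEAR = 31536000

CONSENT_LOG = []  # constructed in-memory stand-in for a consent-log table


def parse_cookie_header(header):
    """Turn a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def record_consent(client_ip, decision, now=None):
    """Store proof of the decision (IP + timestamp), as the thread describes."""
    now = now or datetime.now(timezone.utc)
    entry = {"ip": client_ip, "decision": decision, "at": now.isoformat()}
    CONSENT_LOG.append(entry)
    return entry


def cookies_to_set(cookie_header, client_ip, consent_choice=None):
    """Return (list of Set-Cookie values, whether to show the consent banner).

    consent_choice is 'accept' or 'decline' when the user just clicked the
    banner on this request, otherwise None.
    """
    have = parse_cookie_header(cookie_header)
    out = []
    # The login session cookie is required for the site to work, so it needs no consent.
    if SESSION_COOKIE not in have:
        out.append(f"{SESSION_COOKIE}={secrets.token_urlsafe(32)}; HttpOnly; Secure; SameSite=Lax; Path=/")
    consent = have.get(CONSENT_COOKIE)
    if consent_choice in ("accept", "decline"):
        record_consent(client_ip, consent_choice)
        consent = consent_choice
        # The "timed cookie" from the thread: remember the choice so the banner is not repeated.
        out.append(f"{CONSENT_COOKIE}={consent}; Max-Age={ONE_YEAR}; Secure; SameSite=Lax; Path=/")
    if consent == "accept" and ANALYTICS_COOKIE not in have:
        out.append(f"{ANALYTICS_COOKIE}={secrets.token_hex(16)}; Max-Age={ONE_YEAR}; Secure; SameSite=Lax; Path=/")
    elif consent == "decline" and ANALYTICS_COOKIE in have:
        out.append(f"{ANALYTICS_COOKIE}=; Max-Age=0; Path=/")  # expire a previously set one
    show_banner = consent not in ("accept", "decline")
    return out, show_banner
```

Third-party scripts (analytics, advertisers) would be gated the same way: emit their script tag only when the stored consent is "accept".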