Textpattern Forum


#1 2012-06-09 21:57:56

spiffin
Plugin Author
From: London, UK
Registered: 2004-06-08
Posts: 79
Website

spf_if_eu - serve content to EU visitors only

A conditional container tag to serve content to EU visitors only (e.g. a cookie-prompt: see usage notes below) or non-EU visitors (via the <txp:else /> tag).

Can also be used to redirect EU/non-EU visitors to other pages/sites/sections.

Uses MaxMind’s GeoIP database to detect a visitor’s country of origin.

Latest version.

Installation

- DOWNLOAD and unzip;

- Upload the ‘geoip’ directory to your web root;

- Install and activate the plugin – spf_if_eu.txt.

Usage

  1. The plugin is intended to be used on page templates (e.g. to serve a cookie prompt such as cPrompt or my forked version) – but can also be used in articles and forms.
  2. Content within <txp:spf_if_eu> ... </txp:spf_if_eu> tags will only be served to visitors from the EU.
  3. The <txp:else /> tag can also be used to serve content only to non-EU visitors.

Notes

  1. Country detection is via MaxMind’s GeoIP database – it (very occasionally) makes errors.
  2. Not tested on Textpattern < 4.4.1 and PHP < 5.

Version history

0.2 – 26 August 2012

  • Optimised (thanks Jukka).

0.1 – June 2012

  • First release.

Last edited by spiffin (2012-08-26 13:18:46)

Offline

#2 2012-06-10 19:26:58

milosevic
Member
From: Madrid, Spain
Registered: 2005-09-19
Posts: 349

Re: spf_if_eu - serve content to EU visitors only

Mmm, it is nice, for instance, for sites using retargeting advertising cookies! Thanks for sharing it.


<txp:rocks/>

Offline

#3 2012-06-11 06:54:01

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 1,943
Website

Re: spf_if_eu - serve content to EU visitors only

Nice. I tried it out along with your fork of cPrompt (with path =”/” added) and at first I got no response but it must have been one of those “very occasionally” cases – updating geoIP.dat with a new version from the net resolved the problem.

I thought the whole EU cookie thing would be easier – that’s no reflection on your plugin but to do the whole EU cookie setup requires quite a bit more, e.g. cookie detection at the least to switch off cookie-producing code if cookies have been declined (using either the cPrompt method added to the js or server-side with chs_cookie – I have a modded version of this). I hid the message once cookies had been accepted, but apparently you still need a way for people to revoke that on the cookie policy page, so I added the switch-facility to the cookie policy page.

This is now law and the 12 month grace period is over, but I’ve seen very few sites up to now that actually use it. If this is going to become standard practice (in the EU) I reckon your plugin would have the potential to become a full-blown eu_cookie plugin with a few more tags, for example with the following dreamt up tags:

  • spf_if_eu for starters
  • eu_cookie_js – insert js with attributes for the cPrompt options
  • if_eu_cookie – with status attributes 0, 1, 2, 3, accepted, declined as a container that polls the cookie so that relevant code can be excluded if cookies have been declined. Essentially chs_cookie for the cPrompt cookie only.
  • eu_cookie_switch – with allow / disallow and type = input or link plus class, label etc. If you want to inform people of their current setting on the cookie policy page and provide the switches again.
  • perhaps an admin pane for the four custom message texts and cookie-policy page address.
  • the ability to not load any of it if cookies have been accepted.

You can do most/all of that with a combination of plugins and variables but a little “suite” of functions might make the whole thing more straightforward.

In general, there still seems to be plenty of confusion. Did I not find it, or has there been no official word on whether this is necessary for google analytics (aside from the fact that they’re unlikely to penalize for that)? I can’t see many stats systems working without cookies just yet.

How about third-party embedded players, e.g. vimeo / youtube videos or issuu doc players? Do we have to prevent these videos / players from loading and either leave them out or add a “to see this content please accept cookies – see our cookie policy page” if the visitor has declined cookies …

Last edited by jakob (2012-06-11 07:09:07)


TXP Builders – finely-crafted code, design and txp

Offline

#4 2012-06-11 11:59:15

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: spf_if_eu - serve content to EU visitors only

Let’s start with the obvious; this is the lamest set of laws and situation ever. Whoever came up with it is an idiot, and those that approved it, are ignorant and clearly uneducated on the subject.

jakob wrote:

This is now law and the 12 month grace period is over

Well, the thing is that each state needs to write their own law based on the regulations. Not every participant has clearly done so and some took the set schedule into their own hands.

How about third-party embedded players, e.g. vimeo / youtube videos or issuu doc players? Do we have to prevent these videos / players from loading and either leave them out or add a “to see this content please accept cookies – see our cookie policy page” if the visitor has declined cookies …

Which EU state? Each state has their own laws you need to revisit, I suppose. But if we go by the general ruling, then you can’t show 3rd-party video players to those visitors that opt-out from cookies. Yes, that sucks. No YouTube, no Vimeo, no file or open-content services. No nothing.

In general, there still seems to be plenty of confusion. Did I not find it, or has there been no official word on whether this is necessary for google analytics (aside from the fact that they’re unlikely to penalize for that)? I can’t see many stats systems working without cookies just yet.

Aren’t tracking cookies the main reason why we got into this situation? As Google goes, they don’t have to care and they probably do not give two cents on this situation or this limited market affected. It’s up to you if you want to go according to the regulations. So no Google Analytics to those that opt-out from cookies.

The thing that annoys me most about even doing such opt-out integration is resource usage, storage and caching. To do any of this you need some sort of processing on each page view, and server-side storage is required. Makes content caching and delivery that bit hard. I mean, ridiculously hard and the added strain is huge, and for what.

Last edited by Gocom (2012-06-11 12:06:58)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#5 2012-06-11 12:11:07

spiffin
Plugin Author
From: London, UK
Registered: 2004-06-08
Posts: 79
Website

Re: spf_if_eu - serve content to EU visitors only

Hi Jakob

The ‘EU cookie law’ is undoubtedly confused. There appear to be no clear guidelines as to what constitutes a ‘harmful’ cookie and therefore (as far as I understand it) site owners are expected to audit all cookie use, make a clear statement available to users about that cookie use, and (although this is not 100% clear) give users the ability to accept or decline cookies.

The UK government position is outlined here — note the distinction between ‘implied consent’ and ‘informed consent’:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.

A good cookie audit tool is available here — along with suggested privacy policy and cookie-usage table.

Good idea re. a ‘suite’ of tools – but I thought I’d introduce spf_if_eu as a ‘primer’ and see how things develop before packing it with other features.
Code for both spf_if_eu and my fork of cPrompt is on GitHub — so can be forked and taken further by anyone keen to do so.
I’ll be updating both as and when.

Offline

#6 2012-06-11 12:19:08

spiffin
Plugin Author
From: London, UK
Registered: 2004-06-08
Posts: 79
Website

Re: spf_if_eu - serve content to EU visitors only

Gocom wrote:

this is the lamest set of laws and situation ever. Whoever came up with it is an idiot, and those that approved it, are ignorant and clearly uneducated on the subject.

.. agreed.

The thing that annoys me most about even doing such opt-out integration is resource usage, storage and caching. To do any of this you need some sort of processing on each page view, and server-side storage is required. Makes content caching and delivery that bit hard. I mean, ridiculously hard and the added strain is huge, and for what.

.. absolutely.

The spokesperson for the UK ICO does say in the YouTube video (which, ironically, sets cookies) that enforcement will be impossible without users reporting malicious cookies. This would suggest that governments simply don’t have the resources to police this law and will be relying on ‘vigilante’ groups of users. Not good.

Offline

#7 2012-06-11 12:32:05

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,982
Website

Re: spf_if_eu - serve content to EU visitors only

spiffin wrote:

this is the lamest set of laws and situation ever. Whoever came up with it is an idiot, and those that approved it, are ignorant and clearly uneducated on the subject.

+1

[OT] Textpattern’s admin side uses cookies so you don’t get logged out between page views. Presumably people who ‘opt out’ of our terribly harmful cookie will have to log in each time they click?

I don’t have half a million quid when someone in a company/Government/NGO that uses Txp kicks their toys out of the pram. Maybe the README.txt file needs to have a line added to it stating the obvious…?

Last edited by Bloke (2012-06-11 12:33:27)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp

Offline

#8 2012-06-11 12:54:09

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: spf_if_eu - serve content to EU visitors only

Bloke wrote:

I don’t have half a million quid when someone in a company/Government/NGO that uses Txp kicks their toys out of the pram. Maybe the README.txt file needs to have a line added to it stating the obvious…?

Perhaps, but I wouldn’t care too much. Don’t take my word for it, I just really don’t care about this cookie mess.

Presumably people who ‘opt out’ of our terribly harmful cookie will have to log in each time they click?

The admin-side is totally unusable without cookies. Only thing you can do, if anything, is viewing pages. You can’t do any changes or save anything. Form submits can not be processed without login and the processes can not resume after re-logging.

Textpattern could maybe offer a cookie-less login mechanism. One that uses session IDs appended to the URL, since local storage (and similar solutions) too is subject to this cookie regulation. /sarcasm Oh boy, stealing someone’s login just by looking at their screen or by getting access to server’s plain request logs.


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#9 2012-06-11 13:44:05

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 1,943
Website

Re: spf_if_eu - serve content to EU visitors only

I agree with you too – and in Germany as far as I can tell, there’s not been any action on the issue yet. However, from what I’ve read, the implication is that since Germany has not acted on it, the EU regulation starts to apply in Germany too after the 12 month grace period. In Germany we are already legally obliged to show an imprint page, and there’s a thriving business among unscrupulous lawyers in researching sites that don’t comply (or properly comply) and sending them legal warnings with not inconsiderable fees. A lot of it is scaremongering but it’s bothersome and I imagine they can’t wait to get their hands on this kind of thing.

My motivation for trying this was that I happen to manage a website for a UK-based Community Interest Company concerned with migration where privacy is potentially a thorny issue that the users may also wish to know about, so I thought it would be good to be up front about it.

Implied consent is a valid form of consent…

I see that cPrompt has (sort of) support for this, in that after first load, it allows cookies but continues to ask for explicit acceptance. I guess ‘true’ implied consent means you must inform adequately first, and that’s hard to fit in a single line of text.

The admin-side is totally unusable without cookies

This would count as a cookie that is essential for site operation and does not invade privacy, so this would be exempted from the directive. Same goes for things like shopping carts.

But if we go by the general ruling, then you can’t show 3rd-party video players to those visitors that opt-out from cookies. Yes, that sucks. No YouTube, no Vimeo, no file or open-content services.

Yep, it’s the things that are not considered “essential for site operation” that are the cookies in question. One might argue that analytics are “essential for improving site services” but they don’t count (it seems) as being strictly essential for site operation.

On the site I mentioned above, we bring in embedded players from vimeo and from issuu. We don’t set the cookies ourselves and some are in iframes, so technically it’s not even under our control. Does that mean it’s not our responsibility? From what I can tell, it probably is still our responsibility. I can’t control what vimeo or issuu do with the cookie, and they both have a social-network side to their business models that probably does involve tracking surfing behaviour, so my guess is that we’d have to disable those for those people who decline to accept cookies.

The thing that annoys me most about even doing such opt-out integration is resource usage, storage and caching

I agree. The geoIP.dat file alone is 1.4 MB for example, although that’s server-internal.

A way to partially reduce resource usage if you’re hiding the message once cookie acceptance has been given (opt-in) is to check that cookie’s status and not load any of the code or eu checking code except for on the cookie-policy page where you have the option to revoke that allowance. For that you need server-side cookie checking. But for the first page load – which is also where you make your first impression – it will always be necessary. FWIW, Simon’s fork of cPrompt is fairly minimal.

But server resources are only part of the story. It looks like webmasters in the EU now need to make (sometimes large) parts of their site conditional, and need to research whether a new widget they add to a site uses cookies and update the cookie-policy accordingly.


TXP Builders – finely-crafted code, design and txp

Offline
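
The server-side gating described in post #9, as an added example that is not part of the thread and is not code from spf_if_eu or cPrompt. The cookie name `cookie_consent`, its values, the `/cookie-policy` path, the `consent_plan()` function and the lookup callback are all hypothetical; withholding third-party embeds from undecided EU visitors is an assumed opt-in reading.

```php
<?php
// Added example. Hypothetical names throughout: cookie_consent, /cookie-policy,
// consent_plan(). Not taken from spf_if_eu or cPrompt.

/**
 * Decide what a page view needs, running the GeoIP lookup only when it matters.
 *
 * @param array    $cookies       request cookies, e.g. $_COOKIE
 * @param string   $path          request path
 * @param callable $lookupCountry returns the visitor's ISO country code (costly)
 * @param array    $euCodes       country codes to treat as EU
 */
function consent_plan(array $cookies, $path, callable $lookupCountry, array $euCodes)
{
    $state = isset($cookies['cookie_consent']) ? $cookies['cookie_consent'] : '';
    // The cookie is client-controlled: accept only known values,
    // anything else counts as "no decision yet".
    if (!in_array($state, array('accepted', 'declined'), true)) {
        $state = '';
    }
    // The revoke/allow switch is only offered on the policy page.
    $switch = ($path === '/cookie-policy');

    if ($state !== '') {
        // Decision already stored: no prompt and no country lookup.
        // Cookie-setting embeds and analytics load only after acceptance.
        return array('prompt' => false, 'switch' => $switch,
                     'third_party' => ($state === 'accepted'), 'lookup' => false);
    }

    // No decision yet (first page load): the lookup is unavoidable here.
    $isEu = in_array(strtoupper($lookupCountry()), $euCodes, true);
    return array('prompt' => $isEu, 'switch' => $switch,
                 'third_party' => !$isEu,   // assumption: opt-in for EU visitors
                 'lookup' => true);
}

// Constructed demo: count how often the costly lookup actually runs.
$calls  = 0;
$lookup = function () use (&$calls) { $calls++; return 'DE'; };
$eu     = array('DE', 'ES', 'FR', 'GB'); // constructed subset, not a full list

$first  = consent_plan(array(), '/', $lookup, $eu);
$repeat = consent_plan(array('cookie_consent' => 'accepted'), '/articles', $lookup, $eu);
$policy = consent_plan(array('cookie_consent' => 'declined'), '/cookie-policy', $lookup, $eu);
$forged = consent_plan(array('cookie_consent' => 'yes-please'), '/', $lookup, $eu);

var_dump($first['prompt'], $repeat['lookup'], $policy['switch'], $forged['prompt'], $calls);
```

Because the result depends on the consent cookie, any page cache in front of this logic has to vary on that cookie, which is the caching cost raised elsewhere in the thread.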

#10 2012-06-11 14:02:52

Gocom
Developer
Registered: 2006-07-14
Posts: 4,476
Website

Re: spf_if_eu - serve content to EU visitors only

jakob wrote:

A way to partially reduce resource usage if you’re hiding the message once cookie acceptance has been given (opt-in) is to check that cookie’s status and not load any of the code or eu checking code except for on the cookie-policy page where you have the option to revoke that allowance. For that you need server-side cookie checking. But for the first page load – which is also where you make your first impression – it will always be necessary. FWIW, Simon’s fork of cPrompt is fairly minimal.

For a website that can work from pre-baked cache or partial cache the difference is huge. We can be talking about usage increase of thousands of times. Minimal module that does cache pulling vs. access to Textpattern and its dynamic page templates… you are essentially cutting requests per second to 1/5000.

Last edited by Gocom (2012-06-11 14:05:04)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline
