Dealing with the Dutch cookie law as a web developer

This note about how to comply with the Dutch cookie law is mostly a memo to self, but I believe the information past the fold is also useful to anyone who runs their own website and needs to ensure the privacy of their site’s visitors.

Web cookies are small pieces of information that can be stored on your computer by the websites that you are visiting.

A typical use of cookies is when sites with a user login, for instance online stores, store a unique code on your computer for the duration of your session so that they don’t have to keep asking you for your password every time you go to a different page. These cookies are deleted when you log out or when you close your browser, whichever comes first.

Another use of cookies is for tracking you across websites and browser sessions. This is done by online advertising networks who build up big personal profiles of you that may include surprisingly effective guesses about your age, gender, sexual preferences, political preferences and so on. There is no reason to assume these networks cannot be hijacked by other parties. Such cookies give bad actors, and I include governments in this, added possibilities when they wish to deal with what they consider problematic individuals.

Legal obligations when setting cookies

In 2009 the European Union amended its Telecom directive with a section on cookies (by which they meant all tracking technologies, not just browser cookies). According to this law, website operators amongst others had to gain the informed consent from visitors before placing cookies that weren’t strictly necessary for the use of the website on the visitor’s computer. This includes the type of tracking cookies that advertising networks use.

If a website cannot obtain permission of a visitor to place these unnecessary cookies, it may not place them. From here on I will only be discussing these unnecessary cookies and will refer to them simply as ‘cookies’.

From what I can tell websites that comply with the directive will typically put a notice at the top of the page that states that by using the website you agree to the placement of cookies.

[Screenshot]

Illustration: an example of a cookie notice from theregister.co.uk.

The Dutch government went a step further than the directive and created a law containing two further obligations:

  1. Websites must inform users explicitly about the purpose of each cookie.
  2. Websites must obtain explicit permission.

What this second step means is that a visitor must click a button stating something like “I agree”. It is not sufficient (under Dutch law) to state that by continuing to use a site the visitor agrees to the use of cookies.

This is problematic for operators of small information driven websites. Websites of freelancers or amateur talents are typical for this category. These sites are often based on WordPress and are tied to social networking sites through so-called widgets written in Javascript. These widgets place cookies on a visitor’s computer as a matter of fact, but are (or so I believe) the responsibility of the website operator, not (or not just) of the social network.

Such an owner may decide to add Google Ads to offset hosting costs. These owners may also embed videos from their YouTube accounts. Google Ads and YouTube both place tracking cookies on a visitor’s computer, allegedly to suit the ads they display to the taste of the visitor.

Impossible

Here’s the kicker. Under Dutch law a visitor must be informed about what each cookie does, but as a website builder you cannot know what foreign cookies do. You have only control over your own code, but not over code that is hosted elsewhere. You may set up a test environment to mimic the behaviour of your visitors and use that to read out the cookies that the social and advertising networks place on your test computer, but how you can you be sure that you get the exact same cookies as your visitors? You neither own nor know the code that places cookies, so ultimately you cannot know what cookies are being placed.

For instance, a foreign website may set different cookies based on your locality, your IP number, whether or not you are logged into their service and they may set cookies based on your previous surfing behaviour. Your visitors may receive an entirely set of cookies.

In order to let your website comply with the Dutch cookie law, you cannot let foreign sites set any cookie when somebody visits your website unless you have your visitor’s permission to do so.

Tracking technologies

There are a number of methods that the operator of a social or advertising network can use to track your visitors:

  • HTML iframe and frame elements (load web pages inside another web page)
  • HTML object elements (load for instance Adobe Flash programs)
  • HTML script elements (run Javascript programs inside a web page)
  • Images
  • Web fonts
  • Anything else that gets loaded or embedded from elsewhere

Different types of cookies can be placed:

  • web cookies (initiated by the web site)
  • browser cookies (initiated by the browser)
  • Flash cookies (set by the Adobe Flash plugin)
  • web storage
  • zombie cookies

Zombie cookies are web cookies that use as many technologies as the programmer can find to restore a cookie that you deleted. This works as follows. 1) You visit a website. 2) You leave the website and for some reason decide to delete the cookies that it set. 3) Then when you go back to the website or when a you visit a website that runs code from the hostile network, the hostile network will use any of the other types of cookies it can find and any other information it has at its disposal to resurrect the cookie you intentionally deleted.

Apart from cookies and embedded foreign elements on your website there is a very powerful third way with which to track a visitor and that is via IP numbers. An IP number is the address you have on the internet. Every IP number is unique. IP numbers must be sent by the browser to the web server simply because that is how the web server knows where to reach the visitor and send web pages and so on.

Alternative, cookie-less technologies

There are cookieless variants of widgets out there, but they aren’t always easy to find. I stumbled upon a cookieless YouTube embedder because I was looking for it. Share buttons and like buttons are distributed by social networks as easy to use Javascript-based widgets but the cookie free variants are ‘hidden’ in programming manuals. I imagine the reason these cookieless variants exist is so they can be used in internet-aware applications that don’t support Javascript, such as mobile phone apps. Looking for how to implement the functionality of a widget outside a web browser could therefore be a good strategy for finding cookie free alternatives.

A number of these ‘safe’ share links can (update June 2017: no longer) be found at themergency.com. They’ve even built a little generator for share links although this assumes you know the address of the page you’re going to use them on. (Update June 2017: try sharelinkgenerator.com.)

If all you need is a plugin that generates ‘safe’ share links for WordPress, as far as I can tell Simple Share Button Adder fulfills that need except for the Pinterest button.

A number of social networks document their privacy friendly share links on the following pages:

The Pinterest documentation claims you need to use Javascript, but it will work without. The same goes for the Reddit share link.

Note that share links will typically replace your website in the browser when clicked. You will need to write your own pop-up code to avoid this.

Further considerations

Although I managed to find privacy friendly versions of social network share links, I struck out with so-called like buttons. These tend to be based on Javascript; perhaps because the networks feel the need to send back real-time information about the number of likes received.

YouTube has a privacy friendly version of its video player, other video hosting websites like Vimeo do not.

If you use privacy friendly versions of widgets and ads, you still have to rely on the honesty of the provider in cases where the privacy friendly versions use one of the methods outlined above (iframes, Javascript and so on). What can you do when the foreign entity breaks its word? What risks do you run as a web site owner?

The only safety lies in not embedding or loading anything from a foreign website unless you have a visitor’s permission to set cookies. German publisher Heise developed a method for double clicking like buttons; the first button indicating your permission and the second being the actual ‘like’.

This method could be extended to everything that gets embedded by providing filters in popular CMSes and frameworks for ‘dangerous’ HTML elements. If these elements point to foreign sources (src and href attributes) they could be filtered out by default unless you get the visitor’s OK to show cookies. This would also impact embedded items that do not track your visitors.

Hiding widgets from visitors until they permit you to show them still does not let you abide by the Dutch cookie law, because you still have to tell visitors what the cookies from widgets do. If you make a good faith effort to study and report the cookies that third parties set, at least you will have helped your visitors as best you can and hopefully have made yourself a smaller target for the authorities.

3 responses to “Dealing with the Dutch cookie law as a web developer”

  1. Paolo says:

    Could you please post where you did find the cookieless YouTube embedder?

    I searched for it but without success.

    Thank you

  2. brankl says:

    Interestingly, I used it today, so I know it still exists! :-)

    On a desktop PC, under a YouTube video, using English as the interface language, you currently (2017) see the following: the title of the video, the name of the channel plus a subscription button (and, right aligned, the amount of views), and then a row of three buttons, “Add to”, “Share”, and “More” (and, right aligned, the amount of likes and dislikes).

    If you click “Share”, a new sub-form appears below the buttons with three tabs, “Share”, “Embed”, and “Email”.

    Click “Embed” and the sub-form changes. It now conists of the three tabs, a field with the embedding code and a link “Show more”.

    Click “Show more” and the sub-form changes again. Below the field with the embed link, you now see a preview of the video and below that a number of options. Changing the options will change the embed link and the preview. One of the options is “Enable privacy enhanced mode”. If you select that option, the embed link will change to use the privacy enhanced server.

    Note that (as I believe I mentioned in the blog) once a visitor actually plays a video, their privacy-enhanced days are over and Google will start setting cookies.

    Here is how Google explains it.

Leave a Reply

Your email address will not be published.