Dealing with the Dutch cookie law as a web developer
This post is partially outdated because of recent developments. See the notes at the bottom.
This note about how to comply with the Dutch cookie law is mostly a memo to self, but I believe the information below the fold is also useful to anyone who runs their own website and needs to protect the privacy of their site’s visitors.
Web cookies are small pieces of information that can be stored on your computer by the websites that you are visiting.
Legal obligations when setting cookies
In 2009 the European Union amended its Telecom directive (the ePrivacy Directive) with a section on cookies, by which it meant all tracking technologies, not just browser cookies. Under this directive, website operators, among others, must obtain a visitor’s informed consent before placing cookies on the visitor’s computer that are not strictly necessary for the use of the website. This includes the tracking cookies that advertising networks use.
If a website cannot obtain a visitor’s permission to place these unnecessary cookies, it may not place them. From here on I will only discuss these unnecessary cookies and will refer to them simply as ‘cookies’.
From what I can tell websites that comply with the directive will typically put a notice at the top of the page that states that by using the website you agree to the placement of cookies.
The Dutch government went a step further than the directive and created a law containing two further obligations:
- Websites must inform users explicitly about the purpose of each cookie.
- Websites must obtain explicit permission.
The owner of a small website may decide to add Google Ads to offset hosting costs, or embed videos from their YouTube account. Google Ads and YouTube both place tracking cookies on a visitor’s computer, allegedly to tailor the ads they display to the taste of the visitor.
Here’s the kicker. Under Dutch law a visitor must be informed about what each cookie does, but as a website builder you cannot know what foreign cookies (cookies placed by code hosted elsewhere) do. You only control your own code, not code that is hosted elsewhere. You may set up a test environment that mimics the behaviour of your visitors and use it to read out the cookies that the social and advertising networks place on your test computer, but how can you be sure that you get the exact same cookies as your visitors? You neither own nor know the code that places the cookies, so ultimately you cannot know what cookies are being placed.
For instance, a foreign website may set different cookies based on your locality, your IP number, whether or not you are logged into its service, and your previous surfing behaviour. Each visitor may receive an entirely unique set of cookies.
In order to let your website comply with the Dutch cookie law, you cannot let foreign sites set any cookie when somebody visits your website unless you have your visitor’s permission to do so.
There are a number of ways in which the operator of a social or advertising network can get its code or content loaded on your pages, and thereby track your visitors:
- HTML iframe and frame elements (load web pages inside another web page)
- HTML object elements (load for instance Adobe Flash programs)
- Web fonts
- Anything else that gets loaded or embedded from elsewhere
Different types of cookies can be placed:
- web cookies (HTTP cookies set by the web server, via the Set-Cookie response header)
- browser cookies (HTTP cookies set by JavaScript running in the browser, via document.cookie)
- Flash cookies (set by the Adobe Flash plugin)
- web storage (localStorage and sessionStorage)
- zombie cookies
Zombie cookies are web cookies whose value is copied into as many other storage mechanisms as the programmer can find, so that a cookie you deleted can be restored. This works as follows. 1) You visit a website. 2) You leave the website and for some reason decide to delete the cookies that it set. 3) When you go back to the website, or visit another website that runs code from the same hostile network, that network uses any of the other types of storage it can find and any other information at its disposal to resurrect the cookie you intentionally deleted.
Apart from cookies and embedded foreign elements on your website there is a very powerful third way to track a visitor, and that is via IP numbers. An IP number is the address your connection has on the internet. It is not strictly unique to a person (several devices may share one address behind a router, and addresses can change), but it is sent to the web server with every request, simply because that is how the server knows where to send the page back to. Combined with other details of the request it identifies a visitor well enough for tracking.
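The resurrection step described above, as an added example that is not code from the original post: a tracker plants its id in the cookie and in web storage, and on the next page load rebuilds whichever copy is missing. A real tracker would use document.cookie, window.localStorage and further channels (cache ETags, Flash storage); the two stores here are constructed stand-ins so the script runs under Node without a browser, and the cookie name is hypothetical.

```javascript
// Added example, not code from the original post: a "zombie" cookie that
// rebuilds itself from web storage after the visitor deleted it.

// Emulates the document.cookie API: assigning "name=value; attrs" adds or
// deletes one cookie, reading returns every cookie as "a=1; b=2".
class FakeDocumentCookie {
  constructor() { this.jar = new Map(); }
  set cookie(str) {
    const [pair, ...attrs] = str.split(';');
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    // A cookie with Max-Age=0 or an expiry in the past is a deletion.
    const expired = attrs.some(a => /^\s*(max-age=0|expires=.*1970)/i.test(a));
    if (expired) this.jar.delete(name); else this.jar.set(name, value);
  }
  get cookie() {
    return [...this.jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Minimal window.localStorage stand-in (constructed for this example).
function makeStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    clear: () => m.clear(),
  };
}

function readCookie(doc, name) {
  for (const part of doc.cookie.split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq > 0 && trimmed.slice(0, eq) === name) return trimmed.slice(eq + 1);
  }
  return null;
}

const KEY = 'tracker_id'; // hypothetical name of the tracking cookie

// The tracker writes its visitor id into every store it controls.
function plant(doc, storage, id) {
  doc.cookie = `${KEY}=${id}; Path=/; Max-Age=31536000`;
  storage.setItem(KEY, id);
}

// On each page load the tracker looks for any surviving copy of the id and
// rewrites all the others. That is the resurrection step.
function resurrect(doc, storage) {
  const id = readCookie(doc, KEY) ?? storage.getItem(KEY);
  if (id !== null) plant(doc, storage, id);
  return id;
}

// The scenario from the text: 1) visit, 2) delete the cookie, 3) come back.
// Returns the id the tracker sees on the return visit, or null if it is gone.
function scenario(alsoClearStorage) {
  const doc = new FakeDocumentCookie();
  const storage = makeStorage();
  plant(doc, storage, 'v-7f3a');          // 1) first visit sets the id
  doc.cookie = `${KEY}=; Max-Age=0`;      // 2) visitor deletes the cookie...
  if (alsoClearStorage) storage.clear();  //    ...and perhaps web storage too
  return resurrect(doc, storage);         // 3) tracker runs again on return
}
```

The lesson for a visitor is that clearing only the cookie jar does nothing against this; every store the tracker can reach has to go, or the tracker's script must not run at all. That last option is the only one a website operator can offer, by not loading the foreign code in the first place.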
Alternative, cookie-less technologies
A number of these ‘safe’ share links can (update June 2017: no longer) be found at [deleted]. They’ve even built a little generator for share links although this assumes you know the address of the page you’re going to use them on. (Update June 2017: try [deleted]. Update: just search the web for “share link generator”; check that the output of the generator you find is raw HTML.)
If all you need is a plugin that generates ‘safe’ share links for WordPress, as far as I can tell No JS Social Sharing fulfils that need, except for the Pinterest button.
A number of social networks document their privacy friendly share links on the following pages:
- Facebook simple
- Facebook feed (lets you add more to the shared link than just the link)
Note that share links will typically replace your website in the browser when clicked. You will need to write your own pop-up code (or open the link in a new tab with target="_blank") to avoid this.
YouTube has a privacy-friendly version of its video player; other video hosting websites, like Vimeo, do not.
The only safety lies in not embedding or loading anything from a foreign website unless you have the visitor’s permission to set cookies. German publisher Heise developed a two-click method for ‘like’ buttons: the first click indicates your permission to load the button, and the second is the actual ‘like’.
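What a ‘safe’ share link looks like in code, as an added example that is not code from the original post or from any plugin mentioned here: plain links that fetch nothing from the social network until the visitor clicks them, so no third-party cookie can be set beforehand, plus the pop-up handling the note above asks for. The endpoint URLs are the networks’ public share endpoints as I know them and are an assumption to re-check against each network’s documentation.

```javascript
// Added example, not code from the original post: share links that load
// nothing from the social network until clicked.

const SHARE_ENDPOINTS = {
  facebook: ({ url }) =>
    `https://www.facebook.com/sharer/sharer.php?u=${encodeURIComponent(url)}`,
  twitter: ({ url, title }) =>
    `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}` +
    (title ? `&text=${encodeURIComponent(title)}` : ''),
  email: ({ url, title }) =>
    `mailto:?subject=${encodeURIComponent(title)}&body=${encodeURIComponent(url)}`,
};

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build the share links as plain <a> elements. Only an http(s) page URL is
// accepted, so a javascript: or data: URL cannot end up inside an href.
function shareLinksHtml(pageUrl, title) {
  const u = new URL(pageUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`refusing to build share links for a ${u.protocol} URL`);
  }
  const ctx = { url: u.href, title: title || '' };
  return Object.entries(SHARE_ENDPOINTS)
    .map(([name, build]) =>
      `<a class="share share-${name}" href="${escapeAttr(build(ctx))}"` +
      ` target="_blank" rel="noopener noreferrer">Share via ${name}</a>`)
    .join('\n');
}

// Browser-side helper (not exercised here): open the share page in a small
// pop-up instead of a new tab. noopener keeps the share page from reaching
// back into your window through window.opener.
function attachSharePopups(doc, win) {
  for (const a of doc.querySelectorAll('a.share')) {
    a.addEventListener('click', ev => {
      ev.preventDefault();
      win.open(a.href, 'share', 'noopener,noreferrer,width=600,height=450');
    });
  }
}
```

Because the links are ordinary anchors, the page makes no request to the network until the visitor acts, which is the whole point; the share page itself will of course set whatever cookies it likes once opened.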
This method could be extended to everything that gets embedded by providing filters in popular CMSes and frameworks for ‘dangerous’ HTML elements. If these elements point to foreign sources (src and href attributes), they could be filtered out by default until the visitor gives the OK to load them, and with them the cookies. This would also affect embedded items that do not track your visitors.
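One way such a filter could work, as an added example that is neither the post’s code nor Heise’s: run when a page is rendered or saved, it gates every embed from a foreign origin behind a click in the spirit of the two-click method. Elements whose src or data attribute points off-site are replaced by a button carrying the original markup, and the loader at the end puts the element back only after the visitor clicks. The page URL, the list of extra first-party hosts and the regex-based matching (which assumes well-formed markup with quoted attributes; a CMS would use its own HTML parser) are assumptions of this example.

```javascript
// Added example, not the post's code nor Heise's: gate third-party embeds
// behind a click.

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Returns null for a first-party source, otherwise a label for the foreign host.
function foreignHost(src, pageUrl, extraFirstParty) {
  let u;
  try { u = new URL(src, pageUrl); } catch { return 'unparsable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return u.protocol;
  const own = new Set([new URL(pageUrl).hostname, ...extraFirstParty]);
  return own.has(u.hostname) ? null : u.hostname;
}

// Matches an embedding element with its src= or data= attribute and, for
// container elements, its closing tag.
const EMBED_RE =
  /<(iframe|frame|object|embed|script)\b[^>]*\b(?:src|data)\s*=\s*["']([^"']*)["'][^>]*>(?:[\s\S]*?<\/\1\s*>)?/gi;

// Replace every foreign embed in an HTML string with a consent button that
// carries the original markup in a data attribute.
function gateForeignEmbeds(html, pageUrl, extraFirstParty = []) {
  return html.replace(EMBED_RE, (match, tag, src) => {
    const host = foreignHost(src, pageUrl, extraFirstParty);
    if (host === null) return match; // own content: leave untouched
    return `<button type="button" class="consent-embed" data-host="${escapeAttr(host)}"` +
      ` data-embed="${escapeAttr(match)}">Load ${tag} from ${escapeAttr(host)}` +
      ` (may set cookies)</button>`;
  });
}

// Browser side (not exercised here): the second click swaps the button for
// the real element. Scripts inserted via innerHTML do not execute, so a
// <script> is re-created explicitly.
function enableConsentButtons(doc) {
  for (const btn of doc.querySelectorAll('button.consent-embed')) {
    btn.addEventListener('click', () => {
      const tpl = doc.createElement('template');
      tpl.innerHTML = btn.dataset.embed;
      const el = tpl.content.firstElementChild;
      if (!el) return;
      if (el.tagName === 'SCRIPT') {
        const s = doc.createElement('script');
        s.src = el.src;
        btn.replaceWith(s);
      } else {
        btn.replaceWith(el);
      }
    });
  }
}
```

The filter is deliberately origin-based rather than host-list-based: anything not on your own hostname is treated as foreign, so a newly added widget is blocked by default instead of slipping through until someone updates a blacklist. It also blocks harmless foreign embeds, which is the trade-off the text mentions.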
Hiding widgets from visitors until they permit you to show them still does not let you abide by the Dutch cookie law, because you still have to tell visitors what the cookies from widgets do. If you make a good faith effort to study and report the cookies that third parties set, at least you will have helped your visitors as best you can and hopefully have made yourself a smaller target for the authorities.
Update 23 February 2022, part 1: since I published this, the EU has issued a directive that deals with the way third parties track personal data. Unfortunately I do not entirely understand how this works, so I cannot currently tell you more.
Update 23 February 2022, part 2: I mentioned the cookieless YouTube embedder. On a site I manage I noticed that editors would sometimes forget to use the privacy-enhanced versions of YouTube videos, so I made a WordPress plugin called No Cookie for Youtube that changes every YouTube link into its privacy-enhanced version.
Since then, however, I have also come to the realisation that this is not much of a solution either, because a) once a visitor presses Play, cookies are placed without their informed consent, and b) I believe (although I cannot prove it) that Google/YouTube uses other tracking techniques, even if you use the privacy-enhanced version.
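The rewrite such a plugin performs, as an added example that is not the code of the No Cookie for Youtube plugin: YouTube embed URLs are moved to the privacy-enhanced host www.youtube-nocookie.com, which is the host YouTube’s own “Enable privacy enhanced mode” option emits. Only the host (and, for http, the scheme) changes; the video id and player parameters are kept, and anything that is not a YouTube embed is left alone. The list of YouTube hostnames and the quoted-attribute assumption in the regex are assumptions of this example.

```javascript
// Added example, not the plugin's code: rewrite YouTube embeds to the
// privacy-enhanced host. As the text above notes, this only delays cookies
// until the visitor presses Play; it is not consent.

const YOUTUBE_HOSTS = new Set(['www.youtube.com', 'youtube.com', 'm.youtube.com']);
const NOCOOKIE_HOST = 'www.youtube-nocookie.com';

function toNoCookieUrl(src) {
  let u;
  try { u = new URL(src); } catch { return src; }   // relative or malformed: leave as is
  if (!YOUTUBE_HOSTS.has(u.hostname)) return src;    // not YouTube at all
  if (!u.pathname.startsWith('/embed/')) return src; // only the embed player URL
  u.hostname = NOCOOKIE_HOST;
  u.protocol = 'https:';
  return u.href;
}

// Rewrite the src attribute of every <iframe> in an HTML string, i.e. the
// embed code an editor pasted into the CMS.
function rewriteYoutubeEmbeds(html) {
  return html.replace(/(<iframe\b[^>]*\bsrc\s*=\s*["'])([^"']*)(["'])/gi,
    (m, pre, src, quote) => pre + toNoCookieUrl(src) + quote);
}
```

Running this as a save-time filter rather than at render time means the stored content is already privacy-enhanced, so an editor cannot undo it by forgetting the option in YouTube’s share dialog.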
This entry was posted on Friday, April 25th, 2014 at 9:01 pm and is filed under Web design + usability.
Could you please post where you did find the cookieless YouTube embedder?
I searched for it but without success.
Interestingly, I used it today, so I know it still exists! :-)
On a desktop PC, under a YouTube video, using English as the interface language, you currently (2017) see the following: the title of the video, the name of the channel plus a subscription button (and, right aligned, the number of views), and then a row of three buttons, “Add to”, “Share”, and “More” (and, right aligned, the number of likes and dislikes).
If you click “Share”, a new sub-form appears below the buttons with three tabs, “Share”, “Embed”, and “Email”.
Click “Embed” and the sub-form changes. It now consists of the three tabs, a field with the embedding code and a link “Show more”.
Click “Show more” and the sub-form changes again. Below the field with the embed link, you now see a preview of the video and below that a number of options. Changing the options will change the embed link and the preview. One of the options is “Enable privacy enhanced mode”. If you select that option, the embed link will change to use the privacy enhanced server.
Note that (as I believe I mentioned in the blog) once a visitor actually plays a video, their privacy-enhanced days are over and Google will start setting cookies.
Here is how Google explains it.