Dealing with the Dutch cookie law as a web developer
This post is partially outdated because of recent developments. See the notes at the bottom.
This note about how to comply with the Dutch cookie law is mostly a memo to self, but I believe the information past the fold is also useful to anyone who runs their own website and needs to ensure the privacy of their site’s visitors.
Web cookies are small pieces of information that can be stored on your computer by the websites that you are visiting.
A typical use of cookies is when sites with a user login, for instance online stores, store a unique code on your computer for the duration of your session so that they don’t have to keep asking you for your password every time you go to a different page. These cookies are deleted when you log out or when you close your browser, whichever comes first.
Another use of cookies is for tracking you across websites and browser sessions. This is done by online advertising networks who build up big personal profiles of you that may include surprisingly effective guesses about your age, gender, sexual preferences, political preferences and so on. There is no reason to assume these networks cannot be hijacked by other parties. Such cookies give bad actors, and I include governments in this, added possibilities when they wish to deal with what they consider problematic individuals.
Legal obligations when setting cookies
In 2009 the European Union amended its Telecom directive with a section on cookies (by which they meant all tracking technologies, not just browser cookies). According to this law, website operators, among others, had to obtain informed consent from visitors before placing cookies that weren’t strictly necessary for the use of the website on the visitor’s computer. This includes the type of tracking cookies that advertising networks use.
If a website cannot obtain permission of a visitor to place these unnecessary cookies, it may not place them. From here on I will only be discussing these unnecessary cookies and will refer to them simply as ‘cookies’.
From what I can tell websites that comply with the directive will typically put a notice at the top of the page that states that by using the website you agree to the placement of cookies.
![Screenshot](https://www.tekstadventure.nl/branko/blog/wp-content/uploads/2014/04/cookies-the_register.co_.uk_-450x144.png)
Illustration: an example of a cookie notice from theregister.co.uk.
The Dutch government went a step further than the directive and created a law containing two further obligations:
- Websites must inform users explicitly about the purpose of each cookie.
- Websites must obtain explicit permission.
What this second step means is that a visitor must click a button stating something like “I agree”. It is not sufficient (under Dutch law) to state that by continuing to use a site the visitor agrees to the use of cookies.
This is problematic for operators of small information-driven websites. Websites of freelancers or amateur talents are typical for this category. These sites are often based on WordPress and are tied to social networking sites through so-called widgets written in Javascript. These widgets place cookies on a visitor’s computer as a matter of course, but are (or so I believe) the responsibility of the website operator, not (or not just) of the social network.
Such an owner may decide to add Google Ads to offset hosting costs. These owners may also embed videos from their YouTube accounts. Google Ads and YouTube both place tracking cookies on a visitor’s computer, allegedly to suit the ads they display to the taste of the visitor.
Impossible
Here’s the kicker. Under Dutch law a visitor must be informed about what each cookie does, but as a website builder you cannot know what foreign cookies do. You only have control over your own code, not over code that is hosted elsewhere. You may set up a test environment to mimic the behaviour of your visitors and use that to read out the cookies that the social and advertising networks place on your test computer, but how can you be sure that you get the exact same cookies as your visitors? You neither own nor know the code that places cookies, so ultimately you cannot know what cookies are being placed.
For instance, a foreign website may set different cookies based on your locality, your IP number, whether or not you are logged into their service and they may set cookies based on your previous surfing behaviour. Each visitor may receive an entirely unique set of cookies.
In order to let your website comply with the Dutch cookie law, you cannot let foreign sites set any cookie when somebody visits your website unless you have your visitor’s permission to do so.
Tracking technologies
There are a number of methods that the operator of a social or advertising network can use to track your visitors:
- HTML iframe and frame elements (load web pages inside another web page)
- HTML object elements (load for instance Adobe Flash programs)
- HTML script elements (run Javascript programs inside a web page)
- Images
- Web fonts
- Anything else that gets loaded or embedded from elsewhere
Different types of cookies can be placed:
- web cookies (initiated by the web site)
- browser cookies (initiated by the browser)
- Flash cookies (set by the Adobe Flash plugin)
- web storage
- zombie cookies
Zombie cookies are web cookies that use as many technologies as the programmer can find to restore a cookie that you deleted. This works as follows. 1) You visit a website. 2) You leave the website and for some reason decide to delete the cookies that it set. 3) Then when you go back to the website, or when you visit a website that runs code from the hostile network, the hostile network will use any of the other types of cookies it can find and any other information it has at its disposal to resurrect the cookie you intentionally deleted.
Apart from cookies and embedded foreign elements on your website there is a very powerful third way with which to track a visitor and that is via IP numbers. An IP number is the address you have on the internet. Every IP number is unique. IP numbers must be sent by the browser to the web server simply because that is how the web server knows where to reach the visitor and send web pages and so on.
Alternative, cookie-less technologies
There are cookieless variants of widgets out there, but they aren’t always easy to find. I stumbled upon a cookieless YouTube embedder because I was looking for it. Share buttons and like buttons are distributed by social networks as easy to use Javascript-based widgets but the cookie free variants are ‘hidden’ in programming manuals. I imagine the reason these cookieless variants exist is so they can be used in internet-aware applications that don’t support Javascript, such as mobile phone apps. Looking for how to implement the functionality of a widget outside a web browser could therefore be a good strategy for finding cookie free alternatives.
A number of these ‘safe’ share links can (update June 2017: no longer) be found at [deleted]. They’ve even built a little generator for share links although this assumes you know the address of the page you’re going to use them on. (Update June 2017: try [deleted]. Update: just search the web for “share link generator”; check that the output of the generator you find is raw HTML.)
If all you need is a plugin that generates ‘safe’ share links for WordPress, as far as I can tell No JS Social Sharing fulfils that need except for the Pinterest button.
A number of social networks document their privacy friendly share links on the following pages:
- Facebook simple
- Facebook feed (lets you add more to the shared link than just the link)
The Pinterest documentation claims you need to use Javascript, but it will work without. The same goes for the Reddit share link.
Note that share links will typically replace your website in the browser when clicked. You will need to write your own pop-up code to avoid this.
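As an added example (not code from the post or from any of the networks), here is a small generator for the kind of ‘safe’ share links described above: it emits raw HTML anchors, so no third-party script runs and nothing is loaded until the visitor actually clicks. The share endpoints are the networks’ plain share URLs as I know them from their documentation and are assumptions to verify before use; the example also shows the two defensive details a generator like this needs: only http(s) page URLs are accepted (so an editor-supplied `javascript:` value can never land in the markup), and the output is HTML-escaped and opens in a new tab with `rel="noopener noreferrer"`, which covers the pop-up concern without any Javascript.

```javascript
// Added example, not code from the original post. Builds raw-HTML share links
// (no third-party script, so no cookie is set until the visitor clicks).
// The share endpoints are the networks' plain URLs as I know them from their
// documentation; treat them as assumptions and verify before use.

const enc = encodeURIComponent;

const SHARE_ENDPOINTS = {
  facebook: (p) => `https://www.facebook.com/sharer/sharer.php?u=${enc(p.url)}`,
  reddit: (p) => `https://www.reddit.com/submit?url=${enc(p.url)}&title=${enc(p.title)}`,
  pinterest: (p) =>
    `https://www.pinterest.com/pin/create/button/?url=${enc(p.url)}` +
    `&description=${enc(p.title)}` + (p.image ? `&media=${enc(p.image)}` : ''),
};

// Only http(s) URLs are accepted: an editor-supplied "javascript:" or
// "data:" value must never end up in markup we generate.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Escape for use inside double-quoted attribute values and element text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Returns { network, href, html } for each network. The anchor opens in a new
// tab, so the share page does not replace your site, and rel="noopener
// noreferrer" keeps the opened page from reaching back into yours through
// window.opener and from receiving your page as referrer.
function shareLinks({ url, title, image }) {
  if (!isHttpUrl(url)) throw new Error('page url must be http(s)');
  if (image !== undefined && !isHttpUrl(image)) throw new Error('image url must be http(s)');
  return Object.entries(SHARE_ENDPOINTS).map(([network, build]) => {
    const href = build({ url, title: title || '', image });
    const html =
      `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">` +
      `Share on ${escapeHtml(network)}</a>`;
    return { network, href, html };
  });
}

// Constructed sample input (not a real page).
const links = shareLinks({
  url: 'https://example.com/blog/cookie-law?ref=home&x=1',
  title: 'Dealing with the "cookie law" <as a dev>',
});
console.log(links.map((l) => l.html).join('\n'));
```

The Pinterest `media` parameter (the image to pin) is optional here; Pinterest’s share page asks the visitor to choose an image when it is absent.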
Further considerations
Although I managed to find privacy friendly versions of social network share links, I struck out with so-called like buttons. These tend to be based on Javascript; perhaps because the networks feel the need to send back real-time information about the number of likes received.
YouTube has a privacy friendly version of its video player, other video hosting websites like Vimeo do not.
If you use privacy friendly versions of widgets and ads, you still have to rely on the honesty of the provider in cases where the privacy friendly versions use one of the methods outlined above (iframes, Javascript and so on). What can you do when the foreign entity breaks its word? What risks do you run as a web site owner?
The only safety lies in not embedding or loading anything from a foreign website unless you have a visitor’s permission to set cookies. German publisher Heise developed a method for double clicking like buttons; the first button indicating your permission and the second being the actual ‘like’.
This method could be extended to everything that gets embedded by providing filters in popular CMSes and frameworks for ‘dangerous’ HTML elements. If these elements point to foreign sources (src and href attributes) they could be filtered out by default unless you get the visitor’s OK to place cookies. This would also impact embedded items that do not track your visitors.
Hiding widgets from visitors until they permit you to show them still does not let you abide by the Dutch cookie law, because you still have to tell visitors what the cookies from widgets do. If you make a good faith effort to study and report the cookies that third parties set, at least you will have helped your visitors as best you can and hopefully have made yourself a smaller target for the authorities.
Update 23 February 2022, part 1: since I published this, the EU has issued a directive that deals with the way third parties track personal data. Unfortunately I do not entirely understand how this works, so I cannot currently tell you more.
Update 23 February 2022, part 2: I mentioned the cookieless Youtube embedder. On a site I manage I noticed that editors would sometimes forget to use the privacy-enhanced versions of Youtube videos, so I made a WordPress plugin, called No Cookie for Youtube, that changes every Youtube link into its privacy-enhanced version.
Since then, however, I have also come to the realisation that this is not much of a solution either, because a) once a visitor presses Play, cookies are placed without their informed consent, and b) I believe (although I cannot prove it) that Google/Youtube uses other tracking techniques, even if you use the privacy-enhanced version.
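The following is an added example, not code from the post and not the No Cookie for Youtube plugin. It combines the two ideas from the ‘Further considerations’ section and this update: an HTML filter that swaps every element loading from a host other than the site’s own for a placeholder the visitor has to click (the Heise two-click idea applied to all of the loading elements listed under ‘Tracking technologies’), and, for YouTube iframes, a rewrite to the privacy-enhanced host `www.youtube-nocookie.com` before the embed is stored in the placeholder. The placeholder markup, class names and the `SOURCE_ATTR` table are my own choices, and the sample fragment is constructed. Because of point a) above, the rewrite alone is not treated as consent: the rewritten iframe is still gated.

```javascript
// Added example; not code from the post or from the No Cookie for Youtube plugin.
// Filters a fragment of HTML before it is served: every element that loads
// from a host other than the site's own is replaced by a placeholder the
// visitor must click first, and YouTube iframes are also rewritten to the
// privacy-enhanced host. Placeholder markup and class names are my own.

const PRIVACY_HOST = 'www.youtube-nocookie.com';       // YouTube's privacy-enhanced embed host
const YOUTUBE_HOSTS = new Set(['youtube.com', 'www.youtube.com', 'm.youtube.com']);

// Elements that can pull in foreign content, and the attribute naming the
// source (assumed table). Elements with content are matched up to their
// closing tag; void elements on their start tag only.
const SOURCE_ATTR = { iframe: 'src', frame: 'src', script: 'src', object: 'data',
                      embed: 'src', img: 'src', link: 'href' };
const ELEMENT_RE =
  /<(iframe|script|object)\b([^>]*)>[\s\S]*?<\/\1\s*>|<(frame|embed|img|link)\b([^>]*)\/?>/gi;

function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Pull one attribute value out of a start tag's attribute string, or null.
function getAttr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] || m[2] || m[3] || '') : null;
}

// Resolve the value the way a browser would (relative and protocol-relative
// URLs resolve against the site) and return the host that will be contacted,
// or null when nothing leaves the page (data: URLs). Unparsable values and
// non-http(s) schemes are reported as pseudo-hosts so that they get gated.
function loadingHost(value, siteHost) {
  let u;
  try { u = new URL(value, `https://${siteHost}/`); } catch (e) { return 'invalid-url'; }
  if (u.protocol === 'data:') return null;
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'unsafe-scheme';
  return u.hostname.toLowerCase();
}

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

// YouTube embed URL -> same URL on the privacy-enhanced host; anything else unchanged.
function privacyEnhanced(value, siteHost) {
  try {
    const u = new URL(value, `https://${siteHost}/`);
    if (YOUTUBE_HOSTS.has(u.hostname.toLowerCase()) && u.pathname.startsWith('/embed/')) {
      u.hostname = PRIVACY_HOST;
      return u.toString();
    }
  } catch (e) { /* malformed: leave as is, it will be gated anyway */ }
  return value;
}

// Returns the filtered HTML plus a list of what was gated, for logging.
function gateExternalEmbeds(html, siteHost) {
  const gated = [];
  const out = html.replace(ELEMENT_RE, (whole, t1, a1, t2, a2) => {
    const tag = (t1 || t2).toLowerCase();
    const attrs = a1 !== undefined ? a1 : a2;
    const src = getAttr(attrs, SOURCE_ATTR[tag]);
    if (src === null) return whole;                              // inline script/object: nothing loaded
    const host = loadingHost(src, siteHost);
    if (host === null || isFirstParty(host, siteHost)) return whole;
    // The (rewritten) embed survives only as inert attribute data; a small
    // click handler on the page that swaps it back into the DOM is the consent step.
    const safer = privacyEnhanced(src, siteHost);
    gated.push({ tag, host, src: safer });
    return `<button type="button" class="consent-gate" data-embed="${escapeHtml(whole.replace(src, safer))}">` +
           `Load content from ${escapeHtml(host)} (may set cookies)</button>`;
  });
  return { html: out, gated };
}

// Constructed sample page fragment (hosts and VIDEO_ID are placeholders).
const SAMPLE = `
<p>Intro</p>
<img src="/images/logo.png" alt="logo">
<script src="https://cdn.example.com/site.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID?rel=0" width="560"></iframe>
<script src="https://platform.social-example.net/widgets.js"></script>
<link rel="stylesheet" href="https://fonts.example.org/css?family=Foo">
<script>console.log('inline, stays');</script>
`;
const result = gateExternalEmbeds(SAMPLE, 'example.com');
console.log(result.html);
console.log(result.gated);
```

The first-party check treats subdomains of the site (`cdn.example.com` here) as own content; if your CDN or fonts live on a separate domain, add it to the check explicitly rather than loosening the match. The regex-based tag matching is adequate for a CMS output filter but is not a full HTML parser; an upload of untrusted HTML should go through a real sanitiser first.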
Could you please post where you did find the cookieless YouTube embedder?
I searched for it but without success.
Thank you
Interestingly, I used it today, so I know it still exists! :-)
On a desktop PC, under a YouTube video, using English as the interface language, you currently (2017) see the following: the title of the video, the name of the channel plus a subscription button (and, right aligned, the amount of views), and then a row of three buttons, “Add to”, “Share”, and “More” (and, right aligned, the amount of likes and dislikes).
If you click “Share”, a new sub-form appears below the buttons with three tabs, “Share”, “Embed”, and “Email”.
Click “Embed” and the sub-form changes. It now consists of the three tabs, a field with the embedding code and a link “Show more”.
Click “Show more” and the sub-form changes again. Below the field with the embed link, you now see a preview of the video and below that a number of options. Changing the options will change the embed link and the preview. One of the options is “Enable privacy enhanced mode”. If you select that option, the embed link will change to use the privacy enhanced server.
Note that (as I believe I mentioned in the blog) once a visitor actually plays a video, their privacy-enhanced days are over and Google will start setting cookies.
Here is how Google explains it.
Thank you!