EU cookie law and jquery.com setting Google Analytics cookies
I'm trying to develop various webpages using jQuery and jQuery Mobile and have been using
http://code.jquery.com as the source of the jQuery and jQuery Mobile scripts and the jQuery CSS.
I have noticed that Google Analytics cookies are being set, which belong to the domain .jquery.com. I don't think it would be in my power either to block these or delete them and, even if it was, presumably, such action would not be welcomed by the jQuery Foundation.
I'm trying to be strictly compliant with relevant EU law. Google Analytics cookies do not, as I understand it, fall within the "strictly necessary" category of cookie, so, as I understand it, I ought to obtain prior consent to them being set. I am uncertain whether obtaining such consent is my responsibility. I'm not setting them but I think they are being set as a result of me embedding code from http://code.jquery.com. (I have not actually verified that no Google Analytics cookies are set if I host the relevant files and I have not tried to inspect the code to see if I can see evidence that it sets cookies.)
I don't want the consequence of this post to be that the jQuery Foundation stops offering the possibility of embedding code hosted at http://code.jquery.com. I can understand the Foundation wanting to keep track of usage of its hosted code. I assume but have not verified that my webpages will load more quickly if code at http://code.jquery.com is used, rather than locally hosted copies. I don't know whether http://code.jquery.com amounts to what is called a CDN (content delivery network), nor whether I'd get better performance by using e.g. Google's CDN (nor whether I'd then have exactly the same issue regarding Google Analytics cookies and/or other cookies and consent).
To deal with the need to gain consent prior to Google Analytics cookies being placed, the approach I currently have in mind is to implement a landing page which either uses locally hosted jQuery code (assuming this will not cause cookies to be set) or no jQuery code.
At least for my jQuery Mobile pages, if I've caused locally hosted jQuery code to be loaded initially in the head section, I think there's no point in specifying remotely hosted jQuery code on other pages, unless I'm going to cause full page loads instead of insertion of pages into the originally loaded DOM.
Assuming I was going to embed code from .jquery.com in some pages of my website, that landing page would seek to obtain explicit consent to the setting of Google Analytics cookies (by .jquery.com and possibly by my own domain) or indicate that by proceeding beyond the landing page visitors would be giving implicit consent to such setting of Google Analytics cookies. It might also alert users to the possibility of installing Google's Google Analytics opt-out browser add-on (if they are using one of the popular browsers which are supported), though I wouldn't want to encourage that because I might want to use Google Analytics myself (and besides, even if I don't want to use it, lots of people do).
I'm unsure whether my landing page will take visitors to another page automatically based on whether particular cookies are set or whether I will make the landing page adapt itself by loading particular scripts from particular sources based on whether particular cookies are set. Either of those approaches is probably going to result in it taking longer to load the appropriate page/version of a page than it would take to simply load the page using locally hosted jQuery code, though, if there are other cookies I need to test for and act on, right at the outset, a separate initial landing page or a self-adapting landing page may be inevitable.
I'd envisage that if visitors arrive on my site at a page other than the intended initial landing page without a relevant cookie consent cookie having been set, they would be redirected to the intended landing page. If the page they initially arrived at used code at http://code.jquery.com, they might end up with Google Analytics cookies from jquery.com without having given prior consent but I'd have done my best to be compliant.
I may well be making a mountain out of a molehill. I'd hope that website operators who had made a genuine attempt at legal compliance would not face serious consequences for technical non-compliance when what was complained of 1) was outside their control (though website operators do have control, to the extent that they decide whether or not to embed remote code) or 2) arose only in edge cases.
I would be interested to hear if readers find that the above evidences any misconceptions on my part and to hear whether, and if so how, other readers who design websites have addressed the issue of Google Analytics cookies being set without website visitors' prior consent as a consequence of the website designer having embedded code from elsewhere.
I have noticed that Google Analytics cookies are being set, which belong to the domain .jquery.com. I don't think it would be in my power either to block these or delete them and, even if it was, presumably, such action would not be welcomed by the jQuery Foundation.
I'm trying to be strictly compliant with relevant EU law. Google Analytics cookies do not, as I understand it, fall within the "strictly necessary" category of cookie, so, as I understand it, I ought to obtain prior consent to them being set. I am uncertain whether obtaining such consent is my responsibility. I'm not setting them but I think they are being set as a result of me embedding code from http://code.jquery.com. (I have not actually verified that no Google Analytics cookies are set if I host the relevant files and I have not tried to inspect the code to see if I can see evidence that it sets cookies.)
I don't want the consequence of this post to be that the jQuery Foundation stops offering the possibility of embedding code hosted at http://code.jquery.com. I can understand the Foundation wanting to keep track of usage of its hosted code. I assume but have not verified that my webpages will load more quickly if code at http://code.jquery.com is used, rather than locally hosted copies. I don't know whether http://code.jquery.com amounts to what is called a CDN (content delivery network), nor whether I'd get better performance by using e.g. Google's CDN (nor whether I'd then have exactly the same issue regarding Google Analytics cookies and/or other cookies and consent).
To deal with the need to gain consent prior to Google Analytics cookies being placed, the approach I currently have in mind is to implement a landing page which either uses locally hosted jQuery code (assuming this will not cause cookies to be set) or no jQuery code.
At least for my jQuery Mobile pages, if I've caused locally hosted jQuery code to be loaded initially in the head section, I think there's no point in specifying remotely hosted jQuery code on other pages, unless I'm going to cause full page loads instead of insertion of pages into the originally loaded DOM.
Assuming I was going to embed code from .jquery.com in some pages of my website, that landing page would seek to obtain explicit consent to the setting of Google Analytics cookies (by .jquery.com and possibly by my own domain) or indicate that by proceeding beyond the landing page visitors would be giving implicit consent to such setting of Google Analytics cookies. It might also alert users to the possibility of installing Google's Google Analytics opt-out browser add-on (if they are using one of the popular browsers which are supported), though I wouldn't want to encourage that because I might want to use Google Analytics myself (and besides, even if I don't want to use it, lots of people do).
I'm unsure whether my landing page will take visitors to another page automatically based on whether particular cookies are set or whether I will make the landing page adapt itself by loading particular scripts from particular sources based on whether particular cookies are set. Either of those approaches is probably going to result in it taking longer to load the appropriate page/version of a page than it would take to simply load the page using locally hosted jQuery code, though, if there are other cookies I need to test for and act on, right at the outset, a separate initial landing page or a self-adapting landing page may be inevitable.
I'd envisage that if visitors arrive on my site at a page other than the intended initial landing page without a relevant cookie consent cookie having been set, they would be redirected to the intended landing page. If the page they initially arrived at used code at http://code.jquery.com, they might end up with Google Analytics cookies from jquery.com without having given prior consent but I'd have done my best to be compliant.
I may well be making a mountain out of a molehill. I'd hope that website operators who had made a genuine attempt at legal compliance would not face serious consequences for technical non-compliance when what was complained of 1) was outside their control (though website operators do have control, to the extent that they decide whether or not to embed remote code) or 2) arose only in edge cases.
I would be interested to hear if readers find that the above evidences any misconceptions on my part and to hear whether, and if so how, other readers who design websites have addressed the issue of Google Analytics cookies being set without website visitors' prior consent as a consequence of the website designer having embedded code from elsewhere.
Topic Participants
graham
jakecigar
jtara-jquery