Privacy policy discussion page

Legal review

Given the potential legal ramifications (particularly in the EU), it may be wise for the privacy policy to be reviewed by a lawyer before being put into effect.

References

• eTrust web site:
  • Importance of a valid privacy policy
  • Collecting data from children
  • Commercial Privacy considerations
  • Creating your privacy policy

Examples

• Wikimedia Foundation
• U.S. Department of Homeland Security

---

I'm a bit dubious about the accuracy of the description of how we use cookies. That needs to be checked. Otherwise, excellent; though as stated above, it needs to be checked by a lawyer, and doesn't it require a governing body of law (e.g. this policy will be interpreted under EU law)?

-- CrawfordCurrie - 12 Nov 2008 - 07:33

Note the description of cookies is intended to cover future use cases as well, so the privacy policy does not have to be continually updated. The main other use case is tracking cookies, for statistics-gathering purposes. If the project intends to cover this case, then more provisions about how the data will be kept private will have to be added.

One complication is that since external tools like Sourceforge are being used, it may be difficult to list in detail what cookies are being used for on these external sites. An exception for external servers (such as the one in the section on server logs) may be required.

-- IsaacLin - 12 Nov 2008 - 23:31

I have updated the draft policy to include some provisions for tracking cookies.

-- IsaacLin - 12 Oct 2008

The UK is due to start enforcing the EU policy on information storage and retrieval consent. This triggered me into looking at the regulations.

Basically any site that stores a cookie on the users' browser is required to seek explicit permission from the user to do so. There are some exceptions; the law is principally aimed at companies that use cookies for analytics. "Explicit permission" means a popup or other active assent on the part of a visitor to the storing of cookies.

Most websites in the EU seem to be playing a waiting game; probably waiting to see what google does.

From my reading of the UK regulations, Foswiki.org does use cookies that would require explicit consent. These include the session cookie and any preference cookies, plus any analytics cookies.

It seems to me that we can easily obtain an explicit consent from a user who logs in, with a small modification to the login page. Getting a consent from a casual visitor, however, is tricky.

Irrespective of the outcome of any action taken against major websites, I believe Foswiki has to have a plan in place to implement such a consent mechanism, if we want to continue using hosting in the EU.

The UK advice is here: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

Obviously Foswiki is not hosted in the UK; however the rest of the EU will be implementing similar laws on similar timescales (the dutch equivalent appears, if anything, somewhat stiffer).

-- CrawfordCurrie - 04 Apr 2012

(14:57:54) MichaelDaum: I wouldn't care abouit t
(15:00:10) MichaelDaum: what I can agree to is a message in template login saying "we are storing a cookie for your session"

(15:14:13) OliverKrueger: [...] we can do it the google way: display a nag screen / header with some privacy policy bla bla and store a "no nag screen cookie" when the casual user clicks "ok". pro: the user is nagged only once. contra: the user is nagged all the time if s/he deletes his/her cookies.

---

The EU "cookie law" has finally kicked in http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/

-- CrawfordCurrie - 02 Feb 2013