Application Cookies | GDPR and Cookie Consent in VerseOne Applications
VerseOne's software platforms power hundreds of websites, intranets and other digital solutions across the Social Housing and Healthcare sectors, and customers naturally want to know that they are compliant with Data Protection laws.
The article below outlines how cookies work within VerseOne CMS, and how the application makes provision for third party cookies.
What are cookies?
Cookies are small identification tokens placed on a user's web browser that provide a web application with some basic information about the current visitor's browsing session.
As the web has grown, some companies have used these tokens to track user behaviour across multiple websites — often used for the purposes of serving targeted advertising or other services — in a way that many think is abusive and contrary to a user's privacy online.
As a consequence, a number of legal instruments have been passed in order to make people more aware of the existence of cookies, how they can be misused, and to provide users with mechanisms for making an informed choice as to whether they wish to accept these terms.
However, cookies also serve useful purposes, such as:
- maintaining a "session key" which is required in order to allow users to log in to websites and portals;
- assigning unique security keys that protect user privacy by ensuring that users' form submissions are not hijacked by hackers;
- maintaining a server key so that, in multi-server environments, users are not randomly jumped between servers such that they are forced to repeatedly login.
These kinds of cookies are broadly known as "essential cookies", i.e. they are absolutely required in order to allow the operation of the application and to protect the privacy and data of users.
VerseOne CMS Cookies
By default, VerseOne CMS uses only one essential cookie, which is called JSESSIONID: this cookie is destroyed at the end of a user's session, i.e. when a user logs out and leaves the site, or after 20 minutes of inactivity on a VerseOne CMS-powered site.
VerseOne CMS does not track users across sites, and JSESSIONID does not enable any functionality except the three items listed above.
JSESSIONID is an essential cookie — it is absolutely required for the operation of the solution and for the protection of users' data and security. For this reason, it cannot be switched off and users cannot opt out.
VerseOne CMS also uses VOPECRA, a long-term non-tracking cookie that is only placed on the user's browser if the user accepts cookies: VOPECRA is the cookie that remembers that the user has accepted cookies.
If the option is switched on, VerseOne CMS also uses KMLI, a medium-term non-tracking cookie that is only placed on the user's browser if the user selects the Remember Me login feature.
Finally, solutions hosted within VerseOne's high-availability Managed Cloud Services environment also use a session management cookie that maintains the user's context across multiple servers: this has the format TS0xxxxxxx.
|JSESSIONID||Session||Essential cookie for software functionality including session management for authentication, form submission validation, load-balancer configuration. Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity.||44B|
|VOPECRA||'Permanent' (multi-year duration)||Remembers that a user has accepted cookies from a specific VerseOne CMS-powered website, enabling cookies from GA and Code Droplets (where configured). Secured and does not track across websites (domain-specific).||8B|
|KMLI_FRONTEND||Configurable duration||Remembers the user so that they do not have to explicitly login to the CMS or front-end features. Secured and does not track across websites (domain-specific). Duration is configurable in VerseOne CMS (default is 2 weeks).||141B|
|TS0xxxxxxx||Session||Essential cookie for maintaining context across VerseOne 's multiple high-availability application servers and secure Web Application Firewall (WAF). Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity.||116B|
VerseOne CMS does not explicitly enable users to reject cookies: in order for this to work in a user-friendly manner, a cookie would have to be placed on the user's browser that would remember that the user had rejected cookies.
Third Party Cookies
Many organisations do legitimately seek information on how people use their websites and digital solutions, so that they can genuinely improve their service to their users — and VerseOne makes this possible through two mechanisms:
- the ability to enter a Google Analytics (GA) ID at site level;
- the ability to enter any other third party code (which may or may not include cookies) through the Code Droplets Module.
VerseOne provides these features but the decision whether or not to use them rests with the VerseOne customer — they can add or remove such services at any time.
Cookie Acceptance Features
VerseOne does, of course, provide its customers with a number of methods for ensuring legal compliance, which were originally put in place to comply with the European Union Privacy and Electronic Communications Regulations (PECR) Amendment, popularly known as the "cookie law".
These features were reviewed with the release of the EU General Data Protection Regulations (GDPR) and the subsequent Data Protection Act 2018 (which comprises the current UK legislation, including the "Frozen GDPR").
These features enable customers to be compliant with GDPR, and are set at Web Site level in VerseOne CMS, and comprise the following:
- PECR Policy: this consists of three settings (of which more, below), which reflect the various positions taken by the Information Commissioners Office (ICO) since the introduction of the "cookie law";
- PECR Banner Text: this is a Word-style Editor which allows customers to insert their own wording, according to their own policies and assessments of the current legal position, into the Cookie Acceptance Banner that appears on all pages of the website;
- PECR Button Text: this allows customers to insert their own wording into the acceptance button.
As mentioned above, the PECR Policy has three settings:
Other than the essential JSESSIONID and the TS0xxxxxxx (WAF), and provided that Code Droplets are correctly configured [see below], no cookies are placed on the user's browser unless they explicitly provide permission by pressing the PECR Button. Web administrators should use this setting for all public websites in order to be compliant with current GDPR
|Relaxed (May 2013): Cookies on, show warning||
Shortly after the introduction of the PECR, the EU and ICO determined that users now had enough information about cookies. The guidance was changed: if a user was presented with an information banner and then proceeded to use the website, they had implicitly accepted cookies. This setting should not currently be used — although this state of affairs is likely to change in the UK in the medium–longer term
|Off: Cookies always enabled||This setting should only be used in controlled environments, such as for intranets.|
VerseOne CMS does not provide any method for users to opt out of the JSESSIONID or other essential cookies listed above because otherwise, under the legal definition, it would not be essential. As such, if the user accepts cookies via the Cookie Acceptance Banner, it is always any third party (potentially tracking) cookies that they are accepting.
As outlined previously, third party code — e.g. heat-mapping software, or videos from YouTube — can be added via Code Droplets. These services almost always include tracking cookies although many (such as YouTube) do provide the ability to omit these cookies when generating the embed code (usually referred to as "GDPR safe" or similar).
VerseOne CMS Code Droplets provide editors with a control: when the GDPR Safe control is set to Yes, then the Code Droplet will obey the Web Site PECR Policy, e.g. if a YouTube video is in a GDPR Safe Code Droplet and the PECR Policy is set to Strict, the video will not render — unless or until the visitor accepts cookies.
If in doubt, follow the example of the Information Commissioner's Office: https://ico.org.uk/global/cookies/