Application Cookies | GDPR and Cookie Consent in VerseOne Applications

VerseOne's software platforms power hundreds of websites, intranets and other digital solutions across the Social Housing and Healthcare sectors, and customers naturally want to know that they are compliant with Data Protection laws.

The article below outlines how cookies work within VerseOne CMS, and how the application makes provision for third party cookies.

What are cookies?

Cookies are small identification tokens placed on a user's web browser that provide a web application with some basic information about the current visitor's browsing session.

As the web has grown, some companies have used these tokens to track user behaviour across multiple websites — often used for the purposes of serving targeted advertising or other services — in a way that many think is abusive and contrary to a user's privacy online.

As a consequence, a number of legal instruments have been passed in order to make people more aware of the existence of cookies, how they can be misused, and to provide users with mechanisms for making an informed choice as to whether they wish to accept these terms.

Essential Cookies

However, cookies also serve useful purposes, such as:

  • maintaining a "session key" which is required in order to allow users to log in to websites and portals;
  • assigning unique security keys that protect user privacy by ensuring that users' form submissions are not hijacked by hackers;
  • maintaining a server key so that, in multi-server environments, users are not randomly jumped between servers such that they are forced to repeatedly login.

These kinds of cookies are broadly known as "essential cookies", i.e. they are absolutely required in order to allow the operation of the application and to protect the privacy and data of users.

VerseOne CMS Cookies

By default, VerseOne CMS uses only one essential cookie, which is called JSESSIONID: this cookie is destroyed at the end of a user's session, i.e. when a user logs out and leaves the site, or after 20 minutes of inactivity on a VerseOne CMS-powered site.

VerseOne CMS does not track users across sites, and JSESSIONID does not enable any functionality except the three items listed above.

JSESSIONID is an essential cookie — it is absolutely required for the operation of the solution and for the protection of users' data and security. For this reason, it cannot be switched off and users cannot opt out.

VerseOne CMS also uses VOPECRA, a long-term non-tracking cookie that is only placed on the user's browser if the user accepts cookies: VOPECRA is the cookie that remembers that the user has accepted cookies.

VerseOne CMS Cookies
Name Duration Function Size
JSESSIONID Session Essential cookie for software functionality including session management for authentication, form submission validation, load-balancer configuration. Secured and does not track across websites (domain-specific). 44B
VOPECRA 'Permanent' (multi-year duration) Remembers that a user has accepted cookies from a specific VerseOne CMS-powered website, enabling cookies from GA and Code Droplets (where configured). Secured and does not track across websites (domain-specific). 8B

VerseOne CMS does not explicitly enable users to reject cookies: in order for this to work in a user-friendly manner, a cookie would have to be placed on the user's browser that would remember that the user had rejected cookies.

Third Party Cookies

Many organisations do legitimately seek information on how people use their websites and digital solutions, so that they can genuinely improve their service to their users — and VerseOne makes this possible through two mechanisms:

  • the ability to enter a Google Analytics (GA) ID at site level;
  • the ability to enter any other third party code (which may or may not include cookies) through the Code Droplets Module.

VerseOne provides these features but the decision whether or not to use them rests with the VerseOne customer — they can add or remove such services at any time.

Cookie Acceptance Features

VerseOne does, of course, provide its customers with a number of methods for ensuring legal compliance, which were originally put in place to comply with the European Union Privacy and Electronic Communications Regulations (PECR) Amendment, popularly known as the "cookie law".

These features were reviewed with the release of the EU General Data Protection Regulations (GDPR) and the subsequent Data Protection Act 2018 (which comprises the current UK legislation, including the "Frozen GDPR").

These features enable customers to be compliant with GDPR, and are set at Web Site level in VerseOne CMS, and comprise the following:

  • PECR Policy: this consists of three settings (of which more, below), which reflect the various positions taken by the Information Commissioners Office (ICO) since the introduction of the "cookie law";
  • PECR Banner Text: this is a Word-style Editor which allows customers to insert their own wording, according to their own policies and assessments of the current legal position, into the Cookie Acceptance Banner that appears on all pages of the website;
  • PECR Button Text: this allows customers to insert their own wording into the acceptance button.

As mentioned above, the PECR Policy has three settings:

PECR Policy Details
Option Details
Strict

Other than the essential JSESSIONID, and provided that Code Droplets are correctly configured [see below], no cookies are placed on the user's browser unless they explicitly provide permission by pressing the PECR Button. Web administrators should use this setting for all public websites in order to be compliant with current GDPR

Relaxed (May 2013): Cookies on, show warning

Shortly after the introduction of the PECR, the EU and ICO determined that users now had enough information about cookies. The guidance was changed: if a user was presented with an information banner and then proceeded to use the website, they had implicitly accepted cookies. This setting should not currently be used — although this state of affairs is likely to change in the UK in the medium–longer term

Off: Cookies always enabled This setting should only be used in controlled environments, such as for intranets.

VerseOne CMS does not provide any method for users to opt out of the JSESSIONID essential cookie because otherwise, under the legal definition, it would not be essential. As such, if the user accepts cookies via the Cookie Acceptance Banner, they are always accepting tracking cookies.

Code Droplets

As outlined previously, third party code — e.g. heat-mapping software, or videos from YouTube — can be added via Code Droplets. These services almost always include tracking cookies although many (such as YouTube) do provide the ability to omit these cookies when generating the embed code (usually referred to as "GDPR safe" or similar).

VerseOne CMS Code Droplets provide editors with a control: when the GDPR Safe control is set to Yes, then the Code Droplet will obey the Web Site PECR Policy, e.g. if a YouTube video is in a GDPR Safe Code Droplet and the PECR Policy is set to Strict, the video will not render — unless or until the visitor accepts cookies.

Exceptions

If a customer believes that a Code Droplet third party item is "essential", then they may set GDPR Safe to No. However, they should detail any cookies that the service will place on the user's browser in their Privacy Policy (and the reason why they believe that the service and cookie is essential).

All cookies used on a website should be documented on the Privacy Policy or Cookie Policy pages, and linked to from the Cookie Acceptance Banner.