VerseOne DXP Application Cookies
VerseOne's Digital Experience Platform (DXP) CMS powers hundreds of websites, intranets and other digital solutions across the Social Housing and Healthcare sectors, and customers naturally want to know that they are compliant with Data Protection laws.
The article below outlines how cookies work within VerseOne DXP, and how the application makes provision for third party cookies.
What are cookies?
Cookies are small identification tokens placed on a user's web browser that provide a web application with some basic information about the current visitor's browsing session.
As the web has grown, some companies have used these tokens to track user behaviour across multiple websites — often used for the purposes of serving targeted advertising or other services — in a way that many think is abusive and contrary to a user's privacy online.
As a consequence, a number of legal instruments have been passed in order to make people more aware of the existence of cookies, how they can be misused, and to provide users with mechanisms for making an informed choice as to whether they wish to accept these terms.
Key principle: informed consent
The key provision is that of informed choice: users cannot make an informed choice if:
- the cookie banner does not show, or is not otherwise legible (in a language that the user does not understand, covered by other page elements, etc.);
- the cookie banner does not either explicitly list all cookies currently used by your site (in the format outlined below) or, more commonly, contain a link to a page that does (Cookie Policy or Privacy Policy. We recommend having both, as their intent is often different);
- you place cookies that are not listed in the Cookie Policy;
- cookies are placed on the user's device prior to them explicitly accepting them.
The above does not apply to Essential Cookies, except that you should list the Esssential Cookies in your Cookie Policy, and provide justification as to why they are essential (in the legal definition of the term). No tracking cookie is ever essential: a cookie for maintaining a user's login session is essential, for instance, but it would not be legal for that session cookie to act as a key for tracking user behaviour.
If you are uncertain about any aspect of your cookie policy, always consider consider whether a user is given enough information and the technical ability to give informed consent.
Essential Cookies
However, cookies also serve useful purposes, such as:
- maintaining a "session key" which is required in order to allow users to log in to websites and portals;
- assigning unique security keys that protect user privacy by ensuring that users' form submissions are not hijacked by hackers;
- maintaining a server key so that, in multi-server environments, users are not randomly jumped between servers such that they are forced to repeatedly login.
These kinds of cookies are broadly known as "Essential Cookies", i.e. they are absolutely required in order to allow the operation of the application and to protect the privacy and data of users, and these have a special meaning with the UK GDPR.
VerseOne CMS Cookies
By default, VerseOne CMS uses only one Essential Cookie, which is called JSESSIONID: this cookie is destroyed at the end of a user's session, i.e. when a user logs out and leaves the site, or after 20 minutes of inactivity on a VerseOne DXP-powered site.
VerseOne DXP does not track users across sites, and JSESSIONID does not enable any functionality except the three items listed above.
JSESSIONID is an Essential Cookie — it is absolutely required for the operation of the solution and for the protection of users' data and security. For this reason, it cannot be switched off and users cannot opt out.
VerseOne DXP also uses VOPECRA, a long-term non-tracking cookie that is only placed on the user's browser when the user accepts or declines cookies via the Cookie Banner: VOPECRA is the cookie that remembers the user's cookie preferences. This cookie currently lasts for years, although we anticipate allowing our customers to set shorter time periods (e.g. 6 months) before the end of 2024.
If the option is switched on, VerseOne DXP also uses KMLI, a medium-term non-tracking cookie that is only placed on the user's browser if the user selects the Remember Me login feature.
Finally, solutions hosted within VerseOne's high-availability Managed Cloud Services environment also use a Firewall-generated session management cookie that maintains the user's context across multiple servers: this has the format TS0xxxxxxx. Once a user has made a cookie choice, the Firewall may generate a new session management cookie.
So, by default, all sites hosted on VerseOne's environment will have JSESSIONID and TS0xxxxxxx. Depending on configuration and user choices, they may also see VOPECRA or KMLI, and a second TS0xxxxxxx.
| Name | Duration | Function | Size |
|---|---|---|---|
| JSESSIONID | Session | Essential cookie for software functionality including session management for authentication, form submission validation, load-balancer configuration. Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity. | 44B |
| VOPECRA | 'Permanent' (multi-year duration) | Remembers that a user has accepted or declined cookies from a specific VerseOne DXP-powered website, enabling cookies from GA and Code Droplets (where configured). Secured and does not track across websites (domain-specific). | 8B |
| KMLI_FRONTEND | Configurable duration | Remembers the user so that they do not have to explicitly login to the DXP or front-end features. Secured and does not track across websites (domain-specific). Duration is configurable in VerseOne DXP (default is 2 weeks). | 141B |
| TS0xxxxxxx | Session | Essential cookie for maintaining context across VerseOne 's multiple high-availability application servers and secure Web Application Firewall (WAF). Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity. | 116B |
As of VerseOne DXP v5.7.3 (May 2023), users can explicitly reject cookies: in order for this to work, the VOPECRA cookie has to be placed in the user's browser that remembers this choice.
VerseOne DXP Biometrics & Notifications
VerseOne DXP v5.7.3.5 (August 2023) adds the ability for users to log in with biometrics — most pertinently on mobile devices (whether via VerseOne's new PWA mobile app, or via a browser), but also with biometric-enabled laptop and desktop computers.
When this feature is enabled and the user opts to login via biometrics, another cookie is added to the device that remembers that choice — and presents the device's biometric login dialogue rather than the traditional username and password.
VerseOne DXP v5.7.4 (October 2023) will also add the ability for users to subscribe to Push Notifications, most pertinently for mobile devices.
| Name | Duration | Function | Size |
|---|---|---|---|
| VOPWABIOM | 1 – 6 months | Remembers that the user wants to login via biometrics, stores their unique system key, and so presents the OS biometric dialogue. Configurable on a per site basis, between 1 – 6 months. | 75B |
| VOPWASUB | 1 – 6 months | Remembers that the user has subscribed to Push Notifications, and stores their unique system key. Configurable on a per site basis, between 1 – 6 months. | 74B |
Third Party Cookies
Many organisations do legitimately seek information on how people use their websites and digital solutions, so that they can genuinely improve their service to their users — and VerseOne makes this possible through two mechanisms:
- the ability to enter a Google Analytics (GA) ID at site level;
- the ability to enter any other third party code (which may or may not include cookies) through the Code Droplets Module.
VerseOne provides these features but the decision whether or not to use them rests with the VerseOne customer — they can add or remove such services at any time.
Cookie Acceptance Features
VerseOne does, of course, provide its customers with a number of methods for ensuring legal compliance, which were originally put in place to comply with the European Union Privacy and Electronic Communications Regulations (PECR) Amendment, popularly known as the "cookie law".
These features were reviewed with the release of the EU General Data Protection Regulations (GDPR) and the subsequent Data Protection Act 2018 (which comprises the current UK legislation, including the "Frozen GDPR" or "UK GDPR").
These features enable customers to be compliant with GDPR, and are set at Web Site level in VerseOne DXP, and comprise the following:
- PECR Policy: this consists of three settings (of which more, below), which reflect the various positions taken by the Information Commissioners Office (ICO) since the introduction of the "cookie law";
- PECR Banner Text: this is a Word-style Editor which allows customers to insert their own wording, according to their own policies and assessments of the current legal position, into the Cookie Acceptance Banner that appears on all pages of the website;
- PECR Button Text: this allows customers to insert their own wording into the acceptance button.
As mentioned above, the PECR Policy has three settings:
| Option | Details |
|---|---|
| Strict |
Other than the essential JSESSIONID and the TS0xxxxxxx (WAF), and provided that Code Droplets are correctly configured [see below], no cookies are placed on the user's browser unless they explicitly provide permission by pressing the PECR Button. Website administrators should use this setting for all public websites in order to be compliant with current GDPR. |
| Relaxed (May 2013): Cookies on, show warning |
Shortly after the introduction of the PECR, the EU and ICO determined that users now had enough information about cookies. The guidance was changed: if a user was presented with an information banner and then proceeded to use the website, they had implicitly accepted cookies. This setting should not currently be used — although this state of affairs is likely to change in the UK in the medium–longer term. |
| Off: Cookies always enabled | This setting should only be used in controlled "non-public" environments, such as for intranets. |
VerseOne DXP does not provide any method for users to opt out of the JSESSIONID or other essential cookies listed above because otherwise, under the legal definition, they would not be essential. As such, if the user accepts or declines cookies via the Cookie Acceptance Banner, it is always any third party (potentially tracking) cookies that they are accepting or declining.
Suggested Cookie Banner Text
VerseOne suggests that your cookie banner uses text similar to the following (but, of course, your own compliance or legal team may wish to amend this to reflect your organisation's policies.
"This website makes use of Essential Cookies, as defined in the UK GDPR, in order to function and to improve your security, e.g. when submitting forms. These Essential Cookies are only for security and site function, and do not track individual in any way.
"In order to better understand your needs and so improve our services to you, this website may also make use of some cookies that are used for traffic analytics or other behavioural statistics ("Analytics Cookies"): more details can be found on our Privacy Page. If you are happy to accept these Analytics Cookies, please press the Accept button; if you are not happy to accept these Analytics Cookies, please press Decline. If you Decline, this site will still work correctly but some third party services (such as some videos or social media feeds) may not display.”
As of VerseOne DXP 5.7.2 (end May 2023), this will be the default wording in the application's Cookie Banner Text. In addition, VerseOne DXP v5.7.2 includes an explicit Decline button for rejecting third party cookies.
Code Droplets
As outlined previously, third party code — e.g. heat-mapping software, or videos from YouTube — can be added via Code Droplets. These services almost always include tracking cookies although many (such as YouTube) do provide the ability to omit these cookies when generating the embed code (usually referred to as "GDPR safe" or similar).
VerseOne DXP Code Droplets provide editors with a control: when the PECR Safe control is set to No, then the Code Droplet will obey the Web Site PECR Policy, e.g. if a YouTube video is in a GDPR Safe Code Droplet and the PECR Policy is set to Strict, the video will not render — unless or until the visitor accepts cookies.
These settings might seem slightly counterintuitive, but are explained below:
- PECR Safe = Yes: the code within this Code Droplet is safe from a PECR / GDPR perspective, i.e. it contains no third party tracking cookies, etc.
- PECR Safe = No: the code within this Code Droplet may contain tracking cookies or other measures which might collect visitor data or otherwise violate PECR / GDPR laws, and thus shoud not be allowed to load if the user has not accepted third party cookies.
Exceptions
If a customer believes that a Code Droplet third party item is "essential", then they may set PECR Safe to Yes. However, they should detail any cookies that the service will place on the user's browser in their Privacy Policy (and the reason why they believe that the service and cookie is essential).
Google Translate
A key principle of acceptance is that a user must understand the terms that they are accepting. As such, a number of customers have suggested that any cookies set by Google Translate should be classed as Essential. VerseOne broadly agrees with this principle, but it is up to your organisation to set its own policy on this (and you must then outline your reasoning within your Privacy or Cookie Policy).
Frequency of Asking
Some implementations of cookie banners ask for preferences each and every time that a user visits the website. VerseOne believes that this is unnecessary and actively reductive: it is not only annoying for all visitors, but potentially exclusionary for those with disabilities.
Currently, VerseOne sets the Cookie Acceptance preference cookie for 2 years. However, by the end of 2024, we will provide a configuration method for our customers to ask more frequently if they believe it necessary to do so, with the default set to 6 months.
Privacy Policy
It is a legal requirement that the details of all cookies used on a website must be documented on the Privacy Policy or Cookie Policy pages, and linked to from the Cookie Acceptance Banner if they are not documented within the Cookie Acceptenace Banner itself. Cookie details should be listed in the format that has been used on this page, i.e. as a minimum, state the cookie name, outline its purpose, and how long it lasts.
Ideally, the Privacy Policy should include what information types can be shared and who it can be shared with, e.g. "We use the Meta (Facebook) Pixel tracking code on our 'Events' pages. If you visit these pages and have accepted non-essential cookies, page views and other personal information including [xyz] is shared with Meta. To prevent this from happening, decline the non-essential cookies."
If in doubt, follow the example of the Information Commissioner's Office: https://ico.org.uk/global/cookies/
Further information
If you have further questions above VerseOne's use of cookies in its software: compliance@verseone.com
Whilst we always want to help our customers as much as possible, we may not be able to help you to accurately document all of information on third party services that you use.