VerseOne DXP Application Cookies
VerseOne's Digital Experience Platform (DXP) CMS powers hundreds of websites, intranets and other digital solutions across the Social Housing and Healthcare sectors, and customers naturally want to know that they are compliant with Data Protection laws.
The article below outlines how cookies work within VerseOne DXP, and how the application makes provision for third party cookies.
What are cookies?
Cookies are small identification tokens placed on a user's web browser that provide a web application with some basic information about the current visitor's browsing session.
As the web has grown, some companies have used these tokens to track user behaviour across multiple websites — often used for the purposes of serving targeted advertising or other services — in a way that many think is abusive and contrary to a user's privacy online.
As a consequence, a number of legal instruments have been passed in order to make people more aware of the existence of cookies, how they can be misused, and to provide users with mechanisms for making an informed choice as to whether they wish to accept these terms.
Key principle: informed consent
The key provision is that of informed choice: users cannot make an informed choice if:
- the cookie banner does not show, or is not otherwise legible (in a language that the user does not understand, covered by other page elements, etc.);
- the cookie banner does not either explicitly list all cookies currently used by your site (in the format outlined below) or, more commonly, contain a link to a page that does (Cookie Policy or Privacy Policy. We recommend having both, as their intent is often different);
- you place cookies that are not listed in the Cookie Policy;
- cookies are placed on the user's device prior to them explicitly accepting them.
The above does not apply to Essential Cookies, except that you should list the Essential Cookies in your Cookie Policy, and provide justification as to why they are essential (in the legal definition of the term). No tracking cookie is ever essential: a cookie for maintaining a user's login session is essential, for instance, but it would not be legal for that session cookie to act as a key for tracking user behaviour.
If you are uncertain about any aspect of your cookie policy, always consider whether a user is given enough information and the technical ability to give informed consent.
Essential Cookies
However, cookies also serve useful purposes, such as:
- maintaining a "session key" which is required in order to allow users to log in to websites and portals;
- assigning unique security keys that protect user privacy by ensuring that users' form submissions are not hijacked by hackers;
- maintaining a server key so that, in multi-server environments, users are not randomly jumped between servers such that they are forced to repeatedly login.
These kinds of cookies are broadly known as "Essential Cookies", i.e. they are absolutely required in order to allow the operation of the application and to protect the privacy and data of users, and these have a special meaning within the UK GDPR.
VerseOne DXP Cookies
By default, VerseOne DXP uses only one Essential Cookie, which is called JSESSIONID: this cookie is destroyed at the end of a user's session, i.e. when a user logs out and leaves the site, or after 20 minutes of inactivity on a VerseOne DXP-powered site.
VerseOne DXP does not track users across sites, and JSESSIONID does not enable any functionality except the three items listed above.
JSESSIONID is an Essential Cookie — it is absolutely required for the operation of the solution and for the protection of users' data and security. For this reason, it cannot be switched off and users cannot opt out.
VerseOne DXP also uses VOPECRA, a long-term non-tracking cookie that is only placed on the user's browser when the user accepts or declines cookies via the Cookie Banner: VOPECRA is the cookie that remembers the user's cookie preferences. As of VerseOne DXP v5.7.5.5 (April 2024), the duration of this cookie is configurable, with defaults ranging from none ("ask every time") to 3 years (the default being 6 months).
If the option is switched on, VerseOne DXP also uses KMLI, a medium-term non-tracking cookie that is only placed on the user's browser if the user selects the Remember Me login feature. The duration of this cookie is configurable, with the default being 2 weeks.
Finally, solutions hosted within VerseOne's high-availability Managed Cloud Services environment also use a Firewall-generated session management cookie that maintains the user's context across multiple servers: this has the format TS0xxxxxxx. Once a user has made a cookie choice, the Firewall may generate a new session management cookie.
So, by default, all sites hosted on VerseOne's environment will have JSESSIONID and TS0xxxxxxx. Depending on configuration and user choices, they may also see VOPECRA or KMLI, and a second TS0xxxxxxx.
Name | Duration | Function | Size |
---|---|---|---|
JSESSIONID | Session | Essential cookie for software functionality including session management for authentication, form submission validation, load-balancer configuration. Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity. | 44B |
VOPECRA | Configurable duration | Remembers that a user has accepted or declined cookies from a specific VerseOne DXP-powered website, enabling cookies from GA and Code Droplets (where configured). Secured and does not track across websites (domain-specific). Duration is configurable in VerseOne DXP (default is 6 months). | 8B |
KMLI_FRONTEND | Configurable duration | Remembers the user so that they do not have to explicitly login to the DXP or front-end features. Secured and does not track across websites (domain-specific). Duration is configurable in VerseOne DXP (default is 2 weeks). | 141B |
TS0xxxxxxx | Session | Essential cookie for maintaining context across VerseOne's multiple high-availability application servers and secure Web Application Firewall (WAF). Secured and does not track across websites (domain-specific). Expires at explicit session end (i.e. explicit log out) or 20 minutes of inactivity. | 116B |
As of VerseOne DXP v5.7.3 (May 2023), users can explicitly reject cookies: in order for this to work, the VOPECRA cookie has to be placed in the user's browser that remembers this choice.
VerseOne DXP Biometrics & Notifications
VerseOne DXP v5.7.3.5 (August 2023) adds the ability for users to log in with biometrics — most pertinently on mobile devices (whether via VerseOne's new PWA mobile app, or via a browser), but also with biometric-enabled laptop and desktop computers.
When this feature is enabled and the user opts to login via biometrics, another cookie is added to the device that remembers that choice — and presents the device's biometric login dialogue rather than the traditional username and password.
VerseOne DXP v5.7.4 (October 2023) will also add the ability for users to subscribe to Push Notifications, most pertinently for mobile devices.
Name | Duration | Function | Size |
---|---|---|---|
VOPWABIOM | 1 – 6 months | Remembers that the user wants to login via biometrics, stores their unique system key, and so presents the OS biometric dialogue. Configurable on a per site basis, between 1 – 6 months. | 75B |
VOPWASUB | 1 – 6 months | Remembers that the user has subscribed to Push Notifications, and stores their unique system key. Configurable on a per site basis, between 1 – 6 months. | 74B |
Cookie Acceptance Features
VerseOne does, of course, provide its customers with a number of methods for ensuring legal compliance, which were originally put in place to comply with the European Union Privacy and Electronic Communications Regulations (PECR) Amendment, popularly known as the "cookie law".
These features were reviewed with the release of the EU General Data Protection Regulations (GDPR) and the subsequent Data Protection Act 2018 (which comprises the current UK legislation, including the "Frozen GDPR" or "UK GDPR").
These features, which enable customers to be compliant with GDPR, are set at Web Site level in VerseOne DXP. As of VerseOne DXP v5.7.5.5 (April 2024), these options have been moved to dedicated fieldsets at Web Site level, and renamed: the below guidance is now presented as Fieldset > Label.
The options comprise the following:
- Site Details > GDPR / Cookies policy: this consists of three settings (of which more, below), which reflect the various positions taken by the Information Commissioner's Office (ICO) since the introduction of the "cookie law";
- GDPR Banner Text > GDPR Banner Text: this is a Word-style Editor which allows customers to insert their own wording, according to their own policies and assessments of the current legal position, into the Cookie Acceptance Banner that appears on all pages of the website;
- GDPR Banner Text > Hide Button text: this allows customers to insert their own wording into the acceptance button (default is "Accept Analytics cookies").
As mentioned above, the PECR Policy has three settings:
Option | Details |
---|---|
GDPR / Cookies Strict | Other than the essential JSESSIONID and the TS0xxxxxxx (WAF), and provided that Code Droplets are correctly configured [see below], no cookies are placed on the user's browser unless they explicitly provide permission by pressing the Hide Button. Website administrators should use this setting for all public websites in order to be compliant with current GDPR. |
Relaxed (May 2013): Cookies on, show warning | Shortly after the introduction of the PECR, the EU and ICO determined that users now had enough information about cookies. The guidance was changed: if a user was presented with an information banner and then proceeded to use the website, they had implicitly accepted cookies. This setting should not currently be used — although this state of affairs is likely to change in the UK in the medium–longer term. |
Off: Cookies always enabled | This setting should only be used in controlled "non-public" environments, such as for intranets. |
VerseOne DXP does not provide any method for users to opt out of the JSESSIONID or other essential cookies listed above because otherwise, under the legal definition, they would not be essential. As such, if the user accepts or declines cookies via the Cookie Acceptance Banner, it is always any third party (potentially tracking) cookies that they are accepting or declining.
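A pre-consent check for the Strict setting described above, as an added example that is not VerseOne's own code: it parses the Set-Cookie headers of a first-visit response and flags anything other than JSESSIONID and TS0xxxxxxx. The sample headers are constructed, and two things are assumptions: the TS0 suffix pattern, and reading "Secured" in the cookie tables as the Secure attribute.

```python
import re
from http.cookies import CookieError, SimpleCookie

# Essential cookies this page says are present before any consent choice.
# Assumption: "TS0xxxxxxx" means "TS0" plus seven alphanumeric characters.
ESSENTIAL = (re.compile(r"JSESSIONID"), re.compile(r"TS0[0-9A-Za-z]{7}"))


def audit_pre_consent(set_cookie_headers):
    """Return (cookie_name, issue) findings for a pre-consent response."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            pass  # illegal cookie name: reported below as unparseable
        if not jar:
            name = header.split("=", 1)[0]
            findings.append((name, "unparseable Set-Cookie header"))
            continue
        for name, morsel in jar.items():
            if not any(p.fullmatch(name) for p in ESSENTIAL):
                findings.append((name, "not expected before a consent choice"))
                continue
            # Assumption: "Secured" in the tables means the Secure attribute.
            if not morsel["secure"]:
                findings.append((name, "essential cookie missing Secure"))
            # Both essential cookies are documented with Duration "Session".
            if morsel["max-age"] or morsel["expires"]:
                findings.append((name, "documented as session, but persistent"))
    return findings


# Constructed sample: Set-Cookie headers from a hypothetical first visit.
SAMPLE_HEADERS = [
    "JSESSIONID=0A1B2C3D4E5F; Path=/; Secure; HttpOnly",
    "TS01a2b3c4=01ff00aa; Path=/; Secure",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
    "TS0deadbee=0123; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    for cookie_name, issue in audit_pre_consent(SAMPLE_HEADERS):
        print(f"{cookie_name}: {issue}")
```

Any cookie reported as "not expected before a consent choice" should either be gated behind the Cookie Banner or be documented and justified as essential in the Cookie Policy.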
Suggested Cookie Banner Text
VerseOne suggests that your cookie banner uses text similar to the following (but, of course, your own compliance or legal team may wish to amend this to reflect your organisation's policies).
This website uses some Essential cookies in order to work (e.g. for logging in) and to keep you safe (e.g. to prevent people impersonating you when submitting forms, etc.). These Essential cookies are placed on your device automatically — you can find out all about them in our Privacy Policy.
Some cookies are used for analytics, in order to help us to better understand how our customers use our website, or to provide other third party services (such as translation) and these are also detailed in our Privacy Policy. You do not have to accept these cookies — in which case, you need do nothing or you can press Decline. If you are happy to accept these cookies, however, then please press the "Accept Analytics cookies" button (which will also dismiss this banner).
As of VerseOne DXP 5.7.2 (May 2023), this is the default wording in the application's Cookie Banner Text (with the exception of the phrase "or you can press Decline": this will be updated in an upcoming release). This release also included an explicit Decline button for rejecting third party cookies (and removing the Cookie Banner).
Frequency of Asking
Some implementations of cookie banners ask for preferences each and every time that a user visits the website. VerseOne believes that this is unnecessary and actively reductive: it is not only annoying for all visitors, but potentially exclusionary for those with disabilities.
As of VerseOne DXP v5.7.5.5 (April 2024), a number of important new features were released for managing cookie choices:
- Data and Cookie Compliance > Expire Cookies Decision after the following time period: this allows customers to choose how long their website visitors' choice should be preserved, with the default expiry being "Six months", i.e. after six months, the visitor will be asked to decide again. The defaults range from "ask user every time" (through 1, 3, 6, or 12 months) to 3 years.
- Data and Cookie Compliance > Ask website visitors to re-accept / decline ("revoke") Cookies: this feature should be used if you have added a new cookie-dependent third party service to your website, e.g. a heat-mapping service. In this scenario, a user will be asked to choose again regardless of how long is left on the default duration. Of course, for this measure to be effective, you must update your Cookie Policy as a minimum: it would be better practice to highlight the new addition in the GDPR Banner Text. Additionally, who set the cookie policy to expire, and when, is logged in the system.
We hope that these innovations make it easier for you to safely and legally manage your cookies.
Third Party Cookies
Many organisations do legitimately seek information on how people use their websites and digital solutions, so that they can genuinely improve their service to their users — and VerseOne makes this possible through two mechanisms:
- the ability to enter a Google Analytics (GA) ID at site level;
- the ability to enter any other third party code (which may or may not include cookies) through the Code Droplets Module.
VerseOne provides these features but the decision whether or not to use them rests with the VerseOne customer — they can add or remove such services at any time.
Code Droplets
As outlined previously, third party code — e.g. heat-mapping software, or videos from YouTube — can be added via Code Droplets. These services almost always include tracking cookies although many (such as YouTube) do provide the ability to omit these cookies when generating the embed code (usually referred to as "GDPR safe" or similar).
VerseOne DXP Code Droplets provide editors with a control: when the PECR Safe control is set to No, then the Code Droplet will obey the Web Site PECR Policy, e.g. if a YouTube video is in a GDPR Safe Code Droplet and the PECR Policy is set to Strict, the video will not render — unless or until the visitor accepts cookies.
These settings might seem slightly counterintuitive, but are explained below:
- PECR Safe = Yes: the code within this Code Droplet is safe from a PECR / GDPR perspective, i.e. it contains no third party tracking cookies, etc.
- PECR Safe = No: the code within this Code Droplet may contain tracking cookies or other measures which might collect visitor data or otherwise violate PECR / GDPR laws, and thus should not be allowed to load if the user has not accepted third party cookies.
Exceptions
If a customer believes that a Code Droplet third party item is "essential", then they may set PECR Safe to Yes. However, they should still detail any cookies that the service will place on the user's browser in their Privacy / Cookie Policy, and describe why they believe that the service (and cookie) is essential.
Google Translate
A key principle of acceptance is that a user must understand the terms that they are accepting. As such, a number of customers have suggested that any cookies set by Google Translate should be classed as Essential. VerseOne broadly agrees with this principle, but it is up to your organisation to set its own policy on this (and you must then outline your reasoning within your Privacy or Cookie Policy).
Privacy / Cookie Policy
It is a legal requirement, in line with the principle of informed consent, that the details of all cookies used on a website must be documented on the Privacy Policy or Cookie Policy pages, and linked to from the Cookie Acceptance Banner if they are not documented within the Cookie Acceptance Banner itself. Cookie details should be listed in the format that has been used on this page, i.e. as a minimum, state the cookie name, outline its purpose, and how long it lasts.
Ideally, the Privacy Policy should include what information types can be shared and who it can be shared with, e.g. "We use the Meta (Facebook) Pixel tracking code on our 'Events' pages. If you visit these pages and have accepted non-essential cookies, page views and other personal information including [xyz] is shared with Meta. To prevent this from happening, decline the non-essential cookies."
If in doubt, follow the example of the Information Commissioner's Office: https://ico.org.uk/global/cookies/
Future Features: Explicit Service Cookie Acceptance
Some customers have asked whether their website visitors can be presented with a more fine-grained choice of cookies. The ICO guidance is that, in these cases, cookies should not be individually listed but instead be categorised, e.g. "Marketing cookies", "Tracking cookies", "Performance cookies", etc.
VerseOne does intend to develop this functionality, which is currently on the roadmap for the second half of 2025.
This is a challenging feature to deliver, since customers would need to know and assign the category correctly. We would prefer to find a sustainable way in which to automate this instead; this is complicated, however, by the fact that a single cookie may serve several functions, e.g. it is primarily for "performance" but it is also for "tracking".
We also intend that this functionality be combined with upgrades to our Content Security Policy.
Further information
If you have further questions about VerseOne's use of cookies in its software: compliance@verseone.com
Whilst we always want to help our customers as much as possible, we may not be able to help you to accurately document all of the information on third party services that you use.