System update - more improvements and fixes

Yet more goodies for you!

New privacy policy

Our new privacy policy is now live; there is also an account-specific version that's used on your subscribe pages, and anywhere else your subscribers interact with our pages.

Privacy improvements

Our normal and subscriber login pages are now entirely cookie-free on first hit, and only set session cookies if you actually log in.

The subscriber portal no longer asks for cookie consent as no non-essential, non-session cookies are set at all, and access is not subject to our T&Cs as it's a statutory requirement.

We've tightened our Content Security Policy headers even further, gaining us an excellent set of results on this privacy checker.

Our strict-origin-when-cross-origin referrer policy means only our domain is passed in referrer headers, and then only to secure pages; it's important that the full referrer URL is not leaked. In the event that a public page we host contains personal data - such as on personalised web versions which rely on unguessable URLs - outbound links must not point directly back to the page via the referrer header. This is why we don't use such pages by default, and have always used a referrer policy that does not leak the full URL.

Privacy notices that mention Do Not Track now show whether the current browser has that option set.

Template zip imports completed

As we mentioned last time, we support importing templates from zip files; this has now been completed, and now includes support for bundled images in an images folder. The docs have been updated to show how to use that.

Templates now default to using HTML5 instead of the previous HTML4.01/transitional doctype.

RSS

Our RSS feed reader code is now smaller and faster, and should be more reliable into the bargain. In case you didn't know, we can do all kinds of cool things with RSS, meaning you don't need to duplicate effort in creating templates if you're already writing blog posts, or if your ecommerce system provides RSS feeds of special offers, etc.

Interface improvements

Drop-down menus now make full use of available screen height - this is especially useful on long menus such as those used for time zones and template tags.

Corruption in content using the UTF-8 character set (i.e. all of it!) is now filtered much more reliably, and corruption resulting from mixing ISO-8859-1 and UTF-8 character sets in the same content is now dealt with automatically.

The syntax check indicator on the send page no longer defaults to showing an error!

Logging out manually now says that's what you did, not that your connection timed out.

Callbacks

We have added a new "delete" event to our callback system, meaning you will receive a notification on your callback URL when a subscriber chooses to delete their own data (a requirement of GDPR), allowing you to keep your own systems up to date with respect to your users' preferences.

More lists in subscriber portal

In the subscriber data access portal, we now show subscriptions to lists that are not marked as visible so that subscribers may choose to unsubscribe from them. We'd like to remind you that mailing list names can be shown to subscribers, so it helps to give lists meaningful names, and also to make use of our separate public and internal list names. One of our competitors had an embarrassing incident relating to unexpectedly visible list names, and we'd like you to avoid the same fate!

Á la prochaine!

Now on GitHub!

Somehow it slipped through the cracks and we failed to announce it, but a little while ago we put our Smartmessages API client libraries for PHP and .NET on github, so please feel free to fork, report issues and submit pull requests.

The EU Cookie Directive

This Wednesday (May 25th), a new law comes into force affecting the ability of web sites to issue cookies to visitors. Under this legislation, web site hosts will require explicit informed consent from visitors before issuing cookies unless they are 'strictly necessary' to provide the service. Unfortunately the UK has been slow to legislate on this directive, so the law is extremely vague. What exactly 'strictly necessary' means is currently undefined, however, an example of a cookie that would not be considered 'strictly necessary' is the ability to remember your login on a login page.

There is a document issued by the UK Information Commissioner's office contains an overview of the new law and how it will apply to businesses that you might like to read.

For our part, we think we're in a good position for compliance. We don't use cookies to store login details or other account preferences - browsers do a good enough job of that nowadays. We do use session cookies for authenticating logins, but they would fall under the 'strictly necessary' use case (our service simply won't work without them). They contain solely a random number hash, are deleted on logout, and expire after a couple of hours, so have very little scope for any kind of personal data leakage and certainly no cross-site tracking, which is one of the chief concerns of the legislation.

We don't issue cookies to normal visitors at all, including those that are opening or clicking through from links in email messages. That said, another aspect of this legislation may apply to the use of tracking images (a.k.a. web bugs or beacons), but it remains to be seen what regulations are made in that area.

The most obvious point of concern for this legislation is for services that do track activity across sites, most obviously pretty much any web analytics system such as Google Analytics and many ad issuing services, such as Google AdWords, doubleclick etc. Google have yet to comment on the issue, but there is some discussion of it here. We're not concerned by ads since we don't use them anywhere, but Google Analytics is a very useful service that we do link with, and while we don't use cookies in conjunction with it (we just generate the specially formatted URLs it uses), you may well do on your own site. The requirement to obtain explicit informed consent for such services may prove extremely detrimental to both consumers and providers alike. Without that consent, providers can't target incentives and campaigns appropriately to visitors, and web advertising is likely to become much more random as a result.

In the short term there's little to be worried about. Communications Minister Ed Vaizey has said "We do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies."

We'll keep you posted on any changes that may affect your use of our services.

Updated API documentation

Our API has been evolving over time, and while our PHP example code is up to date, our API documentation wasn't keeping up.  It's now been updated to cover the more recent changes, such as campaign creation, template uploads, and the big one - sending mailshots.
Of course there's more to come too...