Add core functions to comply with EU Cookie Law

  1. Jonathan UK
    Member

    On 13 December 2011, the UK's Information Commissioner's Office (ICO) published updated guidance for website publishers on complying with the EU Cookie Law. UK publishers now have only a few months of grace period remaining before they must comply fully with the law.

    I believe that UK-based web publishers using WordPress must obtain prior consent for any and all cookies that are associated with a standard WordPress installation. (Similar requirements apply to publishers across Europe, potentially differing based on local interpretation of the law).

    I have very limited coding skills and I would desperately like WordPress to add functionality within the core product to enable publishers to gather the required cookie consents and manage / limit cookie placement accordingly.

    Otherwise, I have no idea how I can possibly comply with the law.

    References:

    http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

    http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx

    Posted: 2 years ago #
  2. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    http://core.trac.wordpress.org/ticket/17976 will help with that, but it's on you to handle it how you want.

    "I believe that UK-based web publishers using WordPress must obtain prior consent for any and all cookies that are associated with a standard WordPress installation. (Similar requirements apply to publishers across Europe, potentially differing based on local interpretation of the law)."

    Check with a lawyer.

    WP cookies are NOT 3rd party cookies, and are required to log in. By their own wording, the EU cookie law is obeyed simply by having a disclaimer SAYING 'if you leave a comment you'll get a cookie on your PC.'

    Posted: 2 years ago #
  3. Jonathan UK
    Member

    Hi Ipstenu

    Thanks, but the resource you've linked to is completely over my head in terms of technical complexity. I simply don't understand it, let alone how to use it.

    This is why I'm suggesting that cookie consent and control features need to be integrated into the core WordPress product. WordPress needs to cater for the lowest common denominator in respect of technical knowledge if its users are to be able to comply with this law.

    Regarding the legalities, the facts are clear: the law relates to ALL cookies, not just to 3rd party cookies and it requires advance consent.

    The best solution is for WordPress to adopt a "belt and braces" approach to cookie management - by which I mean that it should provide publishers with an (easy to use) ability to gain advance consent for all cookies and manage them accordingly.

    Posted: 2 years ago #
  4. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    The facts are not clear, or WP would have to do what you're proposing.

    And you're not a coder. That's fine. Go hire one :) Just like you'd hire a lawyer to handle legal cases, you should hire a programmer for this.

    This fix makes it possible for commenter cookies to be disabled, if someone wants to, by setting them on an action instead of always. I'm sure someone will come up with a plugin to allow people a GUI if needed.

    Posted: 2 years ago #
  5. Jonathan UK
    Member

    Please do try reading the guidelines. They're very clear about what's required.

    It strikes me as far more reasonable that WordPress should address this issue within its core functionality than that every single non-techie WordPress user in Europe should go out and hire a programmer!

    The issue for publishers has never really been about a lack of clarity. It's been much more a case that:

    - we've all been hoping the issue might go away (it won't - the ICO even includes this very point within its FAQs)
    - we've been waiting for publishing solution providers (i.e. WP) to add the required functionality.

    WordPress really can't afford to remain in denial any longer - time is fast running out.

    Posted: 2 years ago #
  6. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    WordPress's solution is linked above. You can use that or not. It's up to you, and your lawyers, to decide that.

    This is what the law requires:

    a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

    (2) The requirements are that the subscriber or user of that terminal equipment-

    (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
    (b) has given his or her consent.

    That's all you have to do. And none of that requires code. You can do that by adding in text above 'submit comment' (IF and only if your legal team determines that clicking that, which does leave a cookie on your computer, is in violation of that law - You really need to sit with legal on that one) which says 'Hey, this'll cookie you!'

    Why do I think it doesn't?

    There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:

    (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

    (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

    Which is what a COMMENT is.

    Posted: 2 years ago #
  7. Jonathan UK
    Member

    Which, with respect, is what DENIAL is :)

    Posted: 2 years ago #
  8. nathancbriggs
    Member

    Given the language Ipstenu quoted, I don't see how the requirements could possibly apply to cookies dropped on users choosing to leave comments.

    Posted: 2 years ago #
  9. Jonathan UK
    Member

    I respectfully submit that Ipstenu is misinterpreting the definition, which has a VERY narrow meaning.

    That section continues (and I've thrown some bold in, to help):

    In defining an 'information society service' the Electronic Commerce (EC Directive) Regulations 2002 refer to 'any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service'.

    The term 'strictly necessary' means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the person using the cookie might be subject to, for example, the security requirements of the seventh data protection principle.
    Where the setting of a cookie is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.

    This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.

    The Information Commissioner is aware that there has been discussion in Europe about the scope of this exception. The argument has been made in some areas that cookies that are used for resource planning, capacity planning and the operation of the website, for example, could come within the scope of the exemption. The difficulty with this argument is that it could equally be made for advertising and marketing cookies (whose activities help to fund websites). The intention of the legislation was clearly that this exemption is a narrow one and the Commissioner intends to continue to take the approach he has outlined clearly in published guidance since the 2003 Regulations were introduced.

    Activities likely to fall within the exception

    - A cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
    - Certain cookies providing security that is essential to comply with the security requirements of the seventh data protection principle for an activity the user has requested – for example in connection with online banking services
    - Some cookies help ensure that the content of your page loads quickly and effectively by distributing the workload across numerous computers.

    Activities unlikely to fall within the exception

    - Cookies used for analytical purposes to count the number of unique visits to a website for example
    - First and third party advertising cookies
    - Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

    Posted: 2 years ago #
  10. Jonathan UK
    Member

    We could all consult (and pay) as many lawyers as we like. They will all refer back to the same guidance, which requires ADVANCE consent for ALL cookies unless they are STRICTLY necessary (within the very narrowest of definitions).

    WordPress is like a bus. And publishers like me are passengers on that bus. When the rules of the road change, it's the bus driver's duty to do what's necessary to adhere to them. If we think the driver's behaviour puts us at risk, we'll get off.

    And that's what European publishers will do, in droves, if they can't be confident that they can continue using WP without breaking the law.

    Further info from the ICO's previous guidance (bold style added by me):

      Feature-led consent (Version 1 09/05/11)

    Some objects are stored when a user chooses to use a particular feature of the site such as watching a video clip or when the site remembers what they have done on previous visits in order to personalise the content the user is served. In these cases, presuming that the user is taking some action to tell the webpage what they want to happen – either opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then you can ask for their consent to set a cookie at this point.

    Posted: 2 years ago #

  • Rating

    31 Votes
  • Status

    This idea is under consideration