Ideas

Add core functions to comply with EU Cookie Law

  1. mjray
    Member

    I think a minimal compliance fix for a 3.3.2 site which doesn't have open user registration is to disable any cookie-using plugins, make sure all your registered users know that cookies are used when they log in, and either: a) comment out the setcookie lines in wp-comments-post.php; or b) amend your theme's comments.php to add a notice that commenting will cause cookies to be set and add a listing of those cookies to your privacy policy (the cookie-cat plugin may help with that). Or you could use a plugin to add a notice to your comment and login forms, but I'm not sure if there is one yet and no-one's hired me to make one.

    If there are cookie-using plugins, I don't think any of the compliance plugins I've seen will help (most delete cookies after setting them if consent is refused, which isn't what the ICO guidance says), but I might have overlooked one.

    Until the 3.4 pluggable cookie functions are available, I think a compliance plugin would need to be able to stop other plugins running - or delete the cookies before they are sent to the browser and I doubt a plugin can do that (the PHP manual says "Cookies will not become visible until the next loading of a page").

    I'll mention it if I see one that does work - and I'd love to hear it if you've tested one that really does work, like no cookies attempted unless you click "I agree".

    Posted: 12 months ago #
  2. Ipstenu (Mika Epstein)
    Administrator

    3.4 is in RC right now. It'll be out before summer is over. You can help speed that up by downloading and testing and letting folks know if it's broken or not :) (I'm betting by July 4th).

    And plugins... Well, again, WordPress cannot know what plugins are doing. If a plugin (like Google Analytics, say) puts down a cookie, then (a) it's your responsibility, as a site owner, to know that and (b) the plugin's responsibility to nuke it.

    I would do what BBC did. They changed their cookie parameters (which you can do by changing your hashes and salts) and put a one-time alert: if you continue reading this site, you agree to cookies.

    If it's good enough for them...

    Posted: 11 months ago #
  3. Rick Leslie
    Member

    WordPress does not need to know WHICH plugins are being used.

    All wordpress needs to do is get user permission for cookies to be set BEFORE any cookies used by WP OR ANY PLUGINS are set.

    An intercept page for all visitors to the site (unless a previously set "acceptance cookie" is returned with the request) is all that is needed.

    The intercept page just needs to inform the visitor that the site uses both first and third party cookies (it does not need to specify which third parties) and allow the user to either accept whatever cookies will be set or leave the page/site with no cookie being set at all.

    Posted: 11 months ago #
  4. mjray
    Member

    I agree that WordPress probably cannot stop plugins screwing up and doing things directly. It can provide the hooks so good plugins can let other plugins regulate cookies and it looks like that is where we're heading.

    The BBC's approach was pretty rubbish, claiming that their stats tracking cookie was "strictly necessary" (which it clearly isn't IMO). The government agency basically backed down on the last day and changed its public statements to allow the BBC's approach. See, for example, http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent

    So for now, make sure your privacy policy is accurate and linked with suitable text and the regulator probably won't act, but I still feel it's not really complying with the law, or what the public want: no cookies before a chance for informed consent.

    Posted: 11 months ago #
  5. mjray
    Member

    @Rick Leslie - intercept pages are ugly and will break some automated tools. I also hate sites that throw a sulk and refuse to work if you say "No thanks" to cookies.

    A cookie control widget on the page would be enough, as long as plugins can be told not to set cookies unless the control is set to Allow. That is what a hookable cookies function could allow.

    Posted: 11 months ago #
  6. Ipstenu (Mika Epstein)
    Administrator

    The problem is that not all plugins put down cookies that WP can detect and remove, Rick. That's what I'm driving at here. WP is putting in hooks so you can control all the cookies that people put in using wp_set_cookie (see http://codex.wordpress.org/WordPress_Cookies ), but it simply lacks the built-in ability to pull all other cookies. And frankly, you don't want it to, or I could be evil and code something to remove all cookies from other sites. Egad, that would be pretty nasty. I believe you can do it in straight PHP, but it would involve a search of all cookies, looking for the ones with yourdomain in them, and yanking. But again, that's actually looking like a bigger risk...

    BBC said they have to use cookies because their Analytics tool uses them, and there's no way to turn that off. Which means either they stop trying to understand their traffic (bad), or they warn you (not great).

    And I don't think the majority of the public actually knows enough about what cookies are to know if they do or don't want them. If they did, we wouldn't have asinine laws like this in the first place :)

    Posted: 11 months ago #
  7. Rick Leslie
    Member

    If WP checked to see if there was a "Yes I accept all cookies from this site" cookie, and if not it took the user to a separate "Please allow this site to set cookies from us and third parties" page, then the issue of plugins setting cookies is dealt with.

    Either the user answers "Yes" and gets the "I accept all cookies from this site" cookie set and is then given the requested page, or they say "No" and get redirected to another site of the website owner's choice or another page explaining that they can't access the site because they said "No".

    If the intercept (cookie check) was done in the core then no plugins would have the chance to set cookies.

    I realise that the law is totally messed up - due to being written by not techies - but it's still the law and this would ensure full compliance with it.

    Posted: 11 months ago #
  8. Rick Leslie
    Member

    "The problem is that not all plugins put down cookies that WP can detect and remove". If the above was implemented it wouldn't need to, as they wouldn't be set in the first place.

    Posted: 11 months ago #
  9. As Ipstenu says above, it is simply not possible for WP to do what you're asking for. Take, for example, Google Maps. It's a piece of JavaScript that lives outside of your website and which puts down third-party persistent cookies. Since it lives outside of WP there's no realistic way WP can find out whether it will place cookies on the end user's machine, and yet as the website owner you are still responsible for those cookies. So it comes down to you to either find a way around it (which in the case of Google Maps happens to be fairly simple, as you can use its cookieless domain instead), or to put something in place that warns the user before you execute the code.

    As several of us have said repeatedly in this thread, it's the responsibility of the site owner and the plugin developer to find a solution. WP can assist that by providing hooks, but it can't hope to handle the many different ways that cookies can end up on your machine as a result of visiting a site running on WP. This isn't WP's fault - any CMS will have the same problem.

    Posted: 11 months ago #
  10. Rick Leslie
    Member

    And what part of the intercept page would have to make a call to google maps? Or any other plugin for that matter?

    It's really simple. Is there an acceptance cookie? Yes - then load WP pages as usual, No - Only send the user the intercept page. At what point in this are you suggesting that third party plugins are called?

    Posted: 11 months ago #
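    The acceptance-cookie check Rick describes (posts 7 and 10), written up as an added example in the form of a WordPress must-use plugin; this is not code from the thread or from WordPress core. It assumes a cookie name of its own choosing, a static `/no-cookies.html` page for visitors who decline, and that mu-plugins load before regular plugins (which is WordPress's load order), so neither core nor any plugin gets to run `setcookie()` or emit page markup that loads third-party scripts until the visitor has said "Yes".

```php
<?php
// Added example: consent intercept as a must-use plugin
// (wp-content/mu-plugins/consent-gate.php). Cookie name, page text and
// the decline page are assumptions, not WordPress conventions.

define( 'CONSENT_COOKIE', 'site_cookie_consent' );

function consent_gate() {
    // Cron and command-line runs are not browser visits; let them through.
    if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || PHP_SAPI === 'cli' ) {
        return;
    }
    // Returning visitor who already accepted: serve the page as usual.
    if ( isset( $_COOKIE[ CONSENT_COOKIE ] ) && $_COOKIE[ CONSENT_COOKIE ] === 'yes' ) {
        return;
    }
    // Answer posted from the intercept form below.
    if ( $_SERVER['REQUEST_METHOD'] === 'POST' && isset( $_POST['cookie_consent'] ) ) {
        if ( $_POST['cookie_consent'] === 'yes' ) {
            // The only cookie this site sets before consent: one year,
            // whole site, Secure when on HTTPS, HttpOnly.
            setcookie( CONSENT_COOKIE, 'yes', time() + YEAR_IN_SECONDS, '/', '', is_ssl(), true );
            header( 'Location: ' . $_SERVER['REQUEST_URI'], true, 303 );
            exit;
        }
        // "No": send them to a cookie-free explanation page; nothing is set.
        header( 'Location: /no-cookies.html', true, 303 );
        exit;
    }
    // No decision yet: emit only the intercept page and stop. Because we
    // exit here, no plugin, theme or core code runs for this request.
    header( 'Content-Type: text/html; charset=utf-8' );
    $self = htmlspecialchars( $_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8' );
    echo '<!DOCTYPE html><html><head><title>Cookies</title></head><body>'
       . '<p>This site sets first- and third-party cookies. Do you accept them?</p>'
       . '<form method="post" action="' . $self . '">'
       . '<button name="cookie_consent" value="yes">Yes, I accept</button> '
       . '<button name="cookie_consent" value="no">No thanks</button>'
       . '</form></body></html>';
    exit;
}

// muplugins_loaded fires before regular plugins are included.
add_action( 'muplugins_loaded', 'consent_gate' );
```

    As mjray notes above, a gate like this also blocks feed readers, search crawlers and anything else that cannot submit the form, so a real deployment would need an allow list for such requests.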


Rating: 25 Votes

Status: This idea is under consideration