[closed] How can we control cookies with new EU legislation? (47 posts)

  1. grahamjones
    Member
    Posted 3 years ago #

    On the 25th May in Europe it becomes illegal for any website owner to set a cookie without the PRIOR explicit permission of the visitor. That means when an individual first visits a website that uses cookies they will have to agree to accept the cookies if they wish to use the site. If they refuse the cookies the site becomes blocked.

    According to the legislators at the EU, this helps protect privacy.

    But how can this be implemented within WordPress?

    As I see it, anyone running a WordPress site which is accessed by people in Europe after 25th May will be doing so illegally.

  2. tappenden_de
    Member
    Posted 3 years ago #

    I've been wondering the same thing.

    I was looking for a plug-in that could help with this, maybe to give a warning before the cookie is stored.

    But I see that the PHPSESSID cookie is stored almost immediately when I arrive at a site.

  3. Shouldn't affect most bloggers.

    The European Union created a requirement that companies whose websites use cookies to track computers' use of their sites must seek the 'explicit consent' of users for that tracking to be lawful.

    Note a couple of things: Firstly, 'companies' doesn't mean all websites. If you're not a company, you should be exempt. Second, if you're not using cookies to track anything, you should also be exempt.

    Now there's some wiggle room if WP is using a cookie to TRACK anything, but you should grab a lawyer to make sure.

  4. tappenden_de
    Member
    Posted 3 years ago #

    The trouble is that WP obviously does use a session cookie, and I'm sure that some lawyers will try and argue that this is reason enough to warn visitors.

    Some EU countries also consider a website in itself to be a business if it has any form of income, eg. AdSense or Amazon Associates.

    And doesn't Google Analytics use tracking cookies?

    But all of this is irrelevant to the discussion. Businesses in the EU have to do this, so the original question is what is important: how do I inform users about cookies and get their consent *before one is set* on a WordPress-based site?

  5. Popups?

    Host your site in Canada or some less stroppy nation, and use a shell company to own it?

    Don't use any TRACKING cookies? (WordPress's cookies do not track the user, they leave site-only info. Google AdSense DOES track between sites, so take off that and you're okay.)

    Seriously one of the more half baked laws the EU has come up with. But the short answer is WordPress itself DOES leave a cookie, but it doesn't track anything, and only contains per session info, so you should be okay. I spent a couple hours reading that part of the law. I would check with an EU specialist lawyer to be sure, but I would feel safe, if it were me.

  6. tappenden_de
    Member
    Posted 3 years ago #

    "Host your site in Canada or some less stroppy nation, and use a shell company to own it?"

    I'm sorry, but that answer is like me saying that US citizens should host their sites outside the U.S. to avoid FCC regulations.

    The FCC don't care AFAIK - if you live in the US they say the rules apply. I've even had discussions where it has been claimed they apply in the EU as well, because our e-commerce sites have buyers in the US.

    The fact is, EU companies already host their websites all over the place, but as long as they have their employees here they will be covered.

    Again, AFAIK even a U.S. company with the European TLD and subsidiary will have to comply.

    That said, if WordPress's cookie does not track, then I can use a popup or lightbox when the visitor arrives before they see any AdSense etc. and warn them (and just ignore the non-tracking cookie that will already be in place by then). Not that it makes the website any user friendlier, but it may just have to be done that way.

    "Seriously one of the more half baked laws the EU has come up with."

    I think we can agree on that :-)

  7. If my COMPANY is based in the US, then US laws apply. If my company is based in Canada and I live in the US, it does not. And yes, it's legal to do that. My father is in Asia, his company in the US. He doesn't have to have his website comply with the laws of wherever he lives because it's all above board in the US. It's a hair splitting semantic, and took a couple lawyers to help us get right, but it does work.

    You do notice I keep coming back to lawyers? You need one. Seriously.

    My layman understanding of the law, and of how WP cookies work with regards to that law, is that WordPress's site only cookies only 'track' if you're logged in, and even then, not between other sites. Obviously you'll need a consent-to-cookies form for registration and for AdSense etc.

    Probably the most elegant way would be to make a plugin that, when you visit any WP page on your site, checks for cookies. If it finds none, it redirects you to another page which says "Hi, you don't have cookies, and since the EU is a prat, you have to consent to let me put them on your computer. Cookies are used to store information like when you last visited, and if you log in, your user information, so no one else can pretend to be you. I promise to never use this information in illegal or unethical ways. If you do not accept to have cookies on your system, you can't visit this site. Sorry about that."

    Google up some PHP checks for cookies. They should be usable. You can check what your own site's cookies look like, the name format and all, to search for.
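    The "redirect to a consent page until you accept" plugin sketched in the post above, written out as an added example. This is my code, not code from the thread or from WordPress itself. It assumes a page with the slug cookie-consent exists and contains the [cookie_consent_form] shortcode, and it uses an assumed first-party cookie name, eu_cookie_consent; every ccg_ name is mine. It hooks template_redirect, which fires for front-end requests only, after the query is parsed and before the theme prints anything, so the Location and Set-Cookie headers can still be sent (the same calls pasted into header.php would run after output has started). Note that WordPress core sets no cookie for a visitor who neither logs in nor comments; a PHPSESSID comes from a theme or plugin calling session_start(), not from core.

```php
<?php
/*
Plugin Name: Cookie consent gate (added example)
Description: Serve nothing but a consent page until the visitor has explicitly accepted cookies.
Install: copy into wp-content/mu-plugins/ and create a page with the slug below whose
         content contains the [cookie_consent_form] shortcode and explains your cookies.
*/

define( 'CCG_COOKIE', 'eu_cookie_consent' ); // assumed name of the first-party consent cookie
define( 'CCG_PAGE_SLUG', 'cookie-consent' ); // assumed slug of the consent page
define( 'CCG_TTL', 31536000 );               // remember the choice for one year (seconds)

function ccg_has_consent() {
    return isset( $_COOKIE[ CCG_COOKIE ] ) && 'yes' === $_COOKIE[ CCG_COOKIE ];
}

// Absolute URL of the current request; wp_validate_redirect() rejects foreign hosts later.
function ccg_current_url() {
    $scheme = is_ssl() ? 'https://' : 'http://';
    return esc_url_raw( $scheme . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
}

// 1. The gate: anyone without the consent cookie is sent to the consent page.
function ccg_gate() {
    if ( ccg_has_consent() || is_user_logged_in() || is_page( CCG_PAGE_SLUG ) || is_feed() ) {
        return; // logged-in users consented at login; the consent page and feeds stay reachable
    }
    $page = get_page_by_path( CCG_PAGE_SLUG );
    if ( ! $page ) {
        return; // no consent page yet: fail open instead of locking every visitor out
    }
    $target = add_query_arg( 'return_to', rawurlencode( ccg_current_url() ), get_permalink( $page->ID ) );
    wp_redirect( $target, 302 );
    exit;
}
add_action( 'template_redirect', 'ccg_gate', 10 );

// 2. The consent POST, handled before the gate (priority 5) and before any output.
function ccg_handle_consent() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['ccg_accept'] ) ) {
        return;
    }
    // Nonces are computed for user id 0 as well, so logged-out visitors can submit the form,
    // while a forged cross-site POST cannot silently "consent" on somebody's behalf.
    if ( empty( $_POST['_ccg_nonce'] ) || ! wp_verify_nonce( $_POST['_ccg_nonce'], 'ccg_consent' ) ) {
        wp_die( 'The consent form has expired, please go back and try again.' );
    }
    // This is the only cookie the site sets before consent exists. It carries no personal
    // data; HttpOnly keeps page scripts away from it and Secure is set when served over TLS.
    setcookie( CCG_COOKIE, 'yes', time() + CCG_TTL, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    $_COOKIE[ CCG_COOKIE ] = 'yes'; // let the rest of this request see it as well

    // Only same-host targets are honoured, so return_to cannot become an open redirect.
    $back = ! empty( $_POST['return_to'] ) ? wp_validate_redirect( $_POST['return_to'], home_url( '/' ) ) : home_url( '/' );
    wp_redirect( $back, 302 );
    exit;
}
add_action( 'template_redirect', 'ccg_handle_consent', 5 );

// 3. [cookie_consent_form] renders the accept button on the consent page.
function ccg_form_shortcode() {
    $back = ! empty( $_GET['return_to'] ) ? wp_validate_redirect( $_GET['return_to'], home_url( '/' ) ) : home_url( '/' );
    return '<form method="post" action="">'
        . wp_nonce_field( 'ccg_consent', '_ccg_nonce', false, false )
        . '<input type="hidden" name="return_to" value="' . esc_attr( $back ) . '" />'
        . '<p><button type="submit" name="ccg_accept" value="1">I accept these cookies</button></p>'
        . '</form>';
}
add_shortcode( 'cookie_consent_form', 'ccg_form_shortcode' );
```

    The third-party tags are what the thread says actually matter: wrap the AdSense or Analytics snippet in the theme in `if ( ccg_has_consent() ) { ... }` so it is only emitted after acceptance. The cost of gating before any cookie is set is that search engine crawlers, which carry no cookie, only ever see the consent page; exempting them by user agent would reopen the very behaviour the gate exists to prevent, so decide consciously.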

  8. esmi
    Forum Moderator
    Posted 3 years ago #

    Some EU countries also consider a website in itself to be a business if it has any form of income

    Which countries?

  9. Germany does. I THOUGHT the UK did, but I'm far less to-date on that hair-splitting than I used to be :/

  10. esmi
    Forum Moderator
    Posted 3 years ago #

    In the UK, a company is a very specific legal entity. A web site that generated an income would not be classed as a company.

  11. Dogzzz
    Member
    Posted 3 years ago #

    I have a wordpress blog as a part of a company website and it is all hosted in-house in the UK.

    Is there a plugin that allows wordpress to remain legal after May 26th 2011? Or is there some other way to make my wordpress installation comply with the law after that date? If not I shall have to remove my company blog!

    It does track more than mere session variables too:

    Name wordpress_logged_in_7f0cf5cdeaaf17c3c7b53a1af69464e4
    Value {*** my username ***}
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires At End Of Session

    Name wordpress_test_cookie
    Value WP+Cookie+check
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires At End Of Session

    Name wp-settings-1
    Value align%3Dcenter%26m6%3Dc%26editor%3Dhtml%26m5%3Do%26m9%3Dc%26m10%3Do
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires Tue, 15 May 2012 10:12:59 GMT

    Name wp-settings-time-1
    Value 1305540309
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires Tue, 15 May 2012 10:12:59 GMT

    I would rather be safe than sorry, so how do I get wordpress to ask a user's permission before setting any cookies?

  12. esmi
    Forum Moderator
    Posted 3 years ago #

    http://www.simply-docs.co.uk/Newsletter.aspx?NewsletterID=257

    Note the reference to third party cookies. Plus:

    If a cookie forms an integral part of a website’s functionality – for example, a shopping basket or the storage of a user’s personal preferences – no consent need be obtained and life, for both the website owner and the user, goes on as normal.

    Also http://www.out-law.com/page-10510

    An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent.

    Since WP's functionality requires the setting of non-tracking cookies, it would seem to fall under the "strictly necessary" provision. So if you don't set any 3rd party tracking cookies, I'd wait and see what the UK Information Commissioner's Office has to say. Currently its guidance hasn't changed.

    In the meantime, brush up your privacy policy page, ensure that it mentions that WP sets non-tracking cookies and provide user instructions on how to remove them.

  13. tappenden_de
    Member
    Posted 3 years ago #

    Is there a plugin that allows wordpress to remain legal after May 26th 2011?

    I am working on one to create a landing page where the user gives their consent to the cookies. I don't really like the idea, but it may be the only way on some sites. Here's a preview screenshot.

    Name wordpress_logged_in_7f0cf5cdeaaf17c3c7b53a1af69464e4
    Value {*** my username ***}

    Quite a few of those cookies are only set when you login to WordPress. If your users don't login, then they don't get the cookies. You may want to put a cookie warning above the comment box if that is storing any. If, however, you have a membership site then obviously the members log in, but you could cover the cookie issue in the TOS.

  14. If you're really doing this, it's stupid easy. Keeping in mind that it's the NON-logged in users you need to protect (because a logged in user will be accepting cookies by logging in, more on that in a second), you just need to flip WordPress around to not save cookies for non-logged in users.

    First you change your KEYs and SALTS in the wp-config.php (you can get new ones at http://api.wordpress.org/secret-key/1.1/wpmu/salt). This will force all users to log back in.

    Next you change your registration/login page to alert people to the cookies. There are plugins for this, and on BuddyPress you can edit your theme's template page for registration easily. By having the login/registration page say 'hey, you're gonna get cookies if you log in!' you're now in compliance with EU law!

    Finally you slap this in your header (or functions or a mu-plugin file), to delete cookies on every single page you visit, which will prevent cookies from staying on people's computer ONLY if they're not logged in:

    <?php if ( !is_user_logged_in() ) { wp_clear_auth_cookie(); } ?>

    Mind you, it's totally unnecessary because Esmi's right. It's only third party cookies that are affected. Per-site cookies, that only track ON THAT SITE, are exempt. It's a cookie that tracks BETWEEN sites (see Google Adsense and Analytics) that are a problem with the new law.

  15. SebastianCrumpCOI
    Member
    Posted 3 years ago #

    I don't think it's correct to state it's only third party cookies.

    ICO have released guidance [PDF], for the UK at least. They make it very clear it applies to all cookies that are not 'strictly' (with a narrow definition) necessary.

  16. esmi
    Forum Moderator
    Posted 3 years ago #

    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user.
    [...]
    the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user.

    ICO Guidance Page 3

    WordPress needs cookies to work. Users explicitly request to view your WordPress site by following a link or typing in your url.

  17. tappenden_de
    Member
    Posted 3 years ago #

    WordPress needs cookies to work. Users explicitly request to view your WordPress site by following a link or typing in your url.

    I think that is going to be debatable, because the user cannot know that before he/she visits the site, eg. by clicking on a link.

    If I am on the site already and add something to a shopping cart, then I request the site to carry out an action and that action needs cookies. But I suspect that simply visiting the site will not be sufficient cause, just as the ICO says you cannot simply rely on users to block cookies in their browser.

    But does WordPress really store anything other than a session cookie for normal (ie. not logged in) visitors?

  18. SebastianCrumpCOI
    Member
    Posted 3 years ago #

    Yes, I agree with your assessment tappenden_de

    As far as I can determine from my testing so far (may depend on what plugins you're using), cookies are only used if an 'anonymous' user leaves a comment - WP then puts your name, your email address, and subscribe preference in three separate cookies. As this is just to store those details to save them entering them again for a subsequent comment I do not think they could be described as 'strictly necessary' - more equivalent to appearance preferences used as example in ICO guidance.

    The question is therefore whether it is enough for the user to be informed about that - 'if you comment you will get cookies...', or whether you actually need to get consent (and allow refusal). I'm assuming eventually the latter, but informing would be a good first step and may(!)* allow you to rebuff any initial claims as it demonstrates your awareness and progress to implementation...

    * I am not a lawyer; this is not official advice.

  19. esmi
    Forum Moderator
    Posted 3 years ago #

    does WordPress really store anything other than a session cookie for normal (ie. not logged in) visitors?

    As far as I can tell, it only stores a temporary session cookie.

  20. SebastianCrumpCOI
    Member
    Posted 3 years ago #

    As far as I can tell, it only stores a temporary session cookie.

    Possibly a simulpost; if the user comments persistent cookies are set as I outlined above.

  21. As mentioned, if you comment on the site, as anonymous, it also stashes the name/email/website you used. Otherwise, you get a temp cookie session (which is why I came up with my stupid-easy suggestion to flush cookies if not logged in).

    The question is therefore whether it enough for the user to be informed about that - 'if you comment you will get cookies...', or whether you actually need to get consent (and allow refusal).

    The problem here, and this is why everyone needs to get a lawyer, is that the EU law does not answer that. Frankly, I don't think they know. Given the content of the temp cookies, it's not storing user info as much as site info, and the content may exempt itself from regulation, depending on your interpretation of the law.

    I did ask a lawyer who does IT law and he thinks a decent lawyer could argue this either way, but the real problem is that the folks who made the law and those who will be enforcing and judging it have no clue what the hell a cookie is in the first place.

  22. esmi
    Forum Moderator
    Posted 3 years ago #

    The comment cookie can be addressed by editing your theme's comments.php file - or amending the callback for comment_form() for comment_notes_before and must_log_in - to include a cookie warning.

  23. shahar
    Member
    Posted 3 years ago #

    It's a very interesting thread, thank you all :)

    Have any laws like this ever been enforced? How much should we really be concerned about this?

    (In your strictly non-legal-advisor roles of course!)

  24. Have any laws like this ever been enforced?

    Yes, but not with anything I'd call an understandable standard :/

    How much should we really be concerned about this?

    IANAL, but the consensus from my buddies in Germany is that normal site specific cookies are fine, but advertising/flash cookies are not.

    So ... If you don't have 3rd party cookies, I wouldn't worry.

  25. esmi
    Forum Moderator
    Posted 3 years ago #

    Have any laws like this ever been enforced?

    To quote a parallel example, it's been law in most EU (and non-EU) countries that no web site should discriminate against disabled people for anything from 2 - 11 years. When was the last court case? Equally importantly, when did you last check your web site to ensure that it complies with national and EU anti-discriminatory laws?

  26. shahar
    Member
    Posted 3 years ago #

    Thanks for the opinions.
    Esmi, good point well made :)

  27. SebastianCrumpCOI
    Member
    Posted 3 years ago #

    Interesting point re accessibility, esmi. I am not yet entirely clear as to whether, as in that case, it is up to individuals to bring a case, in which case I agree possibly unlikely (IANAL), or whether it is semi-regulated/monitored as with other Data Protection provisions, which theoretically could lead to more actions being brought.

    Unfortunately, as I manage a government website I don't have any choice about whether I attempt to conform. Also it seems, not unusually, that the UK is taking a much stricter view on what is covered - strangely almost the converse of the German approach outlined above where third party cookies don't matter (as long as you inform users in privacy policy), but consent required for most first party cookies.

    Thanks for the pointers to comment_notes_before etc. esmi.

  28. SebastianCrumpCOI
    Member
    Posted 3 years ago #

    Just to add re differences in UK and German approaches - there isn't anything wrong with either as far as I understand (IANAL). It is up to each EU country to implement as they choose and justify back to EU if challenged. I'm not making any value judgement specifically on which is the better approach (honestly). I'll just say one will be easier to implement and enforce than the other - you decide which way round you think that is :)

  29. esmi
    Forum Moderator
    Posted 3 years ago #

    Also it seems, not unusually, that the UK is taking a much stricter view on what is covered

    Are you sure? Last time I checked (a few days ago), the UK was still fighting the EU on the opt-in laws from about 5(?) years ago.

  30. coder-monkey
    Member
    Posted 3 years ago #

    The UK law is quite specific - all cookies will require explicit consent from the user unless the cookie is specifically required for the website to work (i.e. a shopping basket). The cookies that WP set that relate to the administration of the site can quite clearly be placed in the latter (specifically required), and the session cookie could be defined as strictly necessary if it is also required for the administration aspect, but the cookies that are set when you respond to a post are not strictly necessary, and one of the elements that the law is trying to avoid, as it stores personal information (i.e. name and email address) in plain text files on your computer.

    I believe that this can be fixed by having the response cookies not set unless the user checks a box in the reply field, saying something like "Remember my details". If they do not check it (and it should not be checked as default), then the cookies are not set.

    I would do this change myself on my site, but the change would disappear when I run an update, and would also not be applied to the millions of WP users in the EU/UK!
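    The two fixes proposed in the thread, the cookie warning above the comment form via comment_notes_before (post 22) and the unchecked "Remember my details" box that must be ticked before any comment cookie is set (post 30), as one added example. This is my code, not core code or code from the thread; it is packaged as a must-use plugin so it survives core updates, which is the concern raised above. The cco_ names and the label text are assumptions. It relies on three hooks that exist in core: the comment_form_defaults and comment_form_default_fields filters used by comment_form(), and the set_comment_cookies action to which core attaches wp_set_comment_cookies() in default-filters.php. Later WordPress releases (4.9.6 onward) ship an equivalent opt-in checkbox under Settings > Discussion, so this is only needed on versions without it.

```php
<?php
/*
Plugin Name: Comment cookie opt-in (added example)
Description: Warn commenters about cookies and set comment_author_* cookies only on explicit opt-in.
Install: copy into wp-content/mu-plugins/ so it survives core updates and theme changes.
*/

// 1. Notice above the comment form, through the comment_notes_before default.
function cco_comment_notes( $defaults ) {
    $defaults['comment_notes_before'] = '<p class="comment-notes">'
        . 'Your email address will not be published. Commenting stores no cookie unless you tick '
        . '&quot;Remember my details&quot; below.</p>';
    return $defaults;
}
add_filter( 'comment_form_defaults', 'cco_comment_notes' );

// 2. An unchecked opt-in box. comment_form() only renders these fields for logged-out
//    commenters, and those are the only ones core sets comment cookies for anyway.
function cco_remember_field( $fields ) {
    $fields['cco_remember'] = '<p class="comment-form-cco-remember">'
        . '<input id="cco_remember" name="cco_remember" type="checkbox" value="1" /> '
        . '<label for="cco_remember">Remember my details (keeps my name, email and website '
        . 'in cookies for about a year so I need not retype them)</label></p>';
    return $fields;
}
add_filter( 'comment_form_default_fields', 'cco_remember_field' );

// 3. Core attaches wp_set_comment_cookies() to this action unconditionally in
//    default-filters.php, which loads before mu-plugins, so it can be detached here.
//    The replacement writes the three comment_author_* cookies only when the box was ticked.
remove_action( 'set_comment_cookies', 'wp_set_comment_cookies' );
add_action( 'set_comment_cookies', 'cco_set_comment_cookies', 10, 2 );

function cco_set_comment_cookies( $comment, $user ) {
    if ( empty( $_POST['cco_remember'] ) ) {
        return; // no opt-in: the comment is still saved, nothing is written to the browser
    }
    wp_set_comment_cookies( $comment, $user ); // core behaviour, now consent-gated
}
```

    Themes that hand-build their comment form instead of calling comment_form() will not pick up steps 1 and 2; add the notice and the checkbox to the template by hand, with the same field name. Step 3 acts on the posting side (wp-comments-post.php fires set_comment_cookies after saving the comment), so it holds regardless of how the form was rendered.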
