Add core functions to comply with EU Cookie Law

  1. Ipstenu (Mika Epstein)

    I think we can agree that WordPress can only be held responsible for the cookies a plain install puts down. That is to say, an install with ONLY core files, the default theme, and no activated plugins.

    With THAT in mind, there are two situtions when a user would get a cookie that would be impacted by this statement:

    when the site remembers what they have done on previous visits in order to personalise the content the user is served.

    That happens:
    1) When they log in
    2) When they leave a comment

    That's it.

    So by the strict definitions of 'You need a cookie to stay logged in', all you need for compliance with scenario #1 is up-front details on registration. That requires no code, just a page, call it 'Registration' and have your CYA text there. Then from THAT page, have a link to the real sign up page. That requires a click-through, and you've done your part.

    As for #2, that's where the patch comes in, to a degree. First, you should have a disclaimer on EVERY comment form (easily done in your theme) like:

    "By posting a comment, you agree to abide by the Terms of Use, accept full liability for cookies placed on your system and follow these guidelines..."

    Have a link to what you mean by cookies, and you're, again, legally protected.

    The patch will allow you to add in a checkbox that could, say, be used to "Check here if you don't want cookies..."

    I'm not discussing plugins, or videos, since they're outside the scope of what WordPress, as a first party system, would legally be responsible for.

    Posted: 6 years ago #
  2. Jonathan UK


    I certainly agree that those points are a great start and should definitely be considered within a User Requirements Document.

    If WordPress is to remain publisher-friendly, they should be core functions managed via the admin menu. Aside from catering to technically unsavvy publishers, this will also cover all angles systematically (eg including registrations originating via the Meta widget).

    Cookies and existing users

    Another requirement arising from the EU cookie law is that publishers (and therefore WP) must gather opt-in consent from all previously registered users. Simply updating a site's Ts & Cs won't suffice:

    >>> "it is important to note that changing the terms of use alone to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms. To satisfy the new rules on cookies, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms."

    WP must also address this via core functionality. I can't speak to the best technical solution, but it may involve placing (with consent) an additional "cookie consent storage cookie", so users don't have to be asked every time they come back to the site.

    WP and plugins that use cookies

    Whether and how WP chooses to address the issue of managing cookie consent for plugins will depend upon its level of interest in meeting the needs of developers, publishers and end users (which will, in turn, impact upon the willingness of publishers and end users to keep using it).

    > Is it best to require all plugin developers to replicate (possibly in myriad different ways) coding that seeks consent to receive cookies? Is it efficient in coding terms? Will it look good at the front end? How can plugin-related consents, including the ability to opt out of each individually in the future, best be managed?

    > Do publishers want end users to be presented with intrusive requests for cookie consent from multiple plugins at multiple points during their user experience?

    > What would the best overall legally compliant solution look like from an end user's perspective and to what extent does WP wish to enable publishers to deliver this?

    Rather than just identifying and addressing the bare minimum that WP needs to do, wouldn't it be best to identify how WP can provide the tools to provide an overall solution?

    Why not tackle the issue in a way that creates a selling point to European publishers? You can imagine a tick list of features:

    "WordPress enables full compliance with the EU Cookie Law:

    - No manual coding or template changes required
    - Admin menu-driven cookie consent management for core WP features
    - Admin menu-driven cookie consent management for WP plugins
    - Single stage end user cookie consent collection (tick list of cookies with summaries of related functions)
    - End user cookie consent control panel (view and change consents on a per-cookie basis at any time)
    - Automatic disabling of plugins based on end user consents
    - etc, etc... "

    This isn't meant to be an exhaustive or prescriptive list - just an idea of how WP's response to the introduction of this (ridiculous) law could be turned to its significant benefit. Why not grab that first mover advantage while you can?

    Posted: 6 years ago #
  3. emerym

    With a threat of a £500,000 fine for those that do not comply with the EU Cookie Law in June 2012 this is something major that the WP Team need to spend some cycles on. I'm not Google or Amazon, my firm couldn't swallow a fine of that size.

    Given the date by which sites must comply (Why am I only seeing news about this now??) I suggest planning a number of phases with the 1st being a simple 'consent to store cookies' Cookie that if not seen takes users to an opt-in page. If they decline they are taken to a page that explains why they cannot continue to use the site and deletes all relevant past cookies. Later phases can add more functionality.

    To help jump start things this might help: http://www.smartinsights.com/marketplace-analysis/digital-marketing-laws/cookie-privacy-software/

    Something generic that other bits of code can call on would be good. For example I also have Coppermine on my site. Being able to have all code on my site check for the same consent cookie would improve the user experience.

    As others have commented we can all go off an hire coders, but why reinvent the wheel so many times? It's why so many of us use WordPress and the plugins in the first place rather than paying for yet another CMS to be built from the ground up.

    Posted: 6 years ago #
  4. mikeoneill

    Ipstenu and Jonathan

    Our Cookieq button ( http://cookieq.com) gets your site to comply with the law ie. it removes cookies unless visitors click on the button and opt-in to them. There is also an optional banner that can sit on the top of the page to ask visitors to opt-in. It is free for small sites, and works with wordpress. You go to our site, open an account and get your choice of button code from the GetButton page. You can put it on a wordpress page by editing a template file or using an HTML plugin. Email us at info@baycloud.com and we can give you a hand setting it up.

    Posted: 6 years ago #
  5. marksteven1

    I don't agree that WP needs to exert itself too hard in order comply with the legislation. Login functionality, session cookies and things like load balancer cookies are all exceptions under the regulations as they are necessary for the functionality of the site (it's still necessary to explain what they are).

    The real challenge is with advertising, analytics and social media plugins that drop cookies, as this kind of software will not be considered "essential" in terms of the legislation.

    For WordPress Plugin builders who are doing implementations for this category of software, I'd suggest adding a configurable "hook" which enables their plugin to test for the presence of an acceptance condition.

    This would allow website builders to deploy a cookie control widget such as Cookie Control - http://www.civicuk.com/cookie-law or @mikeoneill's (above), and then have their plugin look for a token (always a cookie) left by the cookie control widget.

    That will save website builders from having to add their own conditional statements in their WP themes.

    This isn't really for WP to do though, unless some of the non-essential stuff comes into core.

    I've not used hosted WordPress before, so I don't know whether they offer a server-side analytics solution, but server side analytics looks increasingly necessary as Google Analytics will require a user opt-in if you agree with the UK ICO's interpretation of the rules.

    Going somewhat further off-topic, it's been shown that users really dislike cookies and tend to refuse them when explicitly offered: The UK's ICO lost 90% of their recorded visits in Google Analytics after implementing an explicit cookie opt-in.

    To me this means that as builders of websites we need to avoid using cookies unless they fall strictly into the "essential" category, as the functionality that requires them will not be enabled by 90% of our users.

    Affiliate advertising, display advertising schemes, Facebook buttons etc, should be carefully assessed before you add them to your websites.

    Posted: 6 years ago #
  6. mikeoneill


    It it not right to say all those cookies are "strictly necessary". The law says that cookies can only be placed without consent if they are needed for a service explicitly requested by a user, and the purpose explained. So Login cookies would be OK if their use was explained on a LogIn form but not necessarily the others.
    Also, the term "session cookies" is ambiguous as it has a couple of technical meanings, see my post about it (about the French CNIL guidance) here http://cookieq.com/CookieQ/Blog.
    Any cookie containing a visitor unique value can be used to track people, that is why the law was drafted the way it was.
    Our CookieQ solution http://cookieq.com lets you use some analytics services, such as Google Analytics, in a way that complies with the law. Support for other analytics services is coming.
    CookieQ is working on a number of WP sites, and has been for several months. Contact us ( info@baycloud.com ) for details.

    Posted: 6 years ago #
  7. marksteven1


    You're quite right about session cookies - and it's true that they don't become "strictly necessary" until you encounter a service on a website that requires them.

    Load balancing cookies are for me an unambiguous exception: by requesting a website, you want to be sure that it arrives in your browser.

    My point regarding analytics solutions is that when compliance with the law requires a user to opt in, most users do not. Therefore cookie-based analytics solutions such as Google Analytics may be somewhat less useful to webmasters who have gone for total compliance.

    If anyone has found a way of making Google Analytics work on a compliant website, without requiring an explicit opt-in, I'd love to learn what that is, because nothing occurs to me right now. Incidentally, it's pretty clear that Google are aware of the problem and have yet to unleash a solution: http://techpad.co.uk/content.php?sid=199

    Dragging myself back onto topic... do you think WP should be bringing things like boiler-plate notification text into its build? Not sure I'd be keen on that myself.

    Posted: 6 years ago #
  8. A default installation of WordPress 3.3.1 doesn't appear to create a session cookie for users who are not logged in. However, certain plugins do create sessions (the default session name being PHPSESSID). If your site relies on these plugins and you don't want to hack them in order to comply with the regulations you can do the following to destroy the session for users who haven't logged in:

    1. In your theme folder, find the file functions.php and open it in a text editor
    2. Add the following code near the top of functions.php:
      if (!is_user_logged_in()) {
          $_SESSION = array(); // Clear session variables
          session_destroy(); // Destroy session
          setcookie(session_name(), '', time() - 3600, '/', '', 0, 0); // Destroy session cookie
    3. Save functions.php

    Note that this might have a negative impact on the way your site behaves if the session is critical to the way your site makes use of any plugins that rely on it.

    Posted: 6 years ago #
  9. A follow-up to my snippet of code above. Having tried it on a few sites, I suggest that instead of step 2 above, you try adding the following code to the bottom of functions.php:

    if (!is_user_logged_in()) {
        $_SESSION = array(); // Clear session variables
        setcookie(session_name(), '', time() - 3600, '/', '', 0, 0); // Destroy session cookie
    Posted: 6 years ago #
  10. Andy Macaulay-Brook


    Plus one for this. In the UK the Information Commissioner's Office (ICO) has made the position perfectly clear, as has Jonathan. I'd like to see WP Core having a function for setting cookies that plugin developers should always use. Then a well placed hook would allow plugin or theme developers to trap cookies at the point they are sent by any WP site.

    PS - FWIW I would read the reference in the EU directive to third parties storing information as meaning people who are not the user of the computer. It's not a reference to what we commonly term third party cookies.

    PPS - the only websites I have ever found that do comply are the ICO themselves and people selling solutions to this problem. The UK Parliament, Monarchy, Ministry of Justice, Home Office, 3 main political parties and No 10 Downing Street are all issuing cookies for Google Analytics without the site visitor opting in

    Posted: 6 years ago #

RSS feed for this topic

Topic Closed

This topic has been closed to new replies.

  • Rating

    39 Votes
  • Status

    This idea is under consideration