Add core functions to comply with EU Cookie Law

  1. Rick Leslie


    Surely it would make sense for WP to automatically display a page, to any user whose browser does not supply an opt in cookie with the page request, informing them that access to the site requires consent to cookies being set. Until the user accepts the request they would not be able to access any page on the site. The page could explain the it is necessary in order to comply with EU law.

    Once the user accepts the cookies any future request from their browser would retune the cookie with the request and therefor they would be able to access the site without seeing the request page again.

    Once consent had been obtained, third party plugins would be covered by the acceptance as would Google Analytics.

    I'm not a PHP programmer so I do not have the necessary skill set to do this myself but I wouldn't think it would be hard to implement.

    Unless this, or a similar solution is included urgently I will have no choice other than to discontinue the three blogs that I run and look at alternative solutions :-(

    Posted: 5 years ago #
  2. Jonathan UK


    The ICO's one year grace period expires on 25 May 2012. Time is fast running out, WordPress, and I still don't see a compliant feature in the core product.

    T minus 8 days and counting...

    Posted: 5 years ago #
  3. Ipstenu (Mika Epstein)

    There are a lot of plugins that can do this now. (And people are still arguing if WP even HAS to do it.)

    Posted: 5 years ago #
  4. Jonathan UK


    With the very greatest of respect and credit to those who have made the effort to create plugins that address this issue, I don't want to use a PLUGIN to fulfil what the UK's law enforcer has clearly defined as being legal requirements with which WP needs to comply.

    Why would I entrust my website's ongoing legal compliance to a third party plugin that may or may not be supported and updated to keep pace with WP's changes next week, next month, next year, etc?

    To reiterate the title of this idea, I'm suggesting in the strongest possible terms that WP should add CORE FUNCTIONS to comply with the EU cookie law.

    (And if people are still arguing, they're wasting their breath, not to mention precious time. Are they also members of the Flat Earth Society, by any chance?)

    T minus 7 days and counting...

    Posted: 5 years ago #
  5. Jonathan, I think it's clear that no core update is imminent that will address the new cookie regs, but I'm not sure that one is even needed. As I mentioned in an earlier post in this thread, a vanilla installation of WordPress doesn't seem to place cookies on users' machines, except for some specific instances that can be addressed fairly easily.

    Two key examples: logging into the WP control panel, and leaving a comment. The first example I would expect to fall under the "strictly necessary" provision. The second example couldn't reasonably be described as "strictly necessary", but can be catered for by a line of text above your comment form (perhaps highlighted so it can't be missed) indicating clearly that the user, in leaving a comment, will receive a cookie. If they don't like that, then they don't have to leave a comment.

    IANAL, but to me that seems good enough, and I'm taking a more strict attitude to the regs than many people. If that isn't good enough for you, then there's the option of nuking the cookies after they've been created, using the method I described earlier in the thread.

    WP is actually one of the better CMS because it uses cookies sparingly. There are other CMS I could mention that chuck down a load of cookies for anonymous users the moment they arrive.

    Bear in mind that some third-party plugins put down cookies. WP can't be held responsible for those, and you'll need to deal with them using either a cookie plugin or the method I described (which is a rather brute-force approach).


    Posted: 5 years ago #
  6. Rick Leslie


    I've looked at several plugins. They only deal with cookies that are set by the core WP instalation. They do not deal with cookies related to plugins. I have not yet found a plugin that stops ALL cookies from being set BEFORE the user agrees to them.

    Without the user consent being gained BEFORE ANY cookies are set the website owner is liable to a fine of up to 500,000 UK Pounds.

    Where can I get a plugin that complies with the EU law?

    Posted: 5 years ago #
  7. If your plugins are setting cookies, then a change to core won't solve the problem (although it would be nice if the WP developers created some kind of hook that plugin developers can use to check if cookies are accepted). There are a few things you can do:

    - Contact the developers of the plugin to ask them to provide an effective solution (for example, by giving you a cookieless option, assuming that by doing so it doesn't make the plugin useless)
    - Use the cookie-nuking approach described in my earlier post
    - Use a different plugin or abandon the plugin altogether

    Posted: 5 years ago #
  8. Rick Leslie


    I disagree. If all page requests that do not include a 'cookies accepted' cookie are intercepted and the user is redirected to a page informing them of the reason for the page request intercept then no cookies from either WP core or third party plugins are set up to that point.

    Once the user accepts cookies being set (the acceptance would need to include both first and third party cookies) then the WP core and third party cookies can be set without a problem.

    I have been in contact with the UK's Information Commissioners Office and have been informed that it is not good enough to allow cookies to be set and then send instructions to remove them again. The user MUST ACTIVELY ACCEPT, BEFORE ANY COOKIE IS SET.

    The intercept must therefore take place at the point of the server getting the request for the WP page. If ANY cookie gets set, whether or not it then gets deleted, then an offence has taken place and the site owner is liable to prosecution.

    The UK interpretation of the EU directive is very clear about this.

    Posted: 5 years ago #
  9. Rick Leslie


    One other point is that it's no good just having an index.html/htm/php page to ask for acceptance because all users must content to cookies however they arrive at the site. Therefore, it would seem that the intercept has to be BEFORE any third party plugins are called from the WP Core.

    Posted: 5 years ago #
  10. Rick, I've also been in touch with the ICO for clarification so I understand the situation pretty well. You're correct that users must be given the opportunity to accept cookies before they are placed on their machine.

    But I think you're misunderstanding my point. Apart from the specific cases I mentioned (which can be handled already), WP doesn't set cookies. If third-party plugins do so, then it's the responsibility of the plugin developer to support the cookie regs (or the website owner can choose to use something else, or abandon the plugin).

    Let's say that WP added this cookie option to the core (which I support, because it would enable responsible developers to check for cookie acceptance before setting them). It wouldn't do anything to stop plugins from setting cookies independently, if the plugin developer chose to do so.

    You still have the option of nuking the cookies as per my earlier post. Please try it and see if it solves your problem. You may well find that's all you need to do.

    Posted: 5 years ago #

RSS feed for this topic

Topic Closed

This topic has been closed to new replies.

  • Rating

    39 Votes
  • Status

    This idea is under consideration