
How can we control cookies with new EU legislation?

  • On the 25th May in Europe it becomes illegal for any website owner to set a cookie without the PRIOR explicit permission of the visitor. That means when an individual first visits a website that uses cookies they will have to agree to accept the cookies if they wish to use the site. If they refuse the cookies the site becomes blocked.

    According to the legislators at the EU, this helps protect privacy.

    But how can this be implemented within WordPress?

    As I see it, anyone running a WordPress site which is accessed by people in Europe after 25th May will be doing so illegally.

Viewing 15 replies - 1 through 15 (of 46 total)
  • I’ve been wondering the same thing.

    I was looking for a plug-in that could help with this, maybe to give a warning before the cookie is stored.

    But I see that the PHPSESSID cookie is stored almost immediately when I arrive at a site.

    Shouldn’t affect most bloggers.

    The European Union created a requirement that companies whose websites use cookies to track computers’ use of their sites must seek the ‘explicit consent’ of users for that tracking to be lawful.

    Note a couple things: Firstly, companies doesn’t mean all websites. If you’re not a company, you should be exempt. Second, if you’re not using cookies to track anything, you should also be exempt.

    Now there’s some wiggle room if WP is using a cookie to TRACK anything, but you should grab a lawyer to make sure.

    The trouble is that WP obviously does use a session cookie, and I’m sure that some lawyers will try and argue that this is reason enough to warn visitors.

    Some EU countries also consider a website in itself to be a business if it has any form of income, eg. AdSense or Amazon Associates.

    And doesn’t Google Analytics use tracking cookies?

    But all of this is irrelevant to the discussion. Businesses in the EU have to do this, so the original question is what is important: how do I inform users about cookies and get their consent *before one is set* on a WordPress-based site?

    Popups?

    Host your site in Canada or some less stroppy nation, and use a shell company to own it?

    Don’t use any TRACKING cookies? (WordPress’s cookies do not track the user, they leave site-only info. Google AdSense DOES track between sites, so take off that and you’re okay.)

    Seriously one of the more half baked laws the EU has come up with. But the short answer is WordPress itself DOES leave a cookie, but it doesn’t track anything, and only contains per session info, so you should be okay. I spent a couple hours reading that part of the law. I would check with an EU specialist lawyer to be sure, but I would feel safe, if it were me.

    “Host your site in Canada or some less stroppy nation, and use a shell company to own it?”

    I’m sorry, but that answer is like me saying that US citizens should host their sites outside the U.S. to avoid FCC regulations.

    The FCC don’t care AFAIK – if you live in the US they say the rules apply. I’ve even had discussions where it has been claimed they apply in the EU as well, because our e-commerce sites have buyers in the US.

    The fact is, EU companies already host their websites all over the place, but as long as they have their employees here they will be covered.

    Again, AFAIK even a U.S. company with the European TLD and subsidiary will have to comply.

    That said, if WordPress’s cookie does not track, then I can use a popup or lightbox when the visitor arrives before they see any AdSense etc. and warn them (and just ignore the non-tracking cookie that will already be in place by then). Not that it makes the website any user friendlier, but if it may just have to be done that way.

    “Seriously one of the more half baked laws the EU has come up with.”

    I think we can agree on that 🙂

    If my COMPANY is based in the US, then US laws apply. If my company is based in Canada and I live in the US, it does not. And yes, it’s legal to do that. My father is in Asia, his company in the US. He doesn’t have to have his website comply with the laws of wherever he lives because it’s all above board in the US. It’s a hair splitting semantic, and took a couple lawyers to help us get right, but it does work.

    You do notice I keep coming back to lawyers? You need one. Seriously.

    My layman understanding of the law, and of how WP cookies work with regards to that law, is that WordPress’s site only cookies only ‘track’ if you’re logged in, and even then, not between other sites. Obviously you’ll need a consent to cookie for registration and for AdSense etc.

    Probably the most elegant way would be to make a plugin that, when you visit any WP page on your site, checks for cookies. If it finds none, it redirects you to another page which says “Hi, you don’t have cookies, and since the EU is a prat, you have to consent to let me put them on your computer. Cookies are used to store information like when you last visited, and if you log in, your user information, so no one else can pretend to be you. I promise to never use this information in illegal or unethical ways. If you do not accept to have cookies on your system, you can’t visit this site. Sorry about that.”

    Google up some PHP checks for cookies. They should be usable. You can check what your own site’s cookies look like, the name format and all, to search for.

    esmi

    @esmi

    Forum Moderator

    Some EU countries also consider a website in itself to be a business if it has any form of income

    Which countries?

    Germany does. I THOUGHT the UK did, but I’m far less to-date on that hair-splitting than I used to be :/

    esmi

    @esmi

    Forum Moderator

    In the UK, a company is a very specific legal entity. A web site that generated an income would not be classed as a company.

    I have a wordpress blog as a part of a company website and it is all hosted in-house in the UK.

    Is there a plugin that allows wordpress to remain legal after May 26th 2011? Or is there some other way to make my wordpress installation comply with the law after that date? If not I shall have to remove my company blog!

    It does track more than mere session variables too:

    Name wordpress_logged_in_7f0cf5cdeaaf17c3c7b53a1af69464e4
    Value {*** my username ***}
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires At End Of Session

    Name wordpress_test_cookie
    Value WP+Cookie+check
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires At End Of Session

    Name wp-settings-1
    Value align%3Dcenter%26m6%3Dc%26editor%3Dhtml%26m5%3Do%26m9%3Dc%26m10%3Do
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires Tue, 15 May 2012 10:12:59 GMT

    Name wp-settings-time-1
    Value 1305540309
    Host ***.*******.com
    Path /pages/live/blog/
    Secure No
    Expires Tue, 15 May 2012 10:12:59 GMT

    I would rather be safe than sorry, so how do I get wordpress to ask a user’s permission before setting any cookies?

    esmi

    @esmi

    Forum Moderator

    http://www.simply-docs.co.uk/Newsletter.aspx?NewsletterID=257

    Note the reference to third party cookies. Plus:

    If a cookie forms an integral part of a website’s functionality – for example, a shopping basket or the storage of a user’s personal preferences – no consent need be obtained and life, for both the website owner and the user, goes on as normal.

    Also http://www.out-law.com/page-10510

    An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user – so cookies can take a user from a product page to a checkout without the need for consent.

    Since WP’s functionality requires the setting of non-tracking cookies, it would seem to fall under the “strictly necessary” provision. So if you don’t set any 3rd party tracking cookies, I’d wait and see what the UK Information Commissioner’s Office has to say. Currently its guidance hasn’t changed.

    In the meantime, brush up your privacy policy page, ensure that it mentions that WP sets non-tracking cookies and provide user instructions on how to remove them.

    Is there a plugin that allows wordpress to remain legal after May 26th 2011?

    I am working on one to create a landing page where the user gives their consent to the cookies. I don’t really like the idea, but it may be the only way on some sites. Here’s a preview screenshot.

    Name wordpress_logged_in_7f0cf5cdeaaf17c3c7b53a1af69464e4
    Value {*** my username ***}

    Quite a few of those cookies are only set when you login to WordPress. If your users don’t login, then they don’t get the cookies. You may want to put a cookie warning above the comment box if that is storing any. If, however, you have a membership site then obviously the members log in, but you could cover the cookie issue in the TOS.

    If you’re really doing this, it’s stupid easy. Keeping in mind that it’s the NON-logged in users you need to protect (because a logged in user will be accepting cookies by logging in, more on that in a second), you just need to flip WordPress around to not save cookies for non-logged in users.

    First you change your KEYs and SALTS in the wp-config.php (you can get new ones at http://api.wordpress.org/secret-key/1.1/wpmu/salt). This will force all users to log back in.

    Next you change your registration/login page to alert people to the cookies. There are plugins for this, and on BuddyPress you can edit your theme’s template page for registration easily. By having the login/registration page say ‘hey, you’re gonna get cookies if you log in!’ you’re now in compliance with EU law!

    Finally you slap this in your header (or functions or a mu-plugin file), to delete cookies on every single page you visit, which will prevent cookies from staying on people’s computer ONLY if they’re not logged in:

    <?php if ( !is_user_logged_in() ) { wp_clear_auth_cookie(); } ?>

    Mind you, it’s totally unnecessary because Esmi’s right. It’s only third party cookies that are affected. Per site, that only track ON THAT SITE, are exempt. It’s a cookie that tracks BETWEEN sites (see Google Adsense and Analytics) that are a problem with the new law.
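The consent gate sketched earlier in the thread (a check for cookies that sends the visitor to a consent page) and the three-step recipe just above (rotate keys and salts, warn at login, clear auth cookies for anonymous visitors) can be combined into one must-use plugin. The following is an added example written for this thread; it is not code from any poster or from the WordPress project. It assumes a file dropped into wp-content/mu-plugins/, a consent cookie named cookie_consent, and that the third-party tracking scripts you want held back until consent are enqueued under the script handles listed in ccg_tracking_handles() (the handle names are placeholders; use whatever your analytics or ad plugin registers). It uses only standard WordPress hooks and functions (init, wp_enqueue_scripts, wp_footer, wp_clear_auth_cookie, wp_nonce_field, wp_verify_nonce, wp_safe_redirect) plus PHP's setcookie.

```php
<?php
/**
 * Plugin Name: Cookie Consent Gate (added example for this thread, not an official plugin)
 * Description: Hold back WordPress auth cookies and third-party tracking scripts
 *              for anonymous visitors until they have explicitly consented.
 */

// Name of the first-party cookie that records consent (assumed name).
define( 'CCG_CONSENT_COOKIE', 'cookie_consent' );

// Script handles treated as "tracking" and withheld until consent (assumed handles).
function ccg_tracking_handles() {
    return array( 'google-analytics', 'adsense' );
}

// True when the visitor has already clicked "Accept" on the banner.
function ccg_has_consent() {
    return isset( $_COOKIE[ CCG_CONSENT_COOKIE ] ) && 'yes' === $_COOKIE[ CCG_CONSENT_COOKIE ];
}

// Step 1: accept the consent form POST. The nonce ties the POST to a page we rendered,
// so a cross-site request cannot "consent" on the visitor's behalf.
add_action( 'init', 'ccg_handle_consent_post' );
function ccg_handle_consent_post() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['ccg_consent'] ) ) {
        return;
    }
    $nonce = isset( $_POST['ccg_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['ccg_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ccg_consent' ) ) {
        return; // Bad or missing nonce: ignore silently, the banner simply stays up.
    }
    // The consent cookie itself is "strictly necessary" to remember the choice;
    // HttpOnly keeps page scripts from reading or forging it, Secure is set on HTTPS sites.
    setcookie( CCG_CONSENT_COOKIE, 'yes', time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}

// Step 2: the snippet from the thread, limited to visitors who have neither logged in
// nor consented. wp_clear_auth_cookie() sends expired Set-Cookie headers for the
// wordpress_* auth and logged-in cookies, so nothing lingers for an anonymous visitor.
add_action( 'init', 'ccg_suppress_auth_cookies_for_anonymous' );
function ccg_suppress_auth_cookies_for_anonymous() {
    if ( ! is_user_logged_in() && ! ccg_has_consent() ) {
        wp_clear_auth_cookie();
    }
}

// Step 3: keep cross-site trackers out of the page until consent. Running late
// (priority 100) means plugins that enqueue these handles have already done so.
add_action( 'wp_enqueue_scripts', 'ccg_withhold_tracking_scripts', 100 );
function ccg_withhold_tracking_scripts() {
    if ( ccg_has_consent() ) {
        return;
    }
    foreach ( ccg_tracking_handles() as $handle ) {
        wp_dequeue_script( $handle );
        wp_deregister_script( $handle );
    }
}

// Step 4: the consent banner. Plain HTML form, no JavaScript required, so it also
// works for visitors who block scripts.
add_action( 'wp_footer', 'ccg_render_banner' );
function ccg_render_banner() {
    if ( ccg_has_consent() ) {
        return;
    }
    ?>
    <div id="ccg-banner" style="position:fixed;bottom:0;left:0;right:0;padding:1em;background:#222;color:#eee;">
        <form method="post" action="">
            <?php wp_nonce_field( 'ccg_consent', 'ccg_nonce' ); ?>
            <p><?php echo esc_html( 'This site sets cookies needed for logging in and, if you accept, third-party analytics cookies. Tracking scripts are not loaded until you accept.' ); ?></p>
            <button type="submit" name="ccg_consent" value="1">Accept cookies</button>
        </form>
    </div>
    <?php
}
```

Two caveats a practitioner should keep in mind. First, dequeuing a handle only stops scripts that were enqueued through the WordPress API; a tracker pasted as raw HTML into a theme or widget is not covered and has to be wrapped in the same ccg_has_consent() check. Second, the gate deliberately does nothing for logged-in users, in line with the thread's advice that the login or registration page is where those users are told cookies will be set.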

    I don’t think it’s correct to state it’s only third party cookies.

    ICO have released guidance [PDF], for the UK at least. They make it very clear it applies to all cookies that are not ‘strictly’ (with a narrow definition) necessary.

    esmi

    @esmi

    Forum Moderator

    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user.
    […]
    the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user.

    ICO Guidance Page 3

    WordPress needs cookies to work. Users explicitly request to view your WordPress site by following a link or typing in your url.

  • The topic ‘How can we control cookies with new EU legislation?’ is closed to new replies.