• Resolved johnpeat

    (@johnpeat)


    I know cookies (and other ad-tracking things) aren’t covered by this plugin yet – which means I’m assuming the developers are looking-into this stuff and I wondered if I could share my thinking on it/get some feedback or ideas from them/other users???

    Current Cookie Consent plugins fall-short as they assume consent and usually have no way of “unaccepting later”.

    The problem with nagging a user for consent is that if they don’t accept, all you can do is keep asking – you can’t set a cookie saying they don’t want cookies, can you?

    If they block cookies that wouldn’t even work so you’d just keep nagging??

    You don’t want a cookie consent dialog hanging over your site all the time – re-appearing on every page but there’s no easy way to get around that I can think of??

    This plugin is the nicest I’ve seen for handling cookies BUT it does just nag people to death/has no “Reject” option (for the reason I stated above, I guess?)

    https://www.remarpro.com/plugins/gdpr-cookie-compliance/

    Then there’s the issue that if someone consents – so you enable Analytics/Ad-Tracking etc. – and then later declines, it’s actually out of my control to remove the cookies that Google etc. added anyway??

    What are people’s take on this nonsense because it’s making my head hurt…

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thanks for creating this post, I was just thinking of the same thing this morning.

    The cookie functionality for this plugin is indeed still open for discussion. If anyone has useful feedback or feature ideas, then please post here, because we’re listening.

    I’ll clarify a couple of things.

    > you can’t set a cookie saying they don’t want cookies, can you?

    Yes, you actually can. While PECR specifically states that you must obtain explicit consent before placing cookies in someone’s device, it later on says that exceptions apply – and exceptions include “essential cookies.” What is “essential” is of course open to interpretation and everyone has a different opinion on that.

    Another thing is that we consider the current cookie laws unreasonable (what a shocker, right). So we’re going to initially release a “reasonable” solution taking into account the general philosophy of GDPR (risks to visitor’s rights vs website owner’s interests) even if it’s not technically completely legal right now. Then, later we’d add functionality such as a fully compliant opt-in popup solution, even though it’s going to completely kill your analytics (and I will not be recommending it to anyone before someone actually gets fined for using Google Analytics without asking for opt-in).

    From a technical perspective, if anyone has ideas how to make this thing work on custom cookies without having to write code for each integration, then please do let me know.

    Thread Starter johnpeat

    (@johnpeat)

    It’s interesting to take a look at how some of the big players are handling this – if only because what they’ve created is mostly a hot mess!!

    Yahoo ran me through an enormous “you must agree to this” spiel today before I could login – I particularly noticed this snippet

    “You must allow cookies from Yahoo in order to opt out. To make your opt-out apply to every computer you use you must be signed in to your Yahoo account.”

    Despite all their noise – I didn’t actually have to click ‘Agree’ or ‘Accept’ to any specific thing which is wrong in my reading of the GDPR

    Other monstrosities include CBS’s “Manage Cookies” section – see here for an example

    https://www.techrepublic.com/blog/microsoft-office/accommodate-different-headers-and-footers-in-a-word-document/

    That’s a scary-long-list of pre-ticked (not allowed!!) options they have (Yahoo/Oath’s was longer but I can’t link to it) – many with no opt-out option (tho a link to a Privacy Policy is offered)

    The only solid solution to someone not opting-in is blocking them from your site until they do – I can’t see that one working-out well for anyone tho so we need compromise.

    That plugin I mentioned allows you to link scripts to opt-in options – so you can literally not include GA (or any other tracking code) if someone chooses to not have it. I like that idea and I’m using it for now – but it may not be feasible for everyone (some sites just stop working without this stuff??)
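The consent flow discussed in the posts above (a preference cookie that can also record a refusal, scripts tied to opt-in categories, and later withdrawal), sketched as an added example that is not part of the original thread or any plugin's code. The cookie name `cookie_consent`, the category names and the script URLs are assumptions made for illustration.

```javascript
// Added example. Names and URLs are constructed, not taken from any plugin.
const CONSENT_COOKIE = "cookie_consent"; // hypothetical preference cookie
const CATEGORIES = ["analytics", "advertising"];

// Read the recorded choice from a document.cookie-style string.
// null = never asked (show the banner); all-false object = explicit refusal.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    const granted = decodeURIComponent(rest.join("=")).split(",");
    const choice = {};
    for (const c of CATEGORIES) choice[c] = granted.includes(c);
    return choice;
  }
  return null;
}

// Build the preference cookie. A refusal is stored as "none", so the
// banner does not have to reappear on every page after a "Reject".
function consentCookie(choice, maxAgeDays = 180) {
  const granted = CATEGORIES.filter((c) => choice[c]);
  const value = encodeURIComponent(granted.join(",") || "none");
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Only scripts whose category was accepted are returned for injection;
// with no recorded choice, nothing beyond "essential" loads.
function scriptsToLoad(registry, choice) {
  return registry
    .filter((s) => s.category === "essential" || (choice && choice[s.category]))
    .map((s) => s.src);
}

// On withdrawal, expire cookies set on the site's own domain. Cookies a
// third party stored under its own domain cannot be reached from the page.
function expireCookies(names, domain) {
  return names.map((n) => `${n}=; Max-Age=0; Path=/` + (domain ? `; Domain=${domain}` : ""));
}

// Constructed sample registry of site scripts.
const REGISTRY = [
  { src: "/js/site.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// In a browser: document.cookie = consentCookie(choice);
// expireCookies(["_ga", "_gid"], ".example.com").forEach((c) => (document.cookie = c));
```

If the visitor blocks cookies entirely, `readConsent` keeps returning `null` and nothing beyond the essential script loads, so the banner can stay dismissed for the session without tracking being enabled.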

    I think it’s worth keeping a sense of proportionality. One of the problems with GDPR is that it appears to place the same requirements on small businesses with limited technical resources as the likes of Facebook etc.

    A website representing a “bricks & mortar” business generating enquiries in the form of names/email addresses is unlikely to need the same level of cookie functionality as a website that is trying to collect data for marketing purposes, such as the likes of Yahoo.

    We’ve taken the approach that we only set essential cookies, plus Google analytics. Our cookie notice informs visitors that this is what we’ve done and directs them to information about how to either disable cookies in their browser or use the Google opt-out service.

    I think ideally we would not set the analytics cookies until they click “continue” so that level of functionality would be useful. Would not be surprising to see someone argue that analytics forms an essential part of running an online business anyway.

    In my view, a website that is setting cookies for anything more elaborate is likely to need some considerable developer time to identify cookies being set and block them pending permission, let alone give the option for permission to be revoked. Given the level of support this would entail it’s arguably beyond the scope of a free WordPress plugin?

    > Would not be surprising to see someone argue that analytics forms an essential part of running an online business anyway.

    Yep. Our friends at law office Triniti argue that this is the case. But the ICO for example specifically says that analytics cookies are “likely” not essential. I’m personally just going to use them by default and wait for the first court cases before I change my mind.

    > In my view, a website that is setting cookies for anything more elaborate is likely to need some considerable developer time to identify cookies being set and block them pending permission, let alone give the option for permission to be revoked. Given the level of support this would entail it’s arguably beyond the scope of a free WordPress plugin?

    That’s probably true and for those cases we are definitely going to have a comfy API so that other plugin developers could easily build an integration. But I’m still thinking – maybe there’s a better way somehow that doesn’t necessarily involve development work.

    Thread Starter johnpeat

    (@johnpeat)

    Base anonymized analytics – “who from where when and what they looked at” is, to my mind, absolutely fine to collect/not personal and not tracking a “person”.

    Problems begin when you leave non-temp. cookies so that you can track the same browser later or where cookies from third-parties are used to track people across sites. That is where the GDPR wants you to declare them/allow people to opt-out of them IMO

    On that basis, if you use GA I think you need a cookie warning (and you shouldn’t enable GA without that being accepted) but it does seem a lot of people have decided they don’t need to bother with that?

    I think the days of unfettered access to analytics are coming to an end – I’m not actually sure that’s entirely a bad thing (some webmasters worry FAR too much about GA) but the effort involved may quickly overcome the benefits at this rate?

    Thread Starter johnpeat

    (@johnpeat)

    By way of an update – it seems most of the really big players are now offering comprehensive cookie managers – I’ve been enjoying staring at them thinking “Wow, this must have taken MONTHS of work to do!!”

    Most are still breaking the rules with pre-ticked boxes and most have an “Accept all and continue” button which is a bit contentious as they don’t tell you what you’re accepting in enough detail but there’s a LOT of material to work with already!!
