How can we control cookies with new EU legislation?

WordPress needs cookies to work. Users explicitly request to view your WordPress site by following a link or typing in your url.

I think that is going to be debatable, because the user cannot know that before he/she visits the site, eg. by clicking on a link.

If I am on the site already and add something to a shopping cart, then I request the site to carry out an action and that action needs cookies. But I suspect that simply visiting the site will not be sufficient cause, just as the ICO says you cannot simply rely on users to block cookies in their browser.

But does WordPress really store anything other than a session cookie for normal (ie. not logged in) visitors?

Yes, I agree with your assessment teppenden_de

As far as I can determine from my testing so far (may depend on what plugins you’re using). Cookies are only used if an ‘anonymous’ user leaves a comment – WP then puts your name, your email address ,and subscribe preference in three separate cookies. As this is just to store those details to save them entering them again for a subsequent comment I do not think they could be described as ‘strictly necessary’ – more equivalent to appearance preferences used as example in ICO guidance.

The question is therefore whether it enough for the user to be informed about that – ‘if you comment you will get cookies…’, or whether you actually need to get consent (and allow refusal). I’m assuming eventually the latter, but informing would be a good first step and may(!)* allow you to rebuff any initial claims as it demonstrates your awareness and progress to implementation…

* I am not a lawyer; this is not official advice.

does WordPress really store anything other than a session cookie for normal (ie. not logged in) visitors?

As far as I can tell, it only stores a temporary session cookie.

As far as I can tell, it only stores a temporary session cookie.

Possibly a simulpost; if the user comments persistent cookies are set as I outlined above.

As mentioned, if you comment on the site, as anonymous, it also stashes the name/email/website you used. Otherwise, you get a temp cookie session (which is why I came up with my stupid-easy suggestion to flush cookies if not logged in).

The question is therefore whether it enough for the user to be informed about that – ‘if you comment you will get cookies…’, or whether you actually need to get consent (and allow refusal).

The problem here, and this is why everyone needs to get a lawyer, is that the EU law does not answer that. Frankly, I don’t think they know. Given the content of the temp cookies, it’s not storing user info as much as site info, and the content may exempt itself from regular, depending on your interpretation of the law.

I did ask a lawyer who does IT law and he thinks a decent lawyer could argue this either way, but the real problem is that the folks who made the law and those who will be enforcing and judging it have no clue what the hell a cookie is in the first place.

The comment cookie can be addressed by editing your theme’s comments.php file – or amending the callback for comment_form() for comment_notes_before and must_log_in – to include a cookie warning.

It’s a very interesting thread, thank you all ??

Have any laws like this ever been enforced? How much should we really be concerned about this?

(In your strictly non-legal-advisor roles of course!)

Have any laws like this ever been enforced?

Yes, but not with anything I’d call an understandable standard :/

How much should we really be concerned about this?

IANAL, but the consensus from my buddies in Germany is that normal site specific cookies are fine, but advertising/flash cookies are not.

So … If you don’t have 3rd party cookies, I wouldn’t worry.

Have any laws like this ever been enforced?

To quote a parallel example, it’s been law in most EU (and non-EU) countries that no web site should discriminate against disabled people for anything from 2 – 11 years. When was the last court case? Equally importantly, when did you last check your web site to ensure that it complies with national and EU anti-discriminatory laws?

Thanks for the opinions.
Esmi, good point well made ??

Interesting point re accessibility, esmi. I am not yet entirely clear as to whether as in that case it is up to individuals to bring a case, in which case I agree possibly unlikely (IANAL), or whether a semi-regulated/monitored as in other Data Protection provisions – theoretically could lead to more actions being brought.

Unfortunately, as I manage a government website I don’t have any choice about whether I attempt to conform. Also it seems, not unusually, that the UK is taking a much stricter view on what is covered – strangely almost the converse of the German approach outlined above where third party cookies don’t matter (as long as you inform users in privacy policy), but consent required for most first party cookies.

Thanks for the pointers to comments_notes_before etc. esmi.

Just to add re differences in UK and German approaches – there isn’t anything wrong with either as far as I understand (IANAL). It is up to each EU country to implement as they choose and justify back to EU if challenged. I’m not making any value judgement specifically on which is the better approach (honestly). I’ll just say one will one will be easier to implement and enforce than the other – you decide which way round you think that is ??

Also it seems, not unusually, that the UK is taking a much stricter view on what is covered

Are you sure? Last time I checked (a few days ago), the UK was still fighting the EU on the opt-in laws from about 5(?) years ago.

The UK law is quite specific – all cookies will require explicit consent from the user unless the cookie is specifically required for the website to work (i.e. a shopping basket). The cookies that WP set that relate to the administration of the site can quite clearly be placed in the latter (specifically required), and the session cookie could be defined as strictly necessary if it is also required for the administration aspect, but the cookies that are set when you respond to a post are not strictly necessary, and one of the elements that the law is trying to avoid, as it stores personal information (i.e. name and email address) in plain text files on your computer.

I believe that this can be fixed by having the response cookies not set unless the user checks a box in the reply field, saying something like “Remember my details”. If they do not check it (and it should not be checked as default), then the cookies are not set.

I would do this change myself on my site, but the change would disappear when I run an update, and would also not be applied to the millions of WP users in the EU/UK!

The UK law is quite specific

This isn’t UK law – it’s EU law. Semantics, possibly but there is a difference ??

I believe that this can be fixed by having the response cookies not set unless the user checks a box in the reply field,

Or by displaying a clear warning immediately above the comment area.