EU cookie law compliance (in WordPress)
By 26th May 2012 all websites in the UK are supposed to comply with the 2009 changes to the EU Privacy and Communications Directive, and this means paying attention to how any website deals with cookies. This website – just as almost any other website – uses cookies to improve the user experience for things like sharing buttons, and to gather stats on visitor numbers via Google Analytics.
So what’s to be done to bring this site, and the dozens of others I’ve built over the years, into compliance with the new rules? That’s where it gets complicated. The ICO has released guidance about how this should be done, but it’s as clear as mud. So I’ve experimented a bit, and spoken to a few people, and these are my conclusions.
Firstly, I have looked at explicit consent plugins for WordPress – essentially displaying some sort of warning message to site visitors, telling them that cookies will be set. I’ve particularly evaluated EU Cookie Directive and Cookie Control. There are pros and cons of each. EU Cookie Directive displays a prominent message at the top of any page – it’s in your face and almost forces people to comply as a result. Cookie Control is more subtle, sitting at the bottom left of your screen, and also has better compatibility with Google Analytics and has better control over which countries should show the warning.
BUT the first day running this site with Cookie Control installed, site visitors to Google Analytics plunged 80%. Visitors were either not giving consent, or did not understand what the whole thing was about. Also how all of this applies to mobile devices, and old browser versions (IE) is a minefield.
So I am – for now – going for the same sort of approach that the UK government itself is using for its own sites, as explained by the Cabinet Office here. Hence I am not going to be seeking prior approval for cookies, but – for this site and for any others that I host – explaining clearly and simply what first party and third party cookies are set, how these can be controlled by an individual visitor, and explaining clearly what will be done with any data submitted by users of sites. The privacy statement for this blog can be found here.
I don’t wish to completely over-simplify the issue, but it is my intention to completely the whole thing until I either see the majority of sites on the web implementing it fully – or – I get a letter/email from the ICO addressed to me personally.
Not necessarily, any embedded content can produce third-party cookies with requests it doesn’t have to be JavaScript based. Even an image or video hosted on a third-party site can drop a cookie.
You also have a lot WordPress plugin’s creating first-party cookies at the server (PHP) level, some needlessly, while many need cookies to function, however, create them at times when they are not required.
For example, I found that a contact form plugin on one of my sites, which needs a cookie on each page with a form (csrf token to stop attacks), was dropping cookies on every page even those without a form. Okay, probably okay and such cookies are exempt from what I can gather when used properly. However, still a sign of poor implementation which could be improved upon as apart of compliance.
Regards,
Andrew
Well, with JS disabled, there’s bound to be very little (if any) 3rd party tracking going on anyway, no?
Interesting Frank, however, what about when JavaScript is disabled?
A middle-road might be to at least stop (3rd party) cookies for users who have explicitly set their browsers to “tell websites they do not want to be tracked”, which can be done with WP DoNotTrack (of which I am the author, to be totally honest)?
“I have noticed a serious drop in visitors since the Cookie Control plugin ”
You will do, even the ICO saw a 90% drop in GA according to data gathered via the freedom of information act and we can assume of that 10% many people were only interested in the ICOs implementation of the law. So I would ,therefore, imagine regular sites would see even more of a drop.
You couldn’t make it up – UK Government web sites will not meet the cookie directive deadline!
http://www.bbc.co.uk/news/technology-18090118
@Kevin – thanks for the comment. Do let me know how it goes!
I have noticed a serious drop in visitors since the Cookie Control plugin was installed and I am now experimenting with the EU country filters to ensure that non EU countries don’t see it. If that doesn’t work then I am going to scrap the whole bloody thing and take a risk.
The Information Commissioner has issued “guidelines” about UK based sites that are hosted abroad, ie the USA, but these guidelines are muddying the water. Having worked for the EU for four years and have Freedom of Information as part of my day job I don’t hold out much hope for rapid clarification.
I wonder where the information thata user rejected the cookies is stored. Is this considered information necessary to provide the service the user requested (in fact is is not first party cookies but cookies necessary for the working of the site and provision of the service the user requested which donot require consent)?
The problem with this law, like data protection generally and all forms of online regulation, is going to be in enforcement. It’s all very well having myriad laws but the internet is still almost un-policeable due to it’s unprecedented speed. the only real way of enforcement is via high publicity, so that users of websites are so aware of the law that they will think twice before using a website that doesn’t request their permission for cookies.
Jon, Devil,
The Google Analytics script places cookies in the website’s domain (so they are 1st party in the strict technical sense), one of the values encoded is unique to every visitor and is sent (using Ajax) to Google every time they visit a page. Because this ajax call is sent from a visitor’s browser the IP address is theirs and is allso communicated to Google.
Some say that the UUID thus encoded does not contain personally identifiable information so cannot be used to track people for behavioural advertising or other purposes. This is disingenuous because any software engineer would be able to take this unique value and use it as a key to a databse containing information gathered elesewhere (that could contain PII).
Article 5(3) and the PECR were designed to make it a requirement that individuals be given a choice on whether this information is transmitted and this sort of situation is exactly what it was meant to target.
The “cookie law” has been mis-characterised as a techically ignorant regulation foisted on businesses by European bureaucrats. In fact it was motivated to uphold old fashioned liberal (even libertarian) priciples to give individuals a say in whether and how information about them is used. The regualtors and the law will now in any case become irrelevant because the issue is out in the open. This will mean that buisnesses will compete with each other to show to their potential customers that they also value their privacy.
Jon,
At my work, we have been having similar discussions. As a result, I looked at the law itself, and the ICO guidance notes (both versions) and wrote a summary document which we have passed through our lawyers.
They seem incredibly sure that the approach that you are taking—especially as regards Google Analytics—is not legal. First party cookies,e.g. session cookies used by the CMS to optimise experience (or other critical features) are being treated rather more laxly than persistent third party cookies, e.g. Google Analytics.
DK