Need help? Check out our Support site, then


Wordpress and Cookies

  1. I edit a blog on behalf of a company and I've received the following enquiry from them re the use of cookies on WordPress.com:

    I have been completing a cookie audit for all the Smiths News websites due to the legislation change that will be enforced on 26th May 2012. Could you confirm for me whether the Smiths News Community Week Blog uses cookies, and if it does, what sort of cookies are used?

    Searching through the WordPress Forum and Support pages it does look like WordPress does use Cookies. However, I'm not clear on the way they're used or the answer to the question re the type used.

    Can anyone help me please?

    Here's a link to the EU legislation change info which led to this query being raised. I see the page has a message at the top telling the user the site uses cookies and giving them the option to switch them off. Will WordPress be implementing something similar in order to comply?

    http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx

    The blog I need help with is communityweek.smithsnews.co.uk.

  2. Correction the site I linked to gives the user the option to accept the use of cookies

  3. I'll tag this thread for staff attention as we volunteers can't answer this. Only staff can.

  4. Thanks thesacredpath, that's very helpful :)

    I thought that would be the case, but it looks like raising a question directly with support has been switched off for now, hence my raising it here.

    It looks like it's a topic quite a few EU based companies will be dealing with in the next month or so, so there might be the need for updating the Support pages so the team doesn't get inundated with enquiries.

  5. Yeah, they need to publish some sort of official statement on this and put something up in the support section so that people can refer to it as needed.

  6. This is getting urgent now, I've had two emails in the last 10 minutes asking me the same question. Now the date has changed to May and the implementation is in May everyone has woken up. Potentially the fine for non-compliance in the UK is up to £500,000. It's very unlikely that anyone is going to get fined without a first warning, but the magnitude of this should not be underestimated. If WordPress has no solution everyone in the EU could start switching off their WordPress sites later this month!

  7. Officially, we have no answer yet. Our legal team is still waiting to see how things take shape, but we are keeping an eye on it.

    Unofficially, our servers are hosted in the US, so all WordPress.com blogs should fall under US law, and this has been proven many times in the past. Only time will tell if such precedent extents to the new EU cookie law.

    If every blog on WordPress.com had to abide by every law of every country on the globe, we wouldn't exist.

  8. Thanks for getting back to me macmanx - has your unofficial response actually been tested in court for other EU laws applying to blogs? This looks to be a very murky area when the blog author/editor and blog owner are EU based and are only buying a hosting service from WordPress.

    Can I suggest again that a statement is placed on the official WordPress.com help pages, so that other EU based bloggers don't potentially clutter up the forum with similar queries. Thank you.

    Are you also saying the blog has to comply with US law? What help is there available for a non-US based blogger to help them comply if this is the case?

  9. Unfortunately the advice on the UK Information Commissioner's website is that, even if a site is hosted outside the UK, the website owner is responsible for ensuring it meets UK law, so the fact that WordPress is hosted in the US would not seem to help us! It seems to me Facebook, Google, Twitter etc all have the same problem too and the UK/EU position would be difficult to enforce, though recently the EU threatened action against Google. It's all rather a mess.

  10. Thanks for getting back to me macmanx - has your unofficial response actually been tested in court for other EU laws applying to blogs?

    No, because such a thing has not come up yet, hence it being unofficial.

    Can I suggest again that a statement is placed on the official WordPress.com help pages, so that other EU based bloggers don't potentially clutter up the forum with similar queries.

    We won't be making any official statements until our legal team is absolutely sure.

    Are you also saying the blog has to comply with US law? What help is there available for a non-US based blogger to help them comply if this is the case?

    As long as you abide by our terms of service, you're abiding by US law. In a fringe case that other issues arise, we can provide some help.

    Unfortunately the advice on the UK Information Commissioner's website is that, even if a site is hosted outside the UK, the website owner is responsible for ensuring it meets UK law, so the fact that WordPress is hosted in the US would not seem to help us!

    That bit has yet to be proven in the court of law, so we are not making official statements or taking official action yet.

  11. I've been doing a bit of research and not even some of our Government websites are compliant with what the EU/our Information Commissioner wants, however it would still be useful to have a clear statement from Automattic about opt in/out ... and perhaps for someone senior at Automattic to write to the EU who started all this in the first place. I sympathise with what they are trying to do, but it's clearly very difficult to comply 100%.

  12. Hi - just had this update:

    "One of our Analysts believes that the cookies are also not stored to disk – do you know if this is correct? If this is the case then it would fall outside the current regulations."

    Can you confirm if the cookies aren't stored to disk - there's a glimmer of hope for us all...

  13. Well, all cookies are stored in the browser (and therefore on your disk), that's how cookies work.

    The data, however, is not stored in the browser. The cookie is just a reference.

  14. Thanks - I'll pass that on...

  15. MacManx, can you confirm something for me?

    Are the cookies needed only for editors i.e. blog owners? In which case it is much less of a problem. If cookies are needed in order for someone to read my blog, I would want to have some sort of warning/permission system.

    Just for reference: I want to operate within UK/EU law, regardless of WordPress's 'position' on this. I will move my blog if it appears WordPress will not support its legal operation. So will thousands of other EU organisations.

  16. If cookies are needed in order for someone to read my blog, I would want to have some sort of warning/permission system.

    There is one cookie saved for each visitor to identify them as unique vs. returning.

    I want to operate within UK/EU law, regardless of WordPress's 'position' on this.

    Just to clarify, we do not yet have a position on this, and neither does the EU for that matter. The EU established suggested cookie guidelines and left it up to each member nation to establish a law around the suggested guidelines.

    This is one of the larger reasons for why we have not yet established a position on the issue, because there is no 100% clear issue to establish a position on. And that will never be certain until each nation clearly ratifies each law and such laws are brought in front of a court of law.

    For more details, please see this great reply from a fellow WordPress.com member like yourself: http://en.forums.wordpress.com/topic/eu-cookie-law-what-can-i-do?replies=16#post-888494

  17. The following is from our legal team:

    We’re aware of the recent EU privacy directive and the related UK Cookie Law. As of now, the relevant authorities haven’t issued concrete guidance on the actions that are necessary to comply with the law. We’ll be watching as the situation develops and may make changes to our services in the future, if required.

    For now – since sites hosted at WordPress.com do make use of cookies, you may like to flag this fact for visitors to your site. One way to do this is to add a text widget to your side bar and include a link to our privacy policy (which contains information on the cookies that we use). You might also inform your visitors that they can refuse all cookies by changing the settings of their browsers.

    Our Privacy Policy can be found here:

    http://automattic.com/privacy/

    Instructions for adding a text widget to your site can be found here:

    http://en.support.wordpress.com/widgets/text-widget/

  18. I posted this on the other thread too, but it's very relevant and may reassure others in the UK, as its a climbdown from the Information Commissioner on the issue of 'implied consent':

    The UK Information Commissioner's Office issued new guidance yesterday (25 May 2012) which should reassure people. The main issue here is that 'implied consent' now seems acceptable, provided that you make this very clear and visible to users of your site, but don't take anything from me, read the article: http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx

  19. cruciblelearning
    Member

    The statement that WordPress sites do not use cookies maybe somewhat misleading as some widgets - the Twitter feed for example - is gathering and publishing information from other people and is, therefore, covered by the new legislation. Without the ability to add code to WordPress sites to ask people to opt-in/out of cookies the only option appears to remove such widgets!

  20. @ Cruciblelearing: There is no need in the UK to remove anything that has cookies following the Information Commissioner's revised guidance on 25 May 2012. What is important is that you explain openly and prominently what cookies you may have on the site and then make a clear statement about implied consent. If you include the useful points you make about Twitter feeds in your Cookies policy statement, and on my sites I have this as main menu item (if you bury it in a footer or small widget that is unlikely to be compliant), then you should be fine.

  21. ldhltd - your news re the Commissioner's revised guidance is welcome. However, I suspect most WP users won't know which widgets they're using use cookies. I'd make a stab at WP itself (e.g. for gathering stats), Twitter feed (if used), after that I'm stumped.

    Is there a way of finding out which widgets use cookies, or is it sufficient to say in your cookies policy that you're using widgets some or all of which may be using them and give a couple of examples?

  22. PS I'd also link to WP's privacy policy

  23. @vegplotting Well I'm not a legal expert and the Information Commissioner's advice had a lot of people including Ministers and Government Departments confused, but if in doubt I think listing the key suspect widgets, eg anything that collects or feeds data ... not images ... and saying that (a) cookies may be used (b) they are controlled by external sites and that users should check the cookie policy on that external site should cover you. Obviously don't use the word 'widget' itself as nobody would have a clue what that meant! Policies can be fairly general, they are expected to remain up to date for a fair time, you can't be checking every aspect every day. And yes, I also link to WP's own privacy policy: if you're clear where your responsibility lies and where users need to look at someone else's policies you're going a long way to being compliant. And if you really don't know, saying you don't know is more compliant than saying nothing or pretending you do know. The principles seem to rest on (a) transparency and (b) informed choice for the user, not being 100% perfect.

Topic Closed

This topic has been closed to new replies.

About this Topic