The EU Cookie Law and WordPress: Where We Are, and Where We're Going


Published on

My presentation was delivered at WordCampUK Edinburgh on 14 July 2012. In it, I update the WordPress community on what has changed with the EU Cookie Law since it went into force on 25 May of this year, how and have responded, and what new problems have arisen as a result of well-meaning cookie compliance solutions. I also touch on what's ahead for the cookie law and draw some conclusions about its future.

As with my previoius work, no comments will be accepted from parties with a financial interest in cookie law applications or consultancies.

This presentation is not legal advice.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 325 – Brighton and Sussex – ebay 225 – Belfast – disused building
  • The EU Cookie Law and WordPress: Where We Are, and Where We're Going

    1. 1. WordCamp Edinburgh UK 2012 14 July 2012 The EU Cookie Law and WordPress: Where We Are, and Where Were Going Heather Burns14 July 2012 WordCamp Edinburgh UK 2012
    2. 2. Where we are, and where were going  What has happened  What has changed  How the WordPress community has responded  How things are getting better  How things are getting worse  Whats next for the law  What ifs?14 July 2012 WordCamp Edinburgh UK 2012
    3. 3. Earlier cookie law work “The EU Cookie Law, WordPress, and You” was created in late January, before the law went into effect. The presentation addresses the moral and practical problems with the law. “The EU Cookie Law and its Punishments” was written in April to counter the scaremongering that we saw in advance of the law taking effect. Both are available on my blog at http://idea15.wordpress.com14 July 2012 WordCamp Edinburgh UK 2012
    4. 4. I AM NOT A LAWYER I prefer to be addressed as “Consigliere.”14 July 2012 WordCamp Edinburgh UK 2012
    5. 5. What is the EU Cookie Law? The Privacy and Electronic Communications Regulations (EC Directive) 2003 is the UKs own implementation of a set of directives from the EU covering the access and storage of information gained through electronic means. In 2009 the EC updated the Directive to include web cookies. There is not one “EU Cookie Law”. There are 27 of them. Processes which are compliant in one country would not be compliant in others. Today were talking about the UK implementation of the law.14 July 2012 WordCamp Edinburgh UK 2012
    6. 6. Missing the point entirely The fundamental misunderstanding that has driven this law – and all the noise around it – is that cookies are the problem. Cookies are mere strings of code. They are a means to an end. What human beings do with the data resulting from the cookies is the problem. But this law, and some theoretical purists, view cookies - the mechanism - as the problem. Poor PR about the law has equated the existence of a cookie with the presumption of guilt. Ironically the preoccupation with the mechanism has ruined any chance for a meaningful debate about privacy.14 July 2012 WordCamp Edinburgh UK 2012
    7. 7. Who enforces this law? The style of implementation of the Directive, enforcement, and penalties are the jurisdiction of each EU member country. The EU monitors member implementations and takes legal action against countries which have failed to comply. In the UK, administration and enforcement falls to the Information Commissioners Office (ICO). This is a non- departmental UK government agency whose jurisdiction includes the devolved nations. The UKs cookie law went into effect on 25 May 2012.14 July 2012 WordCamp Edinburgh UK 2012
    8. 8. ICOs ever-shifting goalposts First round of discussion (2010): Implied consent is no longer acceptable Express consent must be granted for third party cookies Second round of formal guidance (2011) Implied consent is no longer acceptable Express consent must be granted for all nonessential cookies Must block cookies from being set before consent is granted Information about cookies must be provided in clear language Third round of guidance (25 May 2012) Implied consent is okay as long as an opt-out is provided Cookies can be set before consent is granted Information about cookies must be provided in clear language14 July 2012 WordCamp Edinburgh UK 2012
    9. 9. The deadline day farce On Friday 25 May - “deadline day” - many of the UKs biggest web sites went live with implied consent opt-out boxes. Haud on, thats no whit we were tellt!14 July 2012 WordCamp Edinburgh UK 2012
    10. 10. The deadline day farce While we were struggling to get to grips with the 2011 guidance (express consent), ICO had already given the wink- wink-nudge-nudge to major web sites to carry on with implied consent. ICO publicised their updated guidance to the public only after implied consent structures went live.14 July 2012 WordCamp Edinburgh UK 2012
    11. 11. ICO demonstrate their expertise Iteration one of ICOs own cookie law disclaimer had seventy three words. This was the time when they were encouraging web site owners to follow their example. Iteration two has twenty eight.14 July 2012 WordCamp Edinburgh UK 2012
    12. 12. ICO demonstrate their expertise For the past month or so, failing to opt-in to cookies on ICOs own web site creates an infinite loop which prevents visitors from going past the home page. This technical glitch means that the basic display of statutory information in textual format is conditional upon cookie acceptance – and that is not how the law was intended to work.14 July 2012 WordCamp Edinburgh UK 2012
    13. 13. Is this law enforceable? ICO have said they will take a “practical and proportional” approach to cookie law enforcement. Monetary penalties are only applied in severe data breaches, such as those which directly threaten the life and safety of the public. Aside from ad hominem deployments of spyware, I cannot think of any situation where cookies would put the life and safety of the public at risk.14 July 2012 WordCamp Edinburgh UK 2012
    14. 14. Are ICO preparing the ground? 350 300 My February presentation 250 200 150 Penalty fee (in 000s) 100 50 0 B 11/10 D 02/11 F 06/11 H 11/11 J 01/12 L 02/12 N 03/12 P 05/12 R 06/12 T 07/12 A 11/10 C 02/11 E 05/11 G 11/11 I 12/11 K 02/12 M 02/12 O 04/12 Q 06/12 S 06/12 While it does appear that ICO are ratcheting up Monetary Penalty Fees for severe data protection violations, only two of the twenty issued since 2010 have been to private sector businesses. No fines have been issued for cookie law violations.14 July 2012 WordCamp Edinburgh UK 2012
    15. 15. ICOs snitching system In February I asked “how does the ICO find out that a site is violating the law? Do they intend to implement an anonymous snitching system reportage engine? What happens when that petty troublemaker decides to report you as an evil lawbreaker?” Et voila – ICOs snitching system. Have a wee visit. "As of {8 June} we had 169 reports [submitted]. Its fair to say that some have a little too much rhetoric...” Christopher Graham, Information Commissioner, speaking to on 12 June14 July 2012 WordCamp Edinburgh UK 2012
    16. 16. Hows the rest of Europe getting on? Belgium, Poland, the Netherlands, Portugal, and Slovenia – have not implemented the law yet, full stop. The EU is taking legal action against them. Its not as if the Eurozone has anything else to worry about.14 July 2012 WordCamp Edinburgh UK 2012
    17. 17. WordPress14 July 2012 WordCamp Edinburgh UK 2012
    18. 18. WordCamp UK attendees say...14 July 2012 WordCamp Edinburgh UK 2012
    19. 19. WordPress: Native cookies  WordPresss dashboard admin cookies (login, display preferences) are exempt under the directive.  A fresh WordPress install sets cookies after a comment is left on a post or page.  These cookies remember the comment author, comment authors email, and comment authors URL for future visits. These cookies expire in about a year.  Then, of course, there are your theme and plugin cookies.14 July 2012 WordCamp Edinburgh UK 2012
    20. 20. WordPress: Core compliance  WordPress 3.4.x makes two concessions to compliance:  wp-comment-post.php, which sets commenter cookies, has been made pluggable  default-filters.php has been changed so that commenter cookies can be disabled if someone wants to by setting them on an action instead of always. remove_action ()  Remember to refresh your keys and salts when you implement a cookie compliance strategy14 July 2012 WordCamp Edinburgh UK 2012
    21. 21. As for “We’re aware of the recent EU privacy directive and the related UK Cookie Law. As of now, the relevant authorities haven’t issued concrete guidance on the actions that are necessary to comply with the law. We’ll be watching as the situation develops and may make changes to our services in the future, if required. For now – since sites hosted at do make use of cookies, you may like to flag this fact for visitors to your site. One way to do this is to add a text widget to your side bar and include a link to our privacy policy (which contains information on the cookies that we use). You might also inform your visitors that they can refuse all cookies by changing the settings of their browsers.” forums14 July 2012 WordCamp Edinburgh UK 2012
    22. 22. WordPress: can it adapt?  Could Plugin and Theme Repositories be amended so that developers must list information about the cookies in their plugins? What about themes outside the repository? No.  What about serving different versions of by country IP? No.  Neither of these suggestions would work. But both of them would shift responsibility to WP Core for compliance.  No wonder WordPress wont go anywhere near it!14 July 2012 WordCamp Edinburgh UK 2012
    23. 23. A whole new set of problems14 July 2012 WordCamp Edinburgh UK 2012
    24. 24. The cure is worse than the disease Tom du Pre sets forth a strong case for why cookie compliance cures are worse than the disease, causing problems with -  Usability and accessibility  3rd party dependence  SEO  Malware/spyware  Accountability and legal indemnity  Full and informed consent  Blocking all cookies full stop  Cookies to store cookie preferences14 July 2012 WordCamp Edinburgh UK 2012
    25. 25. Impermanence  According to a ComRes survey, 28% of first party and 37% of third party cookies have an expiry date of one month.  From 25 June the first round of “re-opt-ins” began.  Many options store the cookie opt-in/opt-out preferences in a cookie. opting-out of cookies sets a cookie without necessarily warning that a cookie will be stored to record the fact that the user does not wish to have cookies stored. My head hurts  Simply clearing your browser cache can wipe cookie preference settings as well, triggering re-opt-ins  What do you call a box that keeps popping up to ask you the same question? Closed.14 July 2012 WordCamp Edinburgh UK 2012
    26. 26. Third party solutions  Irony is a third party solution for third party cookies, some of which use – you guessed it - ...  Is any third party service ready, able, and willing to accept full legal accountability for this law?  As with all third party services, you are reliant on them for uptime - if they go down, so does your legal compliance  Would ICO accept “the dog ate my compliance plugin” as an excuse?14 July 2012 WordCamp Edinburgh UK 2012
    27. 27. Accessibility14 July 2012 WordCamp Edinburgh UK 2012
    28. 28. Accessibility Please read James Colthams essential blog post on cookie compliance and web accessibility:  Ensure the solution can be easily tabbed to by a keyboard user, and that all of the controls are accessible by keyboard  Ensure that the solution does not affect existing navigation or accessibility features  Keep the text short and link to more information on a single, separate page (probably your privacy page), ensuring the link is accessible too  Avoid intrusive pop-ups which may confuse the user or block other key functions or content  Don’t put a time limit on any controls, or, if you do, ensure the limit can easily be deactivated or changed14 July 2012 WordCamp Edinburgh UK 2012
    29. 29. Thats your SEO buggered Some cookie compliance utilities are replacing search engine excerpts with cookie disclaimers – in other words, undoing years of work and possibly thousands of pounds worth of consultancy on a web sites SEO strategy.14 July 2012 WordCamp Edinburgh UK 2012
    30. 30. The final nails in the coffin (From The Cookie Law – 28 Days Later by Silktide)14 July 2012 WordCamp Edinburgh UK 2012
    31. 31. Privacy protection, 2012 styleOn the one hand... On the other hand... Are you going to get informed cookie consent off this girl? Suck it, nanny state!14 July 2012 WordCamp Edinburgh UK 2012
    32. 32. Bureaucrats preserve their own jobs  In January the EU Information Commissioner announced a new set of EU data privacy directives, currently in draft discussion phase.  This will consolidate all 27 national data protection laws into one law from above.  ICO claims the EU is looking to the UKs implementation of the cookie law as the ideal standard for Europe. (I bet they say that to all the information commissioners)  At the speed of EU legislation this will take 2-3 years.  In some way or form the cookie law will change in 2014- 2015.14 July 2012 WordCamp Edinburgh UK 2012
    33. 33. East Germany comes to the UK  The Home Offices Communications Data Bill will oblige all ISPs and mobile phone providers to store all message headers and communications trails for a year.  Oi you, tweeting about this conference presentation right now to your mates: that message trail, and therefore that relationship, would go in the “black box.”  Representatives of any overseas country will be able to ask the Home Secretary for access to the “black box” as part of “criminal investigations”  Other public bodies will have access to the “black box”.14 July 2012 WordCamp Edinburgh UK 2012
    34. 34. East Germany comes to the UK “Under the Home Office proposals, once (an email) is sent, the ISPs would have to route the data via a government-approved "black box" which will decrypt the message, separate the content from the "header data", and pass the latter back to the ISP for storage.” - Geoff White, Channel 4 News14 July 2012 WordCamp Edinburgh UK 2012
    35. 35. East Germany comes to the UK  All things considered, individual cookie preferences are ultimately grains of sand.  Yet proposed laws will hoover up all of our communications and interactions. There is no opt-in or opt-out. There is no informed consent.  What is the point of using tweezers to tend grains of sand when the contents of every click, email, post, and tweet will be scooped up by a bulldozer?  What will our craft look like in five years time in the light of multiple international, national, and agency-level directives on data retention and privacy?14 July 2012 WordCamp Edinburgh UK 2012
    36. 36. What if...  “Data protection” is redefined as ICOs enforcement of government surveillance laws - civil liberties be damned?  What if is essentially deemed illegal?  What if Scotland leaves the United Kingdom...  ...and an independent “ICO” has a different interpretation?  What if Greece et al leave the Eurozone...  ...setting off a domino effect of EU withdrawals...  ...and withdrawing nations scrap the EU directives?  What if the UK leaves the EU?14 July 2012 WordCamp Edinburgh UK 2012
    37. 37. And so the EU Cookie Law...  Was created by disconnected bureaucrats who dont even use computers – thats what secretaries are for  It is not making people think about their individual privacy  It does not address this decades privacy threats: social media oversharing and app-based data uploads  It vandalises web sites and destroys web site accessibility  It puts more pressure on SMEs already drowning in government legislation  It is going to change in two years anyway  Privacy officially dies with the Communications Data Bill14 July 2012 WordCamp Edinburgh UK 2012
    38. 38. Discussion and Questions (I am not a lawyer)14 July 2012 WordCamp Edinburgh UK 2012
    39. 39. This presentation is dedicated to Sue Bailey WordCamp UK veteran, WordPress whisperer, and one hell of a gal who would have had plenty to say about the EU Cookie Law and WordPress, none of it repeatable in public.14 July 2012 WordCamp Edinburgh UK 2012