The EU Cookie Law, WordPress, and You

My presentation at Paid On Results WordUp Glasgow 2012, 4 February 2012.

When viewing my presentation please keep the following points in mind:
1. I am not a lawyer and this is not legal advice;
2. There is no script, plugin, widget, block of code, or third-party service which will make your site 100% legally compliant through the simple acts of installation and activation, particularly in WordPress, which has a unique issue or two. There is no easy solution to EU Cookie Law compliance, full stop. The existing solutions on the market approach compliance but do not achieve it in and of themselves. Anyone who tries to tell you otherwise is selling you snake oil. To that end, all comments "suggesting" or selling EU cookie compliance "solutions" will be deleted.
3. If performed incorrectly, your compliance process can destroy the authenticity and accessibility of your site. A site whose ethos is destroyed through overly literal compliance is worse than a site which openly rejects compliance.

1 Comment
  • Comment deleted from a business offering a 'solution'.

    There is no such thing.
The EU Cookie Law, WordPress, and You

  1. Paid On Results WordUp Glasgow, 4 February 2012. The EU Cookie Law, WordPress, and You. Heather Burns.
  2. The EU Cookie Law, WordPress, and You
     • What the law is and is not
     • When it comes into effect and its consequences
     • The law's advantages and problems
     • What you need to do to comply
     • How the law affects WordPress
     • What's being done already
     • What not to do
     • What to watch out for
     • What ifs?
  3. I AM NOT A LAWYER (neither is he)
  4. What is the EU Cookie Law? The "EU Cookie Law" is the EU ePrivacy Directive (2002/58/EC), which the UK implemented as the Privacy and Electronic Communications Regulations 2003 (PECR). It covers the storage of, and access to, information on a user's equipment by electronic means. While it's conversationally convenient to call it the "EU Cookie Law", this is technically inaccurate: the Directive covers all forms of storage on and access to the user's device, not just web cookies. And it is a directive that each member state transposes into its own national law, not a one-size-fits-all order from above. In 2009 the Directive was amended to require informed consent for storage of or access to information. Implied consent is no longer enough. Going forward you must ask for and receive consent before storing cookies in your site visitors' browsers. This applies to every visitor on every site you run.
  5. Who enforces this law? Enforcement and penalties are the jurisdiction of each individual EU member state. In the UK, administration and enforcement fall to the Information Commissioner's Office (ICO), a non-departmental UK government body whose jurisdiction includes the devolved nations. ICO has published its own interpretation of the Directive. ICO is not decreeing how to comply with the law, and it is not prescribing a blanket opt-in process. What ICO is decreeing is what we must do to comply, and how it will punish us if we do not.
  6. Why has this law been amended? 1. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. 2. "...current levels of awareness of the way cookies are used and the options available to manage them is limited. Those who use the internet less regularly, or have a generally lower level of technical awareness, are even less likely to understand the way cookies work and how to manage them." But does #2 have any bearing on #1? Are cookies the problem with privacy? A lot of people with a selfish financial or career motivation to say "yes" will tell you so. But cookies are perhaps 5% of our privacy issue. More later.
  7. When does this come into practice? EU member states had until 25 May 2011 to implement these changes in their national laws. The UK brought the law into legislation on 25 May 2011 and immediately deferred enforcement for one year to give businesses time to prepare. That year is nearly up. By the letter of the law, all websites for businesses based in and operating in the UK, regardless of the country where the site is hosted, must comply by 25 May 2012. That's 111 days from today.
  8. Who is responsible for implementation? "The person setting the cookie is primarily responsible for compliance with the requirements of the law... The key point is not who obtains the consent but that valid, well informed consent is obtained." In practice, that means it falls to us to educate our clients about this law and the changes required to achieve compliance.
  9. How have other EU countries done it? Only Denmark, Estonia, and the UK met the May 2011 deadline, and the UK technically met it by announcing the one-year deferral. Four more countries got on board by the summer of 2011. In August 2011 the European Commission commenced legal action against 19 member states for not meeting the May 2011 deadline. Nobody has found an easy path to implementing this law.
  10. What cookies are exempt? It's a common misconception that the cookie directive applies to third-party but not first-party cookies. The source of the cookie is not what matters. The deciding factor is whether the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user. The cookie storing the security token generated when you log in to your online banking is strictly necessary and exempt, whoever sets it. The WordPress cookies which keep you logged into the admin dashboard are strictly necessary and exempt. Analytics, display-preference, and some shopping-cart cookies are not considered necessary.
  11. What are ICO's penalties? 1. Information Notice, a requirement to provide clarification within a certain period of time; 2. Undertaking, an order to comply with a prescribed course of action within a certain period of time; 3. Enforcement Notice, an order to comply in cases where clear breaches have been noted, with failure being a criminal offence; and 4. Monetary Penalty Notice. The maximum fine is £500,000. (Slide graphic: a severity scale running from Innocent / Genuine / Unaware / Easily Fixed / No Damage Done at one end to Deliberate / Ongoing / Premeditated / Damage Done / Careless / Severe at the other.)
  12. What do you need to do? Regardless of platform or CMS, you need to do three things to make your site(s) compliant with the law. 1. Conduct an audit of the cookies currently in use on the site. 2. Create a way to advise your visitors about the non-essential cookies which will be placed during a site visit, and give them a way to consent to those cookies. 3. Create a way to stop those cookies from being set before the visitor has given consent.
  13. Advantages
  14. Advantages: "Give a mouse a crumb..."
     • "...he's going to want the whole cookie."
     • Facebook was caught using a cookie which tracked people's surfing habits even when they were not logged in to Facebook. The law would have forced Facebook to identify this cookie and give users the chance to opt out of it.
     • Some advertisers are establishing a universal icon to indicate that cookie tracking is in use, linking to an industry opt-out page. The law says that icon won't be enough. The fact that cookies are in use, and what they are being used for, must be explained to the user in clear words.
  15. Advantages: Isn't this a browser issue? ICO says no: "It is not clear that even when the necessary changes are achieved you could rely on all users instantly using the most up to date version of any browser." "What's a browser?" - ex-client. ✔ Internet Explorer 9 has tracking protection. ✔ Firefox has a "do not track" option. ✔ Safari blocks third-party cookies by default. ✖ Google Chrome = Google Analytics...
  16. Advantages: It's not impossible! South Ayrshire Council provides a great example of visual and textual compliance which is neither ugly nor intrusive.
  17. Problems
  18. Problem: "Privacy is dead"
     • 1997: online privacy meant not having the sites you visited tracked by third-party advertisers for targeted ads.
     • 2012: people voluntarily choose to hand over their privacy on social networking sites and mobile apps.
     • People do not hand over their privacy because they are unfamiliar with the cookie settings in their browser.
     • People will not stop handing over their privacy because they have ticked a box accepting a cookie.
     • An ad-tracking cookie is an anonymous privacy violation. Tweeting "I'm in Buchanan Galleries with my kid" is a voluntary relinquishment of personal privacy.
     • But you don't even have to tweet that...
  19. Problem: "Privacy is dead"
     • Buchanan Galleries uses the FootPath surveillance system. Transmitters located throughout the mall assign a short-term tracking number to your smartphone when you enter.
     • Your movements through stores, food areas, and restrooms are tracked and mapped. YOU are the browser; your mobile is the cookie. It's anonymous. Of course...
     • Tiny signs are the only warning that this surveillance system exists. The only way to opt out is to switch off your mobile.
     • This anonymous tracking is permissible and legal. Cookies do exactly the same thing, but they're "bad". Huh?
     • Awareness of what cookies are and how they work will not restore societal notions of individual privacy.
  20. Problem: Theoretical purity. "In the case of conflict, consider users over authors over implementers over specifiers over theoretical purity." - Priority of Constituencies (HTML5 specification). It has taken years for this law to work through its processes. We measure our work in months or even weeks. Many theoretical purists in government offices still use IE6. Fact: policymakers do not use their own communications devices. Politicians who do are not policymakers. Remember Leo's Blackberry? Her name was Margaret.
  21. Problem: Enforceability
     • Is it the business of the UK government to review every web site in the country for compliance with a cookie law when it does not review them for any other form of legal compliance?
     • The UK government, the devolved administrations, and local councils do not carry out blanket surveillance.
     • The PRS tried and failed spectacularly.
     • The Coalition government is pro-small business, anti-regulation, and anti-EU. It will have no taste for small businesses being penalised because of a directive from Brussels.
  22. Problem: Enforceability
     • Who does the surveillance and enforcement? How many government staff? On what salaries? In the age of austerity? ICO has just 353 staff.
     • If not blanket surveillance, how does ICO find out that a site is violating the law? Does it intend to run an anonymous reporting system? What happens when a petty troublemaker decides to report you as an evil lawbreaker?
     • Will ICO make noise with test cases? Who gets singled out?
     • Improper enforcement will become a witch-hunt which achieves no commercial or privacy objective.
  23. WordPress and you
  24. WordPress: Native cookies
     • WP Core is not changing to meet the Directive. Remember, it's not one law, it's 27 laws.
     • Your admin functions place a few cookies to keep you logged in and to store your screen options. These are exempt under the Directive.
     • The only native cookies WordPress creates for visitors are commenter cookies (comment_author_*, comment_author_email_* and comment_author_url_*). These remember the comment author's name, email, and URL for future visits, and expire in about a year.
     • Even if you were running a plain WordPress install with no themes or plugins at all, you would still need to give site visitors the option to consent to those comment cookies.
  25. WordPress: Core compliance
     • As for theme and plugin cookies, as well as non-plugin aspects such as analytics, it falls to every one of us as individuals and businesses to devise and implement our own compliance strategies.
     • Your first step in compliance should be refreshing the keys and salts in your wp-config.php file. Why? Regular visitors to your site still have to opt in under the new law, and new salts invalidate every existing login cookie. Note what this does not do: the commenter cookies are keyed on a hash of the site URL (COOKIEHASH), not on the salts, so refreshing the salts leaves them in place and they need handling in your comment-cookie process.
     • Next, run a cookie audit. What cookies are left? From what sources? Are they session or persistent? Are they integral to the visitor experience?
     • Then, take time to review and refresh your policies. (Or add them...) Create a cookie statement including the information you learned in your cookie audit.
  26. WordPress: Extended compliance
     • Next, determine how you will get the visitor's attention for the opt-in process. Pop-up? Overlay? Hovering button? Info bar?
     • Perhaps you would like to try one of the EU Cookie plugins, or a third-party solution?
     • Installing a plugin called "Cookie Directive compliance" ≠ Cookie Directive compliance.
     • Then, decide what you are going to do for visitors who opt out. What experience do you serve them? Where do you redirect them? Do you try the implied-consent trick?
     • What about your mobile/tablet versions?
  27. Whatever you do, don't do this. 1) ICO put a huge accordion box at the top of their site. Not ticking the box sets a cookie recording that you do not want cookies. The warning does not tell you that it will set a cookie to say you do not want a cookie... thereby breaking the EU cookie directive. 2) Not ticking the "accept" box does not stop you from exploring the site. This allows ICO to take the stance that continuing to browse equals implied consent...
  28. Whatever you do, don't do this. 3) The disclaimer discusses "cookies", despite ICO's insistence that people don't understand what cookies are. 4) A FOI request established that after they put up that box, ICO's recorded site traffic dropped by 90%, because analytics were no longer being tracked. Is that a responsible course of behaviour for a government agency with a duty of care and accountability to the taxpayer?
  29. GOBSHITE!
  30. WordPress: Accessibility
     • Pop-up windows, accordion bars, and overlays are obstacles to accessibility for people with visual or motor disabilities.
     • Opt-in processes with technical language are obstacles, and even threats, to people with cognitive disabilities.
     • The "change font size" option here is controlled by a cookie. Imagine asking someone experiencing a manic episode, including confusion and paranoia, to tick a box consenting to having information stored about them before they can enlarge the font!
  31. WordPress: What's being done
     • WordPress 3.4 will make wp-comments-post.php "pluggable", opening the door to the development of a cookie compliance plugin.
     • There is an EU Cookie Directive plugin which displays an accordion notification at the top of your screen.
     • Its admin menu lets you customise the messages about each cookie, and then display the list in a convenient table on a page via a shortcode.
  32. WordPress: What's being done
  33. Watch out...
  34. Enter the hucksters
     • The first people to respond to vague and unreasonable laws are those who know how to make ££ out of them.
     • Toolkits, breakfast seminars, pay plugins, £££...
     • "Free code to install, 100% money-back guarantee!!"
     • Please don't try to make money on the back of the EU cookie directive by scaring your clients and prospects.
     • Using scaremongering as a revenue stream is an admission that your business model is as messed up as the cookie law.
     • Be responsible and ethical in your education process.
  35. The goalposts will move
     • On 24 January the European Commission announced a proposed new EU data protection regulation, currently in draft discussion phase. ~2 years.
     • There will be one set of rules applicable across the whole of the EU, not one directive with 27 interpretations.
     • Explicit consent must be given for information to be used.
     • The "Right To Be Forgotten".
     • This will have a knock-on impact on the cookie law.
  36. What if...
     • What if the test cases fail?
     • What if ICO disproportionately targets, say, Welsh businesses, but we get off Scot-free?
     • What if one member state enforces the law to the letter while others all but ignore it?
     • What if ICO jurisdiction over Scotland is devolved?
     • What if Scotland leaves the United Kingdom?
     • What if the United Kingdom leaves the EU?
     • What if the EU collapses?
  37. Thank you for listening. Please contribute to this dialogue by sharing the solutions you devise with the WordPress and web communities. Discussion and Questions. (I am not a lawyer.)
  38. Links and Resources
     • ICO's initial guidance and ICO's updated guidance
     • David Naylor's brilliant literal implementation
     • Pinsent Masons' plain-English legal advice
     • BBC News: ICO's web site compliance own-goal
     • BBC NI News: appalling scaremongering news report (possibly suggested by ICO's PR office)
     • Video: the stupid EU cookie law in 2½ minutes
     • Preview of the new EU data privacy proposals
     • Other EU member approaches to the law
     • South Ayrshire Council's privacy & cookie statement
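The cookie audit that slide 12 (step 1) and slide 25 call for, as an added example that is not part of the talk. It takes the cookies a browser was handed, written in Set-Cookie syntax because that is what devtools or a proxy shows you, and answers the audit questions: which cookies, from what source, session or persistent, and does the cookie fall under the "strictly necessary" exemption. The cookie lines, the hash suffix and the site host are constructed for the demo; the list of exempt prefixes is an assumption drawn from the talk's own examples (WordPress login and screen-option cookies) and everything else is treated as needing consent. Requires PHP 7 or later.

```php
<?php
// Added example, not from the talk: a first pass at a PECR cookie audit.
// Input lines are CONSTRUCTED; the exempt list is an assumption for the demo.

const SITE_HOST = 'www.example.org';   // the site under audit (constructed)

// Cookies treated as "strictly necessary" (assumption, based on slide 10 and 24).
const EXEMPT_PREFIXES = ['wordpress_logged_in_', 'wordpress_sec_', 'wp-settings-'];

// Constructed sample: a logged-in commenter on a WordPress site that also runs
// an analytics script and an ad-network tag. Hash suffix and values are made up.
const SAMPLE_COOKIES = [
    'wordpress_logged_in_7f3a=heather%7C1329912000%7Cabc; Path=/; HttpOnly',
    'wp-settings-1=editor%3Dhtml; Max-Age=31536000; Path=/',
    'comment_author_7f3a=Heather; Max-Age=30000000; Path=/',
    '__utma=1.2.3.4.5.6; Domain=.example.org; Expires=Mon, 03 Feb 2014 12:00:00 GMT; Path=/',
    'ad_id=0bd3; Domain=.adnetwork.example; Expires=Mon, 03 Feb 2014 12:00:00 GMT; Path=/',
];

/** Split one Set-Cookie line into name, value and lower-cased attributes. */
function parse_set_cookie(string $line): array {
    $parts = array_map('trim', explode(';', $line));   // commas in Expires survive this
    $pair  = array_shift($parts);
    $eq    = strpos($pair, '=');
    $cookie = [
        'name'  => $eq === false ? $pair : substr($pair, 0, $eq),
        'value' => $eq === false ? '' : substr($pair, $eq + 1),
        'attrs' => [],
    ];
    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        $eq = strpos($attr, '=');
        if ($eq === false) {
            $cookie['attrs'][strtolower($attr)] = true;      // Secure, HttpOnly
        } else {
            $cookie['attrs'][strtolower(substr($attr, 0, $eq))] = substr($attr, $eq + 1);
        }
    }
    return $cookie;
}

/** Classify one parsed cookie relative to the audited host and the audit date. */
function audit_cookie(array $cookie, string $site_host, int $now): array {
    $attrs  = $cookie['attrs'];
    $domain = isset($attrs['domain']) ? ltrim(strtolower($attrs['domain']), '.') : $site_host;
    // First party when the cookie domain is the site host itself or a parent of it.
    $suffix      = '.' . $domain;
    $first_party = $domain === $site_host || substr($site_host, -strlen($suffix)) === $suffix;

    // Lifetime in seconds: Max-Age wins over Expires; neither means a session cookie.
    if (isset($attrs['max-age'])) {
        $lifetime = (int) $attrs['max-age'];
    } elseif (isset($attrs['expires'])) {
        $expires  = strtotime($attrs['expires']);
        $lifetime = $expires === false ? null : $expires - $now;
    } else {
        $lifetime = 0;
    }
    if ($lifetime === null) {
        $persistence = 'unparseable expiry';
    } elseif ($lifetime === 0) {
        $persistence = 'session';
    } elseif ($lifetime < 0) {
        $persistence = 'already expired (deletes the cookie)';
    } else {
        $persistence = sprintf('persistent, %d days', intdiv($lifetime, 86400));
    }

    $exempt = false;
    foreach (EXEMPT_PREFIXES as $prefix) {
        if (strncmp($cookie['name'], $prefix, strlen($prefix)) === 0) {
            $exempt = true;
            break;
        }
    }

    return [
        'name'        => $cookie['name'],
        'source'      => ($first_party ? 'first party' : 'THIRD party') . ' (' . $domain . ')',
        'persistence' => $persistence,
        'flags'       => trim((empty($attrs['secure']) ? '' : 'Secure ') . (empty($attrs['httponly']) ? '' : 'HttpOnly')),
        'exempt'      => $exempt,
    ];
}

/** Run the audit over a list of Set-Cookie lines. */
function audit_cookies(array $lines, string $site_host, int $now): array {
    $rows = [];
    foreach ($lines as $line) {
        $rows[] = audit_cookie(parse_set_cookie($line), $site_host, $now);
    }
    return $rows;
}

// Audit as of the day of the talk, 4 February 2012, 12:00 UTC.
$now = gmmktime(12, 0, 0, 2, 4, 2012);
printf("%-26s %-32s %-22s %-16s %s\n", 'cookie', 'source', 'persistence', 'flags', 'needs consent?');
foreach (audit_cookies(SAMPLE_COOKIES, SITE_HOST, $now) as $row) {
    printf("%-26s %-32s %-22s %-16s %s\n", $row['name'], $row['source'],
        $row['persistence'], $row['flags'], $row['exempt'] ? 'no (strictly necessary)' : 'YES');
}
```

Run it with `php cookie_audit.php`. On the constructed sample the login cookie comes out as a first-party session cookie that is exempt, the screen-options cookie as exempt but persistent for 365 days, the commenter cookie as persistent for 347 days (the "about a year" from slide 24) and not exempt, the analytics cookie as first party but persistent for 730 days and not exempt, and the ad cookie as third party and not exempt. The flags column is a free security check from the same data: a login cookie without the Secure flag is worth noting in the audit even though PECR says nothing about it.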
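Gating the WordPress commenter cookies from slides 24, 26 and 31 behind an explicit opt-in, as an added example that is not from the talk and not from WordPress core. It relies on the set_comment_cookies action that wp-comments-post.php fires from WordPress 3.4 onwards, which is the "pluggable" change slide 31 anticipates; core hooks wp_set_comment_cookies() onto that action at priority 10, and this plugin unhooks it and puts a consent check in front. The consent cookie name (eu_cookie_consent), the form field names and the nonce action are assumptions made up for the demo.

```php
<?php
/**
 * Plugin Name: Comment Cookie Consent (added example)
 * Description: Only set WordPress's three commenter cookies after an explicit opt-in.
 */

// Added example, not from the talk or from WordPress core. Needs WordPress 3.4+
// for the set_comment_cookies action. Cookie name, field names and nonce action
// are assumptions for this demo.

const CCC_COOKIE = 'eu_cookie_consent';   // assumed consent cookie name
const CCC_ACTION = 'ccc_consent';         // assumed nonce action

/** True only when the visitor explicitly opted in on an earlier request. */
function ccc_has_consent() {
    return isset($_COOKIE[CCC_COOKIE]) && $_COOKIE[CCC_COOKIE] === 'yes';
}

// Core registers wp_set_comment_cookies() on set_comment_cookies at priority 10
// in default-filters.php, which loads before plugins, so the unhook works here.
remove_action('set_comment_cookies', 'wp_set_comment_cookies');
add_action('set_comment_cookies', 'ccc_maybe_set_comment_cookies', 10, 2);

/** Set the commenter cookies only with consent; the comment itself is posted either way. */
function ccc_maybe_set_comment_cookies($comment, $user) {
    if (ccc_has_consent()) {
        wp_set_comment_cookies($comment, $user);   // unchanged core behaviour, now gated
    }
    // Without consent the visitor simply is not remembered next time.
}

/**
 * Record an opt-in. A refusal must NOT set a cookie: storing "no cookies please"
 * in a cookie is the ICO mistake from slide 27. Recording an affirmative "yes"
 * is what the visitor explicitly asked for, so that one cookie is defensible.
 */
function ccc_handle_consent_form() {
    if (!isset($_POST['ccc_consent'], $_POST['_ccc_nonce'])) {
        return;   // box not ticked, or not our form: set nothing
    }
    if (!wp_verify_nonce($_POST['_ccc_nonce'], CCC_ACTION)) {
        return;   // reject forged cross-site submissions
    }
    if ($_POST['ccc_consent'] === 'yes') {
        $one_year = 365 * 24 * 60 * 60;
        setcookie(CCC_COOKIE, 'yes', time() + $one_year, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
    }
}
add_action('init', 'ccc_handle_consent_form');

/** Plain-words notice and opt-in control above the comment form, shown until consent exists. */
function ccc_comment_form_notice() {
    if (ccc_has_consent()) {
        return;
    }
    echo '<form method="post" class="ccc-notice">';
    wp_nonce_field(CCC_ACTION, '_ccc_nonce');
    echo '<p>If you tick this box, this site will remember your name, email address and website '
       . 'on your next visit by keeping three small text files in your browser for about a year. '
       . 'You can comment without ticking it.</p>';
    echo '<label><input type="checkbox" name="ccc_consent" value="yes"> Remember me on future visits</label> ';
    echo '<button type="submit">Save choice</button>';
    echo '</form>';
}
add_action('comment_form_before', 'ccc_comment_form_notice');
```

Drop the file into wp-content/plugins and activate it. Submitting the form with the box unticked sends no ccc_consent field, so the handler returns before setcookie() and the visitor's refusal leaves nothing behind; only a ticked box sets the consent cookie, and only then does the next comment post trigger the three core cookies. The notice deliberately describes what is stored and for how long in plain words rather than leaning on the word "cookies", the point slide 28 makes against ICO's own banner.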