Updated at 17:35 BST to mention
The UK is planning to implement various European privacy rules, and one of the difficult topics has been the use of data gathered by websites. Superficially this would seem to be targeted primarily at advertisers and other large companies, but in practice it could catch almost every website that is not completely static. One aspect is that the UK rules will require explicit approval before most cookies can be stored on users' computers.
The BBC has reported this here and The Register has a story here. Both organisations have been running various stories over the past few months on this topic. Part of the problem has been lack of clarity as to what is required, and the problems of technically implementing solutions that satisfy the rules.
Much of what has been written on this topic concentrates on
The Information Commissioner’s Office (ICO) guidance says
… you will need a user’s consent if you want to store a cookie on their device. The ICO recognises that cookies perform a number of legitimate functions. We also recognise that gaining consent will, in many cases, be a challenge.
There is an exception, but it is very narrow:
The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.
After a little more detail it makes explicit that merely remembering preferences is not an exception:
The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.
The full text from the ICO is here.
A lot of smaller organisations will, I think, find complying with the rules rather onerous. Cookies are often used within packages that webmasters install, but those packages often don't explain how cookies are used and probably don't include pages to get the visitor's consent to the cookies. Indeed one could argue that getting this consent is itself almost a privacy issue. Anyone using advertising is clearly likely to be caught by these rules, although it is unclear to me whether the responsibility lies with the website owner or the third-party advertiser.
I did a quick check of the WordPress documentation and there is a page about cookies here, although the page does indicate that it is “in progress”. As far as I can see, cookies are used by WordPress for Users and for Commenters. I think therefore it would be necessary to get approval from users when they register. For Commenters, the WordPress documentation notes that it is “purely a convenience” and therefore in my understanding is definitely not an exception under the ICO’s guidance, and again the code would need modification to explicitly seek approval.
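As an added illustration (not code from the WordPress project or from this post) of the modification described above for Commenters: a small snippet for a theme's functions.php or a plugin that replaces WordPress's default commenter-cookie behaviour with one that only sets the convenience cookies after the visitor ticks an opt-in box. The checkbox field name `remember_me_consent` is my own choice; the `set_comment_cookies` and `comment_form` hooks and the `wp_set_comment_cookies()` function are WordPress's own.

```php
<?php
// Added example: gate WordPress's commenter cookies on explicit consent.
// WordPress attaches wp_set_comment_cookies() to the 'set_comment_cookies'
// action, which fires after a comment is posted. Detach it first.
remove_action( 'set_comment_cookies', 'wp_set_comment_cookies' );

// Add an opt-in checkbox to the comment form. The field name below is an
// assumption of this example, not a WordPress convention.
add_action( 'comment_form', function () {
    echo '<p><label><input type="checkbox" name="remember_me_consent" value="1"> '
       . 'Remember my name, email and website for next time (stores cookies on this device)'
       . '</label></p>';
} );

// Re-attach cookie setting, but only when the box was ticked. Without consent
// the comment is still accepted; the visitor simply has to retype their details.
add_action( 'set_comment_cookies', function ( $comment, $user ) {
    if ( empty( $_POST['remember_me_consent'] ) ) {
        return; // no consent given: set no cookies
    }
    wp_set_comment_cookies( $comment, $user );
}, 10, 2 );
```

Note that WordPress 4.9.6 and later ship their own comment-cookie opt-in checkbox (enabled under Settings > Discussion), so a snippet like this is only needed on older installations or where the built-in checkbox is turned off.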