sebastiancrumpcoi

I see esmi just beat me to it. Just to confirm – while it’s EU legislation, which should therefore be the same across the whole EU it is up to the individual member countries to implement and there will likely therefore be differences in both implementation and governance in each country.

In the UK the Information Commissioner’s Office is the official organisation and they have some information – whether it’s clear for your purposes, I could not tell you.

Just to add re differences in UK and German approaches – there isn’t anything wrong with either as far as I understand (IANAL). It is up to each EU country to implement as they choose and justify back to EU if challenged. I’m not making any value judgement specifically on which is the better approach (honestly). I’ll just say one will one will be easier to implement and enforce than the other – you decide which way round you think that is ??

Interesting point re accessibility, esmi. I am not yet entirely clear as to whether as in that case it is up to individuals to bring a case, in which case I agree possibly unlikely (IANAL), or whether a semi-regulated/monitored as in other Data Protection provisions – theoretically could lead to more actions being brought.

Unfortunately, as I manage a government website I don’t have any choice about whether I attempt to conform. Also it seems, not unusually, that the UK is taking a much stricter view on what is covered – strangely almost the converse of the German approach outlined above where third party cookies don’t matter (as long as you inform users in privacy policy), but consent required for most first party cookies.

Thanks for the pointers to comments_notes_before etc. esmi.

As far as I can tell, it only stores a temporary session cookie.

Possibly a simulpost; if the user comments persistent cookies are set as I outlined above.

Yes, I agree with your assessment teppenden_de

As far as I can determine from my testing so far (may depend on what plugins you’re using). Cookies are only used if an ‘anonymous’ user leaves a comment – WP then puts your name, your email address ,and subscribe preference in three separate cookies. As this is just to store those details to save them entering them again for a subsequent comment I do not think they could be described as ‘strictly necessary’ – more equivalent to appearance preferences used as example in ICO guidance.

The question is therefore whether it enough for the user to be informed about that – ‘if you comment you will get cookies…’, or whether you actually need to get consent (and allow refusal). I’m assuming eventually the latter, but informing would be a good first step and may(!)* allow you to rebuff any initial claims as it demonstrates your awareness and progress to implementation…

* I am not a lawyer; this is not official advice.

I don’t think it’s correct to state it’s only third party cookies.

ICO have released guidance [PDF], for the UK at least. They make it very clear it applies to all cookies that are not ‘strictly’ (with a narrow definition) necessary.