Privacy
comments 4

Automattic, WordPress.com, Jetpack, European cookie laws and transparency

Setting the scene

In Legal checks when building a content-driven WordPress website, I discussed cookies — not the edible variety but the small text files that are stored on your computer or mobile device when you visit or undertake certain activity on certain websites (for further information about cookies, see https://www.allaboutcookies.org.)

I observed that, whilst many countries don’t have laws that require disclosure of cookies, in Europe there are specific (and controversial) cookie laws. Website owners in European Member States are required to:

  • provide clear and comprehensive information about the cookies they are using; and
  • obtain consent to store a cookie on a user or subscriber’s device.

There are some narrow exceptions but I don’t think I need to mention them again.

Questions

The questions I want to explore in this post are these:

  • What are the implications of the European cookie laws for European users of WordPress.com and Jetpack?
  • Are users of WordPress.com and Jetpack able to obtain sufficient information as to the cookies that these services set?
  • If not, do the cookie laws erect an obstacle (at least for those who care) to European use of WordPress.com and/or Jetpack?

Implications of cookie laws for European users

The implications of the cookie laws for European users of WordPress.com and Jetpack are clear: they need to be able to provide information on the cookies that these services set and to include a consent mechanism.

Are users of WordPress.com and Jetpack able to obtain sufficient information from Automattic?

Status in 2014

In November 2014, a Spanish user of WordPress.com posted this message in the WordPress.com forums:

“There are new politics in Europe. In Spain (and maybe other countries of Europe) we need to inform about cookies. …”

I chimed in with this:

“Hi there. I’m interested in this topic too, from the perspective of the cookies that WordPress.com generates when someone with a WordPress.org site is using the Jetpack WordPress.com stats feature. I haven’t been able to find the cookie names anywhere and they are not identified by name in Automattic’s Privacy Policy. I suggest that the cookie names and functions for WordPress.com stats (and any other WordPress.com function) need to be listed somewhere to enable people in or serving European clients to adopt best practices in relation to cookie disclosures … .

In the meantime, is someone able to name what cookies (if any) are generated by Jetpack/WordPress.com Stats when used on a WordPress.org (self-installed) site?

Many thanks for your help.
Richard”

In December a WordPress.com Happiness Engineer kindly updated me, stating that “we don’t have a list of cookies readily available, so it may take some time before we have those details you requested”.

Time marched on and, well, my focus shifted to other matters.

Fast forward to 2015 – Automattic invests in cookie transparency

Fast forward to July 2015. Last week I found out that Automattic has been putting considerable effort into fostering cookie transparency. Automattic has created the following:

A cookies disclosure page for WordPress.com

Cookies-support

A widget that displays a cookies banner

widget

A cookies disclosure page for Jetpack

Jetpack

The cookies disclosure page for WordPress.com explains what cookies are, describes how WordPress.com makes use of cookies for a variety of purposes, and provides fairly detailed information on the cookies WordPress.com uses, distinguishing between cookies that are strictly necessary for technical reasons, cookies that enable a personalised experience for visitors and registered users, and cookies that allow the display of advertising from selected third party networks. It lists and describes many examples of the cookies WordPress.com uses and notes that visitors can restrict the use of cookies or prevent them from being set.

Turning to the widget, you can add an “EU Cookie Law Banner” to your WordPress.com site by adding the widget of that name to the widgets section in your site’s customizer. There’s a range of settings. For example, you can hide the banner after a user clicks the ‘close and accept’ button, or after the user scrolls the page, or after a defined period of time. You can amend the default text if you wish, you can change the colour scheme (light or dark, more if you’re a premium user), you can link to the WordPress.com cookie information or to your own cookies policy page, and you can change the button text. Here is what the default banner looks like:

Cookie banner

Last but not least, the Jetpack cookies page explains that cookies are used by Jetpack in a variety of different ways and that the cookies set will depend on the Jetpack features that are enabled. It notes that the cookies are only set when a user interacts with one of these, or to allow admin functions to be performed in wp-admin. It then names and provides other details on the cookies that are set for visitors and registered users of sites with the Jetpack plugin installed.

Superb developments

As a lawyer who has been a bit frustrated in the past about the inability to obtain information on the cookies set by WordPress.com and Jetpack, I think these developments are superb. They go a substantial way towards enabling those in Europe to comply with the cookie transparency laws.

Whether a site run by someone in a given European country complies with that country’s laws is not Automattic’s responsibility, of course, but Automattic has clearly invested a good deal of time and money in helping its European users.

Any remaining obstacle?

Cookie lists not exhaustive

You might want to note that the cookies listed for WordPress.com are not exhaustive. Rather, the kinds of cookies used are explained and numerous examples are given. The cookies page is clear in stating that the listed cookies are examples. This, I understand, is due to the dynamic and evolving nature of WordPress.com. An exhaustive list of cookies that is valid in one month might become out of date in another. Automattic is certainly not alone in taking this approach. It seems to be the same kind of approach that Google takes.

Residual risk? Unlikely

Does the fact that the cookies lists are not exhaustive pose significant residual risk to European users of WordPress.com? I can’t comment on how the European ePrivacy Directive has been implemented and interpreted in every European member state (there will likely be variance in interpretation across member states), but I can tell you what the United Kingdom’s Information Commissioner has said, namely, this:

What do we need to do to comply?

The rules on cookies are in regulation 6. The basic rule is that you must:

  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.

What information must we give users?

[The Privacy and Electronic Communications Regulations] do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes. You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.”

In my view, the approaches taken by Automattic and Google are pragmatic and provide users with reasonable and digestible information on the fact that cookies are used, what the cookies are doing and why they are doing it. They also provide clear examples of named cookies. Arguably that is sufficient.

There will probably be those who will say the gold standard is listing each and every cookie – and yes if you do that you ought to be safe – but, for large or complex operations, that approach runs the risk of producing monstrous cookie policies that most people will never read, resulting in overly bureaucratic processes for minimal gain. They could even be counter-productive. In my view, a sensible compromise needs to be struck between transparency interests and usability or readability interests. There’s little point in drafting something that is so complete, yet so monstrously detailed, that it’ll never enter anyone’s consciousness.

If you’re in the United Kingdom, I’d be astonished if the Information Commissioner were to take a stricter view, given what it has said publicly (as quoted above). Let us hope the same common sense prevails in the other European member states.

(Update: I need to be clear that I don’t know the position in other European member states on this particular issue. I know there has been inconsistent implementation of the Directive’s requirements in relation to prior consent to the setting of cookies. It wouldn’t surprise me if there were different interpretations on this point too, but I just don’t know. That said, it is widely recognised that the lack of uniformity across Europe is shambolic and that cases involving enforcement are rare.)

(Thanks to Marjan Lazarevski for the ‘Cookie Crave‘ image, licensed under a Creative Commons Attribution-NoDerivs 2.0 Generic licence.)

4 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *