Support

July 13, 2018 at 4:33 am

Hi there,

This would seem to be problematic with Event Espresso, relying as it does (I think) on cookies.

That it does, but an important point is that it relies on SESSION cookies (more on this shortly).

So wondering if anyone has come up with a good approach to alter event espresso’s behaviour if a 3rd party declines cookies. I’m presuming its not possible to still book with cookies turned off?

That’s correct, it’s not.

If it is, how would you make Event Espresso go into cookieless mode?

You can’t…. but you don’t need to.

You mentioned above:

1) Users need to be given a choice about accepting cookies or not
2) Users should have the same experience even if they do not accept cookies.

Both of those points as written are too general.

1) Users need to be given a choice about accepting cookies or not

They need to be given the choice of accepting some types of cookies, there are exceptions and they are important.

2) Users should have the same experience even if they do not accept cookies.

In short, this basically means if a user chooses not to consent to tracking/ad cookies etc the site should still function as intended. That does not mean they you need to obtain consent for all cookies and that the site should effectively have 2 ‘modes’. There’s a fair bit more to GDPR and cookie consent than I can sum up in a single post, but point being you don’t need have a second mode for your site because someone doesn’t want to consent to cookies used by analytics.

Now the exceptions, take a look here:

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#exemptions

EE uses a SESSION cookie, it’s a cookie that has an ID and that’s the only data held on that cookie itself. EE creates this cookie to basically maintain state between multiple page requests, without it EE (and everything else on the site) has no idea that your request is for you or it’s my request and so on. Its effectively a way to maintain a ‘cart’ for your registration (even if thats a single registration), the exception text reads:

the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

The user is initiating a registration, they are purchasing a ticket from your and to do that a session cookie is required by EE to function. Its not helpful or convenient. You don’t need consent for it and if the user choses to block all cookies, the site will not function, that should be expected when you block all cookies either way as they are an essential part of the web (just some are used in ways people don’t like).

If you chose not to consent to tracking cookies on something like Amazon, would you expect to purchase a product by using a contact form to show interest, they then invoice you from the contact form and once paid send the goods? No? Me neither and to be able to keep a cart, they need to track your session in one way or another, just as EE does.

So whilst a cookie policy should be on your site (and is now required), as far as I am aware you don’t need consent for the session cookie we use, nor do you need to provide an option to register on Event Espresso when that essential cookies has been blocked. However I’m more than happy to investigate further if you can provide any information that points to otherwise 🙂

July 17, 2018 at 4:24 am

You’re most welcome and I’ll look into adding a link to the ICO guidance to the blog post, thank you.

I should probably throw a quick disclaimer in here just to cover all basis as I’m not a lawyer and my advice above should not be taken as legal advice but pointers for your own research 🙂