Posted: July 13, 2018 at 3:34 am
I’m wondering if anyone has come up with good code or a solution for managing cookie control compliance under GDPR; the legislation states that, in summary:
1) Users need to be given a choice about accepting cookies or not
This would seem to be problematic with Event Espresso, relying as it does (I think) on cookies.
So wondering if anyone has come up with a good approach to alter Event Espresso’s behaviour if a 3rd party declines cookies. I’m presuming it’s not possible to still book with cookies turned off? If it is, how would you make Event Espresso go into cookieless mode?
If it’s not possible, has anyone got any good code examples of maybe routing the user to a contact us page for a manual booking?
That it does, but an important point is that it relies on SESSION cookies (more on this shortly).
That’s correct, it’s not.
You can’t… but you don’t need to.
You mentioned above:
Both of those points as written are too general.
They need to be given the choice of accepting some types of cookies; there are exceptions and they are important.
In short, this basically means if a user chooses not to consent to tracking/ad cookies etc the site should still function as intended. That does not mean that you need to obtain consent for all cookies and that the site should effectively have 2 ‘modes’. There’s a fair bit more to GDPR and cookie consent than I can sum up in a single post, but point being you don’t need to have a second mode for your site because someone doesn’t want to consent to cookies used by analytics.
Now the exceptions, take a look here:
EE uses a SESSION cookie, it’s a cookie that has an ID and that’s the only data held on that cookie itself. EE creates this cookie to basically maintain state between multiple page requests, without it EE (and everything else on the site) has no idea that your request is for you or it’s my request and so on. It’s effectively a way to maintain a ‘cart’ for your registration (even if that’s a single registration), the exception text reads:
The user is initiating a registration, they are purchasing a ticket from you and to do that a session cookie is required by EE to function. It’s not helpful or convenient. You don’t need consent for it and if the user chooses to block all cookies, the site will not function, that should be expected when you block all cookies either way as they are an essential part of the web (just some are used in ways people don’t like).
If you chose not to consent to tracking cookies on something like Amazon, would you expect to purchase a product by using a contact form to show interest, they then invoice you from the contact form and once paid send the goods? No? Me neither and to be able to keep a cart, they need to track your session in one way or another, just as EE does.
Awesome thanks so much – you should append this to your GDPR Blog post perhaps (Promise I did read everything I could find, but didn’t locate the ICO guidance!)
You’re most welcome and I’ll look into adding a link to the ICO guidance to the blog post, thank you.
I should probably throw a quick disclaimer in here just to cover all bases as I’m not a lawyer and my advice above should not be taken as legal advice but pointers for your own research 🙂