Support

Home Forums Event Espresso Premium GDPR Cookie Compliance – Action on Cookie non-consent

GDPR Cookie Compliance – Action on Cookie non-consent

Posted: July 13, 2018 at 3:34 am


Steve

July 13, 2018 at 3:34 am

Hi All,

I’m wondering if anyone has come up with good code or a solution for managing cookie control compliance under GDPR; the legislation states that in summary:

1) Users need to be given a choice about accepting cookies or not
2) Users should have the same experience even if they do not accept cookies.

This would seem to be problematic with Event Espresso, relying as it does (I think) on cookies.

So wondering if anyone has come up with a good approach to alter event espresso’s behaviour if a 3rd party declines cookies. I’m presuming its not possible to still book with cookies turned off? If it is, how would you make Event Espresso go into cookieless mode?

If its not possible, has anyone got any good code examples of maybe routing the user to a contact us page for a manual booking?

Thanks!


Tony

  • Support Staff

July 13, 2018 at 4:33 am

Hi there,

This would seem to be problematic with Event Espresso, relying as it does (I think) on cookies.

That it does, but an important point is that it relies on SESSION cookies (more on this shortly).

So wondering if anyone has come up with a good approach to alter event espresso’s behaviour if a 3rd party declines cookies. I’m presuming its not possible to still book with cookies turned off?

That’s correct, it’s not.

If it is, how would you make Event Espresso go into cookieless mode?

You can’t…. but you don’t need to.

You mentioned above:

1) Users need to be given a choice about accepting cookies or not
2) Users should have the same experience even if they do not accept cookies.

Both of those points as written are too general.

1) Users need to be given a choice about accepting cookies or not

They need to be given the choice of accepting some types of cookies, there are exceptions and they are important.

2) Users should have the same experience even if they do not accept cookies.

In short, this basically means if a user chooses not to consent to tracking/ad cookies etc the site should still function as intended. That does not mean they you need to obtain consent for all cookies and that the site should effectively have 2 ‘modes’. There’s a fair bit more to GDPR and cookie consent than I can sum up in a single post, but point being you don’t need have a second mode for your site because someone doesn’t want to consent to cookies used by analytics.

Now the exceptions, take a look here:

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#exemptions

EE uses a SESSION cookie, it’s a cookie that has an ID and that’s the only data held on that cookie itself. EE creates this cookie to basically maintain state between multiple page requests, without it EE (and everything else on the site) has no idea that your request is for you or it’s my request and so on. Its effectively a way to maintain a ‘cart’ for your registration (even if thats a single registration), the exception text reads:

the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

The user is initiating a registration, they are purchasing a ticket from your and to do that a session cookie is required by EE to function. Its not helpful or convenient. You don’t need consent for it and if the user choses to block all cookies, the site will not function, that should be expected when you block all cookies either way as they are an essential part of the web (just some are used in ways people don’t like).

If you chose not to consent to tracking cookies on something like Amazon, would you expect to purchase a product by using a contact form to show interest, they then invoice you from the contact form and once paid send the goods? No? Me neither and to be able to keep a cart, they need to track your session in one way or another, just as EE does.

So whilst a cookie policy should be on your site (and is now required), as far as I am aware you don’t need consent for the session cookie we use, nor do you need to provide an option to register on Event Espresso when that essential cookies has been blocked. However I’m more than happy to investigate further if you can provide any information that points to otherwise 🙂


Steve

July 15, 2018 at 3:30 pm

Awesome thanks so much – you should append this to your GDPR Blog post perhaps (Promise I did read everything I could find, but didn’t locate the ICO guidance!)


Tony

  • Support Staff

July 17, 2018 at 4:24 am

You’re most welcome and I’ll look into adding a link to the ICO guidance to the blog post, thank you.

I should probably throw a quick disclaimer in here just to cover all basis as I’m not a lawyer and my advice above should not be taken as legal advice but pointers for your own research 🙂

The support post ‘GDPR Cookie Compliance – Action on Cookie non-consent’ is closed to new replies.

Have a question about this support post? Create a new support post in our support forums and include a link to this existing support post so we can help you.

Support forum for Event Espresso 3 and Event Espresso 4.
Documentation for EE3 and EE4
Documentation for Event Espresso 3

Documentation for Event Espresso 4

Status: closed

Updated by  Tony 5 months ago ago

Topic Tags

Tagged: 

Notifications

This topic is: not resolved
Do NOT follow this link or you will be banned from the site!