How to comply with EU cookie compliance? (Recital 30)
Solution
For most sites, doing a cookie audit (your privacy policy needs to inventory the cookies set by your site) and then installing and correctly configuring a single EU cookie compliance module will do.
If you or a third party are using cookies or other tracking technologies to collect personal data, or for profiling, you need to configure the module for hard consent. Note that this is the case with many third-party services, including Google Analytics and AddThis.
However, you can use implicit consent if cookies are used for the
"sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"
Source: law.stackexchange.com, quoting the 2002 EU Directive on privacy and electronic communications (Directive 2002/58/EC)
You will also have to create and publish a privacy policy document. See: #2971870: Privacy policy document, etc. (Article 12).
Comments
Comment #2
gisle
Comment #3
gisle
Comment #4
mgifford
From WordPress - https://core.trac.wordpress.org/ticket/44097
Comment #5
mgifford
Comment #6
gisle
From WordPress:
The solution they then propose for WordPress is to use a core function to let modules ("plugins" in WordPress jargon) declare what cookies they set for subsequent inclusion in the site's privacy policy. [Aside: The proposed WordPress format does not capture all the information you need to disclose according to Directive 2002/58/EC (aka. "the cookie directive"), but that can be fixed by adding more fields.]
I think they are right about one thing: It is going to be a nightmare.
Putting this into core makes little sense to me. There are a lot of modules that use cookies for all sorts of reasons. Some of them, like AddThis, are barely maintained (I happen to be a co-maintainer, but the owner is AWOL and refuses to let it go, so there is no steerage. I have given up on it.) I think there are a lot of modules like that in our ecosystem. Unless you get all contributed modules that set cookies on behalf of themselves and third parties to report, it won't fly. I.e.: I think that no matter what you put in core, the controllers still must do a cookie audit to comply with the 2002 cookie directive.
And by the way: As is clear from this answer on Law StackExchange, nothing has really changed since 2002, when cookies became regulated in Directive 2002/58/EC. A lot of people, including the WordPress team, seem to suddenly freak out about a requirement that has been in place for 16 years! There is IMHO absolutely no reason to do that.
Comment #7
mgifford
Sounds good to me @gisle, thanks for spelling this out.
Comment #8
anruether
Added source to quote.
Comment #9
anruether
The recent EU Court of Justice ruling on pre-ticked checkbox consent does not really offer anything new: EU: Court of Justice of the European Union rules on Cookie Consent
See especially 3. Context of the Decision/4. Open Topics in the article.
Comment #10
jan kellermann commented
We discussed this in the last few months and see a difference between "cookie notification" and "consent for tracking code/cookies". For cookie notifications there are a couple of modules for Drupal at this time. For an effective cookie consent (with loading external stuff AFTER consent) we found some solutions. The best (and open source) one for us seems to be klaro - see https://klaro.kiprotect.com/
We built a first version of a klaro module (at this time for D7; D8 is still under construction): https://www.drupal.org/project/klaro
We also added a cookie-notification-function (so maybe you can use only this module instead of two different modules).
Maybe you can give some feedback.