Disclaimer: I’m not a legal expert and these are just some thoughts on the matter that I hope will be useful; they’re not intended as legal advice.

UPDATE: skip to the bottom of this post for the latest!

There’s a good summary of what the EU Cookie Law is and means here. (It’s a commercial site but offers a clear explanation.)

As the article suggests, the first step is to work out what cookies your WordPress site is using. WordPress itself uses cookies. Here is the information about what cookies WordPress uses. There’s a good discussion of the WordPress cookie situation here – it looks like the ‘comment cookie’ is the only one up for debate in terms of requiring opt-in.

There may also be cookies issued by third parties, such as plugin providers, and by other software or services used within the site, such as commenting or analytics services.

Once you know which cookies your site uses, it’s probably a good idea to include a cookie policy alongside your site’s other legal statements (Terms and Conditions, Privacy Policy, Disclaimer) – some or all of which are already required by law.

Look at this example of a well-constructed and clear privacy policy for reference.

It’ll be interesting to see how the EU WordPress community responds to the legislation: it’s likely that a best practice will emerge over the coming months if the law looks like it’s actually anywhere near enforceable anyway.

I know that’s not a 100% comprehensive answer, but hopefully it’s useful as a reference. Please do sound off in the comments with any thoughts, advice or resources – thanks!

UPDATE: Apparently just having a cookie policy isn’t enough: users must explicitly consent to receive cookies. Here at Pragmatic, we’re going to go with the policy route and see what happens.

UPDATE 2: This is the best bit of advice I’ve seen – it’s a plugin that points out that the DCMS (the department that oversees this issue) doesn’t have a pop-up, just a policy (and their policy is here). So, until they introduce a pop-up, I’d say you’re safe with a policy only, but again this is not authoritative, just a discussion of the situation.

UPDATE 3: This Google Chrome add-on looks like a really useful way to analyse the cookies running on your site and generate info for your cookie policy.

UPDATE 4: The law was amended just before it came into force to allow ‘implied consent’ – read this Guardian article for more. My current take on all this is that it’s probably (a) necessary to have a good cookie policy as part of your overall privacy policy, (b) good to understand what cookies your site is using and (c) better not to implement an annoying and intrusive pop-up/consent box. However, if you or your clients really feel the need to have one, this looks like the best WordPress cookie consent plugin around.

UPDATE 5: As of January 2013, it seems you no longer need to ask for explicit consent. But we do recommend a cookie policy with a cookie audit to ensure compliance.
