Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#43976 closed enhancement (worksforme)

Provide mechanism to opt-out of commenter cookies without needing to post a comment - GDPR

Reported by: garrett-eclipse
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.1
Component: Privacy
Keywords: gdpr
Focuses: administration
Cc:

Description

Hello,

Currently, with the GDPR updates for the comments form there's been the addition of the opt-in for cookies.
And I noticed in this thread (https://core.trac.wordpress.org/ticket/43436#comment:11) that you can opt-out by unchecking that box but it requires you post a comment.

It would be nice to provide a mechanism, even a link beside that checkbox text, which allows a user to opt-out of the commenter cookies without needing them to post a comment.
Maybe just a (opt-out) link beside it which clears the cookies.

It might also be a good idea in the removal request confirmation email to provide a link so users can purge their commenter cookie after their data was removed.

Thanks

Change History (4)

#1 @netweb
7 years ago

  • Keywords gdpr added

#2 @azaozz
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

> you can opt-out by unchecking that box but it requires you post a comment.

No, it's the opposite. You have to opt-in by checking the checkbox. If you don't opt-in, the checkbox is not checked regardless of whether you post a comment or not :)

If the users have pre-existing cookies that they don't want, it would be best to clear them in the browser. All browsers have that functionality and it works a lot better and does a lot more than any website can offer.

#3 @garrett-eclipse
7 years ago

Hi @azaozz

Sorry for the confusion, you're right, to have cookies added for WP Comments you first must consent to them through the checkbox. But part of GDPR is the ability to withdraw consent at any time, and with the comment cookies, to do that the user either needs to do so from their browser (most users don't know how) or, if you submit another comment with the box unchecked, that'll also purge the cookies.

So to my understanding of GDPR in terms of consent and the ability to withdraw especially with cookies is that the website first needs to block the cookies till they receive consent, then that consent needs to be logged, and a mechanism to remove that consent and those cookies needs to be provided to the user.

I may be wrong, but everything I've been reading about cookies+consent indicates you now have to log that consent but also allow for its removal. And to my interpretation removing consent would constitute the removal of those cookies. That's just from my understanding, and below is some info about needing to provide the opt-out mechanism.

> Possibility to withdraw the consent at any time
>
> The user must have the power to withdraw his or her consent.
> It is therefore important to make sure that users have access to their current consent state at all times and can change the settings or withdraw their consent entirely.

Reference - https://www.cookiebot.com/en/gdpr-cookies/

> Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.

Reference - https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies

Let me know what you think, I might be off the deep end here.

#4 @desrosj
7 years ago

  • Component changed from General to Privacy

Moving to the new Privacy component.
