Do all Wordpress sites need a EU Cookie notice?

Question

Does Wordpress in its default install need an EU cookie notice? I have a number of people who have very simple Wordpress sites and am not sure if even a simple Wordpress site installs cookies on a viewers computer?

Answer 1

Based on the european juridiction, there is some cookies types that doesn't need user consent:

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

• used for the sole purpose of carrying out the transmission of a communication, and
• strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

• user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
• authentication cookies, to identify the user once he has logged in, for the duration of a session
• user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
• multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
• load‑balancing cookies, for the duration of session
• user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
• third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

A default Wordpress installation, without any plugin / tracking code / analytics, come with the following cookies :

Non-logged users

PHPSESSID : it's the session ID, used for carrying the session, so it match the point about authentication cookies.

Logged users

wordpress_logged_in_*** : carry session informations. Same as PHPSESSID for legislation.

wp-settings-*** : general settings preferences for internal use only. So it match the point about user-interface customisation.

Commenters

comment_author
comment_author_email
comment_author_url

They all three match the point about user-input cookies BUT by default they are stored for a year. So, according to the legislation, if you use comments functionality on your blog you should ask for consent on this cookies. If comments are disabled on your website, then you probably don't need to ask for any consent for a default Wordpress installation. I suggest you to check on your website if any plugin add some cookies that don't match the quoted points.