It’s one of those things you’d rather put off until the last minute, but it is actually very important: making your WordPress website General Data Protection Regulation (GDPR) proof. If you do not meet the key privacy and data protection requirements of the GDPR, you run the risk of a hefty fine of up to € 20 million or 4% of annual worldwide turnover, whichever is higher. This applies to every organization that processes personal data of people in Europe, so not just enterprises or multinationals. Fortunately, this does not have to be a complex hassle if you know how to arrange it. To help you on your way, we list the best tested WordPress cookie plugins for you. But first, some more in-depth information about cookies and the GDPR.
Cookies and the GDPR
Fair is fair: there are still plenty of websites that are not GDPR proof at all and do not take the cookie requirements, or a correct implementation of them, into account. How do the GDPR and cookies relate to each other? The GDPR has been applicable for some time, namely since May 25, 2018. This ‘new’ law requires every organization in Europe to be able to demonstrate that the personal data flowing through the organization is properly protected. Roughly speaking, this means three things:
First of all, as an organization you must have a clear picture of the personal data you collect. This should then be incorporated into a privacy policy that is also visible to visitors.
Secondly, you must be able to show that personal data you pass on to other parties is protected. Think for example of personal data that ends up with your accountant, in your CRM or in your email marketing software. This also applies to software from outside Europe (e.g. from American companies); as a European organization you are required to make these agreements (data processing agreements) with all your suppliers. In practice, this means that the GDPR has a global impact on the privacy policies of organizations.
Thirdly, you must also make agreements for your WordPress website with other parties who have access to it: think of your hosting company, editors, administrators and parties who, for example, have access to personal data through a plugin.
Actually, the cookie law was already there, obliging websites to ask their visitors for permission before collecting privacy-sensitive data, and cookie consent remains a cornerstone of compliance for websites with EU-located users. However, the GDPR ties this part to the entire privacy legislation, as it were, and makes it a lot more serious: nowadays there are stricter controls and hefty fines can be handed out.
How do I create a legal (WordPress) cookie?
Every website that receives visitors from Europe must ask permission before collecting privacy-sensitive data. First of all, it is important to know that the cookie law makes an exception for cookies that are not privacy-sensitive. These are often cookies that make a website work properly. For example:
- Analytical cookies
Websites use analytical cookies, for example, to keep track of visitor statistics, which gives them better insight into how the website performs. Configured in a privacy-friendly way (IP addresses anonymized, no data shared with the analytics vendor for its own purposes, no cross-site tracking) they have hardly any effect on privacy. Note that whether this exemption applies depends on the guidance of the supervisory authority in your country and on that configuration; analytics that builds profiles of individual visitors falls under the tracking cookies described below and does require consent.
- Functional cookies
Functional cookies are necessary for a service or webshop to function. For example, these are files that keep track of what’s in a shopping cart.
Do you only use cookies of this kind? Then you often do not need to ask your visitors for permission, and a WordPress cookie plugin is not a necessity.
However, the cookies that almost always require permission are those related to tracking. These types of cookies keep track of individual surfing habits and create profiles in order to enable targeted advertising. Personal data is usually processed with tracking cookies.
But how do you ask permission?
According to the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous.
This means that:
- Prior and explicit permission must be obtained before any cookies are placed (apart from necessary cookies).
- Your website visitors must also be able to refuse permission for tracking, and permission must be as easy to withdraw as it is to give.
- It must be clear exactly what you are asking permission for.
- Visitors must be given sufficient information about what happens to their personal data after they have given permission.
- Visitors must give permission through an active action (‘he who remains silent, agrees’ does not apply, and pre-ticked boxes do not count either).
- Offer visitors a choice between ‘yes’ and ‘no’ by means of a clear banner. This way, you at least meet the requirement of a real choice for unambiguous consent.
- A cookie wall, which denies visitors access when they do not accept cookies, is not allowed.
- You have to be able to prove that your visitor actually granted permission for their personal data to be tracked: when, for what, and under which version of your cookie policy.
WordPress cookie plugin top 3
Before we present the best-in-class WordPress cookie plugins, it is important to mention that no plugin automatically makes your WordPress website GDPR proof. It is all about having the right settings and permissions (see the list above), which must correspond to what you describe in your privacy policy.
Also, although some plugins include a cookie scanner, no plugin can reliably find out every cookie your WordPress website sets: scripts added by themes, other plugins or a tag manager are easy to miss. Therefore you will have to make sure yourself that cookies are loaded correctly, i.e. that tracking scripts are only executed after the visitor has granted permission for that category. The best cookie plugins are therefore the ones that let visitors accept or reject specific categories of cookies and that block the corresponding scripts until they do.
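To make the consent requirements above and the script gating concrete, here is an added example of the client-side logic such a plugin (or your own script) has to implement. It is not code from any of the plugins discussed on this page. The cookie name, the policy version number, the two consent categories, the script URLs in the registry and the tracker cookie names are assumptions for illustration; the mechanics are what matter: nothing is loaded until a stored, current-version record says ‘true’ for that category, withdrawal is a single call, and the stored record carries the timestamp and policy version you need as proof of consent.

```javascript
// Consent-gated loading of tracking scripts (added example, not plugin code).
// CONSENT_COOKIE is a first-party, strictly necessary cookie: it needs no consent itself.
const CONSENT_COOKIE = "cookie_consent";
// Bump CONSENT_VERSION whenever the cookie policy changes, so every visitor is asked again.
const CONSENT_VERSION = 2;
const CATEGORIES = ["statistics", "marketing"];

// Hypothetical registry: category -> scripts that may only run after consent for it.
const TRACKER_REGISTRY = {
  statistics: ["https://stats.example/collect.js"],
  marketing: ["https://ads.example/pixel.js"],
};

// Build the record stored when the visitor makes an active choice.
// Anything not explicitly `true` becomes false: silence or a pre-ticked box is not consent.
function buildConsentRecord(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  return { v: CONSENT_VERSION, ts: now, categories };
}

// Serialize the record into a string suitable for assignment to document.cookie.
// `Secure` requires HTTPS; SameSite=Lax keeps the cookie out of cross-site requests.
function serializeConsentCookie(record, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Parse a document.cookie string. Returns null when there is no record, the record is
// malformed, or it belongs to an older policy version. null means: ask again, load nothing.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec && rec.v === CONSENT_VERSION && rec.categories) return rec;
    } catch (e) {
      // malformed cookie: treat as no consent
    }
    return null;
  }
  return null;
}

function mayLoad(record, category) {
  return record !== null && record.categories[category] === true;
}

// Inject only the scripts whose category has been consented to. `inject(src)` is supplied by
// the caller so the decision logic can be tested without a DOM; in the browser it appends a
// <script> element. Returns the list of sources that were loaded.
function loadTrackers(record, inject, registry = TRACKER_REGISTRY) {
  const loaded = [];
  for (const category of CATEGORIES) {
    if (!mayLoad(record, category)) continue;
    for (const src of registry[category] || []) {
      inject(src);
      loaded.push(src);
    }
  }
  return loaded;
}

// Withdrawal must be as easy as consent: store an all-false record and expire the first-party
// cookies the trackers set (names are examples). Cookies on the tracker's own domain cannot be
// deleted from here; not loading the script any more is what stops new ones being set.
function withdrawConsent(now = Date.now(), trackerCookies = ["_ga", "_fbp"]) {
  const record = buildConsentRecord({}, now);
  const cookies = [serializeConsentCookie(record)];
  for (const name of trackerCookies) cookies.push(`${name}=; Max-Age=0; Path=/`);
  return { record, cookies };
}

// Browser bootstrap (skipped where there is no document, e.g. under Node).
if (typeof document !== "undefined") {
  const inject = (src) => {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  };
  const existing = readConsent(document.cookie);
  if (existing) loadTrackers(existing, inject); // otherwise: show the banner, nothing is loaded
  // Wire the banner's buttons to this, e.g. saveCookieChoice({ statistics: true, marketing: false }).
  window.saveCookieChoice = (choices) => {
    const record = buildConsentRecord(choices);
    document.cookie = serializeConsentCookie(record);
    loadTrackers(record, inject);
  };
  window.withdrawCookieConsent = () => {
    for (const c of withdrawConsent().cookies) document.cookie = c;
  };
}
```

Two design points are worth noting. First, the record that goes into the cookie is also the basis for the proof requirement: it says what was accepted, when, and under which policy version. If you want evidence that survives the visitor clearing their cookies, post the same record to your own server when it is created. Second, the version check means a policy change automatically invalidates old consents instead of silently carrying them over, which is what ‘specific’ and ‘informed’ consent requires.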
WordPress cookie plugin 1: GDPR Consent
With the GDPR Consent plugin you can prevent your website from collecting personal data before your visitor has given permission to do so. The GDPR requires that visitors to your website give their permission first, but also that you cannot use a cookie wall to accomplish this, meaning that your website must continue to work even if no permission has been given for cookies. For many WordPress websites this means that some WordPress plugins (for example Google Tag Manager, AdWords, Facebook Pixel and remarketing plugins) may only be activated after the visitor has given his or her consent.
With the GDPR Consent plugin you define ‘consents’ and tick which plugins may be activated once a given consent has been granted. Your visitors see a narrow popup bar at the bottom of your website where they can give their consents (e.g. for Remarketing, Statistics and Advertisements). Depending on those permissions, the plugins are turned on for that particular visitor. This plugin is released by Sowmedia on WpUpgrader.com, our English-language platform.
WordPress cookie plugin 2: CookieYes
The CookieYes GDPR Cookie Consent & Compliance Notice plugin is also a great choice to make your WordPress website more GDPR proof. It works with accept and reject options, and cookies are only placed after the visitor accepts. You can also choose to let the cookie notification disappear after a few seconds; the cookies are then automatically treated as not accepted, since silence is not consent. A handy feature of this plugin is that the different cookies can also be shown on the privacy policy page using shortcodes.
In terms of styling, this plugin has a lot going for it. You can fully customize the style of the cookie notice to fit the corporate identity of your WordPress website: change the colors, fonts, styles, position on the page and even how it behaves when ‘Accept’ is clicked.
Furthermore, the plugin integrates seamlessly with the official Facebook Pixel, Instagram & Twitter Feeds and Google Tag Manager.
WordPress cookie plugin 3: Complianz
Complianz is a cookie consent plugin that supports the privacy laws of different regions such as the European Union, United Kingdom, United States, Australia and Canada. It provides options for a conditional ‘Cookie Notice’ with default templates or custom CSS, and a custom ‘Cookie Policy’ generated from the results of a built-in ‘Cookie Scan’. What is very convenient is that the plugin also stores evidence of consent, i.e. a registration of the consents of users who accept cookies, which helps with the proof requirement mentioned above.
Furthermore, a periodic Cookie Scan checks for changes in cookies, plugins and third-party services. Like the others, this plugin also offers integration with third-party software such as Google Tag Manager, Google Analytics and the official Facebook Pixel.