
Is your WordPress cookie banner GDPR-compliant?

Wondering if your cookie banner is GDPR compliant? In this article, we’ve put together the most important privacy compliance rules for WordPress cookie banners. Learn how to determine if your WordPress cookie banner is GDPR-compliant, how to avoid dark patterns, and what tools to use in order to achieve and maintain privacy compliance on your site.

Aug 04, 2023

Cookies and GDPR

Numerous websites employ various tracking technologies, such as cookies, pixels, and tags, to advertise, gather statistics, and conduct marketing campaigns. These technologies are a part of well-known tools like Google Analytics, Google Maps, YouTube, Facebook Pixel, WP plugins, social media buttons, and more. The data collected via these technologies can hold immense value for marketers. Within the European Union, use of these tools falls under GDPR regulation.

Certain cookies are exempt from requiring consent because they are categorized as “necessary”, meaning, for example, that they are vital for the smooth operation of a website. These cookies may be used for website navigation or retain shopping cart information, among other uses. Under the GDPR, “strictly necessary” cookies can be used without obtaining users’ consent. All other cookies that track user behavior or collect personal information require explicit consent from the user before they start collecting any data.

In order to obtain user consent to use cookies and other tracking technologies, we recommend using a consent management platform (CMP). These tools are designed to inform users, when and where needed, about cookie usage on your site, what data is collected and how it is shared. A CMP enables users to give the “freely given, specific, informed and unambiguous” consent to this use that the GDPR requires (Art. 7).

Consent management platforms, such as Cookiebot CMP for WordPress, display cookie pop-ups to your users, asking them to make a choice (or choices) about the use of cookies. Let’s take a closer look at WordPress cookie banners, how they inform users and collect consent, and how to ensure they’re GDPR-compliant.

Cookie banners serve as a means for website owners to inform visitors about the use of cookies and obtain their consent to collect and process their personal data. A cookie banner is typically a cookie pop-up window or banner that appears on a website, informing visitors that the site uses cookies.

A cookie banner provides an overview of the cookies and other tracking technologies in use on the site, how they are used, information they collect, and parties that the information may be shared with, e.g. advertising partners. Usually, the banner gives users the option to accept or reject the use of cookies. According to the GDPR, a cookie banner should also include an option to consent to the use of only selected categories of cookies. This is what is meant by “granular” consent, where the user could consent only to the use of data for specific purposes.

Under the GDPR, in many cases the collection and processing of personal data are prohibited unless the user provides consent. Businesses are not permitted to use cookies and other tracking technologies unless they have obtained explicit user permission or the service used is necessary for the functioning of the website. This applies to any website (or app) that collects the personal data of EU residents. It doesn’t matter if the site is for ecommerce, healthcare, finance, a corporate website, a club, or even a personal blog.

By complying with the GDPR, website owners can ensure that their visitors’ data is protected and that their privacy is respected, while still getting the high-quality data they need for marketing operations. This also helps to build trust with customers, as they will know that their data is safe when visiting the website.

Cookie compliance also helps to create a better user experience by providing users with more control over how their data is used. By providing a clear explanation of what cookies and other tracking technologies are and how they are used, users are able to make informed decisions about whether they want to accept or reject the use of them.

Getting consent is not just a legal obligation; it’s also a respectful and ethical way to protect the data of your website visitors. This makes incorporating a cookie banner an indispensable requirement for any website using cookies.

If your site is built with WordPress and you have visitors from the European Union (EU), it is your responsibility to ensure GDPR compliance. While the GDPR violation fines that make the headlines are often for huge companies, individuals and small organizations have been found in violation of the GDPR’s rules, too. If EU residents access the site, GDPR compliance is required, even if the company or site owner is not located in the EU. One way to achieve GDPR compliance is to use a WordPress cookie banner plugin.

GDPR compliance may seem complicated, especially if data privacy is not your core business or interest. Let us help you take care of it.


Consequences of noncompliance

Noncompliance with the GDPR can result in significant fines. The maximum fine for noncompliance is €20 million or 4% of global annual turnover (gross revenue for the preceding calendar year), whichever is higher. In addition to financial consequences, noncompliance can damage your organization’s or brand’s reputation.

It’s important to take cookie banner requirements seriously and ensure that your website is up to date with the latest regulations. In today’s global landscape, it’s not uncommon for organizations to have responsibilities under multiple data privacy laws, not just the GDPR.

A data privacy compliant cookie banner should provide visitors with clear information about cookies in use and obtain their consent before collecting their personal data. The cookie banner should be clearly visible on a website, easy to understand, and state what cookies and other trackers are being used and why, and how data collected may be shared.

User consent obtained must be explicit and freely given. Dark patterns cannot be used to manipulate or trick users into giving consent. Users must also have the option to reject the processing and still use the website.

Organizations need to provide a comprehensive privacy notice or privacy policy, often on a web page, which provides detailed information about data collection and use, users’ rights and how to exercise them, and more.

Users must also be able to withdraw their consent at any time. Website owners need to securely store consent data and ensure that communications and consent requests are up-to-date with GDPR requirements.

We recommend reading our GDPR compliance checklist to help you ensure that your website is compliant with the GDPR regulation and that visitors’ data is secure.

To check if your WordPress cookie banner is GDPR-compliant, use our free Cookiebot compliance scanner. This tool will scan your website and provide you with a report on the privacy compliance of your consent banner, focusing on your site’s cookie usage. The report will highlight any areas of noncompliance and provide you with recommendations on how to fix them.

We also recommend checking your consent banner for dark patterns. Dark patterns are deceptive design techniques used to manipulate users into taking an action that they normally would not. These techniques can be used to trick people into agreeing to unwanted terms or services, signing up for subscriptions, or making purchases.

Common examples of dark patterns include pre-checked boxes, deceptive wording, and suggestive colors. On a cookie banner, a common tactic is to make the “deny” option smaller, different-looking, or harder to find than the “accept” option. To avoid dark patterns, you should ensure that all forms and agreements are written in plain language and that users are given an equal option to opt out of any services or subscriptions. All user preferences also have to be set to “off” by default.

5 common mistakes on cookie banners

Go to your WordPress site and look at your cookie banner. Check if it contains any of the following noncompliant settings:

1. Missing “Deny/Reject” button on the banner.

This violates the GDPR’s consent requirements, as consent cannot be considered to be freely given.

Illustration with a banner missing "Deny/Reject" button

2. Rejecting cookies requires more clicks than accepting cookies.

In this situation, there is usually no “Deny/Reject” button on the first layer but a different one, e.g. “More options”, and the user can only reject the use of cookies after entering that area. When rejecting cookies through your consent banner requires more clicks than accepting them, it’s not GDPR-compliant.

Illustration with a banner that requires more clicks than accepting cookies

3. Using different colors for the “Accept/Allow” and “Deny/Reject” buttons.

Using suggestive colors to get more users to accept processing of their data on your site is considered a dark pattern and is not GDPR-compliant.

Illustration with a banner using different colors for the buttons

4. “Allow/Accept” and/or “Deny/Reject” buttons completely missing from the banner.

If your banner is just a cookie information pop-up with a close icon in the top right corner (or with an “OK” button only), under current legislation it is most likely not GDPR-compliant.

Illustration of a banner with “Allow/Accept” and/or “Deny/Reject” buttons completely missing

5. Pre-checked boxes for non-essential cookies.

This is another example of a dark pattern. Avoid pre-checked boxes for processing categories. Users need to take explicit, affirmative action to check the boxes when giving consent.

Illustration of a banner with pre-checked boxes for non-essential cookies

Also note that scrolling, clicking on links, or similar actions do not constitute consent. It’s also important to display the cookie banner in the language of the user’s browser to ensure they understand. You can use automatic translations that are usually part of WordPress cookie plugins.
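As an added illustration (this is example code, not code from the article or from the Cookiebot CMP plugin), the following JavaScript models the consent flow the five points above describe: every optional category defaults to off, accepting, rejecting and withdrawing share one code path so withdrawal is no harder than consenting, tracker scripts are released only for categories the user actually ticked, and a small audit function checks a description of a banner’s first layer against the five mistakes. The category names, tracker ids and the two banner objects are constructed for the example.

```javascript
// Consent categories used in this example. "necessary" never requires consent;
// every other category stays off until the user actively turns it on.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const OPTIONAL = CATEGORIES.filter((c) => c !== "necessary");

// Fresh consent state: the "nothing pre-checked" default the article asks for.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false, decidedAt: null };
}

// Record a decision. `choices` lists the optional categories the user actively
// ticked; anything not listed stays off, and "necessary" cannot be toggled.
function recordConsent(choices) {
  const next = defaultConsent();
  for (const c of choices) {
    if (OPTIONAL.includes(c)) next[c] = true; // unknown or non-optional names are ignored
  }
  next.decidedAt = new Date().toISOString();
  return next;
}

const acceptAll = () => recordConsent(OPTIONAL);
const rejectAll = () => recordConsent([]);
// Withdrawal must be as easy as consenting: it reuses the "reject all" path.
const withdrawConsent = () => rejectAll();

// Prior-consent gate: each tracker declares its category and is released only
// once that category is true. Before any decision, only "necessary" passes.
function allowedTrackers(state, trackers) {
  return trackers.filter((t) => state[t.category] === true).map((t) => t.id);
}

// Audit a plain-object description of a banner's first layer against the
// five common mistakes. Returns a list of problems; empty means none found.
function auditBanner(banner) {
  const problems = [];
  const accept = banner.buttons.find((b) => b.action === "accept");
  const reject = banner.buttons.find((b) => b.action === "reject");
  if (!accept && !reject) {
    problems.push("no Accept/Deny buttons, only a close icon or OK"); // mistake 4
  } else if (!reject) {
    problems.push("Deny/Reject button missing from the banner"); // mistake 1
  } else if (accept) {
    if (reject.clicks > accept.clicks) problems.push("rejecting takes more clicks than accepting"); // mistake 2
    if (reject.color !== accept.color) problems.push("Accept and Deny buttons use different colors"); // mistake 3
  }
  for (const cat of banner.categories) {
    if (cat.id !== "necessary" && cat.checked) problems.push(`category "${cat.id}" is pre-checked`); // mistake 5
  }
  if (banner.consentOnScroll) problems.push("scrolling or browsing on is treated as consent");
  return problems;
}

// Constructed sample data; none of it is taken from a real site.
const TRACKERS = [
  { id: "session-cookie", category: "necessary" },
  { id: "analytics-tag", category: "statistics" },
  { id: "ad-pixel", category: "marketing" },
];

// Reject is hidden behind "More options" (2 clicks), styled grey, and the
// optional categories come pre-checked: the banner exhibits mistakes 2, 3 and 5.
const NONCOMPLIANT_BANNER = {
  buttons: [{ action: "accept", clicks: 1, color: "green" }, { action: "reject", clicks: 2, color: "grey" }],
  categories: [{ id: "necessary", checked: true }, { id: "statistics", checked: true }, { id: "marketing", checked: true }],
  consentOnScroll: true,
};

const COMPLIANT_BANNER = {
  buttons: [{ action: "accept", clicks: 1, color: "blue" }, { action: "reject", clicks: 1, color: "blue" }],
  categories: [{ id: "necessary", checked: true }, { id: "statistics", checked: false }, { id: "marketing", checked: false }],
  consentOnScroll: false,
};

console.log("before any decision:", allowedTrackers(defaultConsent(), TRACKERS));
console.log("statistics only:", allowedTrackers(recordConsent(["statistics"]), TRACKERS));
console.log("audit of noncompliant banner:", auditBanner(NONCOMPLIANT_BANNER));
```

In a real plugin the result of `allowedTrackers` decides which script tags the page is allowed to execute; the tags themselves are served in an inert form until the gate passes, which is what the “automated blocker until consent is obtained” feature in the checklist below amounts to.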

How to choose a cookie banner for WordPress?

GDPR compliance on a WordPress website is not easy to achieve without dedicated software. Consent management platforms for WordPress enable compliance through varying features and functionality. It’s important to choose the right one to meet cookie banner requirements and to ensure you can maintain GDPR compliance as regulations evolve.

Here are the important cookie banner features for enabling WordPress cookie compliance on your site:

  • Customization: choice of colors, fonts, button text, logo
  • Granular consent options
  • Customizable processing categories and services in use
  • Automatic and secure storage of user consent data
  • Ability to access or download user consent data
  • Preference center and/or widget to enable users to change or revoke consent
  • Automated scan to keep the site’s cookie/tracker list up to date
  • Automated blocking of all new cookies and other trackers until user consent is obtained
  • Auto-updated cookie declaration on your privacy page
  • Option to disable pre-checked category boxes
  • Geotargeting, to display the banner only to EU users
  • Automatic translations into multiple languages
  • Integrations with Google Consent Mode and Google Tag Manager
  • Compliance with multiple privacy regulations
  • Easy implementation

See our comparison of the 5 best GDPR plugins for WordPress.

How to make your WordPress cookie banner compliant with Cookiebot CMP

To achieve GDPR compliance with your WordPress cookie banner using the Cookiebot CMP WordPress plugin, follow these steps:

  1. Sign up for a free trial with Cookiebot CMP.
  2. Run a scan of your website using the Cookiebot CMP.
  3. Review the scan results.
  4. Install the Cookiebot CMP plugin on your WordPress site.
  5. Configure the plugin settings to match your website’s tools/services and data collection.


Updating your cookie banner as regulations evolve

Regulations governing cookies/trackers and online privacy more broadly are constantly evolving. It’s important to stay up to date with the latest regulations and make any necessary changes to your cookie banner.

Since the introduction of the GDPR, there have been regular rulings and updates to regulations to address new concerns and technologies. For example, in 2019, the European Court of Justice ruled that websites must obtain consent from visitors before placing non-essential trackers on their computer (source). This ruling has had a major impact on how companies use cookies and other tracking technologies, requiring adjustments to their policies and data processing.

Updating your cookie banner as regulations evolve is your responsibility as a website owner. You also need to keep your cookie banner up to date with any changes you make to the cookies or other trackers used on your website. For example, if you add a new tracking cookie, you need to update your cookie banner to let visitors know about it and enable them to decide if they consent to its use. You can use the Cookiebot CMP WP plugin to quickly and easily update your cookie banner whenever necessary.

Final privacy recommendations

In summary, a GDPR-compliant cookie banner can be an essential tool for protecting the privacy of website visitors and avoiding legal consequences. To ensure compliance with the GDPR on your WordPress site, your cookie banner should provide visitors with clear information about cookies and other trackers and obtain their explicit consent before collecting their personal data.

It is important to remember that the cookie banner is just one step in protecting website visitors’ privacy. Website owners may need to employ a variety of tactics to ensure that their websites are secure and private, depending on what services the site provides and who the audience is. This includes using secure login credentials, encrypting data, and regularly updating software. It’s also a good idea to keep an eye on the latest developments in data privacy for both regulations and best practices.

Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
