WordPress compliance with GDPR/ePR and CCPA

WordPress, cookies, plugins and GDPR: What’s the deal?

Updated August 19, 2021.

What does the GDPR and CCPA mean for your WordPress website and its use of cookies?

In this article, learn more about the Cookiebot consent management platform (CMP) WordPress plugin for GDPR and CCPA compliance – in use on more than 40,000 WordPress sites across the world.

Cookiebot CMP WordPress plugin

Cookiebot CMP offers a WordPress plugin that makes your website fully GDPR/ePR and CCPA compliant.

Using the Cookiebot CMP WordPress plugin enables a highly customizable consent banner to handle consents and empower users with the option to opt in and out of cookie categories, as required by the GDPR/ePR, CCPA and similar data privacy laws around the world.

Cookiebot CMP scans your website to find all cookies and similar tracking technologies, then automatically blocks all until your users choose which categories of cookies to activate.

Our cookie declaration includes the option for a Do Not Sell My Personal Information link – offering full compliance with the GDPR/ePR and CCPA.

Try the Cookiebot CMP WordPress plugin for free

WordPress and cookies

WordPress is a hugely popular website management tool. You might yourself use WordPress as a tool for your website.

If you do, you might be wondering: does my WordPress site use cookies? And is it compliant with the GDPR and CCPA?

Well, it depends on how you use WordPress and how it is set up.

A clean version of the WordPress code without plugins doesn't set any user related cookies. It only sets cookies when a site admin logs into the backend of the system. In this case, you don't need a cookie consent on your website, as there are no cookies.

But very few people use WordPress in its basic form. Once you start to install plugins on your site, you either need to check the plugins to ensure that they don’t set cookies, or you need to implement a cookie consent function on your site.

Most hosted versions of WordPress set cookies per default, such as WordPress sites hosted on WordPress.com.

Hence, we recommend that you always use a cookie consent solution to ensure that you comply with data privacy laws like GDPR, ePR and CCPA.

Scan your website for free to see what cookies are in use

Try Cookiebot CMP free for 30 days – or forever if you have a small website.

The General Data Protection Regulation (GDPR) and the ePrivacy Directive are two EU-wide initiatives for the protection of personal data.

They mean that you have to take measures to ensure that your website meets the requirements and is compliant with the regulations.

See WordPress’ GDPR Compliance Guide here

Otherwise, you risk heavy GDPR fines of up to €20 million, or 4% of the organization's global yearly turnover, whichever is higher.

Basically, what you have to do is to go through your data processing activities and revise how the user data is handled on your website.

Websites typically manage data by means of cookies and online tracking technologies.

Be aware that you are responsible not only for the data handled directly by you and your site, but also for that which is handled by any third parties in use on your site.

Most sites make use of some kind of third parties.

For example, social media buttons, embedded videos, and tools for analytics all are data-gathering third parties on your website.

The GDPR primarily affects your cookie notice, cookie consent and your privacy policy.

The European Data Protection Board (EDPB) is the leading supervisory authority in the European Union of the GDPR, responsible for guiding how each national data protection authority in EU countries are to interpret and enforce the GDPR.

On May 4, 2020, the EDPB adopted guidelines on valid consent in the EU. These clarify what constitutes valid consent on websites under the GDPR.

EDPB guidelines specify that:

Cookie banners are not allowed to have pre-ticked checkboxes. All cookies except for strictly necessary cookies must be deselected and deactivated by default, so that users can give consent by a clear and affirmative action.
Cookie walls (forced consent by making access to your website conditioned on user consent) are an invalid form of consent. Users must be able to filter their consent between each category of cookie and consent must be freely given.
Continued scrolling and browsing on your website by users cannot be interpreted as valid consent, since consent must be a clear and affirmative action on part of the user.

Learn more about the EDPB guidelines on valid consent in EU

CCPA and WordPress

The California Consumer Privacy Act (CCPA) is a state-wide privacy law that regulates how businesses all over the world are allowed to handle the personal information of California residents.

It took effect on January 1, 2020.

CCPA requires that a website notify visitors of the categories of personal information that it collects and for what purposes.

This must be done at or before the point of collection. The list of categories of personal information must include all that a business collects, sells or discloses and it must be updated every 12 months.

Websites must also update their website’s privacy policy to include a description of the CCPA consumer rights –

Right to opt-out
Right to disclosure
Right to deletion

According to the CCPA, websites must feature a Do Not Sell My Personal Information link that consumers can use to opt out of having their data sold to third parties.

Try our free test and get an idea whether your WordPress site is GDPR/ePR and CCPA compliant.

The free website audit scans five pages of your website and sends you a report of the cookies and online tracking on these pages, including information on their provenance, purpose and whether or not they are compliant.

If you want a complete overview of the cookies and online tracking going on on all of your website, sign up to the Cookiebot CMP solution.

Scan your website to see what cookies are in use

Try Cookiebot CMP free for 30 days – or forever if you have a small website

To be compliant with the GDPR when using WordPress, you must ensure that you:

Inform your users:

Provide a clear and specific information on the cookies in use on the site, what types of data are processed, for what purpose and where in the world they are sent.

Ask for consent before setting cookies. Only strictly necessary cookies may be set prior to the reception of the consent.

Document:

Keep record of all received consents as evidence that the cookie consent has been given.

Protect the data:

Ensure that all personal data is securely stored. Only transmit data to the EU and other GDPR adequate countries.

Give your users a true choice:

Make sure that your users have the possibility to see the cookies, select, accept and reject them. The site must function even though the user has rejected cookies.

Provide the option for your users to change their mind:

Give access for the users to see and change their choice of accepted and rejected cookies on your site. If the user so requests, you must be able to erase their data.

Alert:

In the case of a GDPR breach, alert securities and affected users within 72 hours.

A GDPR compliant cookie banner by Cookiebot CMP.

This helpful Web Privacy And WordPress GDPR Compliance – The Definitive Guide can help you navigate GDPR compliance on WordPress.

CCPA compliance on WordPress

To be compliant with the CCPA when using WordPress, you must ensure that you:

Enable opt-out

Feature a Do Not Sell My Personal Information link on the website that users can use to opt-out of third party data sales.

Inform your users of what you collect and sell

Provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.

Stop selling personal information if requested

React to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.

Delete personal information if requested

Include two steps whereby the consumer can submit the request and subsequently agree to the personal information to be deleted.

Get opt-in from minors

If users are under the age of 16, you must obtain their opt-in consent before selling their personal information. If users are under the age of 13, opt-in consent from parents or legal guardians are required.

A CCPA compliant opt-out banner by Cookiebot CMP.

Cookiebot CMP WordPress plugin

The Cookiebot CMP WordPress plugin is an easy way to make the use of cookies etc. on your website compliant with the GDPR and CCPA.

Cookiebot CMP is one of the only fully GDPR and ePrivacy directive compliant cookie solutions on the market.

It is based on years of thorough research on the regulations and ensures full compliance and full control at a fair price.

The experience is user-friendly and transparent for both you as a website owner and for your users.

Try the Cookiebot CMP WordPress plugin for free

List of cookies on my WordPress site

The cookies in use vary from site to site, also depending on what plugins are in use and where the site is hosted. Generally speaking, WordPress sites may use the following:

Strictly Necessary Cookies:

For example authentication cookies, used to know whether the user is logged in or not.

Preference Cookies:

Stores preferences set by users such as account name, language, location, and whether the user has chosen to view the mobile version of a site.

Statistics Cookies:

Collects information on how users interact with websites hosted on WordPress, including what pages are visited most, as well as other analytical data. These details are used to improve the performance of the website’s functions.

Marketing/Tracking Cookies:

Used to target the advertising to visitors on WordPress sites, as well as to track the volume of visitors. They track details about visitors such as the number of unique visitors, number of times particular ads have been displayed, the number of clicks the ads have received, and are also used to measure the effectiveness of ad campaigns by building up detailed user profiles. These kinds of cookies are set by trusted third party networks, and are generally persistent in nature.

Cookies set by Third Parties/Embedded Content:

Sites hosted on WordPress make use of different third party applications and services to enhance the experience of website visitors. These include social media platforms such as Facebook and Twitter (through the use of sharing buttons), or embedded content from YouTube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track your online activity.

Web beacons and other tracking technologies:

Both websites and HTML e-mails may also contain other tracking technologies such as ‘web beacons’. These are typically small transparent images that provide WordPress with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, the web beacons may still load, but their functionality will be restricted.

Find out what cookies are in use on your WordPress site, where they come from and what purpose they serve by taking an audit of your website.

The free audit scans five pages of your website and sends you a report of the cookies and online tracking on these pages, including information on their provenance, purpose and whether or not they are compliant.

If you want a complete overview of the cookies and online tracking going on on all of your website, sign up to the Cookiebot CMP solution.

Your cookie policy should contain:

What types of cookies are set on the user’s browser when they visit your site
How long they persist on the user’s browser
What data they track
For what purpose (functionality, performance, statistics, marketing, etc.)
Where the data is sent to and with whom it is shared
How to reject cookies, and how your users subsequently can change the status regarding what cookies they have accepted and rejected.

The cookie policy may be written as a part of the website’s privacy policy.

You may check out the WPbeginners guide on how to add a privacy policy in WordPress.

You can find many examples and templates for your cookie policy on the internet.

Keep in mind, however, that your policy should be revised and updated regularly, to make sure that it informs about the actual cookies in use on your site.

FAQ

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU data privacy law that governs how websites, companies and organizations are allowed to process the personal data of individuals inside the European Union. The GDPR requires websites that use cookies and trackers to inform its users of such and to obtain the clear and affirmative consent before activating any cookies that process personal data.

Learn more about GDPR compliance

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law governing the collection, processing, sharing and selling of personal information from California residents. The CCPA requires businesses that use cookies and trackers on their websites to inform users of such and to enable users to opt out of having their personal information disclosed and sold to third parties.

Learn more about CCPA compliance

Is WordPress GDPR and CCPA compliant?

WordPress is a website management tool that can be used in a lot of different ways. If you use plugins on your WordPress website, like social media plugins, webshop plugins or analytics plugins, these will set third-party cookies on your users’ browsers that will most likely process their personal data such as IP addresses, browser and search history, among others. For your WordPress website to be compliant then, you need to ask and obtain the clear and affirmative consent from users before activating any cookies (apart from strictly necessary cookies).

Learn more about GDPR and cookies

Learn more about CCPA and cookies

What is a WordPress plugin for GDPR and CCPA compliance?

Consent management platforms (CMPs) help websites become compliant with GDPR, CCPA and more data privacy laws around the world by protecting users’ personal data from unconsented collection, processing and abuse. Cookiebot’s consent management platform comes as a free WordPress plugin.

Try the Cookiebot CMP WordPress plugin free for 30 days… or forever if you have a small website.

What is a cookie banner?

A cookie banner is the user interface of a consent management platform that helps websites become compliant with data privacy laws like GDPR and CCPA. It is also meant to notify the users of any cookies that could be on the site, their rights in that regard, and to ask for the user's consent to run those cookies.

Scan your website for free to see all cookies and trackers in use

What is a cookie notice?

A cookie notice is a notification on a website, informing the visitor on the use of cookies. The GDPR requires that all users should not only be informed about the specific cookies in use, but given a real choice to opt in and out of them. The CCPA requires websites to feature a Do Not Sell My Personal Information link, so users can opt-out of having their personal information sold. Cookiebot CMP offers a highly customizable banner that features all of the above.

Scan your website to see what cookies your website uses

What should a WordPress cookie notice or warning contain?

In order to be GDPR compliant, a cookie notice or warning should contain specific information about the cookies in use on the website, including cookies and other online tracking technologies set by third parties. In order to be CCPA compliant, it must include a Do Not Sell My Personal Information link for users to opt out of third- party data sales. The cookie notice should also inform about the types of cookies in use, their provenance and purpose, and provide your users with the possibility to opt in and out. Remember, also, that the notice should be given before any cookies are set (except for strictly necessary ones), and that the cookies are not allowed before the user has given their consent to it.

Try the Cookiebot CMP WordPress plugin free for 30 days… or forever if you have a small website.