WordPress, cookies, plugins and GDPR: What’s the deal?

Do you need cookie consent if you have a WordPress site?

What does the EU cookie law mean for your website and cookie notice? Are you compliant?

What is a WordPress cookie plugin, and why should you choose Cookiebot?

Read the article and get the answers!

Does my WordPress site use cookies?

---

It depends on how you use WordPress and how it is set up.

A clean version of the WordPress code without plugins doesn't set any user related cookies. It only sets cookies when a site admin logs into the backend of the system. In this case, you don't need a cookie consent on your website, as there are no cookies.

Very few people use WordPress in its basic form. Once you start to install plugins on your site, you either need to check the plugins to ensure that they don’t set cookies, or you need to implement a cookie consent function on your site.

Most hosted versions of WordPress set cookies per default, such as WordPress sites hosted on WordPress.com.

Hence, we recommend that you always use a cookie consent solution to ensure that you comply with the GDPR and the EU ePrivacy directive.

You can try our Compliance Test if you are in doubt about what cookies are in use on your site.

What does the GDPR mean for my WordPress website and cookie notice?

The General Data Protection Regulation (GDPR) and the ePrivacy directive are two EU-wide initiatives for the protection of personal data.

They mean that you have to take measures to ensure that your website meets the requirements and is compliant with the regulations.

Otherwise, you risk heavy fines of up to €20 million, or 4% of the organization's global yearly turnover, whichever is higher.

Basically, what you have to do is to go through your data processing activities and revise how the user data is handled on your website.

Websites typically manage data by means of cookies and online tracking technologies.

Be aware that you are responsible not only for the data handled directly by you and your site, but also for that which is handled by any third parties in use on your site.

Most sites make use of some kind of third parties.

For example, social media buttons, embedded videos, and tools for analytics all are data-gathering third parties on your website.

The regulation primarily affects your cookie notice, cookie consent and your privacy policy.

The EU regulations are complex. Luckily, there exists a user-friendly plugin for WordPress sites that ensures that your website meets the requirements and complies in one single stroke regarding everything that has to do with cookies and online tracking.

Is my WordPress site compliant with the GDPR (General Data Protection Regulation) and ePrivacy directive?

Try our free test and get an idea whether your site is compliant:

Scan my website

The free audit scans five pages of your website and sends you a report of the cookies and online tracking on these pages, including information on their provenance, purpose and whether or not they are compliant.

If you want a complete overview of the cookies and online tracking going on on all of your website, sign up to the Cookiebot solution.

For your WordPress site to meet the requirements and hence comply, make sure that you:

Inform your users:

Provide a clear and specific information on the cookies in use on the site, what types of data are processed, for what purpose and where in the world they are sent.

Get prior consent:

Ask for consent before setting cookies. Only strictly necessary cookies may be set prior to the reception of the consent.

Document:

Keep record of all received consents as evidence that the consent has been given.

Protect the data:

Ensure that all personal data is securely stored. Only transmit data to the EU and other adequate countries.

Give your users a true choice:

Make sure that your users have the possibility to see the cookies, select, accept and reject them. The site must function even though the user has rejected cookies.

Provide the option for your users to change their mind:

Give access for the users to see and change their choice of accepted and rejected cookies on your site. If the user so requests, you must be able to erase their data.

Alert:

In the case of a breach, alert securities and affected users within 72 hours.

Also check out the nice infographic by the EU explaining the regulations in plain language and what they mean for your business.

What is a WordPress cookie consent plugin?

A cookie plugin for WordPress sites is an easy way to make the use of cookies etc. on your website GDPR-compliant, if you choose the right one.

Most cookie plugins on the market simply provide a banner or notification for your website, informing visitors that the website makes use of cookies. Some of them also supply a corresponding privacy policy default text.

However, this is not sufficient to comply.

An adequate WordPress cookie plugin takes care of all the processes concerning cookies on your site, so that everything in relation to cookies and online tracking on your website complies with the GDPR and ePrivacy directive.

What is the best cookie plugin for WordPress?

There exists a vast range of cookie plugins for WordPress, both free and paid. Their functionality and quality varies accordingly.

What you need to look for when choosing a cookie plugin for your website, is whether it meets the actual laws and requirements.

NB! Be aware that the rules have changed.

Previously, websites operating within the EU or with EU-citizens as users were required to simply inform users that the website made use of cookies.

With the enforcement of the GDPR, the requirements have become both stricter and more complex.

Therefore, be careful and bear in mind that a great deal of the existing cookie plugins for WordPress that explicitly claim to be compliant, are not. Even though they have “EU law” in their name or EU stars in their icon!

The price for making the wrong choice is very high.

For a WordPress cookie plugin to be compliant, it has to:

• Provide clear and specific information about data types and purpose of the cookies.
• Block all but strictly necessary cookies until the visitor has given consent - a feature called ‘prior consent’.
• Keep a full documentation of all given consents.
• Contain the possibility for users to reject superfluous cookies and still use the website.
• Give users the possibility of withdrawing their consent whenever they want.

Cookie solutions that don’t have those features are not GDPR compliant.

Why should I choose the Cookiebot WordPress plugin?

Cookiebot is one of the only fully GDPR and ePrivacy directive compliant cookie solutions on the market.

It is based on years of thorough research on the regulations and ensures full compliance and full control at a fair price.

The experience is user-friendly and transparent for both you as a website owner and for your users.

Cookiebot informs about all cookies in use in a clear and simple manner, gives your users the free choice of opting in and out of the different types of cookies, and securely stores all consents as documentation.

The customizable Cookiebot notification informs your visitors about the use of cookies and gives them the option to accept or reject different types of cookies directly in the banner, offering maximum transparency with a minimum impact on the overall user experience.

With Cookiebot, you are in full control. See an overview of all of the functions on Cookiebot.com

How do I set a WordPress cookie plugin?

It's easy to set a WordPress cookie plugin.

Go to the WordPress plugin page and search for the cookie plugin of your choice.

Be sure to do your research on the requirements for a compliant cookie consent before making your choice.

Then, select the plugin of your choice from the list on WordPress.org and follow the instructions.

If you choose the Cookiebot plugin, the first step is to install it on your WordPress site.

After installing the plugin, go to Settings → Cookiebot and add your Cookiebot ID.

If you haven't created one yet - or if you're not sure how to find it - follow the instructions on the page.

Once your Cookiebot ID is added, the consent dialog will be displayed to the visitors of your site.

Cookie declaration

The Cookiebot solution also comprehends an automatically updated cookie declaration about the cookies in use on your site.

By implementing it, you ensure that your cookie declaration is specific and accurate at all times, as required by the GDPR.

To display your cookie declaration, create a new page on your website - and add the shortcode that the plugin provides to the page: [cookie_declaration]. Alternatively, you can incorporate it into e.g. your existing Privacy Policy.

Prior consent

Now comes the trickiest part.

As one of the few cookie consent plugins on the market, Cookiebot supports 'prior consent', as required by the EU ePrivacy Directive.

Prior consent means that no cookies (except for the strictly necessary ones) may be set on the browser before the user's consent to it is given.

To allow for this to happen, you must make small adjustments to the plugins in use on your website, so that Cookiebot can ensure that no cookies are set until the consent is given.

1. Search through your plugin files and find the relevant script tags. This can usually be done by searching for "<script">.

2. Mark the script tags with the attribute "data-cookieconsent", along with one of the following values: ('preferences'), ('statistics'), or ('marketing').

Then, to prevent the scripts from setting cookies until consent is given, change or add "text/plain" to the type.

Or, try our helper function, called cookiebot_assist.

To use it, you must still search for the <script> tag in the files. In the illustration below, it's in line 190:

Remove the type attribute - and write cookiebot_assist($consentType). This outputs the data-cookieconsent and type attributes:

Repeat this action for all your plugins, so that they are kept passive until your visitor has consented to the use of cookies.

Remember to repeat this action every time your cookie-setting plugins are updated.

With Cookiebot, you will have an overview over what plugins set cookies at all times thanks to the monthly scan report of your website.

List of cookies on my WordPress site

---

The cookies in use vary from site to site, also depending on what plugins are in use and where the site is hosted. Generally speaking, WordPress sites may use the following:

Strictly Necessary Cookies:

For example authentication cookies, used to know whether the user is logged in or not.

Preference Cookies:

Stores preferences set by users such as account name, language, location, and whether the user has chosen to view the mobile version of a site.

Statistics Cookies:

Collects information on how users interact with websites hosted on WordPress, including what pages are visited most, as well as other analytical data. These details are used to improve the performance of the website’s functions.

Marketing/Tracking Cookies:

Used to target the advertising to visitors on WordPress sites, as well as to track the volume of visitors. They track details about visitors such as the number of unique visitors, number of times particular ads have been displayed, the number of clicks the ads have received, and are also used to measure the effectiveness of ad campaigns by building up detailed user profiles. These kinds of cookies are set by trusted third party networks, and are generally persistent in nature.

Cookies set by Third Parties/Embedded Content:

Sites hosted on WordPress make use of different third party applications and services to enhance the experience of website visitors. These include social media platforms such as Facebook and Twitter (through the use of sharing buttons), or embedded content from YouTube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track your online activity.

Web beacons and other tracking technologies:

Both websites and HTML e-mails may also contain other tracking technologies such as ‘web beacons’. These are typically small transparent images that provide WordPress with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, the web beacons may still load, but their functionality will be restricted.

Cookie checker: How can I check the cookies on my WordPress website?

Find out what cookies are in use on your WordPress site, where they come from and what purpose they serve by taking an audit of your website.

The free audit scans five pages of your website and sends you a report of the cookies and online tracking on these pages, including information on their provenance, purpose and whether or not they are compliant.

If you want a complete overview of the cookies and online tracking going on on all of your website, sign up to the Cookiebot solution.

What should a GDPR compliant WordPress cookie policy contain?

---

Your cookie policy should contain:

• What types of cookies are set on the user’s browser when they visit your site
• How long they persist on the user’s browser
• What data they track
• For what purpose (functionality, performance, statistics, marketing, etc.)
• Where the data is sent to and with whom it is shared
• How to reject cookies, and how your users subsequently can change the status regarding what cookies they have accepted and rejected.

The cookie policy may be written as a part of the website’s privacy policy.

You may check out the WPbeginners guide on how to add a privacy policy in WordPress.

There are many websites on the internet that allow you to automatically generate a text for your privacy policy or terms of service pages.

However, with the GDPR, you have to make sure that the part containing your cookie declaration is updated at all times.

If you choose to use the Cookiebot plugin on your WordPress site, you can easily integrate an automatically updated cookie declaration as part of your privacy policy.

Examples of WordPress cookie policies

You can find many examples and templates for your cookie policy on the internet.

Keep in mind, however, that your policy should be revised and updated regularly, to make sure that it informs about the actual cookies in use on your site.

FAQ

---

What is a WordPress cookie banner?

A WordPress cookie banner is a banner, that shows up on a website the first time a user visits it.

The purpose of a GDPR compliant cookie banner is to inform visitors about the use of cookies and get consent from the user before setting all but strictly necessary cookies.

With the enforcement of the GDPR, the information should be specific, clear and transparent, and the user should be provided the option to accept or reject different types of cookies.

Cookiebot does all of the above directly in the banner, thereby complying with the regulations with a minimum impact on the overall user experience.

Once 12 months has passed since the specific user gave their consent, the cookie banner should show up again upon the user’s first visit to the site, asking for renewed consent.

What is a cookie notice?

A cookie notice is a notification on a website, informing the visitor on the use of cookies.

With the EU cookie law and data protection regulation, all users should not only be informed about the specific cookies in use, but given a real choice to opt in and out of them.

Examples of cookie notice texts

Be aware that the rules have changed, rendering many cookie notices obsolete. Here is an example of a cookie notification, that doesn’t comply with the regulations:

Here is an example of a compliant cookie notice:

What are the cookie requirements for WordPress Free domains?

Any site that uses cookies must comply with the GDPR.

Most WordPress Free domains make use of cookies for various purposes, and are therefore subject to the regulations.

In short:

Provide clear and specific information about data types and purpose of the cookies. Keep a full documentation of all given consents. Give your users the possibility to reject superfluous cookies and still use the website. Give your users the possibility of withdrawing their consent whenever they want.

Check out our Cookiebot plugin for WordPress, which is one of the few GDPR compliant solutions out there.

What should a WordPress cookie notice or warning contain?

A cookie notice or warning should contain specific information about the cookies in use on the website, including cookies and other online tracking technologies set by third parties.

The notice should inform about the types of cookies in use, their provenance and purpose, and provide your users with the possibility to opt in and out.

Remember, also, that the notice should be given before any cookies are set (except for strictly necessary ones), and that the cookies are not allowed before the user has given their consent to it.

Resources

---

WordPress' information on the use of cookies
The General Data Protection Regulation
The ePrivacy Directive
Cookiebot plugin for WordPress sites
Check if your website complies with the GDPR and the ePrivacy Directive
Data Protection - Better rules for small businesses
GDPR Fines
GDPR adequate countries
Cookiebot Plans and pricing
WPbeginners guide on how to add a privacy policy in WordPress
Blogpost: Cookies and WordPress: How to Set, Get and Delete