
Understanding WordPress cookies to remain privacy compliant

If you use WordPress for your website, you need to know about cookies, how WordPress uses them, and how to manage them to comply with laws like the GDPR and CCPA.

Apr 19, 2024

Cookies and other tracking technologies are a major part of any website’s functionality, and WordPress sites are no exception. These cookies help power certain features of your website, collect important data, and create an exceptional user experience. However, using cookies without understanding what they do and managing them according to the requirements of privacy regulations could lead to legal trouble.

The enactment of laws like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) has put stricter data privacy requirements in place for the use of website technologies like cookies and trackers that collect personal data.

Navigating compliance with these laws can be challenging, particularly where WordPress cookies are concerned. Understanding the impact of privacy regulations on your WordPress site and determining the necessary cookie consent is crucial.

What are WordPress cookies?

Cookies are small data files that websites place on a person’s device, typically in the web browser, to store information about their activities during a browsing session. They make it easier for websites to “remember” information like someone’s language preference, whether they are logged in, or the items they have put in online shopping carts. They also help optimize the browsing experience by recalling visited pages and custom settings, thereby streamlining navigation for your website visitors.

WordPress, like any other content management system, uses cookies to enable certain features, such as remembering your login credentials, pages visited, and preferred language settings. Without these cookies, websites couldn’t remember any of the information that makes your life easier, and in many cases wouldn’t function correctly. That’s why WordPress is set up to use cookies right out of the box.

The core WordPress cookies are considered “first-party” as a WordPress site sets them for essential functionality. In contrast, “third-party” cookies are set by other services, like from external domains or WordPress plugins. These cookies are used for tracking, advertising, and other purposes, which can feel invasive for website visitors — if they are even aware of them. This is one reason that the European Union enacted the GDPR, which requires website owners to declare that they use cookies to collect, store, and process information, and for what purposes, among other requirements.

How does WordPress use cookies?

By default, WordPress generates two core types of cookies: session cookies and comment cookies. Both are categorized as “strictly necessary” as they are needed for the website to function properly. They do not require user consent, though they do collect personal information to work.

On WordPress websites, session cookies are activated once a visitor logs in to the website. These session cookies enable the website to save a user’s authentication details, which can include:

  • username
  • password
  • email address
  • phone number

These cookies remember your personalized settings and save you from having to log in or reset functions like language preference over and over again on the same sites. Session cookies automatically expire after 15 days.

Comment cookies are generated when you leave a comment on a WordPress website. These cookies enable WordPress to store username, password, and email so that this information can be filled in automatically the next time you go to that site and comment on content. Comment cookies last longer than session cookies, expiring automatically after about a year.

WordPress sites can use additional types of third-party cookies beyond those for sessions and comments. These cookies can be for installed themes, plugins, or other third-party services like Google Analytics, YouTube, Facebook, Hotjar, etc. These are not essential types of cookies, so they often require cookie consent from users.

Plugins and other services can enhance user experience on your website, but privacy regulations require website owners to be transparent about all cookies in use on their WordPress sites (both essential and non-essential) in addition to obtaining valid consent where needed. They must provide a WordPress cookie policy that details all the cookies used, their purpose, and what parties may have access to the data they collect. A cookie policy can be a separate document on a website but is commonly included as a section in the broader privacy policy.

How do WordPress plugins use cookies?

Third-party plugins may make extensive use of a variety of cookies. These plugins can be for analytics, history, advertising, or e-commerce functions.

For example, an analytics plugin uses cookies to save a user’s behavioral data, i.e. how they use the website, what they look at or click on, and how much time they spend on different functions. You can then use this behavioral data to optimize user experience or workflow, or to create a more personalized experience for the user, focusing on content they have interacted with in the past and providing more relevant ads for things they have shown interest in.

If you have plugins that use third-party cookies, these are subject to privacy regulations like the GDPR and CCPA, which require obtaining explicit user consent before setting these cookies. The Digital Markets Act (DMA) also now requires websites using services from Google (like Ads or Analytics), Facebook, and others to obtain valid user consent and signal it to those services in order to be able to continue using them with all of their features.

Are WordPress cookies secure?

WordPress cookies are generally secure, with measures like encryption and the HttpOnly flag helping to protect the data they collect.

However, there are still some potential security risks to be aware of. While the core WordPress cookies are reasonably secure, WordPress is not directly responsible for plugins and third-party integrations. These may set additional cookies that could raise privacy and security concerns if they are not properly managed. WordPress website owners need to be vigilant about all cookies used on their WordPress sites and ensure they are implementing privacy requirements, or, ideally, best practices, for cookie permissions and security.

How to manually identify cookies stored by a WordPress website (per browser)

Laws like the GDPR require identifying cookies in use on your website, notifying users about them, and getting their consent for cookie use to be compliant. This starts with identifying the cookies that your WordPress website installs in the browser.

One way to do this is to log out of your WordPress website and delete cookies and browsing data in your browser. This will enable you to see cookies used when regular users first visit your website.

Here’s how to manually check which WordPress cookies are stored on a user’s computer depending on the browser they use.

Google Chrome:

  1. Visit the WordPress website you want to check.
  2. Click on the Padlock icon next to the website address in the browser’s address bar.
  3. Select “Cookies and site data”.
  4. This will show you the number of sites allowed to set cookies.
  5. Click on the “Manage cookies and site data” option.
  6. This will show you the cookies set by your own WordPress website as well as any third-party cookies.
  7. You can click on any cookie to see the data it is storing.

Safari:

  1. Visit the WordPress website you want to check.
  2. Right-click on the web page and select “Inspect Element” to open the developer console.
  3. In the developer console, go to the “Storage” tab.
  4. Expand the “Cookies” drop-down on the left to see the cookies set by the website and their name, value, and attributes.

Microsoft Edge:

  1. Visit the WordPress website you want to check.
  2. Click on the three dots in the top right corner and select “Settings”.
  3. Navigate to “Privacy, search, and services” in the settings menu.
  4. Under the “Clear browsing data” section, click “Choose what to clear”.
  5. Make sure “Cookies and other site data” is selected, then click “Clear now”.
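
As an added example (not code from the original post), the inventory described above can also be run over `Set-Cookie` headers captured from a page load: each cookie is classified as first- or third-party and checked for the `HttpOnly`, `Secure` and `SameSite` attributes touched on in the security section. Host names and header values are constructed samples, and first-party matching is simplified to a host-suffix comparison.

```javascript
// Added example (not from the original post): audit captured Set-Cookie headers.
// Prefixes are WordPress core cookie names; everything else is treated as plugin/other.
const WP_CORE_PREFIXES = ['wordpress_', 'wp-settings-', 'comment_author_'];

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), attrs };
}

// Classify one cookie and list the protective attributes it lacks.
// Simplification: "first-party" means the responding host is the site host or a
// subdomain of it; a production check would compare registrable domains.
function auditCookie(siteHost, fromHost, header) {
  const { name, attrs } = parseSetCookie(header);
  const firstParty = fromHost === siteHost || fromHost.endsWith('.' + siteHost);
  const missing = ['httponly', 'secure', 'samesite'].filter((k) => !(k in attrs));
  const source = WP_CORE_PREFIXES.some((p) => name.startsWith(p)) ? 'wordpress-core' : 'plugin-or-other';
  return { name, party: firstParty ? 'first' : 'third', source, missing };
}

// Constructed sample capture: [responding host, Set-Cookie value]. Values are placeholders.
const SAMPLE = [
  ['shop.example', 'wordpress_logged_in_0123abcd=PLACEHOLDER; path=/; secure; HttpOnly'],
  ['shop.example', 'comment_author_0123abcd=Jane; expires=Sat, 19 Apr 2025 10:00:00 GMT; path=/'],
  ['shop.example', 'plugin_cart=abc; Path=/; SameSite=Lax'],
  ['tracker.example', 'uid=42; Domain=.tracker.example; Path=/; Secure; SameSite=None'],
];

// Audit every captured header for the given site.
function auditAll(siteHost, capture) {
  return capture.map(([from, header]) => auditCookie(siteHost, from, header));
}

console.table(auditAll('shop.example', SAMPLE).map((r) => ({ ...r, missing: r.missing.join(',') })));
```

The resulting table gives one row per cookie, which can feed the cookie list in the policy and highlight cookies that need hardening or consent gating.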

How to automatically identify cookies stored by a WordPress website with Cookiebot CMP

Determining all the cookies in use on a site is time-consuming and not always entirely accurate. Some third-party cookies can be nested and hard to detect. Also, WordPress site operators need to keep the cookie list up to date, so this needs to be done regularly. Fortunately, there are tools to automate it.

When website users implement the free Cookiebot CMP WordPress plugin to get started with Cookiebot CMP, the patented and automated cookie scanner starts scanning the website to detect all of the cookies and other tracking technologies in use. This list can then be used to notify users in the cookie policy and provide them with granular consent choices in the CMP, enabling regulatory compliance.

This best-in-class cookie scanner can be scheduled on-demand to ensure cookie lists are kept up to date. Cookiebot CMP also provides a comprehensive repository of cookies and trackers with purpose descriptions. This saves time and resources in providing information about all the cookies in use. Categorizations can be automatically applied based on scan results, or customized to your needs.

Cookiebot CMP will enable users to access this information and make their consent choices, which are then stored for your WordPress site. Cookiebot CMP stores consent preferences, so when a user returns to your site, they are not asked for consent again, unless the consent has expired or the user has deleted those saved browser settings. Only the approved cookies and trackers will be allowed to collect personal data.

The secure storage of consent preferences further enables privacy compliance by making the data available in the event of an audit by data protection authorities, or a data subject access request. 

Cookiebot CMP also has Google Consent Mode v2 integrated, which enables signaling consent information from the CMP to Google services, like Ads and Analytics, to control their functions on your WordPress site based on user consent. This enables WordPress site owners to comply with Google’s latest requirements as well. 

To comply with requirements of data protection laws, like Article 12 of the GDPR, which governs the use of cookies, you must obtain prior consent from website visitors before enabling non-essential cookies, or risk penalties for noncompliance.

You can achieve cookie compliance by implementing a cookie notice as part of the cookie policy on your WordPress website. This outlines the types of cookies and other tracking technologies used on the site and what they’re used for. It also informs website visitors about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

To ensure compliance with privacy regulations like the GDPR that require prior consent, you must obtain explicit consent from users before setting any non-essential cookies that collect personal data. 

Cookiebot CMP WordPress plugin enables you to achieve data privacy compliance with the GDPR/ePR, CCPA, LGPD, and more.

WordPress cookies – get in control

Understanding WordPress cookies is a crucial first step for WordPress website owners to achieve and maintain compliance with global privacy laws. While WordPress uses two core and strictly necessary cookies, any third-party plugin may try to store cookies on your user’s device and collect personal data. You must be aware of those and stay up to date on which ones are in use, inform your website visitors about them, and collect valid consent for their use where regulations require.

Fortunately, the Cookiebot CMP WordPress plugin with Cookiebot CMP makes this easy to achieve and maintain.

Frequently Asked Questions

What are WordPress cookies?

Cookies are small files that websites save on users’ web browsers or mobile devices that contain information about their visits and activities. WordPress uses cookies to enable its website features, such as login credentials, user experience functions, and remembering e-commerce cart items.

What is cookie compliance?

Cookie compliance is a part of data privacy compliance with regulations more broadly. It refers to legal requirements for websites to be transparent about their use of cookies and other tracking technologies and obtain user consent before setting types of cookies that collect personal data.

Does WordPress use cookies?

Yes, WordPress sites use two core types of cookies: session cookies and comment cookies. Then, if you have additional plugins installed, as many websites do, more cookies may be triggered on your website.

Is WordPress GDPR compliant?

WordPress isn’t inherently GDPR compliant. Website owners must take steps, like using GDPR WordPress plugins, obtaining consent for cookies and data processing, and implementing protective measures. Full compliance requires ensuring all site elements, including plugins, adhere to GDPR standards, with notifications for users and consent choices.

What is the best WordPress cookie plugin?

There is not one best WordPress cookie plugin, as your choice will depend on your needs. If you’re looking to compare options, here are the 10 best WordPress cookie plugins.

How do you create a cookie notice without a WordPress plugin?

You can create a basic cookie notice on your WordPress site without using a plugin by adding a simple HTML, CSS, and JavaScript code snippet directly to your theme’s footer.php file. This custom-coded cookie notice enables you to display the required information about cookie usage and obtain user consent, without relying on a third-party plugin.

You can also manually determine what cookies you use and create a notice with the required information about them, but this can be time-consuming and has greater risks of not being fully accurate or remaining up to date.
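
The consent logic that such a hand-coded notice needs, as an added example (not code from the original post): choices are stored with a timestamp, anything missing, malformed or expired falls back to necessary cookies only, and non-essential scripts are activated only for granted categories. The cookie name, category names, 180-day lifetime and the `type="text/plain"` / `data-category` markup convention are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): consent state for a hand-coded notice.
// Cookie name, categories and lifetime are assumptions chosen for illustration.
const CONSENT_COOKIE = 'site_consent';
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];
const MAX_AGE_DAYS = 180;

// Serialize the visitor's choices with a timestamp so the record can expire.
function serializeConsent(choices, nowMs) {
  const granted = CATEGORIES.filter((c) => c === 'necessary' || choices[c] === true);
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify({ t: nowMs, granted }))}` +
    `; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Read consent from a document.cookie-style string. Missing, malformed or
// expired records all fall back to "necessary only" (prior consent = default deny).
function readConsent(cookieString, nowMs) {
  const deny = { granted: ['necessary'], needsPrompt: true };
  const entry = cookieString.split(';').map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return deny;
  try {
    const rec = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    const age = nowMs - rec.t;
    if (!Array.isArray(rec.granted) || !(age >= 0 && age <= MAX_AGE_DAYS * 864e5)) return deny;
    const granted = CATEGORIES.filter((c) => c === 'necessary' || rec.granted.includes(c));
    return { granted, needsPrompt: false };
  } catch (e) {
    return deny;
  }
}

// In the browser: activate only scripts whose category was granted. Non-essential
// tags are assumed to be written as <script type="text/plain" data-category="...">.
function activateScripts(doc, consent) {
  for (const blocked of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!consent.granted.includes(blocked.dataset.category)) continue;
    const live = doc.createElement('script');
    if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
    blocked.replaceWith(live);
  }
}

if (typeof document !== 'undefined') {
  activateScripts(document, readConsent(document.cookie, Date.now()));
}
```

The banner's button handler would write `document.cookie = serializeConsent(choices, Date.now())` and then call `activateScripts` again; `needsPrompt` tells the page whether to show the notice.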

Does my WordPress site need a cookie policy?

Yes, your WordPress site needs a cookie policy to comply with privacy laws that require transparency and user consent for the use of cookies, including those set by WordPress itself and any plugins or integrations on your site. Lacking a proper cookie policy could put your WordPress site at legal risk.

Determine what data privacy laws apply to you — it usually depends on where users of your site reside, rather than where the website operator does — to determine what specific requirements your WordPress site needs to meet.

Here are WordPress cookie banner requirements to help you meet GDPR requirements.
