Brad Jones, Jun 5, 2020

This is the second part of a multi-part series on GDPR compliance for your WordPress website. Today we look at what should be done about cookies. As I mentioned in the previous GDPR post, this is not a complete guide to WordPress GDPR compliance; I just want to bring to light some of the tools and insights I have found useful in getting closer to compliance. Secondly, I am not a lawyer, so you should not rely on any of this for your own legal protection, particularly with regard to your website's privacy and cookie policies. Seek professional legal advice; it is the wisest and, in the long run, cheapest option, particularly if you ever face legal issues over GDPR data protection compliance.

Overview

Interestingly, GDPR, while the most comprehensive data protection legislation passed by any governing body to this point, mentions cookies only once, in Recital 30, titled “Online identifiers for profiling and identification”. Recital 30 says the following:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/

Other relevant European legislation to consider is the ePrivacy Directive (2002/58/EC), passed in 2002 and amended in 2009 by Directive 2009/136/EC. This legislation, also known as the “cookie law”, is the reason so many websites now ask their visitors for consent with cookie pop-ups: its Article 5(3) requires consent before storing or accessing information on a user's device, except where that is strictly necessary to provide a service the user has asked for.

The long and short of this is that there are two primary things you should do to start making your website GDPR compliant with regard to cookies:

(1) write a cookie policy that explains what cookies are, what types of cookies you use, what data your cookies collect and for how long, and how a user can block cookies if they do not want your website to use them during their visit;

(2) implement a cookie consent pop-up that is displayed on every page of your website when a new user visits.

WordPress Comments

If your WordPress website uses the blogging functionality and lets readers leave comments, it will almost certainly use cookies. When a user leaves a comment they are offered the option of saving their details so they do not have to re-enter them for future comments (the “Save my name, email, and website in this browser for the next time I comment” checkbox shown in the following screenshot). If they tick it, WordPress stores three cookies in their browser: comment_author_{hash}, comment_author_email_{hash} and comment_author_url_{hash}, where {hash} is the site's COOKIEHASH value, an MD5 hash of your site URL.

[Screenshot: WordPress comment form personal data consent checkbox]

The following screenshots show what these cookies look like in the browser's developer tools once WordPress has set them:

[Screenshot: list of cookies added]
[Screenshot: example of cookie contents (the comment author email cookie)]

You will therefore need to document these cookies in your cookie policy. Fortunately, WordPress provides suggested wording for your privacy policy and/or cookie policy. As mentioned in the first GDPR blog post, the WordPress Privacy Policy Guide is found at the following relative path of your website when you are logged in as an administrator:

wp-admin/privacy-policy-guide.php

The following is provided in this Privacy Policy Guide with regard to Cookies:

Suggested Text:

“If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.”

One caveat worth knowing when you write your own wording: the “one year” is a rounding. The default lifetime WordPress applies in wp_set_comment_cookies() is 30,000,000 seconds (about 347 days), and it can be changed with the comment_cookie_lifetime filter, so if you alter it, update the policy text to match.

Google Analytics

Another area to consider is Google Analytics. Google Analytics uses cookies to record the data it tracks about how visitors arrive at and use your website, and that includes data GDPR treats as personal, such as the visitor's IP address and the location derived from it. I am not going to go into detail here about how Google uses cookies for Analytics, because Google has thoroughly documented this in its Google Analytics Cookie Usage on Websites article; I suggest you look through it if you are interested.

So far I have given two examples of cookies to document in your cookie policy; there are many others (login and session cookies, cookies set by your theme and plugins, and cookies set by embedded third-party content such as videos and social buttons). Consider every way your website uses cookies when writing the policy, and check the actual Set-Cookie headers and the browser's cookie storage rather than relying on plugin documentation alone: each cookie's name, lifetime and purpose is what the policy has to state.
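The check described above, as an added example that is not part of the original post: a small Node script that turns the Set-Cookie headers a site emits into the inventory a cookie policy needs (name, category, lifetime, purpose) and flags the attribute problems a security review would raise. The sample headers are constructed; the "deadbeef" suffix stands in for a real COOKIEHASH value, the Google Analytics client ids are made up, and the category labels are this example's own, not anything WordPress or Google publishes.

```javascript
// Added example, not code from the original post. Constructed sample
// Set-Cookie headers modelled on a WordPress site with comment cookies and
// Google Analytics; "deadbeef" is a placeholder for the real COOKIEHASH.
const SAMPLE_SET_COOKIE_HEADERS = [
  "comment_author_deadbeef=Brad; expires=Sat, 05-Jun-2021 12:00:00 GMT; Max-Age=30000000; path=/; secure; SameSite=Lax",
  "comment_author_email_deadbeef=brad%40example.com; expires=Sat, 05-Jun-2021 12:00:00 GMT; Max-Age=30000000; path=/; secure; SameSite=Lax",
  "comment_author_url_deadbeef=https%3A%2F%2Fexample.com; expires=Sat, 05-Jun-2021 12:00:00 GMT; Max-Age=30000000; path=/; secure; SameSite=Lax",
  "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
  "_ga=GA1.2.1234567890.1591358400; expires=Mon, 05-Jun-2023 12:00:00 GMT; Max-Age=63072000; path=/; domain=.example.com",
  "_gid=GA1.2.987654321.1591358400; Max-Age=86400; path=/; domain=.example.com",
  "_gat_gtag_UA_12345_1=1; Max-Age=60; path=/; domain=.example.com",
  "theme_popup_seen=1; expires=Sat, 05-Jun-2021 12:00:00 GMT; path=/",
];

// Purpose by cookie-name pattern. The WordPress and Google Analytics names are
// the real ones; the category labels are this example's own.
const KNOWN_COOKIES = [
  { pattern: /^wordpress_test_cookie$/, category: "strictly necessary", purpose: "WordPress checks that the browser accepts cookies" },
  { pattern: /^wordpress_(sec|logged_in)_/, category: "strictly necessary", purpose: "WordPress login session" },
  { pattern: /^wp-settings-/, category: "functional", purpose: "WordPress admin interface preferences" },
  { pattern: /^comment_author_/, category: "functional (opt-in)", purpose: "remembers comment form details" },
  { pattern: /^_ga$/, category: "analytics", purpose: "Google Analytics: distinguishes visitors" },
  { pattern: /^_gid$/, category: "analytics", purpose: "Google Analytics: distinguishes visitors (24 hours)" },
  { pattern: /^_gat/, category: "analytics", purpose: "Google Analytics: throttles request rate" },
];

// Parse one Set-Cookie header value. Attribute names are lower-cased and
// flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

function classify(name) {
  const hit = KNOWN_COOKIES.find((k) => k.pattern.test(name));
  return hit ? { category: hit.category, purpose: hit.purpose }
             : { category: "unclassified", purpose: "unknown: find the plugin or script that sets it" };
}

// Lifetime in days relative to `now` (ms since epoch); null means a session
// cookie. Max-Age wins over Expires, as in RFC 6265. PHP's setcookie() writes
// "05-Jun-2021", which Date.parse does not reliably accept, so the hyphens
// are replaced with spaces first.
function lifetimeDays(cookie, now) {
  const { attrs } = cookie;
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires) {
    const ms = Date.parse(String(attrs.expires).replace(/(\d{2})-([A-Za-z]{3})-(\d{4})/, "$1 $2 $3"));
    if (!Number.isNaN(ms)) return (ms - now) / 86400000;
  }
  return null;
}

function formatLifetime(days) {
  if (days === null) return "session";
  return days < 1 ? `${Math.round(days * 1440)} min` : `${days.toFixed(1)} days`;
}

// One row per header: what to write in the policy, plus the attribute checks
// a security review would raise.
function inventory(headers, now = Date.now()) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const { category, purpose } = classify(c.name);
    const days = lifetimeDays(c, now);
    const warnings = [];
    if (c.attrs.secure !== true) warnings.push("missing Secure");
    if (!c.attrs.samesite) warnings.push("missing SameSite");
    if (category === "unclassified") warnings.push("not in the policy yet");
    return { name: c.name, category, purpose, lifetimeDays: days, lifetime: formatLifetime(days), warnings };
  });
}

function renderTable(rows) {
  return rows.map((r) =>
    `${r.name.padEnd(30)} ${r.category.padEnd(20)} ${r.lifetime.padEnd(11)} ${r.purpose}` +
    (r.warnings.length ? `  [${r.warnings.join(", ")}]` : "")).join("\n");
}

// Reference time for the sample run: the post's publication date.
const NOW = Date.UTC(2020, 5, 5, 12, 0, 0);
console.log(renderTable(inventory(SAMPLE_SET_COOKIE_HEADERS, NOW)));
```

Run it with `node` and paste the table into the policy as a starting point. In practice you feed it the headers from the responses to a real crawl of your site (curl -D - or the browser's network panel), logged-in and logged-out; anything that comes back "unclassified" is exactly the cookie the policy is most likely to be missing.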

Cookie Consent Pop Up

With regard to GDPR and ePrivacy Directive compliance, it is not enough to tell visitors how you use cookies on your website; you also need their consent for doing so. Fortunately WordPress has a number of plugins that add such a pop-up. One I have found to work really well is the Cookie Notice for GDPR & CCPA plugin, which uses the “Implied or Further Browsing Consent” method. Be aware that consent implied from continued browsing is not accepted as valid consent for non-essential cookies by the EDPB (Guidelines 05/2020 on consent) or by the CJEU (Planet49, case C-673/17), and that a banner on its own does not stop cookies from being set. For analytics and other non-essential cookies you should require an explicit opt-in, hold the scripts that set them back until the visitor accepts, and respect a refusal.
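One way to hold a non-essential script back until explicit opt-in, as an added example that is neither the original post's code nor the plugin's own: the analytics loader runs only when a consent cookie carries the value "true", and a missing cookie, a refusal, or merely scrolling past the banner leaves analytics off. Assumptions: the banner writes a cookie named `cookie_notice_accepted` with the value "true" on accept (check what your plugin actually sets), the accept button has the id `cn-accept-cookie`, and `G-XXXXXXXXXX` is a placeholder measurement id. The `fakeDocument` helper is a test double so the same logic can be exercised outside a browser.

```javascript
// Added example, not code from the original post or the Cookie Notice plugin.
// Assumed consent cookie name and placeholder measurement id; adjust both.
const CONSENT_COOKIE = "cookie_notice_accepted";
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX";

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(str) {
  const out = {};
  for (const part of (str || "").split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Explicit opt-in only: a missing cookie, "false" (the visitor refused) or any
// other value all mean "no consent". Scrolling past the banner changes nothing.
function hasAnalyticsConsent(cookieString) {
  return parseCookieString(cookieString)[CONSENT_COOKIE] === "true";
}

// Inject Google's gtag loader and the standard init calls, exactly once.
// `doc` and `win` are passed in so the same code runs against a fake DOM.
// anonymize_ip applies to Universal Analytics properties; GA4 truncates by default.
function loadAnalytics(doc, win) {
  if (doc.getElementById("ga-loader")) return false;
  const script = doc.createElement("script");
  script.id = "ga-loader";
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(GA_MEASUREMENT_ID);
  doc.head.appendChild(script);
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", GA_MEASUREMENT_ID, { anonymize_ip: true });
  return true;
}

// Load analytics only if consent is present. Returns true when this call
// loaded it, false when there is no consent or it was already loaded.
function applyConsent(doc, win) {
  return hasAnalyticsConsent(doc.cookie) ? loadAnalytics(doc, win) : false;
}

// Minimal stand-in for the DOM (test double) so the gating logic runs in Node.
function fakeDocument(cookieString) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    cookie: cookieString,
    head,
    getElementById(id) { return head.children.find((c) => c.id === id) || null; },
    createElement(tagName) { return { tagName }; },
  };
}

if (typeof document !== "undefined") {
  // In the browser: run on load, and again after the accept button writes the cookie.
  applyConsent(document, window);
  const accept = document.getElementById("cn-accept-cookie");
  if (accept) accept.addEventListener("click", () => setTimeout(() => applyConsent(document, window), 0));
} else {
  const refused = fakeDocument("cookie_notice_accepted=false");
  const accepted = fakeDocument("cookie_notice_accepted=true");
  console.log("refused ->", applyConsent(refused, {}), "| accepted ->", applyConsent(accepted, {}));
}
```

Enqueue this in place of the plain Google Analytics snippet. The point of passing `document` and `window` in explicitly is that the decision logic stays testable: the same `applyConsent` that the page calls can be run against a fake document with each consent state, which is the regression test you want when someone later changes the banner plugin.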

After you install the plugin you are given a number of options. At a minimum, I advise enabling the privacy policy button so that visitors have easy access to your privacy policy when the pop-up is displayed. This is set in the plugin settings by (1) checking the “Enable privacy policy link” check box, (2) entering the text you want shown on the button and (3) selecting which page of your website is your privacy policy. The plugin then shows the cookie pop-up on every page of your website to a new visitor, and it looks as follows:

[Screenshot: cookie consent pop-up example]

If the style of the pop-up does not match the design of your website, it is easy to customize. I use the following CSS to change the colors to better align with my website's color scheme:

/* the banner itself */
#cookie-notice{
	background-color: #006680 !important;
}

/* the Accept and Privacy policy buttons */
#cookie-notice #cn-accept-cookie,
#cookie-notice #cn-more-info {
	background-color: #f49531 !important;
}

This simple code block results in the pop-up shown below. You can do a lot more, such as adding hover/focus styles as UX cues and restyling the buttons to match your website's design.

Conclusion

While there are other considerations with regard to GDPR compliance and cookies, taking the steps in this post will put you well on your way. WordPress makes some of it very easy, and the vast array of plugins available helps a great deal.

If you need a website for your business or are working on making your website GDPR compliant, we’d love to help you. Please don’t hesitate to request a free quote to speak with us further about your IT needs!
