WordPress cookie plugins & the ICO’s new consent guidance
After hearing of the new cookie guidance from the Information Commissioner’s Office, we wanted to get to grips with what compliance looks like now, and how to achieve it.
The Lawyer’s View: How to ensure your website cookies are compliant
Thanks to Charlotte Gerrish of Gerrish Legal for her analysis in this chapter.
With the new cookie guidance out from the Information Commissioner’s office, Charlotte breaks down what cookie compliance looks like in 2019.
With the possibility of either the ePrivacy Directive or the General Data Protection Regulation applying to the use of website cookies, the current landscape of rules can seem confusing.
While we await a final version of a new ePrivacy Regulation, which should bring clearer rules on cookies together in one place, some recent guidance from data protection authorities and the European Courts can be used to ensure that our website cookies are legal.
The existing laws on cookies
Before the passing of the General Data Protection Regulation (EU 2016/679, GDPR), the rules about how website providers should use website cookies were governed solely by the 2002 ePrivacy Directive (2002/58/EC).
With the passing of the GDPR things have become more complicated, with the possibility of one, or both, laws applying.
The internet is waiting for a final draft of the new ePrivacy Directive which will set out – hopefully – clearer rules on cookies, like the most acceptable and safe ways of obtaining consent. For now, these rules are still in draft form and things can appear confusing.
The current rules in the ePrivacy Directive set out that website providers must ask website users for their permission before cookies are used, which is generally done with a pop-up when users access a website.
These rules apply to website providers both within and outside the EU, so long as the website can be accessed within the EU. The main thing is that users must give their consent for their data to be tracked with cookies.
The GDPR sets out that if a cookie can be used to uniquely identify an individual, then it is processing personal data and the GDPR applies. The overlap of the rules means that sometimes, both the ePrivacy Directive and the GDPR can apply to the use of website cookies.
Whilst things can appear unclear, what both of these laws have firmly established to date is that consent is required both for processing personal data, and for the placement of cookies.
Website providers must ensure that users are informed on the legitimate purposes of the uses of cookies. The consent that users give to these cookies should be freely given, specific, informed, and unambiguous.
The ePrivacy Regulation remains in draft form, however, some recent guidance from data protection authorities and recent European court cases can help website providers ensure cookie compliance in the meantime.
The rules on cookies are changing
Website providers are now being warned about pop-ups dubbed ‘cookie walls’, which essentially force a visitor to agree to their internet browsing being tracked.
These pop-up walls require that cookies are accepted, and if they are not accepted the user is prevented from accessing the website.
“Using a blanket approach such as this [cookie walls] is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard.”
Ali Shah, Head of Technology Policy, ICO
Data protection authorities received complaints about cookie walls, and they have now issued guidance that the acceptance of cookies as the ‘price’ for entry to a website is not compliant with the GDPR or the ePrivacy Regulation.
The requirement that consent is freely given, specific and informed, and involves some sort of unambiguous action means that permission to cookies is not “free” if there is no real choice.
What website owners need to do
It is important for website providers to remember that the average internet user does not have an in-depth understanding of how cookies work, and such knowledge cannot be assumed.
To be legally compliant, a website provider should be sure of the types of cookies used on their website. Are they first party cookies, session cookies, persistent cookies?
Particular cookies might have particular levels of requirements for consent. Sussing out this information first means website users will be provided with the right information.
Next, there should be clear and comprehensive information available on a website which will put a user in a position where they can determine the consequences of any consent they may give.
This might include, for example, the duration of time that cookies will be stored for, and whether any third parties will have access to them.
This sort of practice does not show that a user has read or understood any information about cookies, since they may have just left the box ticked and not read any of the available information.
Doing so avoids the possibility of appearing to have a cookie wall with acceptance being the price for entry to a website. For this, a pop-up explaining that cookies can be rejected but that in doing so the performance of the website could be affected might be a good idea.
5 WordPress plugins for cookie compliance
Now the new guidance on cookies is out, what tools are out there to make compliance easier?
In this chapter we review five WordPress cookie plugins, and how well they can help you towards compliance. Some of these cookie solutions can be used on other CMS platforms as well.
Based on the new guidance, and Charlotte’s helpful breakdown, we now know that cookie consent on a website must:
- Not have pre ticked checkboxes or sliders
- Not present a ‘cookie wall’ preventing access to website content unless the user accepts
- Meet GDPR standards of consent, including:
  - The ability to withdraw consent as easily as it was given
  - A clear, positive action – continuing to browse the website is not valid
  - Granular consent – a user can consent to some cookies and not others
To get closer to compliance we carried out a review of options on the market for WordPress websites and implemented the solution we felt was the best fit.
Finding a compliant cookie banner for WordPress
Working with Gerrish Legal we scoured the current range of cookie plugins for WordPress, searching for something compliant. We chose WordPress as:
- WordPress is the CMS (content management system) that our clients’ websites are built on, and
- WordPress is the most widely used CMS
As with any guidance, this is our view. You should choose a solution based on your opinion and legal advisors who have analysed your specific case.
All of these plugins work by stopping certain website functionality from working until consent is gained. To achieve this, scripts must be removed from areas of your website and be placed into the cookie solution, to allow you to gain consent before they function. It’s likely you’ll need a developer to configure any of these solutions.
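The consent requirements listed above and the mechanism just described (scripts taken out of the page and only injected once consent exists) can be shown in a few dozen lines. The following is an added example, not code from the original post or from any of the plugins reviewed in it; the cookie name, the category list and the placeholder script URLs are assumptions made for the example.

```javascript
// Added example, not code from the original post or from any plugin reviewed in it.
// It models the mechanism the post describes: scripts are removed from the page
// and only injected once the visitor has consented to the matching category.
// CONSENT_COOKIE, CATEGORIES and GATED_SCRIPTS are assumptions for this example.

const CONSENT_COOKIE = 'cookie_consent';                 // assumed cookie name
const CATEGORIES = ['analytics', 'marketing', 'functional'];

// Constructed list of gated scripts; the URLs are placeholders, not real vendor tags.
const GATED_SCRIPTS = [
  { src: 'https://example.invalid/analytics.js', category: 'analytics' },
  { src: 'https://example.invalid/ads.js', category: 'marketing' },
  { src: 'https://example.invalid/chat.js', category: 'functional' },
];

// Starting state: every category off, the equivalent of unticked boxes.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = false;
  return consent;
}

// Read the consent cookie out of a document.cookie style string.
// Anything missing, malformed or unknown resolves to "no consent", never to "all on".
function parseConsent(cookieString) {
  const consent = defaultConsent();
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(rest.join('='));
    for (const pair of value.split(',')) {
      const [cat, flag] = pair.split(':');
      if (CATEGORIES.includes(cat)) consent[cat] = flag === '1';
    }
  }
  return consent;
}

// Build the Set-Cookie value that records a choice. Withdrawing consent is the
// same call with the category set back to false, so it is as easy as granting it.
function serializeConsent(consent, maxAgeDays = 180) {
  const value = CATEGORIES.map((cat) => `${cat}:${consent[cat] ? '1' : '0'}`).join(',');
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Only scripts whose category the visitor has actively switched on may load.
function allowedScripts(consent, scripts = GATED_SCRIPTS) {
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Browser glue: inject the permitted scripts into the page. The document is
// optional so the same function runs under Node for testing.
function applyConsent(consent, doc = typeof document === 'undefined' ? null : document) {
  const srcs = allowedScripts(consent);
  if (doc) {
    for (const src of srcs) {
      const el = doc.createElement('script');
      el.src = src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return srcs;
}

// Walk-through with a constructed cookie header: the visitor accepted analytics only.
const visitorConsent = parseConsent(
  'wp_session=abc; ' + serializeConsent({ analytics: true, marketing: false, functional: false }).split(';')[0],
);
applyConsent(visitorConsent); // injects analytics.js only; ads.js and chat.js stay out
```

Two design points matter for the checks later in this post. First, the dismiss path (a user hitting ‘x’) never calls `serializeConsent`, so the state stays at `defaultConsent()` and nothing loads. Second, a bad or tampered cookie value falls back to no consent rather than all consent. Whichever plugin you choose, this is the behaviour to confirm in your browser’s developer tools: no request for a gated script should appear before the consent cookie exists.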
Our list of plugin options is not a comprehensive review of every cookie solution on the market. We only reviewed plugins whose functionality we could see and test on the plugin author’s website.
We’ve excluded some plugins as they placed cookies before consent was given and/or didn’t appear to work at all. We’re not looking to name and shame here, we simply left them out.
GDPR WP
A comprehensive plugin with tonnes of features, the cookie consent functionality allows you to prevent cookies from being set until after consent is gained.
Learn more about GDPR WP
Kabo Creative’s view
This is a free plugin that doesn’t allow non-essential cookies to be set without a positive action from the website visitor.
We are a little nervous that many users will just hit the ‘x’ close, meaning the cookies you’d like to set (such as Google Analytics) won’t be, but that’s part of the trade-off of complying with the ICO’s new cookie guidance. We’d hope for a slightly better solution here that still complies but makes it more likely a user will consent than not.
Once you consent, or refuse, the notice disappears. We’re unsure if this meets the GDPR standard of consent, where it must be just as easy to withdraw consent as it is to give it. We couldn’t work out how you’d get the options back once you’d made your initial decision.
Finally, we’re unsure if the granularity criteria is met, as the user can consent (hit the ‘I Agree’ button) without seeing the options they are consenting to.
Having said the above, we’re certain this plugin is a significantly better step towards compliance than a simple pop up explaining cookies are used on a website.
Gerrish Legal’s View
This is a fairly good way of being compliant with the latest cookie rules. To ensure full compliance, we would prefer that the option to accept or decline cookies was more granular with the different cookies listed / clearly set out.
This would allow website users to understand the different cookies and what they are used for, ensuring that they are properly informed about their choice to accept the different cookies or not.
While it would also be preferable if there was a way to directly reject cookies on the banner as well as accept and open up individual privacy preferences, the banner ensures that there is an easy and clear way for users to access their cookie preferences and understand the consequences of consenting to cookies.
As Penni states, there are also some issues here about being able to withdraw consent – but this could be covered off in the cookies preferences centre (providing this is easily visible and accessible on each page once cookies have been accepted or declined).
Cookiebot
A full cookie solution, Cookiebot contains granular options and prevents cookies from being set before consent is gained.
Learn more about Cookiebot
Kabo Creative’s view
Cookiebot stops any non-essential cookies from being set until after consent is gained, which is a positive step towards compliance.
One configuration gives granular choices of cookies, as shown in the screenshot above. You have the choice of pre-ticked boxes, as on the Cookiebot website, or unticked ones. As pre-ticked boxes are explicitly listed as not allowed by the new guidance, the compliant option is unticked boxes.
This meets the compliance requirements, but the marketer in me fears the complete loss of cookies (no more Google Analytics data), as we suspect most users would simply hit the big green OK button.
The other option has no pre-ticked boxes and gives you the choice to accept all cookies, or only necessary cookies. Whilst this configuration has no pre-ticked boxes, it is missing the granular choices for a user to select some types of cookies and not others.
We also can’t see a way to bring this information back up if you want to withdraw your consent.
Again, you’d probably need a developer to set this up, although it looks a little simpler to do than some of the other options.
The positive? If you use this plugin it’s more likely you’ll be able to set cookies. It’s down to your risk versus benefit level. We’d still suggest this option is better than a notice that doesn’t give any option to refuse cookies.
You can implement this solution with Google Tag Manager, and there are set up instructions for other popular CMS systems. This means it’s also possible to use it on non-WordPress websites. There is a free tier available.
Gerrish Legal’s View
Provided you are able to configure Cookiebot without pre-ticked boxes, whilst remaining granular with the choices, it seems like it would be the perfect solution!
As a reminder – since the GDPR came into force, there is a heightened requirement for consent to be freely given, informed and granular, and so pre-ticked boxes have been explicitly mentioned as not being compliant with GDPR consent requirements.
Website users would have to ensure they can apply the solution with boxes “unticked”.
CookiePro
Similar to GDPR WP, CookiePro stops non-essential cookies from being set until consent has been gained.
Learn more about CookiePro
Kabo Creative’s view
Very similar in functionality to GDPR WP, we have the same positives and negatives here.
The plugin does stop non-essential cookies from being set before consent is gained, but the pop up doesn’t show the granular information about the categories of cookies on loading.
If you choose to ‘Accept Cookies’ all cookies will be turned on, but if you select ‘Cookies Settings’ the categories of cookies are off by default. Whether you let a user accept all cookies without seeing the granular information is again down to your risk/benefit choice.
As with the plugins above, we can’t see a way to change our consent settings after the initial decision.
They have a free tier and a WordPress plugin.
Gerrish Legal’s View
Again, while this is a pretty compliant solution, it is a shame there isn’t an option to reject cookies on the banner, and it would be better to ensure that the different cookies are listed clearly (as in the Cookiebot solution but without the pre-checked boxes!).
Whilst we would prefer therefore that more information were made available about the purposes of cookies on the banner itself, it is very clear how users can find more information on the cookies being used. Overall, a good option!
GDPR Cookie Compliance
GDPR Cookie Compliance is highly configurable. It is the first plugin on our list that allows users to easily change their consent after they have closed the cookie banner.
Learn more about GDPR Cookie Compliance
Kabo Creative’s view
Whilst this plugin doesn’t show the granular cookie category options on loading, which we’d been hoping to find, it is highly configurable.
The default example has all cookies, even essential cookies, off by default. This plugin takes the opposite stance to most of the others, where cookies will be turned off unless the website visitor chooses to adjust their settings and turn them on.
As marketers and website developers, this horrifies us. It makes it unlikely a website visitor will take multiple extra clicks to turn on cookies. From a compliance point of view, it’s certainly on the safe side.
However, before we run away from the plugin, it has multiple configuration options, which bring it more in line with the examples above.
You can have cookies off on loading, but with an accept option to turn them all on. In this configuration you still won’t have the granular options available at the point of decision though.
Another positive for this plugin, it is possible to have a small icon button in the bottom left of the screen, allowing website visitors to easily change their consent. This is the first plugin we found that offers this option, essentially making it as easy to withdraw consent as it was to give it.
We like that you could install this plugin to operate to your current risk appetite, and if further guidance came out in the future, it would be possible to change the settings and lock it down further.
There is a free tier available.
Gerrish Legal’s View
From a legal point of view this is a fairly compliant option, but we do understand that it is not so preferable from a data analytics point of view!
It is great that all cookies are off by default as this really gives users a choice about which cookies to apply or disapply. However, when the cookies are turned on, it seems that it is an all or nothing situation. Ideally this would be granular so users can accept cookies on a case-by-case basis.
Another point we really like is the small icon button – it’s vital to ensure that users have easy access to their preferences so that they are able to change their consent options. Again, it is all about risk appetite. Perhaps you are willing to sacrifice some of the data you can use for the sake of ensuring higher compliance.
Cookie Control
Highly configurable, Cookie Control shows the granular cookie categories on loading and remains accessible for website visitors to change their consent.
Learn more about Cookie Control
Kabo Creative’s view
We were close to giving up on a solution that showed granular information on consent categories during our search. Then we had the brainwave of checking what the Information Commissioner’s Office themselves are using on their website.
You guessed it, the answer was Cookie Control. The plugin allows you to have non-essential cookies off by default. You can then choose if each category of cookies is on or off as a recommended setting.
When a user chooses to ‘Accept Recommended Settings’ your decision is then implemented, be that all cookie types on, all off, or a mix of the two.
We were wary of the big ‘x’ function at the top of the plugin, concerned that many users may hit that as it’s the first option. Hitting the ‘x’ function would keep the loading settings, which is all cookies being set to off.
We found that you can change the ‘x’ to a ‘Close’ button and place it further down, which we believe will reduce the number of people who don’t consent whilst still giving them the option.
As with the GDPR Cookie Compliance plugin, there is a small icon that remains on the screen at all times. This allows website visitors to change their consent as easily as they gave it.
There is a free version, a WordPress plugin, support for other CMSs, and you can implement it with Google Tag Manager.
Gerrish Legal’s View
We love this option! It is totally compliant from a legal point of view, with an easy way to consent to or reject cookies at first glance on a banner.
It is also really informative, so users can be sure what they are consenting to as they look through the list of cookies.
Furthermore, it is possible to open and close the icon during each visit to the website, which gives users full control over their cookie preferences (including being able to easily withdraw consent if they wish).
It is also a great compromise since you hopefully won’t lose potential data by aiming for legal compliance and losing all your cookies. It’s great!
Having a cookie pop up or banner that allows visitors to consent (or not) is one step towards compliance.
There are some free tools that claim to do this, or you can do it yourself using your browser’s developer tools.
- A table containing:
  - A list of all the cookies we could identify
  - The name of the product/service that creates the cookie
  - A description of the purpose, written as clearly as possible without legalese language
  - Whether the cookie is placed from our website domain (first party) or from a different website domain (third party)
  - The duration that the cookie will remain on the website visitor’s device
- Guidance on how to manage cookies using popular browsers
- Links wherever possible to third parties that place cookies on our website for further information
- A date to show when the policy was last updated
How to carry out a Cookie Audit
For non-developers, I am personally a fan of the Attacat Cookie Audit Tool. Set up an incognito browser window, install the Chrome extension, and run a cookie audit by crawling your website. Fill out some forms, leave a comment, use the LiveChat, share a post on social media, etc.
You’ll be provided with a list of cookies the tool picked up on. Then you can get googling [other search engines are available] until you identify them.
The best method is to use the developer tools in your browser to identify the actual cookies that appear as you navigate your website.
Using Chrome’s Developer Tools to run a Cookie Audit
Open up Chrome and select a new incognito window [CTRL+SHIFT+N on a Windows machine]
Right click and select the ‘Inspect’ option from the menu.
Select Application from the top menu, and then select Cookies from the left hand menu. You should end up with a blank window showing ‘cookies’. This means the web page has not set any cookies at this point.
Next, navigate to your website in this browser window. You should notice the Cookies option in the left hand menu display a drop down icon at this point. Click on it to open it, then click on the first option. Your window should now show a list of cookies.
Create a table to list all of the cookies you find. You want to gather the cookie, name, purpose, type and duration.
Now you can fill out the table with the cookies that have shown up on your home page. Using the screenshot above:
- The Cookie field in your table should be filled out with the cookie name. Our first example is _cfduid
- The Name field in your table should be filled out with the product or service that creates the cookie. Our first example is Cloudflare, which is easy to guess from the domain. The third cookie in the list, _ga is served from our website domain. In order to identify which product or service is creating it the easiest thing to do is a quick internet search. _ga is in fact a Google Analytics cookie.
- The Purpose field requires a little more digging. If you do not know exactly why cookies are being used by a product or service on your website, you need to find out and then describe it in easy-to-understand language. The best way to do this is searching online.
- The Type field is asking if the cookie is first party or third party. A first party cookie is served by your domain, while a third party cookie is served by a third party domain. In our examples in the screenshot above, _fr is third party while _ga is first party.
- The Duration field should list how long a cookie will remain on a website visitor’s device. Look at the expires/max age field to determine how long that is. Work out the number of minutes/days/months/years from the time you carried out the action which caused the cookie to be placed, and you have your duration.
Once you have gathered all of the home page cookies, you should navigate through your website and check if any additional cookies appear. Record any that do in your table.
Things that may create cookies include:
- Comment forms on blog posts
- Contact or sign up forms
- Live chat
- Social share buttons
- Embedded video such as YouTube
Click on each page type and interact with all the different kinds of functionality you have on your website.
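Once the audit rows have been read off the Cookies panel, the Type and Duration columns of the table described above (cookie, name, purpose, type, duration) can be filled in mechanically. The following is an added example, not code from the original post or the audit tool it mentions: it takes a constructed list of cookies in the shape the DevTools panel shows (name, domain, expiry), classifies each as first or third party against your own domain, and expresses the expiry relative to the time of the audit. The site domain, capture time and sample cookies are assumptions; the product lookup only contains the two cookies the post itself identifies.

```javascript
// Added example, not from the original post: turns the rows you read off
// Chrome's Application > Cookies panel into the audit table described above.
// SITE_DOMAIN, CAPTURED_AT and the sample cookies are constructed for this
// example; KNOWN_PRODUCTS only contains the two cookies the post identifies.

const SITE_DOMAIN = 'example.co.uk';                    // assumed: your own domain
const CAPTURED_AT = new Date('2019-08-01T10:00:00Z');   // assumed time of the audit

// Products the post names; anything else is marked for a manual search.
const KNOWN_PRODUCTS = { _cfduid: 'Cloudflare', _ga: 'Google Analytics' };

// Constructed sample in the shape of the DevTools panel (name, domain, expires).
// A null expiry is what the panel shows as "Session". The third-party domain is a placeholder.
const SAMPLE_COOKIES = [
  { name: '_cfduid', domain: '.example.co.uk', expires: '2020-08-01T10:00:00Z' },
  { name: '_ga', domain: 'example.co.uk', expires: '2021-08-01T10:00:00Z' },
  { name: '_fr', domain: '.adnetwork.invalid', expires: '2019-10-30T10:00:00Z' },
  { name: 'PHPSESSID', domain: 'example.co.uk', expires: null },
];

// First party if the cookie domain is the site itself or a parent/subdomain of it.
// Label-wise comparison only; it does not consult the public suffix list.
function isFirstParty(cookieDomain, siteDomain) {
  const c = cookieDomain.replace(/^\./, '').toLowerCase();
  const s = siteDomain.toLowerCase();
  return c === s || c.endsWith('.' + s) || s.endsWith('.' + c);
}

function plural(n, unit) {
  return `${n} ${unit}${n === 1 ? '' : 's'}`;
}

// Express the expiry relative to the capture time, as the post's Duration column asks.
function describeDuration(expires, capturedAt) {
  if (!expires) return 'Session (removed when the browser closes)';
  const days = Math.round((new Date(expires).getTime() - capturedAt.getTime()) / 86400000);
  if (days < 1) return 'Less than a day';
  if (days < 31) return plural(days, 'day');
  if (days < 365) return plural(Math.round(days / 30), 'month');
  return plural(Math.round(days / 365), 'year');
}

// One audit row per cookie, with the fields from the post's table.
function auditRow(cookie, siteDomain, capturedAt) {
  return {
    cookie: cookie.name,
    name: KNOWN_PRODUCTS[cookie.name] || 'UNKNOWN - search for it',
    purpose: 'TODO - describe in plain language',
    type: isFirstParty(cookie.domain, siteDomain) ? 'First party' : 'Third party',
    duration: describeDuration(cookie.expires, capturedAt),
  };
}

function buildAuditTable(cookies, siteDomain = SITE_DOMAIN, capturedAt = CAPTURED_AT) {
  return cookies.map((c) => auditRow(c, siteDomain, capturedAt));
}

// Render as a plain-text table you can paste into the cookie policy draft.
function renderTable(rows) {
  const header = ['Cookie', 'Name', 'Purpose', 'Type', 'Duration'];
  const lines = [header.join(' | ')];
  for (const r of rows) lines.push([r.cookie, r.name, r.purpose, r.type, r.duration].join(' | '));
  return lines.join('\n');
}

console.log(renderTable(buildAuditTable(SAMPLE_COOKIES)));
```

Run it once per page type you visit and merge the rows: a cookie that first appears after you leave a comment or open the live chat is exactly the kind of entry the manual walk-through above is meant to catch. The Purpose column is deliberately left as a placeholder, because that is the field that needs a human to research the product and describe it in plain language.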
About the guest author
Charlotte Gerrish is the founder of an independent law firm providing practical and commercial legal advice under French, English and European Law, with a focus on all areas of Data Protection / Privacy, GDPR, IT / IP, Commercial Law, Contract Law and Compliance.
About the author
Penni Pickering is Kabo Creative’s website designer and SEO lead. Using her background in marketing she develops WordPress websites that are focused on conversion. Passionate about SEO, she’s always looking in to the latest approaches to help businesses generate more website traffic.
Need help with your website?
From carrying out cookie audits, through to new website design, we’d love to help.