WordPress cookie plugins & the ICO’s new consent guidance

After hearing of the new cookie guidance from the Information Commissioner’s Office, we wanted to get to grips with what compliance looks like now, and how to achieve it.

As we’re no legal team, we got in touch with someone who is. This blog dives first into the lawyer’s view on the new cookie guidance, then we apply that knowledge to the options available to WordPress websites. Finally, we wrap up with a guide to carrying out a cookie audit and writing a compliant cookie policy.

Want to jump ahead? Pick your relevant section to scroll straight to it:

1. The lawyer’s view on the ICO’s new cookie guidance
2. WordPress plugins for cookie compliance
3. How to write a compliant cookie policy

With the possibility of either the ePrivacy Directive or the General Data Protection Regulation applying to the use of website cookies, the current landscape of rules can seem confusing.

While we await a final version of a new ePrivacy Regulation, which should bring clearer rules on cookies together in one place, some recent guidance from data protection authorities and the European Courts can be used to ensure that our website cookies are legal.

The existing laws on cookies

Before the passing of the General Data Protection Regulation (EU 2016/679, GDPR), the rules about how website providers should use website cookies were governed solely by the 2002 ePrivacy Directive (2002/58/EC).

With the passing of the GDPR things have become more complicated, with the possibility of one, or both, laws applying.

The internet is waiting for a final draft of the new ePrivacy Directive which will set out – hopefully – clearer rules on cookies, like the most acceptable and safe ways of obtaining consent. For now, these rules are still in draft form and things can appear confusing.

The current rules in the ePrivacy Directive set out that website providers must ask website users for their permission before cookies are used, which is generally done with a pop-up when users access a website.

These rules apply to website providers both within and outside the EU, so long as the website can be accessed within the EU. The main thing is that users must give their consent for their data to be tracked with cookies.

The GDPR sets out that if a cookie can be used to uniquely identify an individual, then it is processing personal data and the GDPR applies. The overlap of the rules means that sometimes, both the ePrivacy Directive and the GDPR can apply to the use of website cookies.

Whilst things can appear unclear, what both of these laws have firmly established to date is that consent is required both for processing personal data, and for the placement of cookies.

Website providers must ensure that users are informed on the legitimate purposes of the uses of cookies. The consent that users give to these cookies should be freely given, specific, informed, and unambiguous.

The ePrivacy Regulation remains in draft form, however, some recent guidance from data protection authorities and recent European court cases can help website providers ensure cookie compliance in the meantime.

The rules on cookies are changing

So, it would seem that so long as users are alerted to the use of cookies and given the opportunity to consent to them, cookie compliance has been achieved.

However, website providers are now being warned of the dangers of pop-ups which have been dubbed as ‘cookie walls’, essentially forcing a visitor to agree to their internet browsing being tracked.

These pop-up walls require that cookies are accepted, and if they are not accepted the user is prevented from accessing the website.

What website owners need to do

It is important for website providers to remember that the average internet user doesn’t possess a high or in-depth understanding of the operation of cookies, and such a knowledge cannot be assumed.

To be legally compliant, a website provider should be sure of the types of cookies used on their website. Are they first party cookies, session cookies, persistent cookies?

Particular cookies might have particular levels of requirements for consent. Sussing out this information first means website users will be provided with the right information.

Next, there should be clear and comprehensive information available on a website which will put a user in a position where they can determine the consequences of any consent they may give.

This might include, for example, the duration of time that cookies will be stored for, and whether any third parties will have access to them.

Websites should always have a privacy policy which explains the use of cookies on the site in depth, and this policy should be easy to find and easy to understand.

Jump to the cookie policy section to learn how to create a cookie policy and how to carry out a cookie audit.

Consent must always be freely given, specific, informed and unambiguous, and it should always be manifested in an active manner. This means that the users’ consent should not be preformulated in any sort of way – by having a check box agreeing to the use of cookies which is pre-ticked, for example.

This sort of practice does not show that a user has read or understood any information about cookies, since they may have just left the box ticked and not read any of the available information.

Whilst there is no specific rule that users should be able to reject to the use of cookies, yet, it seems that it is good practice to make it possible to reject cookies whilst still allowing access to websites.

Doing so avoids the possibility of appearing to have a cookie wall with acceptance being the price for entry to a website. For this, a pop-up explaining that cookies can be rejected but that in doing so the performance of the website could be affected might be a good idea.

Of course, every website is different, and pop-ups can be worded in a way that is in keeping with the feel of the entire website. Use your cookies policy and privacy policy to your advantage, make them part of your brand!

Based on the new guidance, and Charlotte’s helpful breakdown, we now know that cookie consent on a website must:

• Not have pre ticked checkboxes or sliders
• Not present a ‘cookie wall’ preventing access to website content unless the user accepts
• Meet GDPR standards of consent, including:
  • The ability to withdraw consent as easily as it was given
  • A clear, positive action – continuing to browse the website is not valid
  • Granular consent – a user can consent to some cookies and not others

At Kabo Creative we previously had a simple cookie notice, that informed website visitors that we use cookies and directed them to our cookie policy for more information.

To get closer to compliance we carried out a review of options on the market for WordPress websites and implemented the solution we felt was the best fit.

Finding a compliant cookie banner for WordPress

Working with Gerrish Legal we scoured the current range of cookie plugins for WordPress, searching for something compliant. We chose WordPress as:

1. WordPress is the CMS (content management system) that our clients’ websites are built on, and
2. WordPress is the most widely used CMS

As with any guidance, this is our view. You should choose a solution based on your opinion and legal advisors who have analysed your specific case.

All of these plugins work by stopping certain website functionality from working until consent is gained. To achieve this, scripts must be removed from areas of your website and be placed into the cookie solution, to allow you to gain consent before they function. It’s likely you’ll need a developer to configure any of these solutions.

Review Methodology

Our list of plugin options is not a comprehensive review of every cookie solution on the market. We only reviewed plugins whose functionality we could see and test on the plugin author’s website.

We’ve excluded some plugins as they placed cookies before consent was given and/or didn’t appear to work at all. We’re not looking to name and shame here, we simply left them out.

Plugin #1

GDPR WP

A comprehensive plugin with tonnes of features, the cookie consent functionality allows you to prevent cookies from being set until after consent is gained.

Kabo Creative’s view

This is a free plugin that doesn’t allow non-essential cookies to be set without a positive action from the website visitor.

We are a little nervous that many users will just hit the ‘x’ close, meaning the cookies you’d like to set (such as Google Analytics) won’t be, but that’s part of the trade off of complying with the ICO’s new cookie guidance. We’d hope for a slightly better solution here that still complies but makes it more likely a user will consent than not.

Once you consent, or refuse, the notice disappears. We’re unsure if this meets the GDPR standard of consent, where it must be just as easy to withdraw consent as it is to give it. We couldn’t work out how you’d get the options back once you’d made your initial decision.

Finally, we’re unsure if the granularity criteria is met, as the user can consent (hit the ‘I Agree’ button) without seeing the options they are consenting to.

Having said the above, we’re certain this plugin is a significantly better step towards compliance than a simple pop up explaining cookies are used on a website.

Plugin #2

Cookiebot

A full cookie solution, Cookiebot contains granular options and prevents cookies from being set before consent is gained.

Kabo Creative’s view

Cookiebot stops any non-essential cookies from being set until after consent is gained, which is a positive step towards compliance.

One gives granular choices of cookies as shown in the screenshot above. You have the choice to pre-tick boxes as on the Cookiebot website, or unticked. As pre-ticked boxes are explicitly listed as not allowed by the new guidance, the compliant option would be unticked boxes.

This meets compliance requirements, but the marketer in me fears the complete loss of cookies (no more google analytics data) as we suspect most users would simply hit the big green OK button.

The other option has no pre-ticked boxes and gives you the choice to accept all cookies, or only necessary cookies. Whilst this configuration has no pre-ticked boxes, it is missing the granular choices for a user to select some types of cookies and not others.

We also can’t see a way to bring this information back up if you want to withdraw your consent.

Again, you’d probably need a developer to set this up, although it looks a little simpler to do than some of the other options.

The positive? If you use this plugin it’s more likely you’ll be able to set cookies. It’s down to your risk versus benefit level. We’d still suggest this option is better than a notice that doesn’t give any option to refuse to cookies.

You can implement this solution with Google Tag Manager, and there are set up instructions for other popular CMS systems. This means it’s also possible to use it on non-WordPress websites. There is a free tier available.

Plugin #3

CookiePro

Similar to GDPR WP, CookiePro stops non-essential cookies from being set until consent has been gained.

Kabo Creative’s view

Very similar in functionality to GDPR WP, we have the same positives and negatives here.

The plugin does stop non-essential cookies from being set before consent is gained, but the pop up doesn’t show the granular information about the categories of cookies on loading.

If you choose to ‘Accept Cookies’ all cookies will be turned on, but if you select ‘Cookies Settings’ the categories of cookies are off by default. Whether you let a user accept all cookies without seeing the granular information is again down to your risk/benefit choice.

As with the plugins above, we can’t see a way to change our consent settings after the initial decision.

They have a free tier and a WordPress plugin.

Plugin #4

GDPR Cookie Compliance

GDPR Cookie Compliance is highly configurable. It is the first plugin on our list that allows users to easily change their consent after they have closed the cookie banner.

Kabo Creative’s view

Whilst this plugin doesn’t show the granular cookie category options on loading, which we’d been hoping to find, it is highly configurable.

The default example has all cookies, even essential cookies, off by default. This plugin takes the opposite stance to most of the others, where cookies will be turned off unless the website visitor chooses to adjust their settings and turn them on.

As marketers and website developers, this horrifies us. It makes it unlikely a website visitor will take a multiple set of extra clicks to turn on cookies. From a compliance point of view, it’s certainly on the safe side.

However, before we run away from the plugin, they have multiple configuration options, which takes them more in line with the examples above.

You can have cookies off on loading, but with an accept option to turn them all on. In this configuration you still won’t have the granular options available at the point of decision though.

Another positive for this plugin, it is possible to have a small icon button in the bottom left of the screen, allowing website visitors to easily change their consent. This is the first plugin we found that offers this option, essentially making it as easy to withdraw consent as it was to give it.

We like that you could install this plugin to operate to your current risk appetite, and if further guidance came out in the future, it would be possible to change the settings and lock it down further.

There is a free tier available.

Plugin #5

Cookie Control

Highly configurable, Cookie Control shows the granular cookie categories on loading and remains accessible for website visitors to change their consent.

Kabo Creative’s view

We were close to giving up on a solution that showed granular information on consent categories during our search. Then we had the brainwave of checking what the Information Commissioner’s Office themselves are using on their website.

You guessed it, the answer was Cookie Control. The plugin allows you to have non-essential cookies off by default. You can then choose if each category of cookies is on or off as a recommended setting.

When a user chooses to ‘Accept Recommended Settings’ your decision is then implemented, be that all cookie types on, all off, or a mix of the two.

We were wary of the big ‘x’ function at the top of the plugin, concerned that many users may hit that as it’s the first option. Hitting the ‘x’ function would keep the loading settings, which is all cookies being set to off.

We found that you can change the ‘x’ to a ‘Close’ button and place it further down, which we believe will reduce the number of people who don’t consent whilst still giving them the option.

As with the GDPR Cookie Compliance plugin, there is a small icon that remains on the screen at all times. This allows website visitors to change their consent as easily as they gave it.

There is a free version, a WordPress plugin, support for other CMS’ and you can implement with Google Tag Manager.

To write a cookie policy that meets requirements, first you need to be able to identify what cookies are set by your website and by third parties.

There are some free tools that claim to do this, or you can do it yourself using your browser’s developer tools.

What information goes into a cookie policy?

We have tried to create a ‘best practice’ cookie policy on our website, using the previous guidance on cookies from the ICO. Having had this list together already made it much easier for us to implement Cookie Control (our cookie banner), as we already had a list of all the cookies on our website.

Feel free to take a look at our cookie policy. We have included:

1. What we use cookies for
2. A table containing:
   • A list of all the cookies we could identify
   • The name of the product/service that creates the cookie
   • A description of the purpose, written as clearly as possible without legalese language
   • Whether the cookie is placed from our website domain (first party) or from a different website domain (third party)
   • The duration that the cookie will remain on the website visitor’s device
3. Guidance on how to manage cookies using popular browsers
4. Links wherever possible to third parties that place cookies on our website for further information
5. A date to show when the policy was last updated

How to carry out a Cookie Audit

If you don’t have a cookie policy (you should) or you would like to improve it, then read on.

First, a warning – there is no easy tool that just ‘does’ cookie audits and spits out a nice list to add to your cookie policy. However, there are a range of tools out there that you can use along with some common sense to build a list.

Personally, for non-developers, I am a fan of the Attacat Cookie Audit Tool. Set up an incognito browser window, install the chrome extension, and run a cookie audit by crawling your website. Fill out some forms, leave a comment, use the LiveChat, share a post on social media, etc.

You’ll be provided with a list of cookies the tool picked up on. Then you can get googling [other search engines are available] until you identify them.

However, this method is not guaranteed. And it will not give you the full details you require for a comprehensive cookie policy.

The best method is to use the developer tools in your browser to identify the actual cookies that appear as you navigate your website.

Using Chrome’s Developer Tools to run a Cookie Audit

Open up Chrome and select a new incognito window [CTRL+SHIFT+N on a Windows machine]

Right click and select the ‘Inspect’ option from the menu.

Select Application from the top menu, and then select Cookies from the left hand menu. You should end up with a blank window showing ‘cookies’. This means the web page has not set any cookies at this point.

Next, navigate to your website in this browser window. You should notice the Cookies option in the left hand menu display a drop down icon at this point. Click on it to open it, then click on the first option. Your window should now show a list of cookies.

Create a table to list all of the cookies you find. You want to gather the cookie, name, purpose, type and duration.

Now you can fill out the table with the cookies that have shown up on your home page. Using the screenshot above:

• The Cookie field in your table should be filled out with the cookie name. Our first example is _cfduid
• The Name field in your table should be filled out with the product or service that creates the cookie. Our first example is Cloudflare, which is easy to guess from the domain. The third cookie in the list, _ga is served from our website domain. In order to identify which product or service is creating it the easiest thing to do is a quick internet search. _ga is in fact a Google Analytics cookie.
• The Purpose field requires a little more digging. If you do not know exactly why cookies are being used by a product or service on your website, you need to find out and then describe it in easy-to-understand language. The best way to do this is searching online.
• The Type field is asking if the cookies is first party or third party. A first party cookie is served by your domain, while a third party cookie is served by a third party domain. In our examples in the screenshot above, _fr is third party while _ga is first party.
• The Duration field should list how long a cookie will remain on a website visitor’s device. Look at the expires/max age field to determine how long that is. Work out the number of minutes/days/months/years from the time you carried out the action which caused the cookie to be placed, and you have your duration.

Once you have gathered all of the home page cookies, you should navigate through your website and check if any additional cookies appear. Record any that do in your table.

Things that may create cookies include:

• Comment forms on blog posts
• Contact or sign up forms
• Live chat
• Social share buttons
• Embedded video such as youtube

Click on each page type and interact with all the different kinds of functionality you have on your website.

Once you have recorded all the cookies that appear, you have a complete cookie audit. Remember to check any new services or functionality you add to your website in the future to keep your cookie policy up to date.

About the author

Penni Pickering

Penni Pickering is Kabo Creative’s website designer and SEO lead. Using her background in marketing she develops WordPress websites that are focused on conversion. Passionate about SEO, she’s always looking in to the latest approaches to help businesses generate more website traffic.

More about Penni >