Are Your Cookies Legal?

This weekend, I spent a lot of time going down the rabbit hole of investigating the best solution for managing cookies on a self-hosted WordPress website. Actually, I should have done this a long time ago, since this is one of the requirements to be compliant with GDPR – but since I don’t currently have any clients that target European countries, I’ve pretty much just gotten by on a simple cookie notification and a prayer. But the California Consumer Privacy Act (CCPA) taking effect as of January 1st 2020 is bringing these privacy considerations a lot closer to home. I took care of my legal policies a long time ago, but figured now was the time to get my cookies in order.

As I’ve mentioned, I already had a cookie notice in place, which is the beginning and end of most folks’ cookie concerns. But, as it turns out, this is far from meeting the requirements put in place by the GDPR and the CCPA. You actually need to give visitors the option of opting out of cookies – meaning, non-essential scripts that use cookies should be disabled for visitors that do not accept your cookie notification. This includes things like your Facebook pixel and Google Analytics. Bummer.

You also need to actually LIST all the cookies your website uses in a cookie policy, so that users can see what cookies you use and what they are used for. Now, I’m sure this policy will be just as widely read as your Privacy Policy, Terms of Service, and the End User License Agreement (EULA) where you sold your soul, but it’s still the law to have all of this information in place.


The solution that I decided on is the GDPR Cookie Consent Plugin by Web Toffee. There are a lot of “cookie popup” plugins available, but this is one of the few plugins that actually gives you the capabilities required to be compliant. This plugin can be found for free in the WordPress repository. In this article, we will go over how to configure it so your cookies will be compliant.

Start out by installing the plugin – you can find it by searching for “cookie consent” under “Add New” in your Plugins dashboard. It looks like this –

Then, once you activate it, go to the “Cookie Law Settings” menu. Most of the default settings on this page are fine, but I do like to change a setting under “Show Again Tab” to not use the show again tab. If you leave this setting on, your users will get a small (but annoying) persistent popup at the bottom of the screen that allows them to go back to the cookie consent banner.

Once you have these basic settings in place, we need to list out all the cookies that are in use on your website. This is the most onerous part of the process, because you will have to input these cookies one by one. Although that part is a bit of a pain, luckily there is an awesome free website that gives us all the data that we need to input. Open another browser tab, and go to https://www.cookieserve.com/. Input your URL into the handy search box, then hit the “Find Cookies” button to see what cookies are lurking on your site. You’ll get a list like this one –

With this info, we can just enter all of our cookie data into our plugin. I’ve highlighted the most important areas to fill in below – I put the cookie name for both the title and the id. Also – for cookie sensitivity, you want to put either necessary or non-necessary. If you are using the paid version of the plugin, you can get more granular as it gives the user the ability to just disable certain classes of cookies. If you need that capability, definitely look into the paid version of the plugin. For most of the sites that I deal with, the free version is sufficient.

You’ll need to go through this process for each cookie listed on the Cookie Serve site. Once you’ve done this, you can generate your cookie policy, which will have all of your cookies and their purposes listed within the policy. Select “Policy Generator” in the far left menu, and look through the sections of text they’ve provided, making any changes if necessary. I found that it looked pretty good as-is, so I just hit the “Create Cookie Policy Page” button. Doing this creates a new page with all the Cookie Policy text in it. Since I use a plugin (WP AutoTerms) to manage all my legal policies, I just copied the text and pasted it into a page within that plugin.
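If you would rather build the cookie inventory from your own site’s responses than copy it off a third-party scanner, the following added example (not from the original post or the plugin) parses captured Set-Cookie headers into the fields a cookie policy lists. The header lines and the name-to-purpose lookup are constructed samples; the `_ga` and `_fbp` entries reflect the Google Analytics and Facebook pixel cookies the post mentions, and unknown names fall back to “review manually”.

```javascript
// Constructed sample Set-Cookie headers, as captured from a site's responses.
const SAMPLE_SET_COOKIE = [
  "_ga=GA1.2.123456789.1577836800; Expires=Wed, 31 Dec 2021 23:59:59 GMT; Path=/; Domain=.example.com",
  "wordpress_test_cookie=WP+Cookie+check; Path=/; Secure; HttpOnly",
  "_fbp=fb.1.1577836800000.12345; Max-Age=7776000; Path=/; Domain=.example.com",
  "PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax",
];

// Hand-maintained purpose table using the two sensitivities the free plugin offers.
// Assumption: you extend this with every cookie your own audit turns up.
const KNOWN_PURPOSES = {
  _ga: { sensitivity: "non-necessary", purpose: "Google Analytics visitor id" },
  _fbp: { sensitivity: "non-necessary", purpose: "Facebook pixel browser id" },
  PHPSESSID: { sensitivity: "necessary", purpose: "PHP session" },
  wordpress_test_cookie: { sensitivity: "necessary", purpose: "WordPress cookie support check" },
};

// Parse one Set-Cookie line into the attributes a policy (and an audit) cares about.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const entry = { name, persistent: false, maxAgeDays: null, expires: null,
                  domain: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age") { entry.persistent = true; entry.maxAgeDays = Number(val) / 86400; }
    else if (key === "expires") { entry.persistent = true; entry.expires = val; }
    else if (key === "domain") entry.domain = val;
    else if (key === "secure") entry.secure = true;
    else if (key === "httponly") entry.httpOnly = true;
  }
  const known = KNOWN_PURPOSES[name] || { sensitivity: "review manually", purpose: "unknown" };
  return { ...entry, ...known };
}

// Build the full inventory; persistent cookies on a parent domain are the usual tracking ones.
function buildInventory(lines) {
  return lines.map(parseSetCookie);
}

module.exports = { SAMPLE_SET_COOKIE, parseSetCookie, buildInventory };
```

Each entry maps directly onto the plugin’s cookie form: name for title and ID, sensitivity, and the purpose text.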

Once you’ve published your Cookie Policy page, we will need to put the link to that page back into our Cookie Law Settings. Copy the link to the Cookie Policy page, then go to GDPR Cookie Consent > Customize Buttons > Read More Link. Paste the link in the URL field so that folks that click that link will be taken to your Cookie Policy page.

Now we’ve got our banner, we’ve got our cookie policy, but we’ve got one more important step to ensure compliance. We need to configure our site so it will actually disable those “non-necessary” scripts if the user does not consent to the Cookie Policy.

For the sites I deal with, these non-necessary scripts are mostly marketing and analytics related, and they were all injected into the page <HEAD> section either manually or via a plugin. So, in order to give the user the ability to disable these scripts, we will need to remove whatever mechanism is currently injecting them into the <HEAD> section of the website, and instead let the Cookie Consent plugin take over this function.

I’ve previously used a plugin called “Insert Headers and Footers” as an easy way to insert these scripts. So, I was able to easily copy the tags from that plugin, and move them to the Cookie Consent plugin, then delete the Insert Headers and Footers plugin since it was no longer needed.

Once you’ve copied the code you need, go to the “Non-necessary cookie” settings for the Cookie Consent plugin, and paste that code into the box labeled “This script will be added to the page HEAD section if the above settings is enabled and user has give consent.” Now, these scripts will only be run if the user authorizes it.

Keep in mind, you may have these scripts run by other plugins on your site, so you’ll need to account for those as well. For example, I let my SEO plugin (All In One SEO) handle the Google Analytics piece instead of manually inputting the code for GA into the Headers and Footers plugin. I had to disable that functionality in my SEO plugin, and instead insert the GA tag code in with the other scripts on the non-necessary cookie page.
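To make the gating behaviour concrete, here is an added example (not the plugin’s own code and not from the original post) of the decision the plugin makes before injecting the non-necessary scripts: read the consent cookies, and load a tag only if the visitor explicitly opted in. The cookie names are an assumption based on what this plugin sets; verify them in your own install, since a wrong name here would silently block or, worse, silently allow the scripts.

```javascript
// Assumed consent cookie names; check what your plugin version actually sets.
const CONSENT_COOKIES = {
  viewed: "viewed_cookie_policy",
  nonNecessary: "cookielawinfo-checkbox-non-necessary",
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(str) {
  const out = {};
  for (const part of str.split(";")) {
    const t = part.trim();
    if (!t) continue;
    const eq = t.indexOf("=");
    out[eq < 0 ? t : t.slice(0, eq)] = eq < 0 ? "" : decodeURIComponent(t.slice(eq + 1));
  }
  return out;
}

// Consent is explicit opt-in: a missing cookie or any value other than "yes" means no.
function nonNecessaryAllowed(cookieString) {
  const c = parseCookieString(cookieString);
  return c[CONSENT_COOKIES.viewed] === "yes" && c[CONSENT_COOKIES.nonNecessary] === "yes";
}

// Necessary scripts always load; non-necessary ones only once consent is recorded.
function scriptsToLoad(cookieString, scripts) {
  const allowed = nonNecessaryAllowed(cookieString);
  return scripts.filter((s) => s.sensitivity === "necessary" || allowed).map((s) => s.src);
}

// Constructed inventory using the post's two categories; GA id is a placeholder.
const SITE_SCRIPTS = [
  { src: "/wp-includes/js/jquery/jquery.js", sensitivity: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js?id=GA-ID-PLACEHOLDER", sensitivity: "non-necessary" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", sensitivity: "non-necessary" },
];

// In a browser, append the allowed tags to <head>; elsewhere just return the list.
function injectAllowed(cookieString = (typeof document !== "undefined" ? document.cookie : "")) {
  const srcs = scriptsToLoad(cookieString, SITE_SCRIPTS);
  if (typeof document !== "undefined") {
    for (const src of srcs) {
      const el = document.createElement("script");
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
    }
  }
  return srcs;
}
```

The same check is a quick audit: open your site in a fresh private window, decline the banner, and confirm in the network tab that only the necessary script above is requested.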

The steps above should give you a basic idea of what needs to be done in order to be compliant, but be sure you thoroughly audit your site to see what scripts/cookies are in use to make sure you’ve accounted for everything. Also, it’s a good idea to look over the other available settings in the Cookie Consent plugin to make sure it is set up the way you want.
