This article describes my effort to implement GDPR and appropriate privacy, including the famous “cookie banner”, on our web sites. (Not yet implemented on our sites though.)
Over the past few years, privacy regulations in the EU (and some other regions) have become much stricter. They set strict rules on how a web site may function and what kind of privacy it must offer visitors. The big change came in 2016, when the EU adopted the “General Data Protection Regulation”, usually referred to as GDPR.
The US seems to be behind on this. You might have encountered US-based sites that say “sorry, you’re not allowed to access this site since you are in the EU”, or similar. That is usually because they do not want to adhere to the current EU privacy regulations, so instead they block access from Europe.
The GDPR regulation is big and complex, and you should certainly not take the post you are reading now as a description that fully explains exactly what you must do. It has 99 articles spread over 89 pages in the official document. No, this is simply a description of some research I’ve done and how we have implemented it.
However, this is a regulation that all sites must follow. But reality seems not quite to have caught up with the law yet. There are many sites that do nothing regarding privacy, or that have a totally inadequate implementation. But since we are rebuilding our sites from scratch, I wanted to at least make a good effort regarding privacy and GDPR too.
Privacy Policy and WordPress
The first thing you should do is create a privacy policy. We have had one for a long time but one that was limited to one or two paragraphs.
WordPress has an introduction and overview to this here: Your WordPress.com Site and the GDPR, although it should be noted that this is for WordPress.com.
As you can see, there are quite a few “maybe”s and “probably”s in the text, which illustrates that the details are not entirely clear.
In recent versions of WordPress there is a whole section on this under Settings > Privacy. There you can create a page for your Privacy Policy, with a template text that provides quite a lot of help. But it is a template text that needs a lot of customisation for each particular case.
That’s where I started: I created a new Privacy Policy page and looked at several existing privacy policy pages (most of them horrible examples, either far too short or far too complex). Then I wrote a text that seemed reasonable for our case.
From what I understand, you must for example explain what kind of “data” you collect about visitors (including cookies, more on that later), what the purpose of that data is, how you use it, how you store it, how long you keep it etc.
You must also tell the visitor that they have the right to access it and have it deleted if they want.
Here’s how one of our Privacy Policy pages looks currently.
Cookies and the Cookie Banner
I imagine that today 99.99% of all sites set cookies, for example for visitor statistics (Google Analytics or other).
You should tell visitors that you set these cookies and give them the possibility to decline all or some of them. In principle, I think you should not even set any cookies at all until you have their consent.
Fail: Cookie Banner – Cookie Consent Popup – with Elementor
Since our new sites are built with Elementor I was happy to find a tutorial from Elementor on how to create a cookie banner with an Elementor popup.
Very nice and simple.
There was only one problem with this. It is not at all GDPR compliant so it does not solve the problem. They don’t tell you that in the video unfortunately, so I had spent quite a lot of time on it before I discovered it. (It is mentioned in a footnote on the page though.)
So, no good using Elementor for cookie consent or GDPR compliance.
Next step, find a plugin that does the job.
There are many plugins that claim to help you comply with the GDPR regulations. I am unsure of how many of those actually follow the regulations and give you what you need. I started with what seemed the most popular one.
Better try: “GDPR Cookie Consent” plugin
The GDPR Cookie Consent plugin has 800,000 users and has been updated recently. Looks good.
Easy to install and seemingly easy to configure and customise.
One of the items that you need to configure in the plugin is the list of cookies that you set with details of what they are used for.
The list of cookies our site(s) set? I know that we collect visitor stats (Google Analytics, StatCounter) and probably something to facilitate commenters (so our own cookie, then?). But what more? In reality, I don’t know at all exactly – exactly! – which cookies our site(s) set. Maybe some for social sharing? Yes, no doubt.
This really got me stuck. How do I find out which cookies my site sets?
I found (yet another) plugin called cookie-cat (which required one more plugin, called oik, to work) that claimed to show me that. It did not work.
I continued the hunt and decided to try some other GDPR plugins.
Next try: Complianz
Another popular and recently updated plugin was Complianz (50,000 installations).
This was far more complex, requiring me to fill in lots of different information about the site. Most of it was quite simple. The only real difficulty was in answering how Google Analytics was configured and whether we use Google Tag Manager. It had detected that we use Tag Manager, so apparently we do. Although I am not entirely sure it is correct, I chose what they say is the most common configuration of Analytics/Tag Manager.
The next step in their setup was… to scan the site for cookies. Exactly what I wanted.
This did not work very well to start with. It detected cookies from Jetpack, which I no longer use, and from a chat service and a customer support service, neither of which I use and with names I had not heard of. So, presumably, some other WordPress plugin set those cookies and I was simply not aware of it. I decided to investigate which one, testing them one by one: clearing all cookies from the browser, disabling all plugins and then enabling them one at a time.
In the end it turned out that none of the plugins set those cookies, so they must have been old cookies left over from something no longer in use. But I ended up with a cookie list from Complianz that looked pretty much as I had expected: stat cookies, social cookies plus some more. “Some more” came from our hoster and from Elementor.
But that Complianz cookie scan did not work as expected initially. That will probably lead to many people getting a cookie list that does not correspond to reality: it will show more cookies than are actually set for a visitor.
My advice: before you install Complianz, make sure you clear all cookies in your browser before running their cookie scan.
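To answer the “which cookies does my site set?” question yourself, and to get the categorised list a consent plugin asks you to fill in, here is an added example (not code from this post, from Complianz or from any other plugin) that turns a document.cookie-style string into an inventory. The prefix-to-owner table is my own assumption based on commonly known cookie names; anything it cannot match is flagged “unknown”, which is exactly the leftover-cookie situation described above.

```javascript
// Added example, not code from the post or from any plugin: build a categorised
// cookie inventory from a document.cookie-style string. The prefix mapping is an
// assumption based on commonly known cookie names; unmatched names are flagged
// "unknown" so you can track them down (e.g. by re-enabling plugins one at a time).
const KNOWN_PREFIXES = [
  { prefix: 'wordpress_',      owner: 'WordPress core (login)',  category: 'necessary'  },
  { prefix: 'wp-settings-',    owner: 'WordPress core (admin)',  category: 'necessary'  },
  { prefix: 'comment_author_', owner: 'WordPress comments',      category: 'functional' },
  { prefix: '_ga',             owner: 'Google Analytics',        category: 'statistics' },
  { prefix: '_gid',            owner: 'Google Analytics',        category: 'statistics' },
  { prefix: 'cmplz_',          owner: 'Complianz consent state', category: 'necessary'  },
];

// document.cookie reads "a=1; b=2". Only first-party, non-HttpOnly cookies are
// visible here; HttpOnly and third-party cookies need the browser's dev tools.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => (part.includes('=') ? part.slice(0, part.indexOf('=')) : part));
}

function classifyCookie(name) {
  const hit = KNOWN_PREFIXES.find((entry) => name.startsWith(entry.prefix));
  return hit
    ? { name, owner: hit.owner, category: hit.category }
    : { name, owner: 'unknown', category: 'unknown' };
}

// Groups names by consent category; "unknown" is what still needs investigating.
function buildInventory(cookieString) {
  const rows = parseCookieNames(cookieString).map((c) => classifyCookie(c));
  const byCategory = {};
  for (const row of rows) {
    if (!byCategory[row.category]) byCategory[row.category] = [];
    byCategory[row.category].push(row.name);
  }
  return { rows, byCategory, unknown: byCategory.unknown || [] };
}

// Constructed sample: a stale browser profile, including a leftover cookie from
// a widget that is no longer installed (the situation described in the post).
const SAMPLE =
  '_ga=GA1.2.111; _gid=GA1.2.222; comment_author_abc=Jane; cmplz_example=1; old_chat_widget=xyz';

// In a browser console this reads the live page; under Node it uses SAMPLE.
const source = typeof document !== 'undefined' ? document.cookie : SAMPLE;
console.log(JSON.stringify(buildInventory(source), null, 2));
```

Run it in the browser console after clearing cookies and loading the site fresh, so that only cookies the current page actually sets appear in the output.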
The next step brought two really nice features of this plugin:
Complianz can create a “Cookie Policy” page automatically. This contains an explanation of what cookies are, which ones you use on your site and how the visitor can select what to accept or not. Information that you should give to your visitor.
Even better: it connects that Cookie Policy page to cookiedatabase.org (https://cookiedatabase.org/), which explains what the cookies are for and links to more information.
Success?
So, with this, I now have:
- A Privacy Policy page
- A Cookie Policy page, where people also can modify their preferences, and
- A Cookie Consent banner/popup
I am not 100% sure that this is 100% compliant with the GDPR, since I am not a lawyer competent in evaluating it. But I feel quite confident that it is better than what 95% of all sites currently have.
Complianz comes in a free version, which is the one I use, but there is also a paid version with more features.
Alternatives
While doing this, I asked people for suggestions on how to do it, and here are the tips I received for tools to become GDPR compliant and have a cookie consent popup:
- Metomic (paid)
- Borlabs Cookie (paid)
- Osano (paid)
- WP DSGVO Tools (GDPR) (free)
And of course all the plugins in the WordPress directory on GDPR, of varying quality.
Now it’s your turn: What solutions for GDPR compliance would you recommend? Write a comment.