If you have doubts, read this article and find out how to make sure that your site complies with existing legislation.
What are cookies?
Cookies – such a yummy name with such negative connotations. Cookies gained bad press primarily due to their use in persistent advertising practices, suspicious third-party tracking, and sharing of visitors’ data between various websites without permission. In reality, cookies are not pure evil and are mainly used to enhance customer experience.
A cookie is a small piece of named data that a web server sends to the browser in a Set-Cookie response header (a script on the page can also set one through document.cookie). The browser stores it on the visitor’s device, keyed to the site that set it, and returns it in the Cookie header of later requests to that site. That is how a site recognises the same visitor from one page load, and one visit, to the next. A cookie can therefore exist before the visitor has interacted with the page at all: it is created as soon as the first response arrives.
Essential and non-essential cookies
Some cookies are essential for a website to function, and a consent banner does not have to offer a way to refuse them (a visitor can still block them in the browser, but the site will then not work properly). They let visitors stay logged in while moving between pages, remember the contents of a shopping cart while the shopping continues and, in general, make interaction with the website as convenient as possible.
In contrast, non-essential cookies that support advertising, analytics, or social media are unnecessary for a website’s optimal performance. Neither are they crucial for the visitor to finalize the chosen task.
First and third-party cookies
A first-party cookie is created by the website that the user visits at a given time. It collects data about the customer’s interaction with your business, such as login information, comments, past interactions, frequency of visits, and behavior on the site.
Third-party cookies are set by companies other than yours. In practice the owner of site A embeds a piece of code, an image or an iframe provided by site B; the visitor’s browser then requests that resource from B’s servers, and B’s response sets a cookie for B’s domain, which B can read again on every other site that embeds the same code. It’s a cause for concern for users, who lose track of who has access to their personal details and how they’re being used. This is typical for advertisers, social networks, and providers of plugins that collect data.
It’s precisely the plugins that can cause trouble when it comes to cookie management in WordPress. The hosted version sets cookies by default, as do the plugins installed on your website (for example, those used for analytics, contact forms, lead generation, or social media).
Cookies management on WordPress sites
WordPress core sets two kinds of cookies by default:
- Login cookies – set when a user logs in (wordpress_[hash] and wordpress_logged_in_[hash], plus wordpress_test_cookie, which only checks that the browser accepts cookies). They hold the username and a signed, time-limited token, not the password; they are cleared on logout and otherwise expire after two days, or 14 days when “Remember Me” is ticked
- Comment cookies – set when someone comments on the blog and ticks the “Save my name, email, and website in this browser” box that core adds to the comment form; they store the commenter’s name, email address and website URL (comment_author_[hash] and related names) and persist for about a year (30,000,000 seconds, roughly 347 days, by default)
On top of that, depending on the host and the choice of plugins, you can see the following on WordPress sites:
- Cookies that store preferences regarding the language, location, and device used to view the page;
- Analytics cookies that collect statistics on how visitors interact with the website, which pages are visited most often, etc.;
- Marketing cookies used to track users and their behavior (such as clicks on the ad) for advertising purposes;
- Cookies set by embedded content, such as YouTube videos, Facebook and Twitter sharing buttons;
- Web beacons – tiny transparent images (typically 1×1 pixel) embedded in pages or emails; not cookies themselves, but each one makes the browser send a request that the server can log (together with any cookie it has already set) to track navigation and collect statistics.
Since cookies are present almost everywhere on the web, specific legislation regulates to what extent and how they can be used for tracking purposes. We’re talking about laws such as the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), Argentina’s Personal Data Protection Act, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
If your website serves customers in the EU and processes personal data, you need to familiarize yourself with two pieces of legislation: the ePrivacy Directive and the General Data Protection Regulation (GDPR).
EU cookie law
The ePrivacy Directive (2002/58/EC), otherwise known as the “EU cookie law,” was adopted in 2002, and its cookie provision was tightened in 2009 to require consent. It regulates the processing of personal data in electronic communications and, in Article 5(3), specifically addresses storing information on, or reading information from, a user’s device, which is exactly what cookies and similar trackers do.
In legal terms, “processing” means anything from collection to recording, organization, alteration, retrieval, transmission, dissemination, and deletion of data.
The law revolves around the notion of “consent”: cookies cannot be used without it unless they are strictly necessary to provide a service the visitor has explicitly requested. Moreover, the Directive says that visitors must receive clear and comprehensive information about the cookies and trackers in use and the purpose each of them serves on the website.
Do you have to worry about GDPR?
The General Data Protection Regulation is the EU privacy and security law that has applied since 25 May 2018. It’s broader in scope than the ePrivacy Directive and concerns anyone offering goods or services to, or monitoring the behaviour of, people in the EU and processing their personal data, even if the business operates outside the EU and regardless of the person’s citizenship.
It’s one of the strictest regulations, with penalties of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher; therefore, any provider needs to ensure compliance. Although fines near that ceiling are rare, regulators do not shy away from punishing companies for various GDPR breaches: €50,000,000 for Google in France, €35,258,708 for H&M in Germany, and €27,800,000 for TIM in Italy.
Similar to the ePrivacy Directive, GDPR requires website owners and operators to ensure that personal data is collected and processed lawfully, which for non-essential cookies means on the basis of the user’s explicit consent. Although cookies are mentioned only once in the regulation (Recital 30 lists cookie identifiers among the online identifiers that can make a person identifiable), they are the most common way to gather and share such data; therefore, GDPR requirements apply to them. This is what you need to ensure:
- Prior consent must be given before cookies are activated (except strictly necessary ones);
- Users must be able to accept some cookies and refuse others, and cannot be forced to consent to all of them (this is called “granular consent”);
- Consent must be freely given, as easy to withdraw as it was to give, and recorded as evidence;
- Consent does not last forever: GDPR sets no fixed lifetime, but guidance from national authorities commonly suggests asking again periodically, for example every six to twelve months, and a fresh consent is needed whenever the cookies or their purposes change.
In 2020 the European Data Protection Board clarified the meaning of consent on the website following GDPR and specified that:
- Cookie banners are not allowed to have pre-ticked checkboxes;
- Continued scrolling or browsing by users cannot be considered valid consent, and neither can the so-called cookie walls that deny users access unless they consent to data processing.
WordPress and GDPR compliance
If you want to make your website compliant with complex legislation, here are the steps that you should follow:
- Identify the cookies on your site – open the browser’s developer tools (the Application or Storage panel) or use a cookie scanning tool to list every cookie your pages set, who sets it, how long it lives and whether it needs consent. The audit will help you determine what data you collect and store, and for how long. Pay attention not only to cookie identifiers but also to IP addresses, GPS locations, and information gathered at the store checkout and on registration pages.
- Check if the plugins you use allow you to easily turn off cookies without breaking their functionality (invest in those).
- Ask for consent – use a consent management solution such as CookieNotice or Cookiebot to add a notification plugin. These solutions support the creation of consent banners and forms. A cookie banner is a module that lists all essential and non-essential cookies used on the website, with their purpose, provider, and duration. It lets users consent to some or all cookies, usually by ticking boxes or using sliders. Remember that no boxes can be pre-ticked.
- Get consent for marketing activities – do it before sending any marketing emails to the visitors. A good practice is, for example, to add a checkbox with confirmation of consent before users subscribe to newsletters. Add user-agreement fields to contact forms.
- Adapt your online store’s terms and privacy notice to cover the consent you rely on when processing orders.
- Provide contact information – GDPR guarantees the right to access and delete the data collected online; therefore, make sure that the audience can reach you.
- Register and store consent. Document your compliance by regularly testing the website against GDPR requirements.
- Make it possible to withdraw consent – information about such options can be included in the footer or the cookie declaration.
- Use dedicated plugins for GDPR compliance.
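The first step of the list above, the cookie audit, and the consent rules listed under GDPR are easier to act on with a repeatable script than with a one-off look in the browser. The block below is an added example, not code from this article, from WordPress or from any consent plugin. It takes Set-Cookie headers captured during a page load (here a constructed sample with made-up hashes and cookie names, a made-up ad-network domain, and an assumed site host and capture time), parses each header, works out its lifetime and whether it is first- or third-party, places it in a rough purpose bucket using an assumed name-based rule, and lists the hardening attributes it lacks and whether it must wait for consent.

```python
"""Offline audit of captured Set-Cookie headers: lifetime, first- vs third-party,
a rough purpose bucket and missing hardening attributes for every cookie.
Added example for illustration; not code from the article, WordPress or any plugin."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

SITE_HOST = "shop.example"                               # assumed audited site
CAPTURED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed capture time

# Constructed sample: (host whose response carried the header, raw header value).
# Hashes, cookie names and the ad-network domain are made up for this example.
SAMPLE: List[Tuple[str, str]] = [
    ("shop.example", "wordpress_logged_in_3f2a=admin%7C1717891200%7Cdeadbeef; Path=/; HttpOnly"),
    ("shop.example", "wordpress_test_cookie=WP%20Cookie%20check; Path=/; Secure"),
    ("shop.example", "comment_author_3f2a=Jane; Path=/; Max-Age=30000000; Secure"),
    ("shop.example", "site_lang=en; Path=/; Expires=Sun, 01 Jun 2025 00:00:00 GMT; Secure; SameSite=Lax"),
    ("tracker.adnet.example", "_adid=abc123; Domain=.adnet.example; Path=/; Max-Age=63072000; Secure; SameSite=None"),
]

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lower-cased attribute -> value, None for bare flags
    set_by: str                      # host whose response set the cookie

def parse_set_cookie(host: str, header: str) -> Cookie:
    """Lenient RFC 6265 split of 'name=value; Attr=val; Flag'. An Expires value
    contains a comma but never a semicolon, so splitting on ';' is safe."""
    first, *rest = header.split(";")
    name, sep, value = first.strip().partition("=")
    if not sep or not name:
        raise ValueError(f"not a cookie pair: {first!r}")
    attrs: Dict[str, Optional[str]] = {}
    for part in filter(None, (p.strip() for p in rest)):
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name, value, attrs, host)

def lifetime_seconds(c: Cookie, now: datetime = CAPTURED_AT) -> Optional[int]:
    """None for a session cookie. Max-Age wins over Expires (RFC 6265, section 5.3)."""
    if c.attrs.get("max-age") is not None:
        return int(c.attrs["max-age"])
    if c.attrs.get("expires"):
        exp = parsedate_to_datetime(c.attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None

def is_third_party(c: Cookie, site_host: str = SITE_HOST) -> bool:
    """Third-party if the effective domain is neither the site nor a parent or
    subdomain of it. A real tool would consult the public suffix list here."""
    domain = (c.attrs.get("domain") or c.set_by).lstrip(".").lower()
    site = site_host.lower()
    return not (domain == site or domain.endswith("." + site) or site.endswith("." + domain))

def category(c: Cookie) -> str:
    """Purpose bucket guessed from the name; an assumed starting point, not a standard."""
    n = c.name.lower()
    if n.startswith(("wordpress_", "wp-settings-")):
        return "strictly necessary"   # WordPress login/session and admin-UI cookies
    if n.startswith("comment_author"):
        return "functional"           # commenter details; core's opt-in checkbox covers these
    if is_third_party(c):
        return "third-party tracking"
    return "unknown"                  # classify by hand

def audit(c: Cookie) -> List[str]:
    """Attribute and consent findings for one cookie."""
    a, cat, issues = c.attrs, category(c), []
    if "secure" not in a:
        issues.append("missing Secure")
    if cat == "strictly necessary" and "httponly" not in a:
        issues.append("no HttpOnly: readable by page scripts")
    if "samesite" not in a:
        issues.append("no SameSite (browsers default to Lax; state it explicitly)")
    elif (a["samesite"] or "").lower() == "none" and "secure" not in a:
        issues.append("SameSite=None without Secure: browsers reject the cookie")
    life = lifetime_seconds(c)
    if life is not None and life > 365 * 86400:
        issues.append(f"lifetime {life // 86400} days exceeds one year")
    if cat != "strictly necessary":
        issues.append("not on the strictly-necessary list: gate behind consent or document the exemption")
    return issues

def run_audit(captured: List[Tuple[str, str]] = SAMPLE) -> Dict[str, dict]:
    """cookie name -> party, category, lifetime in days (None = session) and issues."""
    report: Dict[str, dict] = {}
    for host, header in captured:
        c = parse_set_cookie(host, header)
        life = lifetime_seconds(c)
        report[c.name] = {"party": "third" if is_third_party(c) else "first",
                          "category": category(c), "issues": audit(c),
                          "lifetime_days": None if life is None else round(life / 86400)}
    return report

if __name__ == "__main__":
    print(*run_audit().items(), sep="\n")
```

To run it against your own site, capture the real Set-Cookie headers with the browser’s network panel or a proxy and feed them in as one (host, header) pair each. Anything the name rule leaves as “unknown” must be classified by hand, and the strictly-necessary list is the one you will have to defend to a regulator, so keep it short and written down.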
Bottom line is – pay attention to how you process data collected on the website. Cookie-related legislation is not something to be treated lightly, and can severely and painfully impact your business if not adhered to. Even more importantly, if you’re transparent and respect users’ privacy, you gain their trust, and that will always be beneficial for your business.