Are you wondering how to make your WordPress website legally compliant for the EU market or are you unsure whether you need an opt-in cookie banner plugin? Then you are in the right place! In this article I will not only introduce you to the three currently best cookie plugins for WordPress, but we will also take a look at all common types of cookie banners. Through the legal foundations and explanations of current judgements, which clearly show the legal situation, you will learn why not every cookie plugin is suitable for your website. You will also find out if you need a cookie banner plugin for your WordPress website at all. So there is a lot to know to make your website GDPR and ePrivacy compliant regarding cookies. After you read this article, many questions will be clearer for you!
In the following, I will show you the best opt-in cookie plugins for WordPress to meet the current legal regulations of the ePrivacy directive and the GDPR as far as possible. I have tested 17 WordPress plugins and would like to introduce the three best plugins to you here. Please note that I only present those plugins here that run directly in your WordPress installation and are not dependent on a cloud of the manufacturer. Thus, you avoid unnecessary further legal conflicts and you are more independent.
Real Cookie Banner is currently clearly the best opt-in cookie plugin for WordPress that you can use for your website. For little money you get everything you need to set cookies safely and document consent.
Real Cookie Banner offers you a comprehensive cookie and content management system that allows you to get informed consent to set cookies according to the ePrivacy Directive. In the cookie banner on your website, users can choose to accept all cookies, only certain cookie groups or each cookie individually. This makes the cookie banner ideal for privacy lovers as well as for normal users who just want to accept cookies. It also automatically detects if the user has set a “Do Not Track” header, indicating that as few cookies as possible should be set. Real Cookie Banner can realize this wish automatically. The only thing the plugin currently does not offer is a recognition of whether the user is from the EU and therefore has to agree at all.
As a website operator you will especially enjoy the flexible layout of the cookie banner. With 170 settings, you can design the cookie banner so that it fits perfectly into your website. Every change is shown in a live preview, so you can create your perfect cookie banner in just a few minutes. In addition, the about 10 design presets are very handy so you don’t have to start from scratch.
Another detail Real Cookie Banner has paid attention to are adblockers. They block more and more cookie banners, so the website operator can no longer set non-essential cookies for these users. This means no Google Analytics etc. But not with this plugin, because the integrated anti-ad-blocker system effectively prevents your cookie banner from being blocked.
Cookies are stored in cookie groups in Real Cookie Banner. As a website operator, you will find four common cookie groups with descriptive texts after installation. Creating cookies is just as easy. You can select cookies for well-known services like Google Analytics from over 40 templates. All legal and technical information is already filled out for you in the templates. If you use a service for which there is no template, Real Cookie Banner will guide you carefully through the requirements of the law with many descriptive texts and explanations of the current legal situation. Each cookie (service) can also execute its own HTML/JavaScript code when consent is given or consent is revoked. This allows you to load services at the right time and remove cookies in accordance with the legal requirements. The Real Cookie Banner plugin even removes cookies automatically for you on opt-out.
Besides cookies, there are also so-called Content Blockers. For example, if you embed a YouTube video in an article or a WordPress plugin automatically loads Google Maps, personal data would be transmitted and cookies would be set when you visit the website. However, you first need the consent of the visitor to do so. Real Cookie Banner automatically replaces this content with Content Blockers, which ask your visitor for consent if it has not already given it. With 25+ templates, it’s once again super easy to set up – and you can even create your own Content Blockers in a few minutes thanks to the simple structure.
Speaking of setup: After installing Real Cookie Banner, the WordPress plugin welcomes you with a checklist of all tasks to set up your cookie banner in a legally compliant way. No other plugin offers this, but it takes away many of the questions in your mind.
At least as well thought out is the documentation of consent in Real Cookie Banner. The WordPress plugin not only documents which cookies the visitor has agreed to. A documentation of consent includes all cookie groups, cookies, content blockers, settings and design preferences. This allows you to show exactly how the cookie banner looked and behaved at the time of consent in case of a dispute. You can even display the cookie banner in your browser as the user saw it at the time of consent. This way you can invalidate any false accusation of a data protection violation.
At this point I could tell you a lot more about Real Cookie Banner, like the age rating to fulfill youth protection requirements, obtaining consent for data processing in the USA, statistics about consent of visits or the support for Google Tag Manager and Matomo Tag Manager. Real Cookie Banner is almost an all-in-one solution for obtaining consent for cookies, and at the same time very clear and easy to use.
The price of 49 € per year and website (there are discounts for multiple websites) is almost too cheap for what you are offered. In addition, you can try the free version and test without any risk whether you get along with the plugin.
- Fair price-performance ratio
- Divide cookies into individual groups
- Technical specifications of HTTP cookies and cookie-like information
- Automatic deletion of 1st-party cookies
- Detects bots and “Do Not Track” headers
- Content blocker to block external content and plugins before consenting to cookies
- Individual design with 170 settings and around 10 design templates
- Live preview of all design changes
- Shortcodes make it easy to change and revoke consent
- Complete documentation of consents
- Guided configuration after installation
- Age information for the fulfillment of youth protection requirements according to GDPR
- Obtaining consent for data processing in the USA
- Support for Google Tag Manager and Matomo Tag Manager
- WPML/Polylang and WordPress Multisite Support
- No distinction between users from the EU and the rest of the world
- Plugin implements legal requirements meticulously, so the setup can take at least one hour
Borlabs Cookie is another good opt-in cookie plugin for WordPress that you can use for your website. And at a fair price.
Borlabs Cookie is primarily known for its comprehensive range of features. It works for (normal) WordPress installations as well as on multisite WordPress installations. The plugin recognizes bots as well as users with the “Do Not Track” header and treats this kind of users according to the applicable law and their wishes. The only thing that does not exist is a recognition if a user is from the EU – non-EU users usually do not need a cookie banner. However, this will only be interesting for a few websites that address an international audience.
The heart of the plugin is its flexible layout of the WordPress cookie banner or dialog. With about 100 settings you can fine-tune how the banner should look like on your website. This leaves little to be desired. And if you still have wishes, you can solve this with CSS, which is delivered directly with the cookie banner. However, you can’t see a live preview of the cookie banner while editing, so we had to press the F5 button about 500 times when we set up Borlabs Cookie on our website. This was annoying and here Real Cookie Banner found a much better solution.
If the user does not give his consent to include YouTube videos and their cookies, for example, they cannot be loaded. Borlabs Cookie also takes care of this. It automatically replaces the elements and instead displays a request for consent. This is cleverly solved!
You can also block scripts of WordPress plugins that should not be loaded. But this feature is only for professionals and even then the behavior is difficult to understand. At this point, Real Cookie Banner has again found a much more intuitive solution for the same problem.
Borlabs Cookie supports common multi-language plugins like WPML or Polylang. But there is one drawback for website operators with multiple languages: You have to maintain all settings, cookies, content and script blockers for each language individually. This takes a lot of time during the initial setup, and it is hard to understand why this was not implemented in a simpler way.
You should also be careful with the cookie and content blocker templates in Borlabs Cookie. There aren’t many templates, so you’ll have to research many of the legal and technical details yourself anyway. However, even if there are templates, you should not blindly rely on them, because e.g. the Google Tag Manager template simply contains wrong cookies. Here the developer of the plugin obviously mixes up Google Tag Manager and Google Analytics. A certain amount of technical and legal expertise is expected from you in order to make the right decisions.
The same applies to instructions in the knowledge base of the manufacturer. For example, Borlabs describes how Google Tag Manager can be used with Borlabs Cookie. The tutorial explains how to load Google Tag Manager before consenting. According to the common opinion of lawyers, this is no longer in compliance with applicable law. Nevertheless, the manufacturer points out in this knowledge base article that it would advise against using the two tools together. However, he does not offer a solution.
All in all, with Borlabs Cookie you get a functionally good solution which, provided you have IT and legal knowledge, puts all the tools at hand to set up the cookie banner correctly. To set it up correctly, however, you have to do it yourself with very little help from the manufacturer. The price of 39 € per website and year (if you have many websites, there is a discount) seems to be fair! There is no free version, so you should make sure that you will be able to use the plugin before you buy it.
- Fair price-performance ratio
- Detects bots and “Do Not Track” headers
- Fine granular customizing of the layout in about 100 settings
- Legal and technical information per cookie can be stored
- Content and script blocker meets the legal requirements with link to the cookies
- Cookie banner should meet legal requirements if set up correctly
- Consents are documented in a simple form
- Shortcodes make it easy to change and revoke consent
- WordPress multisite support
- Legal and IT expertise required for correct setup
- No differentiation between EU and third country users possible
- Customizer of the banner without live preview
- Cookies must be entered manually
- Cookies are not completely removed automatically after revoking the consent
- Script blocker even for professionals difficult to use
- Cookie and content blocker templates with false information and misleading articles in the manufacturer’s knowledge base
- Documentation of consent may not be sufficient in case of dispute
- With multi-language plugins, settings, cookies, etc. must be managed separately for each language
Another great solution is Complianz. The cookie plugin is available for several jurisdictions. It brings a lot of features – almost too many. The price is a bit higher, but still reasonable for the functionality.
You can adjust the appearance of your cookie banner with about 25 settings. What at first sounds like a lot, turns out to be a limitation in practice. We could not customize the opt-in cookie banner to fit completely into the corporate design of our website.
The plugin has an integrated cookie scanner. It automatically recognizes cookies on your website and compares them with a database. This allows common services to be recognized automatically. Even though Complianz uses an efficient solution for the cookie scanner, it points out in the documentation for cookie scan results that so-called third party cookies are not recognized with the chosen solution. For example, a self-built integration of Google Analytics could not be recognized. Therefore, you should check the results by hand in any case. What works well is that cookies are grouped together. Your users can only agree to whole groups, but not to single cookies, which is legally questionable.
It is easy for your users to consent. One click and the decision is made. In the background, Complianz documents the consent and many settings of the cookie banner. This enables you, as the website operator, to prove in case of doubt that one of your users has consented to cookies, and when as well as how.
Complianz also offers many other features such as A/B testing, recognition of EU users or support for multi-language plugins. However, this amount of features is almost overwhelming for a webmaster, because the plugin’s interface in the WordPress backend does not look very clean. So it took me some minutes until I found the cookies stored in the plugin in a submenu item as a hidden second step of a wizard. This is a pity, because there is so much under the hood that many website operators will probably never discover…
To sum up: With Complianz you get one of the probably most powerful opt-in cookie banner plugins for WordPress. But you also get an additional complexity of its own, which you first have to manage. For hobby bloggers, I think the plugin is too complex. The price of 49,00 € per website and year seems almost small for what is offered. And a free version with limited functions is available.
- Setup wizard that guides website operators
- In addition to the EU GDPR, designed for other laws
- Cookie scanner for the automatic insertion of cookies
- Content and script blocker with relatively easy handling
- Distinction between EU and third country users possible
- Consents are fully documented
- A/B Testing Support
- WordPress multisite support
- Customizer of the banner without live preview
- Cookie scanner does not find all cookies
- Customization of the cookie banner layout is limited
- Consent is only possible for entire cookie groups, which is at least legally questionable
- Confusing user interface with many features, which is likely to overwhelm many users
In addition to the three cookie banner plugins discussed in more detail above, I know of 14 other cookie plugins at the time of writing this article. You can download them from the official plugin directory on wordpress.org. However, I do not want to recommend these plugins for various reasons. For completeness, I list them below and explain briefly why I cannot recommend these WordPress plugins:
- GDPR Cookie Compliance: Many settings in the confusing interface, but unfortunately you can only distinguish between essential cookies, third-party cookies and additional cookies. The user of the website is not given the opportunity to decide about each cookie individually. This should not be compatible with applicable law in the EU or Germany (where I come from) and should not happen with a paid solution.
- Cookiebot: The plugin is in general an excellent solution, but it only works with a connection to its cloud service, which results in a permanent dependency. The price of 108 € to 444 € per year and website (as of June 2020) is also very expensive.
- iubenda – Cookie and Consent Solution for the GDPR & ePrivacy: The plugin only integrates the script of the cloud service where the cookie banner is hosted. Accordingly, this results in a high dependency and in case of a failure of the iubenda servers, no consent can be obtained on your website anymore. The pricing model is rather complicated and in case of doubt expensive with an annual fee plus extra costs per website visit above a certain limit.
- GDPR Cookie Consent Banner: The plugin is a cookie notice with a very simple opt-out option and is therefore no longer compatible with applicable law.
- GDPR Cookie Consent: In my opinion, the plugin is not legally compliant in its default settings in Germany. The website operator must first readjust the settings on his own. In addition, essential functions such as the documentation of consents are reserved for paying users. The free version therefore does not appear to me in a good light. If you want to have a solution without a big effort of time, you should rather use another plugin.
- WP DSGVO Tools (GDPR): Powerful plugin that can do much more than just display cookie banners. However, setting up the plugin is not intuitive and seems to be possible only with cookies from services that have been explicitly pre-defined by the plugin. This can quickly become a problem on a not so simple website.
- Italy Cookie Choices (for EU Cookie Law): The plugin was last maintained about two years ago and is, as the name suggests, more adapted to Italian legal practice. There is no business model behind the plugin, so a long-term maintenance of the WordPress plugin cannot be expected.
- Smart Cookie Kit: The plugin has a very technical structure. If you are not a software developer, you will have difficulties using the plugin. Furthermore, it is not possible for your visitors to decide which single cookie they want to use, so it should not be legally compliant.
- Cookii – Free GDPR Cookie Consent: Besides a very limited customizability, this plugin only allows you to manage Google Analytics, Facebook pixels and two own cookies. After that it’s over, which might not be enough for most websites.
- Surbma | GDPR Proof Cookie Consent & Notice Bar: The plugin comes with a nice interface, but it doesn’t allow your users to interact with individual cookies. Despite a good approach it is therefore not recommended from a legal perspective.
- GDPR Cookie Consent by Supsystic: The WordPress plugin looks nice at first glance, but does not meet the legal requirement that users can choose in fine granularity which cookie they want to consent to.
- WordPress GDPR Cookie Compliance: A plugin that tries to implement a lot of things, but has only half solved everything. It is possible to obtain consent, but the user cannot decide per cookie and all cookie information should be written out on a subpage you have to design. The developers were creative here to save work. But this does not seem to be legally compliant.
- LuckyWP Cookie Notice (GDPR): The plugin offers an opt-in cookie banner for exactly one cookie and the corresponding script. If you want to have more, you have to take care of it yourself. This is unfortunately not more than a good starting point for web developers to create their own cookie banner.
All recommended cookie banner plugins I just introduced to you are so-called opt-in cookie banners. In the EU (and Germany), only opt-in cookie banners are allowed according to current law – why this is so, I’ll explain below in the legal foundations.
If you start looking for the perfect cookie banner for your needs, you will also find plugins and services that offer other types of cookie banners. Some of them falsely claim to be legally compliant because they were implemented according to outdated legal requirements or simply use the statement for marketing purposes without considering the legal situation.
That’s why I explain to you which types of cookie banners there are, so that you can distinguish them yourself. This is important so that you don’t use a cookie banner by mistake, which could put you in legal trouble.
It should be noted that some WordPress plugins or services technically set multiple cookies or cookie-like data. For the purpose of simplicity, I will call all cookies of a service together as one cookie in the following.
The opt-in cookie banner ensures that cookies are only set after consent has been given. This also means that services such as Google Analytics can only be integrated after the user has explicitly agreed to them.
This type of cookie banner is required by the California Consumer Privacy Act (CCPA), but not by EU law. This law is intended to protect California residents in the United States. Consequently, this type of cookie banner is only relevant for websites targeting the US market. At the same time, the more restrictive opt-in cookie banner from the EU should also meet the requirements of the CCPA.
In the comparison of the best cookie plugins, cookie groups have been discussed several times. This raises the question of what cookie groups there should be and how cookies should be separated from each other in terms of their function.
As a matter of principle, there is no legal requirement as to which groups cookies should be divided into. In fact, the question of whether cookie groups are legally allowed has not yet been finally clarified in the EU. Currently, however, it can be assumed that they will be permitted or even recommended – more on this in the legal foundations. Only between essential cookies and all other cookies is a distinction to be made for legal reasons. What the difference is, I will explain to you in a moment.
Accordingly, most WordPress cookie plugins divide the cookies into different groups according to their function or use. Most plugins also allow you to create your own groups. Which cookies belong to which group is also a question that every website owner has to answer on its own. Depending on the use of a service, plugin or integration of external media, the answer may vary.
In the following, I would like to show you on the basis of a typical division of cookies into four groups with examples, which cookies belong to which groups according to my legal opinion.
It is important to answer the question correctly, what are technically essential cookies. Often, cookies that are considered to be essential from an organizational point of view are equated by website operators as technically essential cookies. This can have fatal consequences, since consent is required to set these cookies. But what is the difference? You should always ask yourself whether the basic functionality of your website can no longer be maintained if a cookie cannot be set. This explicitly does not mean whether, for example, you need a tool to generate revenue so that the website can earn its costs. It only refers to cookies that are indispensable from the perspective of your visitors.
This sounds very abstract, which is why I would like to give you some examples to answer this question:
- Example for essential cookie: In an online shop the shopping cart cookie or in a member area the login status cookie can be considered essential. In both cases, without the cookie, the functionality of the website would be fundamentally affected, as the visitor would not be able to add products to his or her shopping cart or access the member area.
- Example of a controversial cookie: Google Fonts is a service that allows beautiful fonts to be displayed on websites even if they are not installed on the user’s computer or mobile device. Google collects data from this service and sometimes sets cookies. Practically everyone would probably agree that these cookies are essential, because a website looks completely different with a standard font than with a nice and matching font. Legally speaking, however, the user of your website has no functional restrictions if the website looks less pretty. In addition, as the operator of the website you have the technical possibility to deliver fonts from your own server and therefore not to transmit data to Google. As a result of these arguments, it is legally disputed whether services such as Google Fonts can be regarded as essential. At the time I am writing this article, there is no highest court decision yet. If you want to be on the safe side, you should rather classify such cookies as non-essential.
- Example of a non-essential cookie: You want to embed Google Analytics on your website to track users and thus increase the quality and/or sales of your website. Your website would work exactly the same way without this service and its cookies. Whether you could improve your website in the long run is not important for the legal consideration.
Non-essential cookies, such as statistics cookies, are easier to classify than essential cookies. This group includes all services that record data about the behaviour of your visitors, if the data finally shows how a group of users or all users together have behaved. It is important to note that due to the user’s behaviour, the contents of your website must not be personalised for the user, as this is no longer purely for statistical reasons.
Example of statistical cookies: Google Analytics, Matomo or Clicky are tools that comprehensively record the behaviour of your visitors and can be evaluated in aggregated form.
There are a variety of services that allow you to collect and analyze data about individual users. The analysis of the collected data can lead to you treating a user differently, displaying different content or spending different amounts of money on third party websites to display advertisements for your website. With this group of cookies, the data could, but does not have to, be evaluated in monetary value.
Example for marketing cookies: Google Ads or Facebook Ads offer to install trackers on your website, which monitor the success of your advertising campaign. The data collected decides which users receive advertising and can also decide how much you spend to ensure that a user sees your advertising. In the same way, Hotjar is a heatmap recorder in the field of marketing. You do not use the collected data to place advertisements, but you can view a recording of all clicks of each user and use the knowledge gained to optimize your website, for example to achieve more sales.
Finally, many cookie banner plugins combine cookies that load unspecified external media. External media usually enhance the content of your website. If they were missing, users could still use your website without being restricted.
Example: YouTube, Vimeo or Twitch, from which you embed videos as iframe directly into your website and which are immediately loaded by the services.
Now that you have learned about many solutions and can differentiate between cookie banner types and cookie groups, you will certainly ask yourself:
“Why are opt-in cookie banners needed? And does my WordPress website also need a cookie banner?”
Short answer: Since October 2019 it is finally clear in the EU that opt-in cookie banners are mandatory for all non-essential cookies. This also applies to your WordPress website, because you need permission for almost all cookies.
Therefore I would like to explain in the following, as simple and practical as possible, why opt-in cookie banners are mandatory for websites. We will take a look at all legally relevant decisions (from a German perspective) and also take a look at what laws are likely to regulate cookies in the future.
§ 15 (3) TMG, German law (before 2009)
However, an EU directive is not the same as a law. Directives must be transposed into national law. In Germany, however, the directive has never been implemented. This created a grey area, as the EU said that opt-in was mandatory, but national laws like in Germany contradicted this.
EU GDPR (May 2018)
However, the EU GDPR does not explicitly regulate how cookies are to be handled in general. This should be regulated by the ePrivacy Regulation (not to be mixed up with the ePrivacy Directive), which was originally supposed to be introduced with or shortly after the EU GDPR. However, this project failed due to the political discussion process.
ECJ judgment (October 2019)
The court thus made it clear that cookies that are not technically absolutely necessary can only be set after explicit consent, via the so-called opt-in procedure. The judges also deduced from Directive 95/46/EC that no pre-selection for the user is allowed. This means that checkboxes with standard consent to all cookies are not allowed. However, the procedure did not clarify whether an “I accept all cookies” button, which is possibly more prominent than an “Accept only essential cookies” button, complies with the applicable law. That is why this kind of presentation in opt-in cookie banners is also offered and recommended by many WordPress plugins.
BGH judgement (May 2020)
On 28 May 2020 the BGH interpreted Section 15 (3) TMG for Germany (Case No. I ZR 7/16 – Cookie Consent II) in such a way that it is in line with the ePrivacy Regulation. The court held that the wording in German law, translated into English as “unless the user objects”, should be understood as “unless the user consents”. Since then, it has been made clear that non-essential cookies in Germany require explicit consent (opt-in procedure). The same applies to other EU countries because of the ECJ judgement.
ePrivacy Regulation (expected 2021/2022)
It is to be expected that the ePrivacy Regulation will have to be applied from 2021 or 2022 (as of June 2020).
Many opt-in WordPress cookie plugins group cookies together. Whether this is allowed is considered controversial. This question has not yet been clarified in court.
The FAQ of the State Data Protection Commissioner of Baden-Württemberg, Germany recommends combining cookies into groups. However, all cookies from the group must also be described individually and must be selectable or deselectable. The British data protection authority ICO, on the other hand, considers this behaviour in its status report to be incompatible with the ePrivacy Directive. The ePrivacy Regulation could bring clarity here in a few years.
If non-essential cookies are set without prior consent, this is a violation of the ePrivacy Directive. If the data collected are personal data, this may even constitute a violation of the EU GDPR. Both can result in warnings and fines. The Federation of German Consumer Organisations (VZBV) has already sent out warnings (with small fees).
According to this, there is a potential risk of being warned in the EU because of the lack of an opt-in cookie banner. In view of the large number of websites that currently still violate this directive or the law, this is likely to mean that not all website operators will receive immediate warnings. However, the chances or danger of a warning or fine should increase over time and thus the need to act.
WordPress websites are usually operated with a lot of plugins and an additionally installed theme. These can store their own cookies or cookie-like information. Accordingly, this question cannot be answered in a general way. Rather, every website operator must find out for himself. Cookie scanners can help here. However, only some of the WordPress Opt-in cookie-banner plugins include a cookie scanner. Therefore I will show you below how this works independently from your plugin.
But you can answer which cookies the WordPress CMS sets without themes and plugins. This is described in detail in the support area on WordPress.org. You have to differentiate between two types of users, for whom different cookies are set.
Logged in users:
- wordpress_[hash]: Login information of the user as hash
- wordpress_logged_in_[hash]: Login status and the user ID
- wp-settings-[time]-[UID]: User-related settings for the WordPress backend
Unregistered users:
- comment_author_[hash]: Name of the commentator
- comment_author_email_[hash]: Email address of the commentator
- comment_author_url_[hash]: Website URL of the commentator
The cookies for unregistered users all refer to the comment function of WordPress. Accordingly they are only set if a user has left a comment in the comment area of your WordPress website. The purpose of the cookies is that the user does not have to enter his data again if he wants to write another comment.
This question is again not easy to answer. Many cookies are set the first time you visit the website, for example when Google Analytics is integrated into the website. However, there are also scripts that are only integrated into the website on certain sub-pages and set cookies there. For example, the Jetpack plugin only loads its comment function if a comment area is visible on the sub-page. Finally, there are cookies that are only set when the user performs a certain interaction with the website. The cookies of the standard WordPress comment system mentioned in the previous section are an example.
Furthermore, technically speaking, not all cookies are the same. The term “cookie” legally stands for so-called HTTP cookies. However, the applicable laws also require that cookie-like information is treated in the same way. Technically, there are a variety of ways to store such information. The most common methods are briefly explained below:
- HTTP Cookie: Classic cookie that is transferred to the server in every connection.
- Session Storage: Same as Local Storage, but technically limited to the respective tab in the browser in which the information was set.
- Pixel Tracker: Loading of a (mostly) invisible graphic that can uniquely identify the user.
- Flash Local Shared Object: Object for storing information about users in Flash files (rarely used anymore).
- IndexedDB: Modern alternative to local storage for larger amounts of data (still rarely used).
As if that were not complex enough, the visibility of many cookies and cookie-like information is limited. This means, for example, that a cookie set by devowl.io can only be read by the server and scripts of the domain devowl.io. This is necessary to prevent a third website (a so-called third party) from, for example, intercepting the active login to your WordPress backend, which is stored in a cookie, and forwarding it via its server to the operator of that third website. Tools that search for your cookies must therefore have the rights to read all cookies, including those from third-party websites that are integrated into your website (e.g. Google Analytics).
Tools that promise to find cookies on your website must therefore be critically reviewed. Does the tool run through all sub-pages of your website? Can you interact with your website to trigger the placement of cookies? Does the tool read not only HTTP cookies, but any kind of cookie-like information? And does the tool even have the rights to read all cookies from third parties?
I would like to recommend a tool that does all this for you automatically. But I don’t know any at the moment. This includes cookie scanners in various WordPress plugins that promise to find your cookies. In practice, however, they usually only find a part of your cookies.
The best approach is to delete all cookies in your browser first. Then open the developer console of your browser. Now visit all sub-pages of your website and use every known way to interact with the website. Then go to the “Application” tab in Google Chrome or the “Web Storage” tab in Mozilla Firefox. There you will find all types of cookies and all third-party domains that have set cookies on your website. You can now read them manually and transfer them to your cookie banner.
I admit, this solution is not optimal. Therefore, we are already working on a tool for this. If you don’t want to miss its release, please subscribe to our newsletter (in the sidebar of this blog article)!
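The manual audit described above can be partly scripted. The following is an added example, not code from this article or from any plugin: it assumes you recorded your browsing session in the browser's network panel and exported it as a HAR file, then lists every cookie set via a response header, marks it as first or third party, and flags the WordPress core cookies named earlier. The function names, the hosts blog.example and tracker.example, and the sample data are constructed for illustration.

```javascript
// WordPress core cookie name patterns from the article's list (assumptions: hash is hex,
// wp-settings appears as wp-settings-<uid> and wp-settings-time-<uid>).
const WP_CORE = [
  [/^wordpress_logged_in_[0-9a-f]+$/, "login status and user ID"],
  [/^wordpress_[0-9a-f]+$/, "login information"],
  [/^wp-settings-(time-)?\d+$/, "backend user settings"],
  [/^comment_author_(email_|url_)?[0-9a-f]+$/, "comment form data"],
];
// Parse one Set-Cookie line; without a Domain attribute the cookie belongs to the responding host.
function parseSetCookie(line, requestUrl) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: empty or missing name
  const cookie = { name: pair.slice(0, eq), domain: new URL(requestUrl).hostname, session: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain" && v) cookie.domain = v.replace(/^\./, "").toLowerCase();
    if (/^(expires|max-age)$/i.test(k)) cookie.session = false; // persistent cookie
  }
  return cookie;
}
// Simplification: plain host-suffix comparison instead of a public-suffix-list lookup.
const sameSite = (d, s) => d === s || s.endsWith("." + d) || d.endsWith("." + s);
// Walk every response in the HAR and return one record per (domain, cookie name).
function inventory(har, siteHost) {
  const seen = new Map();
  for (const entry of har.log.entries) {
    for (const h of entry.response.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      for (const line of h.value.split("\n")) { // some exporters join several cookies with \n
        const c = parseSetCookie(line, entry.request.url);
        if (!c) continue;
        c.party = sameSite(c.domain, siteHost) ? "first" : "third";
        c.wpCore = (WP_CORE.find(([re]) => re.test(c.name)) || [])[1] || null;
        seen.set(`${c.domain}|${c.name}`, c);
      }
    }
  }
  return [...seen.values()];
}
// Constructed sample data (not from a real site): three responses, four cookies.
const resp = (url, ...cookies) => ({ request: { url },
  response: { headers: cookies.map((value) => ({ name: "Set-Cookie", value })) } });
const SAMPLE_HAR = { log: { entries: [
  resp("https://blog.example/wp-comments-post.php",
    "comment_author_0123abcd=Alice; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "comment_author_email_0123abcd=a%40example.org; Max-Age=3600"),
  resp("https://stats.tracker.example/collect", "_uid=42; Domain=.tracker.example; Max-Age=63072000"),
  resp("https://blog.example/wp-login.php", "wordpress_logged_in_0123abcd=admin%7C1; HttpOnly"),
] } };
console.table(inventory(SAMPLE_HAR, "blog.example"));
```

This only covers HTTP cookies set through response headers; cookies written by scripts, session storage, IndexedDB and tracking pixels still have to be checked in the browser's storage view as described above. Some browsers strip Set-Cookie headers from HAR exports by default, so confirm that your export contains them.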
I have listed the top 10 typical mistakes that are regularly made by less technically skilled owners of WordPress websites:
- Cookie banner not activated: Trivial, but it still happens. The cookie banner has been fully set up, but it is not activated for your visitors. In any case, check in a private window of your browser, as a logged-out user on your WordPress website, whether the cookie banner is displayed.
- Cache prevents delivery of the cookie banner: Many WordPress websites use caching plugins to load faster. If the cookie banner plugin does not invalidate the cache properly after changing a setting, this can lead to a situation where the cookie banner is not delivered or only in an outdated version. Be sure you empty the page cache after setting up or changing your cookie banner!
- Not all cookies are detected: Above I described how complicated it is to find all cookies and cookie-like information. It’s easy to miss a cookie. So check carefully whether you have really collected all cookies in your cookie banner. If in doubt, don’t rely on cookie-scanner tools.
- Incorrectly grouped cookies: Even if you have found all cookies, there is no use if you classify non-essential cookies as essential cookies. So, as described above, question very carefully whether a cookie is really essential. In most cases the honest answer is: No.
- Consents not properly documented: The visitor of your website could at any time dispute that he has given his consent for you to set cookies on his computer or mobile device. Thanks to the (simply put) reversal of the burden of proof under the GDPR, you have to prove that he has given his consent. Consequently, the consent must be kept in full for the next approx. 5 years, until the statute of limitations for the possible criminal offense arising from the possible data protection violation expires. When choosing the cookie banner plugin, make sure that it documents the consent completely, and make regular backups of your website.
You should definitely avoid making the same mistakes. Otherwise, the huge effort you put into setting up an opt-in cookie banner on your website may be wasted.
If you need help setting up your cookie banner, please open a support ticket with us and we will make you an individual offer to set up the opt-in cookie banner on your WordPress website.
In this article we not only looked at the best opt-in cookie banner plugins for WordPress, but also covered a range of background questions. If you have read the article completely, you now know what kinds of cookie banners exist, what cookie groups are and how to group cookies into them, whether and on which legal basis a cookie banner has to be displayed on your WordPress website, and how to find out which cookies your website sets. You have also learned about typical mistakes when using a cookie banner plugin. You should avoid these mistakes in any case, because otherwise all your efforts to use a cookie banner won’t achieve anything!
In summary, I can say that it is very difficult to build a website that does not set cookies, especially for customer projects when you build WordPress websites as contract work. If your website is aimed at users from the EU, then according to the current legal situation you have to get the consent of your visitors to set most cookies. An opt-in cookie banner is then mandatory for your WordPress website!
I personally use the Real Cookie Banner WordPress plugin for our websites. It offers the most features for a reasonable price, allows you a legally compliant setup and is currently the plugin I can best recommend.