
Top 3 Cookie Plugins for WordPress (ePrivacy/GDPR compliant)

Jul 1, 2020 | General, WordPress | 0 comments

Are you wondering how to make your WordPress website legally compliant for the EU market or are you unsure whether you need an opt-in cookie banner plugins? Then you are in the right place! In this article I will not only introduce you to the currently three best cookie plugins for WordPress, but we will also take a look at all common types of cookie banners. Through the legal foundations and explanations of current judgements, which clearly show the legal situation, you will learn why not every cookie plugin is suitable for your website. You will also find out if you need a cookie banner plugin for your WordPress website at all. So there is a lot to know to make your website GDPR and ePrivacy compliant regarding cookies. After you read this article, many questions will be clearer for you!

Attention: This article is not legal advice! We as developers of WordPress plugins and contractors of website projects have dealt intensively with the topic of cookie banners, as it is essential in our daily work. However, we are neither lawyers, nor can we guarantee the completeness, timeliness and accuracy of the following information. In case of doubt, always consult a lawyer.

Best cookie plugins for WordPress

In the following, I will show you the best opt-in cookie plugins for WordPress to meet the current legal regulations of the ePrivacy Directive and the GDPR as far as possible. I have tested 16 WordPress plugins and would like to introduce the three best plugins to you here. Please note that I only present plugins that run directly in your WordPress installation and do not depend on a cloud service of the manufacturer. This way you avoid unnecessary further legal conflicts and you are more independent.

Borlabs Cookies


Currently, Borlabs Cookie is clearly the best opt-in cookie plugin for WordPress that you can use for your website. And that at a fair price.

Borlabs Cookie is primarily known for its comprehensive range of features. It works on (normal) WordPress installations as well as on WordPress multisite installations. The plugin recognizes bots as well as users with the “Do Not Track” header and treats these users according to the applicable law and their wishes. The only thing missing is detection of whether a user is from the EU – non-EU users usually do not need a cookie banner. However, this will only be interesting for the few websites that address an international audience.

The heart of the plugin is the flexible layout of the WordPress cookie banner or dialog. With about 100 settings you can fine-tune how the banner should look on your website. This leaves little to be desired. And if you still have wishes, you can solve this with CSS, which is delivered directly with the cookie banner. However, you can’t see a live preview of the cookie banner while editing, so we had to press the F5 key about 500 times when we set up Borlabs Cookie on our website.

Cookies can be divided into cookie groups using Borlabs Cookie. You enter the cookies yourself manually. Here you can record most of the legally and technically necessary information. Using HTML and JavaScript, which you have to write yourself, you can for example integrate Google Analytics at the time of consent and remove it from your website if your user revokes his consent. Here the plugin requires a certain amount of programming knowledge. Once you have overcome this hurdle, the plugin offers all relevant features. There is no automatic recognition of cookies, but there are templates for nine well-known services and plugins.

If the user does not give his consent to YouTube videos and their cookies, for example, they must not be loaded. Borlabs Cookie also takes care of this. It automatically replaces the embedded elements with a placeholder that asks for consent again. This is cleverly solved!

You can also block scripts of WordPress plugins that should not be loaded. But this feature is only for professionals and even then the behaviour is difficult to understand.

Users of your website can give their consent to all cookies, only essential cookies, single cookie groups or even single cookies. With this the plugin should meet the legal requirements. Borlabs stores consents in a simple way, which should serve the purpose. In addition, links can be placed via shortcodes to change or revoke consent, e.g. in the privacy policy. In this way you also meet the legal requirements from the GDPR.

Common multi-language plugins like WPML or Polylang are supported by Borlabs Cookie. But there is one drawback for website operators with multiple languages: you have to maintain all settings, cookies, content and script blockers for each language individually. This takes a lot of time during the initial setup, and it is not really clear why no simpler implementation was chosen.

All in all, with Borlabs Cookie you get an all-round solid package and the best solution currently available for WordPress. The price of 39 € per website and year (if you have many websites, you get a discount) seems more than justified! There is no free version. But you will not regret the purchase.

Advantages

  • Best opt-in cookie banner solution for WordPress
  • Fair price-performance ratio
  • Detects bots and “Do Not Track” headers
  • Fine granular customizing of the layout in about 100 settings
  • All legal and technical information per cookie can be stored
  • Content and script blocker meets the legal requirements with link to the cookies
  • Cookie banner should meet legal requirements
  • Consents are documented
  • Shortcodes make it easy to change and revoke consent
  • WordPress multisite support

Disadvantages

  • No differentiation between EU and third country users possible
  • Customizer of the banner without live preview
  • Cookies must be entered manually
  • With multi-language plugins, settings, cookies, etc. must be managed separately for each language

Borlabs Cookie: Cookie settings

Borlabs Cookie Banner at devowl.io

Complianz


Another great solution is Complianz. The cookie plugin is available for several jurisdictions. It brings a lot of features – almost too many. The price is a bit higher, but still reasonable for the functionality.

Complianz welcomes the website operator with a setup wizard. This wizard first asks which legal area the website is in. In addition to the GDPR, the plugin can also implement rules of the PECR (United Kingdom), CCPA (USA) or PIPEDA (Canada). In addition to cookies, the WordPress cookie banner plugin will also generate cookie guidelines for you as part of the privacy policy.

You can adjust the appearance of your cookie banner with about 25 settings. What at first sounds like a lot, turns out to be a limitation in practice. We could not customize the opt-in cookie banner to fit completely into the corporate design of our website.

The plugin has an integrated cookie scanner. It automatically recognizes cookies on your website and compares them with a database. This allows common services to be recognized automatically. Even though Complianz uses an efficient solution for the cookie scanner, its documentation on cookie scan results points out that so-called third-party cookies are not recognized with the chosen solution. For example, a self-built integration of Google Analytics could not be recognized. Therefore, you should check the results by hand in any case. What works well is that cookies are grouped together. Your users can only agree to whole groups, but not to single cookies, which is legally questionable.

Integrations with common services like YouTube, Vimeo or Google Maps simplify the work with the cookie banner. The cookie banner automatically recognizes when such a service is used and blocks it if the user has not agreed to the cookies of the service. The same applies to JavaScript files added by plugins. Given the underlying complexity, they can also be blocked relatively easily if no consent has been given.

It is easy for your users to consent. One click and the decision is made. In the background, Complianz documents the consent and many settings of the cookie banner. This enables you, as the website operator, to prove in case of doubt that one of your users has consented to cookies, and when as well as how.

Complianz also offers many other features such as A/B testing, recognition of EU users or support for multi-language plugins. However, this amount of features is almost overwhelming for a webmaster, because the plugin’s interface in the WordPress backend does not look very clean. It took me some minutes until I found the cookies stored in the plugin in a submenu item, hidden as the second step of a wizard. This is a pity, because there is so much under the hood that many website operators will probably never discover…

To sum up: With Complianz you get probably one of the most powerful opt-in cookie banner plugins for WordPress. But you also get an additional complexity of its own, which you first have to manage. For hobby bloggers, I think the plugin is too complex. The price of 49,00 € per website and year seems almost small for what is offered. And a free version with limited functions is available.

Advantages

  • Setup wizard that guides website operators
  • In addition to the EU-DSGVO, designed for other laws
  • Cookie policy generator included
  • Cookie scanner for the automatic insertion of cookies
  • Content and script blocker with relatively easy handling
  • Distinction between EU and third country users possible
  • Consents are fully documented
  • A/B Testing Support
  • WordPress multisite support

Disadvantages

  • Customizer of the banner without live preview
  • Cookie scanner does not find all cookies
  • Customizing of the cookie banner layout is only possible to a limited extent
  • Consent is only possible for entire cookie groups, which is at least legally questionable
  • Confusing user interface with many features, which is likely to overwhelm many users

Cookie Notice for GDPR & CCPA


If you prefer something simpler, you are well advised to use Cookie Notice for GDPR & CCPA as an opt-in cookie plugin. With over 1 million active installations, it is probably the most popular free WordPress cookie banner plugin on wordpress.org.

All settings of this cookie-banner plugin can be found in the WordPress backend on only one page. This already shows that this plugin is much simpler than the plugins mentioned before. Simpler does not necessarily mean better in this case. As a website operator you still have to fulfill legal requirements.

You can adjust the appearance of the opt-in cookie banner in exactly six settings. No more, but also no less. Everything else you have to style yourself using CSS code. Accordingly, this solution is not very flexible, which is probably only interesting for operators of very small hobby blogs.

Cookie groups as well as cookies with detailed descriptions do not exist in this plugin. Nevertheless, the plugin manages to fulfill at least most legal requirements. The cookie banner can distinguish between essential and non-essential cookies. It also allows executing HTML and JavaScript code if the cookies are accepted by the visitor. So all scripts of all non-essential cookies can be executed as soon as the consent is given. A description of which cookies are used on your website must be included in your privacy policy. You are responsible for this and the plugin does not give you any assistance with the technical or legal description. It is legally disputed whether the use of more than one non-essential cookie is legally permitted, if the user cannot agree to each cookie individually. But if you only set one non-essential cookie, then the plugin is enough for you!

Also, this cookie banner plugin does not have content and script blockers, with which you prevent YouTube videos from being loaded if the user has not given you permission to set their cookies. At this point you have to use third party plugins like Shariff Wrapper to legally operate your website.

The cookie banner is very easy for your users to use. Two buttons: Agree or Reject. That’s it! In addition, the plugin offers you the legally required option to revoke the consent to set cookies in your privacy policy. This is done with a simple shortcode. In this case it is important that you use a self-written script to ensure that the cookies are removed from your user’s computer. Again, the plugin is minimalistic in supporting you.
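Both the consent-time integration described for Borlabs Cookie above and the self-written revocation script mentioned here come down to the same two pieces: load non-essential scripts only once an explicit consent record exists, and expire the cookies of a service when consent is withdrawn. The following is an added example written for this article, not code from the article or from any of the plugins reviewed; the storage key, service ids, script URLs and cookie names are assumptions.

```javascript
// Added example (not from the article or any plugin it reviews): a minimal
// consent-gated loader plus the revocation clean-up that a cookie banner needs.
// All names below (storage key, service ids, script URLs, cookie names) are assumed.

const CONSENT_KEY = "cookie_consent_v1"; // assumed localStorage key for the consent record

// Registry of non-essential services: their cookie group, the script that must not
// load before consent, and the cookies the service is known to set (constructed values).
const SERVICES = {
  analytics: { group: "statistics", src: "https://analytics.example/tag.js", cookies: ["_ga", "_gid"] },
  ads:       { group: "marketing",  src: "https://ads.example/pixel.js",     cookies: ["_fbp"] },
  video:     { group: "external",   src: "https://video.example/embed.js",   cookies: ["VISITOR_INFO"] },
};

// Build a consent record that documents what was allowed, when and how. Keeping
// this record is what lets the operator later show which consent was given.
function makeConsentRecord(allowedServices, now = new Date()) {
  const unknown = allowedServices.filter((id) => !(id in SERVICES));
  if (unknown.length) throw new Error(`unknown service(s): ${unknown.join(", ")}`);
  return {
    version: 1,
    allowed: [...new Set(allowedServices)].sort(), // chosen per service, never pre-selected
    givenAt: now.toISOString(),
    method: "banner",
  };
}

// Services that may be loaded under a record. No record (first visit, or record
// cleared) means nothing non-essential loads: that is the opt-in rule.
function servicesToLoad(record) {
  if (!record || !Array.isArray(record.allowed)) return [];
  return Object.keys(SERVICES).filter((id) => record.allowed.includes(id));
}

// Strings that, assigned to document.cookie one by one, expire a cookie under every
// path/domain combination it may have been set with. A browser only deletes a
// cookie whose path and domain match, so each combination is tried.
function expiredCookieStrings(name, { domains = [], paths = ["/"] } = {}) {
  const expires = "expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const out = [];
  for (const path of paths) {
    out.push(`${name}=; ${expires}; path=${path}`);
    for (const domain of domains) out.push(`${name}=; ${expires}; path=${path}; domain=${domain}`);
  }
  return out;
}

// On revocation: every cookie of a service that was allowed before but is not now.
function cookiesToDelete(oldRecord, newRecord) {
  const before = new Set(servicesToLoad(oldRecord));
  const after = new Set(servicesToLoad(newRecord));
  const names = [];
  for (const id of before) if (!after.has(id)) names.push(...SERVICES[id].cookies);
  return names;
}

// Browser glue. Call applyConsent on page load with the stored record and again
// after the banner is submitted; call revoke from the "change consent" link that
// the privacy policy is required to offer.
function applyConsent(doc, record) {
  for (const id of servicesToLoad(record)) {
    if (doc.querySelector(`script[data-consent-service="${id}"]`)) continue; // load once
    const s = doc.createElement("script");
    s.src = SERVICES[id].src;
    s.async = true;
    s.dataset.consentService = id;
    doc.head.appendChild(s);
  }
}

function revoke(doc, oldRecord, newRecord, domains) {
  for (const name of cookiesToDelete(oldRecord, newRecord)) {
    for (const c of expiredCookieStrings(name, { domains })) doc.cookie = c;
  }
  // Limitation: JavaScript cannot expire HttpOnly cookies or cookies owned by a
  // third-party origin (e.g. set by an embedded iframe); those must be handled
  // server-side or by never loading the service in the first place. Scripts that
  // already ran keep running until the next page load, so reload afterwards.
  doc.defaultView.localStorage.setItem(CONSENT_KEY, JSON.stringify(newRecord));
  doc.defaultView.location.reload();
}
```

The cookie names a real service sets have to be looked up in that service's documentation; the registry above is where the "all legal and technical information per cookie" the article asks for would live.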

A point of criticism of this WordPress plugin may be that consent is not documented. There is also no legal obligation to do so. However, the GDPR (put simply) provides for a reversal of the burden of proof (with an explicit exception in EU law). This means that if one of your users questions his or her consent to non-essential cookies, you as the website operator are obliged to prove when, how and to what he or she has given consent. With this free solution, you carry a risk in case of this event.

Further features such as multi-language plugin support, detection of bots or a live preview of the cookie banner when customizing it, should not be expected from a free solution like this.

Cookie Notice for GDPR & CCPA is thus an opt-in cookie banner solution for very small websites. As soon as you want to set more than one non-essential cookie, it becomes difficult with legal compliance. However, there are a lot of small non-commercial blogs that have no budget for a premium WordPress plugin. For exactly this target group, the plugin should cover just about what is absolutely necessary in terms of cookies.

Advantages

  • Completely free of charge!
  • Most popular free solution for WordPress
  • Simplicity ensures easier handling than with premium plugins
  • Easy to use for website operators and visitors
  • Revocation of consent possible via shortcode

Disadvantages

  • Only recommended for very small websites or blogs
  • Visually hardly customizable
  • A lot of manual work required for setup
  • No cookie groups
  • From two non-essential cookies onwards legally insecure
  • Content or script blocker not integrated
  • No documentation of consent
  • No support from the developer

All other cookie plugins for WordPress

In addition to the three cookie banner plugins discussed in more detail above, I know of 13 other cookie plugins at the time of writing this article. You can download them from the official plugin directory on wordpress.org. However, I do not want to recommend these plugins for various reasons. For the completeness I list them below and explain briefly why I cannot recommend these WordPress plugins:


  • GDPR Cookie Compliance: Many settings in a confusing interface, but unfortunately you can only distinguish between essential cookies, third-party cookies and additional cookies. The user of the website is not given the opportunity to decide about each cookie individually. This should not be compatible with applicable law in the EU or Germany (where I come from) and should not happen with a paid solution.
  • Cookiebot: The plugin is in general an excellent solution, but it only works with a connection to its cloud service, which results in a permanent dependency. The price of 108 € to 444 € per year and website (as of June 2020) is also very expensive.
  • iubenda – Cookie and Consent Solution for the GDPR & ePrivacy: The plugin only integrates the script of the cloud service where the cookie banner is hosted. Accordingly, this results in a high dependency and in case of a failure of the iubenda servers, no consent can be obtained on your website anymore. The pricing model is rather complicated and in case of doubt expensive with an annual fee plus extra costs per website visit above a certain limit.
  • GDPR Cookie Consent Banner: The plugin is a cookie notice with a very simple opt-out option and is therefore no longer compatible with applicable law.
  • GDPR Cookie Consent: In my opinion, the plugin is not legally compliant in its default settings in Germany. The website operator must first readjust the settings on his own. In addition, essential functions such as the documentation of consents are reserved for paying users. The free version therefore does not appear to me in a good light. If you want to have a solution without a big effort of time, you should rather use another plugin.
  • WP DSGVO Tools (GDPR): Powerful plugin that can do much more than just display cookie banners. However, setting up the plugin is not intuitive and seems to be possible only with cookies from services that have been explicitly pre-defined by the plugin. This can quickly become a problem on a not so simple website.
  • Italy Cookie Choices (for EU Cookie Law): The plugin was last maintained about two years ago and is, as the name suggests, more adapted to Italian legal practice. There is no business model behind the plugin, so a long-term maintenance of the WordPress plugin cannot be expected.
  • Smart Cookie Kit: The plugin has a very technical structure. If you are not a software developer, you will have difficulties using the plugin. Furthermore, it is not possible for your visitors to decide which single cookie they want to use, so it should not be legally compliant.
  • Cookii – Free GDPR Cookie Consent: Besides a very limited customizability, this plugin only allows you to manage Google Analytics, Facebook pixels and two own cookies. After that it’s over, which might not be enough for most websites.
  • Surbma | GDPR Proof Cookie Consent & Notice Bar: The plugin comes with a nice interface, but it doesn’t allow your users to interact with individual cookies. Despite a good approach it is therefore not recommended from a legal perspective.
  • GDPR Cookie Consent by Supsystic: The WordPress plugin looks nice at first glance, but does not meet the legal requirement that users can choose in fine granularity which cookie they want to consent to.
  • WordPress GDPR Cookie Compliance: A plugin that tries to implement a lot of things, but has only half solved everything. It is possible to obtain consent, but the user cannot decide per cookie and all cookie information should be written out on a subpage you have to design. The developers were creative here to save work. But this does not seem to be legally compliant.
  • LuckyWP Cookie Notice (GDPR): The plugin offers an opt-in cookie banner for exactly one cookie and the corresponding script. If you want to have more, you have to take care of it yourself. This is unfortunately not more than a good starting point for web developers to create their own cookie banner.

Types of cookie banners

All recommended cookie banner plugins I just introduced to you are so-called opt-in cookie banners. In the EU (and Germany), only opt-in cookie banners are allowed according to current law – why this is so, I’ll explain below in the legal foundations.

If you start looking for the perfect cookie banner for your needs, you will also find plugins and services that offer other types of cookie banners. Some of them falsely claim to be legally compliant because they were implemented according to outdated legal requirements or simply use the statement for marketing purposes without considering the legal situation.

That’s why I explain to you which types of cookie banners there are, so that you can distinguish them yourself. This is important so that you don’t use a cookie banner by mistake, which could put you in legal trouble.

It should be noted that some WordPress plugins or services technically set multiple cookies or cookie-like data. For the purpose of simplicity, I will call all cookies of a service together as one cookie in the following.

Opt-in cookie banner

Cookie banners that ask for the explicit consent of your visitors whether cookies may be set are called opt-in cookie banners. This type of cookie banner ensures that your visitors are presented with a dialog or banner the first time they visit your website, in which they can select which cookies may be set. The important thing is that the user must be free to choose which cookies they want to allow and each cookie can be rejected individually. The cookie banner must not pre-select cookies and thus patronize your visitors. This is explicitly prohibited by law. However, what has not been finally clarified legally and is therefore usually used is a button or link that allows the user to agree to all cookies with just one click.

The opt-in cookie banner ensures that cookies are only set after consent has been given. This also means that services such as Google Analytics can only be integrated after the user has explicitly agreed to them.

Opt-out cookie banner

The opposite model to opt-in cookie banners are the opt-out cookie banners, as the name already suggests. With this type of cookie banners, cookies are set first. However, the user of your website must be given the opportunity to disagree immediately after entering your website. Typically, these solutions display a “Do Not Sell My Personal Information” link at the bottom of the screen. If the user contradicts, all cookies must be deleted and the use of the corresponding plugins and services must be prevented.

This type of cookie banner is required by the California Consumer Privacy Act (CCPA), but not by EU law. This law is intended to protect California residents in the United States. Consequently, this type of cookie banner is only relevant for websites targeting the US market. At the same time, the more restrictive opt-in cookie banner from the EU should also meet the requirements of the CCPA.

Cookie notice

At the time this article is written, simple notices about the use of cookies are still very common. So even large publishers in Germany still write texts like:

“We use cookies to provide you with the best possible user experience. You agree to the use of cookies and to our privacy policy”.

For a long time many websites, especially in Germany, had such references on their website. In addition, there were instructions spread throughout the privacy policy on how the user could disagree with the use of certain cookies – a very user-unfriendly implementation of the opt-out procedure. In the opinion of many, this fulfilled the requirements of German law. In most cases, however, the data protection declarations did not explain for all cookies how to disagree with them, so that only a cookie notice was on the website. In the meantime, however, it has been clarified by the highest court that such references are not permitted in the EU and not in Germany either. I will explain more about this in the section legal foundations.

Cookie groups: Which cookies exist and which cookies require consent?

In the comparison of the best cookie plugins, cookie groups have been discussed several times. This raises the question of what cookie groups there should be and how cookies should be separated from each other in terms of their function.

As a matter of principle, there is no legal requirement as to which groups cookies should be divided into. In fact, the question of whether cookie groups are legally allowed has not yet been finally clarified in the EU. Currently, however, it can be assumed that they will be permitted or even recommended – more on this in the legal foundations. The only distinction that must be made for legal reasons is between essential cookies and all other cookies. What the difference is, I will explain to you in a moment.

Accordingly, most WordPress cookie plugins divide the cookies into different groups according to their function or use. Most plugins also allow you to create your own groups. Which cookies belong to which group is also a question that every website owner has to answer on their own. Depending on the use of a service, plugin or integration of external media, the answer may vary.

In the following, I would like to show you, based on a typical division of cookies into four groups with examples, which cookies belong to which group in my legal opinion.

Essential cookies

In the legal sense, cookies that are technically absolutely necessary for the operation of the website must be distinguished from all other cookies. These cookies are usually called essential cookies and they are the only type of cookies that may be placed on your visitors’ computers without their explicit consent. You must nevertheless explain their function in your privacy policy (or the cookie banner).

It is important to answer the question correctly, what are technically essential cookies. Often, cookies that are considered to be essential from an organizational point of view are equated by website operators as technically essential cookies. This can have fatal consequences, since consent is required to set these cookies. But what is the difference? You should always ask yourself whether the basic functionality of your website can no longer be maintained if a cookie cannot be set. This explicitly does not mean whether, for example, you need a tool to generate revenue so that the website can earn its costs. It only refers to cookies that are indispensable from the perspective of your visitors.

This sounds very abstract, which is why I would like to give you some examples to answer this question:


  • Example for essential cookie: In an online shop the shopping cart cookie or in a member area the login status cookie can be considered essential. In both cases, without the cookie, the functionality of the website would be fundamentally affected, as the visitor would not be able to add products to his or her shopping cart or access the member area.
  • Example of a controversial cookie: Google Fonts is a service that allows beautiful fonts to be displayed on websites even if they are not installed on the user’s computer or mobile device. Google collects data from this service and sometimes sets cookies. Practically everyone would probably agree that these cookies are essential, because a website looks completely different with a standard font than with a nice and matching font. Legally speaking, however, the user of your website has no functional restrictions if the website looks less pretty. In addition, as the operator of the website you have the technical possibility to deliver fonts from your own server and therefore not to transmit data to Google. As a result of these arguments, it is legally disputed whether services such as Google Fonts can be regarded as essential. At the time I am writing this article, there is no highest court decision yet. If you want to be on the safe side, you should rather classify such cookies as non-essential.
  • Example of a non-essential cookie: You want to embed Google Analytics on your website to track users and thus increase the quality and/or sales of your website. Your website would work exactly the same way without this service and its cookies. Whether you could improve your website in the long run is not important for the legal consideration.

Statistics cookies

Non-essential cookies, such as statistics cookies, are easier to classify than essential cookies. This group includes all services that record data about the behaviour of your visitors, as long as the data ultimately only shows how a group of users or all users together have behaved. It is important to note that the contents of your website must not be personalised for the user based on the user’s behaviour, as this is no longer purely for statistical reasons.

Example of statistical cookies: Google Analytics, Matomo or Clicky are tools that comprehensively record the behaviour of your visitors and can be evaluated in aggregated form.

Marketing cookies

There are a variety of services that allow you to collect and analyze data about individual users. The analysis of the collected data can lead to you treating a user differently, displaying different content or spending different amounts of money on third party websites to display advertisements for your website. With this group of cookies, the data could, but does not have to, be evaluated in monetary value.

Example for marketing cookies: Google Ads or Facebook Ads offer to install trackers on your website, which monitor the success of your advertising campaign. The data collected decides which users receive advertising and can also decide how much you spend to ensure that a user sees your advertising. In the same way, Hotjar is a heatmap recorder in the field of marketing. You do not use the collected data to place advertisements, but you can view a recording of all clicks of each user and use the knowledge gained to optimize your website, for example to achieve more sales.

External media and other cookies

Finally, many cookie banner plugins combine cookies that load unspecified external media. External media usually enhance the content of your website. If they were missing, users could still use your website without being restricted.

Example: YouTube, Vimeo or Twitch, from which you embed videos as iframe directly into your website and which are immediately loaded by the services.

Legal foundations: Does every WordPress website need an opt-in cookie banner (as a plugin)?

Now that you have learned about many solutions and can differentiate between cookie banner types and cookie groups, you will certainly ask yourself:

“Why are opt-in cookie banners needed? And does my WordPress website also need a cookie banner?”

Short answer: Since October 2019 it is finally clear in the EU that opt-in cookie banners are mandatory for all non-essential cookies. This also applies to your WordPress website, because you need permission for almost all cookies.

Therefore I would like to explain in the following, as simple and practical as possible, why opt-in cookie banners are mandatory for websites. We will take a look at all legally relevant decisions (from a German perspective) and also take a look at what laws are likely to regulate cookies in the future.

§ 15 (3) TMG, German law (before 2009)

Until 2009, the legal situation regarding the use of cookies in Germany was rather unclear. Some will have § 15 (3) TMG as the German solution to the cookie question in the back of their minds. The paragraph assumes that consent is automatically granted if the user does not disagree (opt-out procedure). It was disputed what the opt-out procedure should look like. For example, there were and are many cookie notices on German websites where you can only give your consent. How to revoke your consent per service or cookie used had to be explained in the privacy policy of the website. In practice, this was rarely done with sufficient clarity.

ePrivacy Directive, also called Cookie Directive (2009)

The ePrivacy Directive, formally Directive 2009/136/EC, passed in 2009, was meant to provide clarity. It became known as the “Cookie Directive” because it regulates for the first time at EU level that cookies which are not technically essential must be set in an opt-in procedure.

However, an EU directive is not the same as a law. Directives must be transposed into national law. In Germany, however, the directive has never been implemented. This created a grey area, as the EU said that opt-in was mandatory, but national laws like in Germany contradicted this.

EU-DSGVO (May 2018)

Many people expected the introduction of the EU DSGVO to provide this legal clarity. Recital 30 of the EU DSGVO, however, only states that cookies can be personal data. This is important for the regulation, as the DSGVO primarily regulates the handling of personal data. Cookies may therefore also fall under the rules of the EU DSGVO.

However, the EU DSGVO does not explicitly regulate how cookies are to be handled in general. This should be regulated by the ePrivacy Regulation (not to be mixed up with the ePrivacy Directive), which should originally be introduced with or shortly after the EU DSGVO. However, this project failed due to the political discussion process.

ECJ judgment (October 2019)

On 1 October 2019 the ECJ clarified in case C-673/17 (Planet49) that the German special way of an opt-out procedure is not in line with the ePrivacy Directive.

The court thus made it clear that cookies which are not strictly technically necessary may only be set after explicit consent, i.e. via the so-called opt-in procedure. The judges also derived from Directive 95/46/EC that no pre-selection on the user's behalf is allowed: checkboxes pre-ticked to consent to all cookies are not valid consent. What the case did not clarify is whether an “I accept all cookies” button that is visually more prominent than an “Accept only essential cookies” button complies with the applicable law. That is why this kind of presentation is still offered, and even recommended, by many WordPress opt-in cookie banner plugins.

BGH judgement (May 2020)

The judgment of the European Court of Justice in October 2019 was issued on a referral from the BGH (Bundesgerichtshof, the highest German civil court). The case then returned to the BGH, which had to apply the ECJ's interpretation to German law.

On 28 May 2020 the BGH interpreted § 15 (3) TMG for Germany (case no. I ZR 7/16, Cookie Consent II) in a way that conforms to the ePrivacy Directive: the wording, translated into English, “unless the user objects” is to be read as “unless the user consents”. Since then it has been clear that non-essential cookies in Germany require explicit consent (opt-in procedure). The same applies in the other EU countries because of the ECJ judgment.

ePrivacy Regulation (expected 2021/2022)

The ePrivacy Regulation (ePVO) mentioned above is intended to finally regulate the handling of cookies uniformly across the EU. Unlike a directive, a regulation does not have to be transposed into national law first; it applies directly in all EU member states.

As of June 2020, the ePrivacy Regulation is expected to apply from 2021 or 2022.

May cookies be combined in groups?

Many opt-in WordPress cookie plugins group cookies together. Whether this is permissible is controversial and has not yet been decided in court.

The FAQ of the State Data Protection Commissioner of Baden-Württemberg, Germany, recommends combining cookies into groups, provided that every cookie in a group is also described individually and can be selected or deselected individually. The British data protection authority ICO, on the other hand, considers grouping incompatible with the ePrivacy Directive in its report. The ePrivacy Regulation may bring clarity here in a few years.

Legal consequences when using cookies without consent

If non-essential cookies are set without prior consent, this violates the ePrivacy Directive. If the data collected is personal data, it may also violate the EU DSGVO. Both can lead to a cease-and-desist warning (Abmahnung) or a fine. The Federation of German Consumer Organisations (VZBV) has already issued such warnings (with small fees).

So there is a real risk of being warned in the EU for lacking an opt-in cookie banner. Given the large number of websites that still violate the directive or the law, not every website operator will receive a warning immediately. But the likelihood of a warning or fine should increase over time, and with it the need to act.

Which cookies does a WordPress website use?

WordPress websites usually run a lot of plugins and an additionally installed theme, each of which can store its own cookies or cookie-like information. The question therefore cannot be answered in general; every website operator has to find out for his own site. Cookie scanners can help, but only some of the WordPress opt-in cookie banner plugins include one. Below I therefore show how this works independently of your plugin.

What can be answered is which cookies the WordPress CMS itself sets without themes and plugins. This is described in detail in the support area on WordPress.org. Two types of users have to be distinguished, because different cookies are set for them.

Logged in users:

  • wordpress_[hash]: Authentication details of the logged-in user, stored as a hash
  • wordpress_logged_in_[hash]: Login status and the user ID
  • wp-settings-[time]-[UID]: User-related settings for the WordPress backend

Unregistered users:

  • comment_author_[hash]: Name of the commentator
  • comment_author_email_[hash]: Email address of the commentator
  • comment_author_url_[hash]: Website URL of the commentator

The cookies for unregistered users all belong to the WordPress comment function. They are only set once a user has left a comment in the comment area of your WordPress website, so that he does not have to enter his details again if he wants to write another comment.

How do I find all the cookies that my website sets?

This question is again not easy to answer. Many cookies are set on the first visit, for example when Google Analytics is embedded in the website. Other scripts are only loaded on certain sub-pages and set their cookies there; the Jetpack plugin, for instance, only loads its comment function where a comment area is visible on the sub-page. Finally, some cookies are only set after a particular interaction with the website, such as the cookies of the standard WordPress comment system from the previous section.

Furthermore, technically speaking, not all cookies are the same. Legally, the term “cookie” refers to HTTP cookies, but the applicable rules cover cookie-like information stored on the user's device in the same way. Technically there are several ways to store such information; the most common are:

  • HTTP Cookie: Classic cookie, set by the server or by JavaScript and sent back to the server with every request to the matching domain and path.
  • Local Storage: Key/value store in the browser, similar to cookies, but never sent to the server automatically; readable only by JavaScript from the same origin.
  • Session Storage: Same as Local Storage, but limited to the browser tab in which it was set and cleared when that tab is closed.
  • Pixel Tracker: A (mostly invisible) image whose request URL and headers let the provider identify the user, with or without a cookie.
  • Flash Local Shared Object: Storage of user information inside Flash files (rarely used any more).
  • IndexedDB: Database in the browser for larger amounts of structured data (still rarely used for tracking).

As if that were not complex enough, the visibility of cookies and cookie-like information is restricted when they are set. A cookie set for devowl.io, for example, is only sent to servers under devowl.io and, unless it is marked HttpOnly, only readable by scripts running in a devowl.io page. This is necessary to prevent a third website (a so-called third party) from, for example, reading the active login to your WordPress backend, which is stored in a cookie, and forwarding it via its own server to the operator of that third website. Tools that search for your cookies must therefore be able to read all cookies, including those set by third-party domains that are embedded in your website (e.g. Google Analytics).

Tools that promise to find the cookies on your website must therefore be reviewed critically. Does the tool crawl all sub-pages of your website? Can it interact with your website to trigger the placement of cookies? Does it read not only HTTP cookies but every kind of cookie-like information? And does it even have the rights to read all cookies set by third parties?

I would like to recommend a tool that does all this automatically, but I don't know of one at the moment. That includes the cookie scanners built into various WordPress plugins that promise to find your cookies; in practice they usually find only part of them.

The best approach is to delete all cookies in your browser, open the developer tools, and then visit every sub-page of your website, using every known way to interact with it. Then open the “Application” tab in Google Chrome or the “Storage” tab in Mozilla Firefox. There you will find all types of cookies and storage, including the third-party domains that have set cookies while you were on your website. Read them manually and transfer them to your cookie banner.
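
Below is an added example (not code from this article or from any of the plugins discussed) of a first-party storage inventory you can paste into the browser console on each sub-page after interacting with it. It parses `document.cookie`, snapshots Local Storage and Session Storage, lists IndexedDB database names where the browser supports `indexedDB.databases()`, and tags each cookie by a small prefix table. The prefix table, the `fakeStorage` helper and the `SAMPLE` data are assumptions constructed for this example so that the pure functions also run in Node; they are not captured from a real site. The limits from the text are visible in what the script cannot see: `document.cookie` omits HttpOnly cookies (WordPress sets its `wordpress_*` and `wordpress_logged_in_*` authentication cookies with HttpOnly) and any cookie a third-party domain has set inside its own iframe.

```javascript
// Added example: first-party storage inventory for a cookie audit.
// Pure functions run in Node; inventoryPage() is the browser entry point.

function parseCookieString(cookieString) {
  // document.cookie looks like "a=1; b=2"; values may themselves contain '='.
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Works for window.localStorage / window.sessionStorage and the fake below.
function snapshotStorage(storage) {
  const out = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out.push({ key, value: storage.getItem(key) });
  }
  return out;
}

// Prefix table maintained by the site operator. These entries are assumptions
// for the example, not a complete list; anything 'unknown' needs research.
const KNOWN = [
  { prefix: 'wordpress_',      setBy: 'WordPress core' },
  { prefix: 'wp-settings-',    setBy: 'WordPress core' },
  { prefix: 'comment_author_', setBy: 'WordPress core (comments)' },
  { prefix: '_ga',             setBy: 'Google Analytics' },
];

function classify(name) {
  const hit = KNOWN.find((k) => name.startsWith(k.prefix));
  return hit ? hit.setBy : 'unknown';
}

function inventory({ cookieString, local, session, indexedDbNames }) {
  return {
    cookies: parseCookieString(cookieString).map((c) => ({ ...c, setBy: classify(c.name) })),
    localStorage: snapshotStorage(local),
    sessionStorage: snapshotStorage(session),
    indexedDb: indexedDbNames.slice(),
  };
}

// Browser entry point; indexedDB.databases() is not available everywhere, so guard it.
async function inventoryPage() {
  const dbs = (typeof indexedDB !== 'undefined' && indexedDB.databases)
    ? (await indexedDB.databases()).map((db) => db.name)
    : [];
  return inventory({
    cookieString: document.cookie,
    local: window.localStorage,
    session: window.sessionStorage,
    indexedDbNames: dbs,
  });
}

// Constructed sample (not captured from a real site) so the functions can be run in Node.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}

const SAMPLE = {
  cookieString: 'wp-settings-time-1=1590000000; _ga=GA1.2.123456789.1590000000; comment_author_abc=Jane; xyz_session=a=b',
  local: fakeStorage({ 'wp-theme-mode': 'dark' }),
  session: fakeStorage({}),
  indexedDbNames: [],
};

if (typeof document !== 'undefined') {
  inventoryPage().then((inv) => console.table(inv.cookies));
} else {
  console.table(inventory(SAMPLE).cookies);
}
```

Run it once per sub-page and once more after each interaction (logging in, commenting, playing an embedded video), and merge the results. Cookies that belong to other domains (a YouTube or Facebook iframe, for example) still have to be read from the devtools Application/Storage panel, because page scripts have no access to them.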

I admit, this solution is not optimal. Therefore, we are already working on a tool for this. If you don’t want to miss its release, please subscribe to our newsletter (in the sidebar of this blog article)!

Typical errors when using cookie banner plugins in WordPress websites

You have one of the best opt-in cookie banner plugins installed on your WordPress website. You have also dealt with what cookie groups are. And last but not least you have read cookies from your website. With these extensive preparations: What can still go wrong now? Unfortunately quite a lot!

I have listed the top 10 typical mistakes that are regularly made by less technically skilled owners of WordPress websites:

  1. Cookie banner not activated: Trivial, but it still happens. The cookie banner has been fully set up but is not activated for your visitors. In any case, check in a private window of your browser, as a logged-out user, whether the cookie banner is displayed on your WordPress website.
  2. Cache prevents delivery of the cookie banner: Many WordPress websites use caching plugins to load faster. If the cookie banner plugin does not invalidate the cache properly after changing a setting, this can lead to a situation where the cookie banner is not delivered or only in an outdated version. Be sure you empty the page cache after setting up or changing your cookie banner!
  3. Not all cookies are detected: Above I described how complicated it is to find all cookies and cookie-like information. It's easy to miss one. So check carefully whether you have really collected all cookies in your cookie banner, and if in doubt, don't rely on cookie-scanner tools.
  4. Incorrectly grouped cookies: Even if you have found all cookies, there is no use if you classify non-essential cookies as essential cookies. So, as described above, question very carefully whether a cookie is really essential. In most cases the honest answer is: No.
  5. Cookies or cookie groups are not described correctly: You must not only list the technical names of cookies, but for all cookies you must describe who sets them, for what purpose, how long they remain on your visitor’s computer and where he can find the privacy policy of the provider who sets the cookie. If you use cookie groups, you must also describe what cookies are in the group.
  6. Setting the cookie before consent: Describing all cookies correctly in your cookie banner will not help if the cookies are already set before your visitor consents. So make sure that non-essential scripts are not executed, and their cookies not set, until you have the visitor's consent. Many opt-in cookie banner plugins for WordPress let you specify the HTML and JavaScript of a service so that it is only executed after permission has been given. This is usually safer than letting a separate plugin, for example a Google Analytics integration, inject the script, because that plugin may load it regardless of consent.
  7. Consents not properly documented: A visitor to your website could at any time dispute that he consented to cookies being set on his computer or mobile device. Simply put, under the EU DSGVO the burden of proof is on you, so you have to prove that he gave his consent. Consequently, the consent must be kept in full for approximately the next 5 years, until the statute of limitations for the possible data protection violation has expired. When choosing the cookie banner plugin, make sure that it documents the consent completely, and make regular backups of your website.
  8. No possibility to change your consent: You must give the visitor to your website the opportunity to change his or her consent at any time. So make sure that in the privacy policy or the footer of your website it is possible to view the cookie banner again at any time.
  9. Revocation of consent not possible: In the same way, visitors to your website must be able to revoke their consent to the setting of cookies at any time simply by clicking on a link, for example. Such a link should definitely be placed in your privacy policy!
  10. Cookies not deleted after revocation: If your visitor revokes his or her consent to one or more cookies, you as the website operator are responsible for ensuring that the corresponding scripts are no longer executed for this user from the time of revocation and that the cookies already set are removed from his or her computer. Many opt-in cookie banner plugins for WordPress allow you to run JavaScript on revocation. You should definitely use this possibility!
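
Mistakes 6 and 10 above are two sides of one mechanism, so here is one added example (not code from this article or from any cookie plugin) of how a banner can gate scripts on consent and clean up after revocation. The markup convention, the `SERVICES` registry, its group names and the cookie names listed per group are assumptions for this example: each third-party snippet is embedded inert as `<script type="text/plain" data-consent-group="statistics" src="...">`, and `enforceConsent()` turns only the scripts of consented groups into real ones. For every group without consent it expires the registered cookies on the host and on every parent domain, because a cookie such as `_ga` is typically set with `domain=example.com` and a deletion scoped only to `www.example.com` would miss it. The pure functions run in Node; `enforceConsent()` is browser-only.

```javascript
// Added example: consent-gated script activation and cookie cleanup on revocation.

// Hypothetical registry: which cookies each consent group sets (names assumed).
const SERVICES = [
  { group: 'statistics', cookies: ['_ga', '_gid', '_gat'] },
  { group: 'marketing',  cookies: ['_fbp'] },
];

const EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT';

// Every suffix of the host with at least two labels: www.blog.example.com ->
// www.blog.example.com, blog.example.com, example.com. A browser simply
// rejects a domain attribute it considers too broad, so over-generating is harmless.
function domainCandidates(hostname) {
  const parts = hostname.split('.');
  const out = [];
  for (let i = 0; i <= parts.length - 2; i++) {
    out.push(parts.slice(i).join('.'));
  }
  return out;
}

// Strings to assign to document.cookie so the browser drops the host-only
// variant and each parent-domain variant of the cookie (path=/ is assumed).
function expireCookieStrings(name, hostname) {
  const base = `${name}=; expires=${EPOCH}; path=/`;
  return [base, ...domainCandidates(hostname).map((d) => `${base}; domain=${d}`)];
}

// For a consent state like { statistics: true, marketing: false }, decide which
// groups may run and which cookie deletions to perform. Anything not explicitly
// true is treated as not consented, so a fresh or revoked state cleans up.
function applyConsent(consent, services, hostname) {
  const activate = [];
  const expire = [];
  for (const svc of services) {
    if (consent[svc.group] === true) {
      activate.push(svc.group);
    } else {
      for (const name of svc.cookies) expire.push(...expireCookieStrings(name, hostname));
    }
  }
  return { activate, expire };
}

// Browser side: call this after the visitor accepts, changes or revokes consent.
function enforceConsent(consent, services = SERVICES) {
  const { activate, expire } = applyConsent(consent, services, location.hostname);
  for (const str of expire) document.cookie = str;
  document
    .querySelectorAll('script[type="text/plain"][data-consent-group]')
    .forEach((inert) => {
      if (!activate.includes(inert.dataset.consentGroup) || inert.dataset.activated) return;
      const live = document.createElement('script');
      if (inert.src) live.src = inert.src; else live.text = inert.text;
      inert.dataset.activated = '1';   // never activate the same snippet twice
      inert.after(live);
    });
}

// Node-side illustration with a constructed consent state and hostname.
console.log(applyConsent({ statistics: true, marketing: false }, SERVICES, 'www.example.com'));
```

Two caveats a practitioner should keep in mind: JavaScript cannot remove HttpOnly cookies or cookies belonging to a third-party domain, so those have to be expired by the server that set them, and a script that has already executed in the current page keeps its globals until the page is reloaded. Revocation therefore stops the script on the next page load and deletes its cookies now; if the service keeps a live connection, reload the page after cleanup.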

You should definitely avoid making the same mistakes. Otherwise, the huge effort you put into setting up an opt-in cookie banner on your website may be wasted.

If you need help setting up your cookie banner, please open a support ticket with us and we will make you an individual offer to set up the opt-in cookie banner on your WordPress website.

Conclusion: Opt-in cookie banners are mandatory for almost every website

In this article we not only looked at the best opt-in cookie banner plugins for WordPress, but also covered a number of underlying questions. If you have read the whole article, you now know which kinds of cookie banners exist, what cookie groups are and how to assign cookies to them, whether and on which legal basis a cookie banner has to be displayed on your WordPress website, how to find out which cookies your website sets, and the typical mistakes made when using a cookie banner plugin. Avoid those mistakes in any case, because otherwise all your efforts to use a cookie banner will achieve nothing!

In summary, I can say that it is very difficult, especially for customer projects where you build WordPress websites as contract work, to build a website that sets no cookies. If your website is aimed at users from the EU, then under the current legal situation you have to obtain your visitors' consent for most cookies. An opt-in cookie banner is then mandatory for your WordPress website!

I personally use the Borlabs Cookie WordPress plugin for my websites. It offers the most features for a reasonable price, complies with many legal requirements and is currently the plugin I can recommend best.
