Are you wondering how to make your WordPress website legally compliant for the EU market or are you unsure whether you need an opt-in cookie banner plugins? Then you are in the right place! In this article I will not only introduce you to the currently three best cookie plugins for WordPress, but we will also take a look at all common types of cookie banners. Through the legal foundations and explanations of current judgements, which clearly show the legal situation, you will learn why not every cookie plugin is suitable for your website. You will also find out if you need a cookie banner plugin for your WordPress website at all. So there is a lot to know to make your website GDPR and ePrivacy compliant regarding cookies. After you read this article, many questions will be clearer for you!
In the following, I will show you the best opt-in cookie plugins for WordPress to meet the current legal regulations of the ePrivacy directive and the GDPR as far as possible. I have tested 17 WordPress plugins and would like to introduce the three best plugin to you here. Please note that I only present those plugins here that run directly in your WordPress installation and are not dependent on a cloud of the manufacturer. Thus, you avoid unnecessary further legal conflicts and you are more independent.
Real Cookie Banner is currently clearly the best opt-in cookie plugin for WordPress that you can use for your website. For little money you get everything you need to set cookies safely and document consent.
Real Cookie Banner offers you a comprehensive cookie and content management system that allows you to get informed consent to set cookies according to the ePrivacy Directive. In the cookie banner on your website, visitors can choose to accept all cookies, only certain cookie groups or each cookie individually. This makes the cookie banner ideal for privacy lovers as well as for normal users who just want to accept cookies. It also automatically detects if the user has set a “Do Not Track” header, indicating that as few cookies as possible should be set. Real Cookie Banner can realize this wish automatically. In addition, you can use the geo-restriction feature to decide per country if the cookie banner should be displayed. Thus, you avoid an unnecessary distraction from your content! For example, you can decide not to display the cookie banner for users from outside the EU.
As a website operator you will especially enjoy the flexible layout of the cookie banner. The WordPress plugin itself as well as the numerous templates are available in both English and German. Real Cookie Banner also works in multilingual websites with WPML, Polylang, TranslatePress and Weglot because we have built explicit integrations for these plugins. With more than 200 settings, you can design the cookie banner so that it fits perfectly into your website. Unlike many other cookie banners, Real Cookie Banner automatically warns you in case of design violations (e.g. too little contrast between button color and button font color). Every change is shown in a live preview, so you can create your perfect cookie banner in just a few minutes. In addition, the 20+ design presets are very handy, so you don’t have to start from scratch. In case you change something in your cookie banner, it will automatically notify you when new consent is required.
Another detail Real Cookie Banner has paid attention to are adblockers. They block more and more cookie banners, so the website operator can no longer set non-essential cookies for these users. This means no Google Analytics, YouTube, etc. But not with this plugin, because the integrated anti-ad-blocker system effectively prevents your cookie banner from being blocked in most of the cases.
Cookies are stored in groups in Real Cookie Banner. As a website operator, you will find four common cookie groups with descriptive texts after installation. Creating cookies is just as easy. You can select cookies for well-known services like Google Analytics from over 100 templates. All legal and technical information is already filled out for you in the templates. If you use a service for which there is no template, you have two options: Either you request a free service template from our cookie experts, or you create one on your own. Real Cookie Banner takes you by the hand and carefully guides you through the requirements of the law with lots of descriptive text and explanations of the current legal situation. Each cookie (service) can also execute its own HTML/JavaSctipt code when consent is given or consent is revoked. This allows you to load services at the right time and remove cookies in accordance with the legal requirements. The Real Cookie Banner plugin even removes cookies automatically for you on opt-out.
If you are a website owner of multiple websites, you should definitely take a look at the Consent Forwarding feature. This feature allows you to forward visitor consents and thus avoid multiple consents from one visitor on multiple websites of your company (for WordPress multisites or multiple WordPress installations; forwarding as one-way sync or two-way sync of consents).
Another benefit is that consents are processed and stored exclusively on your server. Therefore, nothing is downloaded from the cloud in the browser of your visitors.
Besides cookies, there are also so-called Content Blockers, which are associated with one or more services. For example, if you embed a YouTube video in an article or a WordPress plugin automatically loads Google Maps, personal data would be transmitted and cookies would be set when you visit the website. However, you first need the consent of the visitor to do so. Real Cookie Banner automatically replaces this content with Content Blockers, which ask your visitor for consent if it has not already given it. With 60+ templates, it’s once again super easy to set up – and you can even create your own Content Blockers in a few minutes thanks to the simple structure.
Speaking of setup: After installing Real Cookie Banner, the WordPress plugin welcomes you with a checklist of all tasks to set up your cookie banner in a legally compliant way. This takes away many of the questions in your mind.
On top, Real Cookie Banner supports the widely used standard TCF 2.0 and newer. TCF (Transparency and Consent Framework) is a standard of the European digital marketing industry association IAB Europe. It allows standardized consent to be obtained.
At least as well-thought-out is the documentation of consent in Real Cookie Banner. The WordPress plugin not only documents which cookies the visitor has agreed to. As one of the few plugins it also provides a documentation of consents including all cookie groups, cookies, content blockers, settings and design preferences. This allows you to show exactly how the cookie banner looked and behaved at the time of consent in case of a dispute. You can even display the cookie banner in your browser as the user saw it at the time of consent. This way, you can invalidate false accusation of a data protection violation.
Once granted, consent can also be viewed, changed and revoked by your visitors at any time in the privacy policy. To do this, simply insert shortcodes into your privacy policy, and you are legally compliant.
Last but not least, we take a look at a real gem of our Real Cookie Banner: the Scanner. This feature automatically finds used services on your website that are relevant for the setup of your cookie banner by crawling the corresponding sitemap with all subpages. We can confirm from experience that this will save you a lot of time and nerves! However, a service scanner is not an ultimate solution, because there are cases in which our scanner cannot find all services (such a thing is simply impossible). Nevertheless, this feature is an enormous help that you should not skip when use Real Cookie Banner.
At this point I could tell you a lot more about Real Cookie Banner, like the age rating to fulfill youth protection requirements, obtaining consent for data processing in the USA, statistics about consent of visits or the support for Google Tag Manager and Matomo Tag Manager. Real Cookie Banner is almost a legendary wool milk sow for obtaining consent for cookies. And at the same time very clear and easy to use.
The price of 49 € per year and website (there are discounts for multiple websites) is almost too cheap for what you are offered. In addition, you can try the free version and test without any risk whether you get along with the plugin.
Advantages
- Fair price-performance ratio
- A checklist of all tasks to set up your cookie banner in a legally compliant way
- Integrated service scanner
- Fully translated into German and English
- Technical specifications of HTTP cookies and cookie-like information
- Execution of opt-in and opt-out HTML/JavaScript code
- Content blocker to block external content and plugins before consenting to cookies
- Blocks already integrated elements by a theme, plugins or content
- Individual design with 200+ settings and around 20+ design templates
- Live preview of all design changes
- Shortcodes make it easy to change and revoke consent
- Complete documentation of consents
- Guided configuration after installation
- Age information for the fulfillment of youth protection requirements according to GDPR
- Obtaining consent for data processing in the USA
- Geo-Restriction to specify in which countries the cookie banner should be displayed
- Consent Forwarding feature to avoid multiple consents from one visitor on multiple websites
- TCF 2.0+ compatibility
- Support for Google Tag Manager and Matomo Tag Manager
- WPML/Polylang/TranslatePress/Weglot and WordPress Mulisite Support
- PageSpeed Insights optimized
- Automatic flushing of all known page caches (No more outdated caches, yeah!)
Disadvantages
- Plugin converts legal requirements meticulously exactly, whereby the setup can take at least one hour
Borlabs Cookie is another good opt-in cookie plugin for WordPress that you can use for your website. And at a fair price.
Borlabs Cookie is primarily known for its comprehensive range of features. It works for (normal) WordPress installations as well as on multisite WordPress installations. The plugin recognizes bots as well as users with the “Do Not Track” header and treats this kind of users according to the applicable law and their wishes. The only thing that does not exist is a recognition if a user is from the EU – non-EU users usually do not need a cookie banner. However, this will only be interesting for a few websites that address an international audience.
The heart of the plugin is its flexible layout of the WordPress cookie banner or dialog. With about 100 settings you can fine-tune how the banner should look like on your website. This leaves little to be desired. And if you still have wishes, you can solve this with CSS, which is delivered directly with the cookie banner. However, you can’t see a live preview of the cookie banner while editing, so we had to press the F5 button about 500 times when we set up Borlabs Cookie on our website. This was annoying and here Real Cookie Banner found a much better solution.
Cookies can be divided into cookie groups using Borlabs Cookie. You can enter the cookies by yourself manually. Here you can enter most of the legally and technically necessary information. Using HTML and JavaScript, which you have to write yourself, you can integrate Google Analytics, for example, at the time of consent and remove it from your website if you revokes his consent.Here the plugin requires a certain amount of informational knowledge, since not all cookies are automatically deleted when you revoke your consent. Once you have overcome this hurdle, the plugin offers you all relevant features. There is no automatic recognition of cookies, but there are templates for nine known services and plugins.
If the user does not give his consent to include YouTube videos and their cookies, for example, they cannot be loaded. Borlabs Cookie also takes care of this. It automatically replaces the elements and instead displays again asking for consent. This is cleverly solved!
You can also block scripts of WordPress plugins that should not be loaded. But this feature is only for professionals and even then the behavior is difficult to understand. At this point, Real Cookie Banner has again found a much more intuitive solution for the same problem.
Users of your website can give their consent to all cookies, only essential cookies, single cookie groups or even single cookies. With this the plugin should meet the legal requirements. Borlabs stores consents in a simple way, which should serve the purpose. Borlabs stores cookie consents in a simple form, which should serve the purpose. In case of conflict, however, data such as the appearance of the cookie banner or its text at the time of consent is missing because Borlabs Cookie does not archive this information. In addition, links can be placed via shortcodes to change or revoke consent, e.g. in the privacy policy. In this way you also meet the legal requirements fron the GDPR.
Common multi-language plugins like WPML or Polylang support Borlabs Cookie. But there is one drawback for website operators with multiple languages: You have to maintain all settings, cookies, content and script blockers for each language individually. This takes a lot of time during the initial setup and the reason for an easier implementation is not really understandable.
You should also be careful with the cookie and content blocker templates in Borlabs Cookie. There aren’t many templates, so you’ll have to research many of the legal and technical details yourself anyway. However, even if there are templates, you should not blindly rely on them, because e.g. the Google Tag Manager template simply contain wrong cookies. Here the developer of the plugin obviously mixes up Google Tag Manager and Google Analytics. A certain amount of technical and legal expertise is expected from you in order to make the right decisions.
The same applies to instructions in the knowledge base of the manufacturer. For example, Borlabs describes how Google Tag Manager can be used with Borlabs Cookie. The tutorial explains how to load Google Tag Manager before consenting. According to the common opinion of lawyers, this is no longer in compliance with applicable law. Nevertheless, the manufacturer points out in this knowledge base article that it would advise against using the two tools together. However, he does not offer a solution.
All in all, with Borlabs Cookie you get a functionally good solution, with which you have all the tools at hand with informatics and legal knowledge to set up the cookie banner correctly. To set it up correctly, however, you have to do it yourself with very little help from the manufacturer. The price of 39 € per website and year (if you have many websites, there is a discount) seems to be fair! There is no free version, so you should make sure that you will be able to use the plugin before you buy it. But at least you can save a few bucks with a coupon for Borlabs Cookie.
Advantages
- Fair price-performance ratio
- Detects bots and “Do Not Track” headers
- Fine granular customizing of the layout in about 100 settings
- Legal and technical information per cookie can be stored
- Content and script blocker meets the legal requirements with link to the cookies
- Cookie banner should meet legal requirements if set up correctly
- Consents are documented in a simple form
- Shortcodes make it easy to change and revoke consent
- WordPress multisite support
Disadvantages
- Legal and informatics expertise required for correct setup
- No differentiation between EU and third country users possible
- Customizer of the banner without live preview
- Cookies must be entered manually
- Cookies are not completely removed automatically after revoking the consent
- Script blocker even for professionals difficult to use
- Cookie and content blocker templates with false information and misleading articles in the manufacturer’s knowledge base
- Documentation of consent may not be sufficient in case of dispute
- With multi-language plugins, settings, cookies, etc. must be managed separately for each language
Complianz
Another great solution is Complianz. The cookie plugin is available for several jurisdictions. It brings a lot of features – almost too many. The price is a bit higher, but still reasonable for the functionality.
Complianz welcomes the website operator with a setup wizard. This wizard first asks which legal area the website is in. In addition to the GDPR, the plugin can also implement rules of the PECR (United Kingdom), CCPA (USA) or PIPEDA (Canada). In addition to cookies, the WordPress cookie banner plugin will also generate cookie guidelines for you as part of the privacy policy.
You can adjust the appearance of your cookie banner with about 25 settings. What at first sounds like a lot, turns out to be a limitation in practice. We could not customize the opt-in cookie banner to fit completely into the corporate design of our website.
The plugin has an integrated cookie scanner. It automatically recognizes cookies on your website and compares them with a database. This allows to automatically recognize common services. Even though Complianz uses an efficient solution for the cookie scanner, it points out in the documentation for cookie scan results that so-called third party cookies are not recognized with the chosen solution. For example, a self-built integration of Google Analytics could not be recognized. Therefore, you should check the results by hand in any case. What works well is that cookies are grouped together. Your users can only agree to whole groups, but not to single cookies, which is legally questionable.
Integrations with common services like YouTube, Vimeo or Google Maps simplify the work with the cookie banner. The cookie banner automatically recognizes when such a service is used and blocks it if the user has not agreed to the cookies of the service. The same applies to JavaScript files added by plugins. They can also be blocked relatively easily for the underlying complexity if no consent has been given.
It is easy for your users to consent. One click and the decision is made. In the background, Complianz documents the consent and many settings of the cookie banner. This enables you, as the website operator, to prove in case of doubt that one of your users has consented to cookies, and when as well as how.
Complianz also offers many other features such as A/-B testing, recognition of EU users or support for multi-language plugins. However, this amount of features is almost overwhelming for a webmaster, because the plugin’s interface in the WordPress backend does not look very clean. So it took me some minutes until I found the cookies stored in the plugin in a submenu item as a hidden second step of a wizard. This is a pity, because there is so much under the hood that many website operators will probably never discover…
To sum up: With Complianz you get one of the probably most powerful opt-in cookie banner plugins for WordPress. But you also get an additional complexity of its own, which you first have to manage. For hobby bloggers, I think the plugin is too complex. The price of 49,00 € per website and year seems almost small for what is offered. And a free version with limited functions is available.
Advantages
- Setup wizard that guides website operators
- In addition to the EU-GDPR, designed for other laws
- Cookie policy generator included
- Cookie scanner for the automatic insertion of cookies
- Content and script blocker with relatively easy handling
- Distinction between EU and third country users possible
- Consents are fully documented
- A/B Testing Support
- WordPress multisite support
Disadvantages
- Customizer of the banner without live preview
- Cookie scanner does not find all cookies
- Customizing of the cookie banner layout is only limited possible
- Consent is only possible for entire cookie groups, which is at least legally questionable
- Confusing user interface with many features, which should overwhelm many users
In addition to the three cookie banner plugins discussed in more detail above, I know of 14 other cookie plugins at the time of writing this article. You can download them from the official plugin directory on wordpress.org. However, I do not want to recommend these plugins for various reasons. For the completeness I list them below and explain briefly why I cannot recommend these WordPress plugins:
- Cookie Notice for GDPR & CCPA: Very simple cookie banner that is the most popular cookie banner plugin for WordPress with over 1 million active installations. And it is completely free! But it is still not recommended. You only have to customize the cookie banner with six settings – for everything else you have to write CSS code. It also only allows you to execute one HTML and JavaScript code if the cookies are enabled. You should be able to execute scripts for each cookie according to current law. The plugin also lets you enter all legal information yourself in your privacy policy. To do this correctly, you must be half a lawyer. So free of charge is not always a useful solution.
- GDPR Cookie Compliance: Many settings in the confusing interface, but unfortunately you can only distinguish between essential cookies, third-party cookies and additional cookies. The user of the website is not given the opportunity to decide about each cookie individually. This should not be compatible with applicable law in the EUR OR Germany (where I came from) and should not happen with a paid solution.
- Cookiebot:The plugin is in general an excellent solution, but it only works with a connection to its cloud service, which results in a permanent dependency. The price of 108 € to 444 € per year and website (as of June 2020) is also very expensive.
- iubenda – Cookie and Consent Solution for the GDPR & ePrivacy: The plugin only integrates the script of the cloud service where the cookie banner is hosted. Accordingly, this results in a high dependency and in case of a failure of the iubenda servers, no consent can be obtained on your website anymore. The pricing model is rather complicated and in case of doubt expensive with an annual fee plus extra costs per website visit above a certain limit.
- GDPR Cookie Consent Banner: The plugin is a cookie notice with a very simple opt-out option and is therefore no longer compatible with applicable law.
- GDPR Cookie Consent: In my opinion, the plugin is not legally compliant in its default settings in Germany. The website operator must first readjust the settings on his own. In addition, essential functions such as the documentation of consents are reserved for paying users. The free version therefore does not appear to me in a good light. If you want to have a solution without a big effort of time, you should rather use another plugin.
- WP DSGVO Tools (GDPR): Powerful plugin that can do much more than just display cookie banners. However, setting up the plugin is not intuitive and seems to be possible only with cookies from services that have been explicitly pre-defined by the plugin. This can quickly become a problem on a not so simple website.
- Italy Cookie Choices (for EU Cookie Law): The plugin was last maintained about two years ago and is, as the name suggests, more adapted to Italian legal practice. There is no business model behind the plugin, so a long-term maintenance of the WordPress plugin cannot be expected.
- Smart Cookie Kit: The plugin has a very technical structure. If you are not a software developer, you will have difficulties using the plugin in any way. Furthermore, it is not possible for your visitors to decide which single cookie they want to use, so it should not be legally compliant in the EU.
- Cookii – Free GDPR Cookie Consent:Besides a very limited customizability, this plugin only allows you to manage Google Analytics, Facebook pixels and two own cookies. After that it’s over, which might not be enough for most websites.
- Surbma | GDPR Proof Cookie Consent & Notice Bar: The plugin comes with a nice interface, but it doesn’t allow your users to interact with individual cookies. Despite a good approach it is therefore not recommended from a legal perspective.
- GDPR Cookie Consent by Supsystic: The WordPress plugin looks nice at first glance, but does not meet the legal requirement that users can choose in fine granularity which cookie they want to consent to.
- WordPress GDPR Cookie Compliance: A plugin that tries to implement a lot of things, but has only half solved everything. It is possible to obtain consent, but the user cannot decide per cookie and all cookie information should be written out on a subpage you have to design. The developers were creative here to save work. But this does not seem to be legally compliant.
- LuckyWP Cookie Notice (GDPR): The plugin offers an opt-in cookie banner for exactly one cookie and the corresponding script. If you want to have more, you have to take care of it yourself. This is unfortunately not more than a good starting point for web developers to create their own cookie banner.
All recommended cookie banner plugins I just introduced to you are so-called opt-in cookie banners. In the EU (and Germany), only opt-in cookie banners are allowed according to current law – why this is so, I’ll explain below in the legal foundations.
If you start looking for the perfect cookie banner for your needs, you will also find plugins and services that offer other types of cookie banners. Some of them falsely claim to be legally compliant because they were implemented according to outdated legal requirements or simply use the statement for marketing purposes without considering the legal situation.
That’s why I explain to you which types of cookie banners there are, so that you can distinguish them yourself. This is important so that you don’t use a cookie banner by mistake, which could put you in legal trouble.
It should be noted that some WordPress plugins or services technically set multiple cookies or cookie-like data. For the purpose of simplicity, I will call all cookies of a service together as one cookie in the following.
Cookie banners that ask for the explicit consent of your visitors whether cookies may be set are called opt-in cookie banners. This type of cookie banner ensures that your visitors are presented with a dialog or banner the first time they visit your website, in which they can select which cookies may be set. The important thing is that the user must be free to choose which cookies they want to allow and each cookie can be rejected individually. The cookie banner must not pre-select cookies and thus patronize your visitors. This is explicitly prohibited by law. However, what has not been finally clarified legally and is therefore usually used is a button or link that allows the user to agree to all cookies with just one click.
The opt-in cookie banner ensures that cookies are only set after consent has been given. This also means that services such as Google Analytics can only be integrated after the user has explicitly agreed to them.
The opposite model to opt-in cookie banners are the opt-out cookie banners, as the name already suggests. With this type of cookie banners, cookies are set first. However, the user of your website must be given the opportunity to disagree immediately after entering your website. Typically, these solutions display a “Do Not Sell My Personal Information” link at the bottom of the screen. If the user contradicts, all cookies must be deleted and the use of the corresponding plugins and services must be prevented.
This type of cookie banner is required by the California Consumer Privacy Act (CCPA), but not by EU law. This law is intended to protect California residents in the United States. Consequently, this type of cookie banner is only relevant for websites targeting the US market. At the same time, the more restrictive opt-in cookie banner from the EU should also meet the requirements of the CCPA.
At the time this article is written, simple notices about the use of cookies are still very common. So even large publishers in Germany still write texts like:
“We use cookies to provide you with the best possible user experience. You agree to the use of cookies and to our privacy policy”.
For a long time many websites, especially in Germany, had such references on their website. In addition, there were instructions spread throughout the privacy policy on how the user could disagree with the use of certain cookies – a very user-unfriendly implementation of the opt-out procedure. In the opinion of many, this fulfilled the requirements of German law. In most cases, however, the data protection declarations did not explain for all cookies how to disagree with them, so that only a cookie notice was on the website. In the meantime, however, it has been clarified by the highest court that such references are not permitted in the EU and not in Germany either. I will explain more about this in the section legal foundations.
In the comparison of the best cookie plugins, cookie groups have been discussed several times. This raises the question of what cookie groups there should be and how cookies should be separated from each other in terms of their function.
As a matter of principle, there is no legal requirement as to which groups cookies should be divided into. In fact, the question of whether cookie groups are legally allowed has not yet been finally clarified in the EU. Currently, however, it can be assumed that they will be permitted or even recommended – more on this in the legal foundations. Only between essential cookies and all other cookies is a distinction to be made for legal reasons. What the difference is, I will explain to you in a moment.
Accordingly, most WordPress cookie plugins divide the cookies into different groups according to their function or use. Most plugins also allow you to create your own groups. Which cookies belong to which group is also a question that every website owner has to answer on its own. Depending on the use of a service, plugin or integration of external media, the answer may vary.
In the following, I would like to show you on the basis of a typical division of cookies into four groups with examples, which cookies belong to which groups according to my legal opinion.
In the legal sense, cookies that are technically absolutely necessary for the operation of the website must be distinguished from all other cookies. These cookies are usually called essential cookies and they are the only type of cookies that may be placed on your visitors’ computers without their explicit consent. You must nevertheless explain their function in your privacy policy (or the cookie banner).
It is important to answer the question correctly, what are technically essential cookies. Often, cookies that are considered to be essential from an organizational point of view are equated by website operators as technically essential cookies. This can have fatal consequences, since consent is required to set these cookies. But what is the difference? You should always ask yourself whether the basic functionality of your website can no longer be maintained if a cookie cannot be set. This explicitly does not mean whether, for example, you need a tool to generate revenue so that the website can earn its costs. It only refers to cookies that are indispensable from the perspective of your visitors.
This sounds very abstract, which is why I would like to give you some examples to answer this question:
- Example for essential cookie: In an online shop the shopping cart cookie or in a member area the login status cookie can be considered essential. In both cases, without the cookie, the functionality of the website would be fundamentally affected, as the visitor would not be able to add products to his or her shopping cart or access the member area.
- Example of a controversial cookie: Google Fonts is a service that allows beautiful fonts to be displayed on websites even if they are not installed on the user’s computer or mobile device. Google collects data from this service and sometimes sets cookies. Practically everyone would probably agree that these cookies are essential, because a website looks completely different with a standard font than with a nice and matching font. Legally speaking, however, the user of your website has no functional restrictions if the website looks less pretty. In addition, as the operator of the website you have the technical possibility to deliver fonts from your own server and therefore not to transmit data to Google. As a result of these arguments, it is legally disputed whether services such as Google Fonts can be regarded as essential. At the time I am writing this article, there is no highest court decision yet. If you want to be on the safe side, you should rather classify such cookies as non-essential.
- Example of a non-essential cookie: You want to embed Google Analytics on your website to track users and thus increase the quality and/or sales of your website. Your website would work exactly the same way without this service and its cookies. Whether you could improve your website in the long run is not important for the legal consideration.
All non-essential cookies are easier to classify than essential cookies, such as statistics cookies. This group includes all services that record data about the behaviour of your visitors, if the data finally shows how a group of users or all users together have behaved. It is important to note that due to the user’s behaviour, the contents of your website must not be personalised for the user, as this is no longer purely for statistical reasons.
Example of statistical cookies: Google Analytics, Matomo or Clicky are tools that comprehensively record the behaviour of your visitors and can be evaluated in aggregated form.
There are a variety of services that allow you to collect and analyze data about individual users. The analysis of the collected data can lead to you treating a user differently, displaying different content or spending different amounts of money on third party websites to display advertisements for your website. With this group of cookies, the data could, but does not have to, be evaluated in monetary value.
Example for marketing cookies: Google Ads or Facebook Ads offer to install trackers on your website, which monitor the success of your advertising campaign. The data collected decides which users receive advertising and can also decide how much you spend to ensure that a user sees your advertising. In the same way, Hotjar is a heatmap recorder in the field of marketing. You do not use the collected data to place advertisements, but you can view a recording of all clicks of each user and use the knowledge gained to optimize your website, for example to achieve more sales.
Finally, many cookie banner plugins combine cookies that load unspecified external media. External media usually enhance the content of your website. If they were missing, users could still use your website without being restricted.
Example: YouTube, Vimeo or Twitch, from which you embed videos as iframe directly into your website and which are immediately loaded by the services.
Now that you have learned about many solutions and can differentiate between cookie banner types and cookie groups, you will certainly ask yourself:
“Why are opt-in cookie banners needed? And does my WordPress website also need a cookie banner?”
Short answer: Since October 2019 it is finally clear in the EU that opt-in cookie banners are mandatory for all non-essential cookies. This also applies to your WordPress website, because you need permission for almost all cookies.
Therefore I would like to explain in the following, as simple and practical as possible, why opt-in cookie banners are mandatory for websites. We will take a look at all legally relevant decisions (from a German perspective) and also take a look at what laws are likely to regulate cookies in the future.
Many opt-in WordPress cookie plugins group cookies together. Whether this is allowed is considered controversial. This question has not yet been clarified in court.
The FAQ of the State Data Protection Commissioner of Baden-Würtenberg, Germany recommends combining cookies into groups. However, all cookies from the group must also be described individually and must be selectable or deselectable. The British data protection authority ICO, on the other hand, considers this behaviour in its status report to be incompatible with the ePrivacy Directive. The ePrivacy Regulation could bring clarity here in a few years.
If non-essential cookies are set without prior consent, this is a violation of the ePrivacy Directive. If the data collected are person-related, this may even constitute a violation of the EU GDPR. Both can be warned and fined. The Federation of German Consumer Organisations (VZBV) has already sent out warnings (with small fees).
According to this, there is a potential risk of being warned in the EU because of the lack of an opt-in cookie banner. In view of the large number of websites that currently still violate this directive or the law, this is likely to mean that not all website operators will receive immediate warnings. However, the chances or danger of a warning or fine should increase over time and thus the need to act.
WordPress websites are usually operated with a lot of plugins and an additionally installed theme. These can store their own cookies or cookie-like information. Accordingly, this question cannot be answered in a general way. Rather, every website operator must find out for himself. Cookie scanners can help here. However, only some of the WordPress Opt-in cookie-banner plugins include a cookie scanner. Therefore I will show you below how this works independently from your plugin.
But you can answer which cookies the WordPress CMS sets without themes and plugins. This is described in detail in the support area on WordPress.org. You have to differentiate between two types of users, for whom different cookies are set.
Logged in users:
- wordpress_[hash]: Login information of the user as hash
- wordpress_logged_in_[hash]: Login status and the user ID
- wp-settings-[time]-[UID]: User-related settings for the WordPress backend
Unregistered users:
- comment_author_[hash]: Name of the commentator
- comment_author_email_[hash]: Email address of the commentator
- comment_author_url_[hash]: Website URL of the commentator
The cookies for unregistered users all refer to the comment function of WordPress. Accordingly they are only set if a user has left a comment in the comment area of your WordPress website. The purpose of the cookies is that the user does not have to enter his data again if he wants to write another comment.
This question is again not easy to answer. Many cookies are set the first time you visit the website. For example, when Google Analytics is integrated into the website. However, there are also scripts that are only integrated into the website on certain subpages and set cookies. For example, the Jetpack plugin only loads its comment feature if a comment area is visible on the subpage. Finally, there are cookies that are only set when the user makes a certain interaction with the website. As an example, the cookies of the standard WordPress comment system mentioned in the previous section can be taken.
Furthermore, technically speaking, not all cookies are the same. The term “cookie” legally stands for so-called HTTP cookies. However, the applicable laws also require that cookie-like information is subject to the same laws. Technically, there are a variety of ways to store such information. The most common methods are briefly explained below:
- HTTP Cookie: Classic cookie that is transferred to the server in every connection.
- Local Storage: Modern local storage of information similar to cookies, but which can only be read by JavaScript applications.
- Session Storage: Same as Local Storage, but technically limited to the respective tab in the browser in which the information was set.
- Pixel Tracker: Loading of a (mostly) invisible graphic that can uniquely identify the user.
- Flash Local Shared Object: Object for storing information about users in Flash files (rarely used anymore).
- IndexedDB: Modern alternative to local storage for larger amounts of data (still rarely used).
The complexity is not enough, when setting many cookies and cookie-like information, their visibility is limited. This means, for example, that a cookie set by devowl.io can only be read by the server and scripts of the domain devowl.io. This is necessary to prevent a third website (called third parties) from e.g. intercepting the active login to your WordPress backend – stored in a cookie – and forwarding it via their server to the operator of the third website. Tools that search for your cookies must therefore have the rights to read all cookies, including those from third-party websites that are integrated into your website (e.g. Google Analytics).
Tools that promise to find cookies on your website must therefore be critically reviewed. Does the tool run through all subpages of your website? Can you interact with your website to trigger the placement of cookies? Does the tool read not only HTTP cookies, but any kind of cookie-like information? And does the tool even have the rights to read all cookies from 3rd-parties?
In our article How do I find all cookies (services) on my website? we explain in detail how you can manually find all services (not only cookies because you need often consent for more than cookies) on your website. However, this is quite a hard work and requires concentration and some technical knowledge.
The service scanner of Real Cookie Banner is a great alternative! We can’t guarantee that the scanner will find all services on your website (because that’s almost impossible), but it will save you a lot of work by its functionality. The scanner automatically searches all subpages of your website for services that are relevant for creating an individual cookie banner. How exactly our scanner works as well as advantages and disadvantages of this feature can be read in our knowledge base article What does the service scanner find (and what not)?.
You have one of the best opt-in cookie banner plugins installed on your WordPress website. You have also dealt with what cookie groups are. And last but not least you have read cookies from your website. With these extensive preparations: What can still go wrong now? Unfortunately quite a lot!
I have listed the top 10 typical mistakes that are regularly made by less technically skilled owners of WordPress websites:
- Cookie banner not activated: Trivial, but still it happens. The cookie banner has been fully set up, but it is not activated for your visitors. In any case, check in a private window of your browser as an unlogged in user on your WordPress website whether the cookie banner is displayed.
- Cache prevents delivery of the cookie banner: Many WordPress websites use caching plugins to load faster. If the cookie banner plugin does not invalidate the cache properly after changing a setting, this can lead to a situation where the cookie banner is not delivered or only in an outdated version. Be sure you empty the page cache after setting up or changing your cookie banner!
- Not all cookies are detected: Above I described how complicated it is to find all cookies and cookie like information. It’s easy to miss a cookie. So check carefully if you have really collected all cookies in your cookie banner. If in doubt, don’t rely on cookie-scanner tools.
- Incorrectly grouped cookies: Even if you have found all cookies, there is no use if you classify non-essential cookies as essential cookies. So, as described above, question very carefully whether a cookie is really essential. In most cases the honest answer is: No.
- Cookies or cookie groups are not described correctly: You must not only list the technical names of cookies, but for all cookies you must describe who sets them, for what purpose, how long they remain on your visitor’s computer and where he can find the privacy policy of the provider who sets the cookie. If you use cookie groups, you must also describe what cookies are in the group.
- Setting the cookie before consent: Describing all cookies correctly in your cookie banner will not help if the cookies are already set before your visitor’s consent. So make sure that all non-essential scripts and cookies are not executed or set until you have the consent of your visitors. Many opt-in cookie banner plugins for WordPress allow you to specify HTML and JavaScript for this purpose, which will only be executed after you have given permission. This is usually safer than using many WordPress plugins, for example to integrate Google Analytics into your website.
- Consents not properly documented: The visitor of your website could doubt at any time that he has given his consent that you may set cookies on his computer or mobile device. Thanks to the (simply spoken) reversal of the burden of proof of the EU GDPR, you have to prove that he has given his consent. Consequently, the consent must be kept in full for the next approx. 5 years, until the statute of limitations of the possible criminal offense by the possible data protection violation. When choosing the cookie banner plugin, make sure that it documents the consent completely and make regular backups of your website.
- No possibility to change your consent: You must give the visitor to your website the opportunity to change his or her consent at any time. So make sure that in the privacy policy or the footer of your website it is possible to view the cookie banner again at any time.
- Revocation of consent not possible: In the same way, visitors to your website must be able to revoke their consent to the setting of cookies at any time simply by clicking on a link, for example. Such a link should definitely be placed in your privacy policy!
- Cookies not deleted after revocation: If your visitor revokes his or her consent to one or more cookies, you as the website operator are responsible for ensuring that the corresponding scripts are no longer executed for this user from the time of revocation and that the cookies already set are removed from his or her computer. Many opt-in cookie banner plugins for WordPress offer you the possibility to execute JavaScript. You should definitely use this possibility!
You should definitely avoid making the same mistakes. Otherwise, the huge effort you put into setting up an opt-in cookie banner on your website may be wasted.
If you need help setting up your cookie banner, please open a support ticket with us and we will make you an individual offer to set up the opt-in cookie banner on your WordPress website.
In this article we not only looked at what the best opt-in cookie banner plugins for WordPress are, but also covered a variety of understanding issues. If you have read the article completely, you now know what kind of cookie banners exist, what cookie groups are and how you can group cookies into them, if and on which legal basis a cookie banner has to be displayed on your WordPress website, how to find out which cookies your website sets and you have learned about typical mistakes when using a cookie banner plugin. You should avoid the typical mistakes in any case, because otherwise all your efforts to use a cookie banner won’t achieve anything!
In summary, I can say that it is very difficult – especially for projects of customers, when you build WordPress websites as a contract work – to build a website that does not set cookies. If your website is aimed at users from the EU, then according to the current legal situation you have to get the consent of your visitors to set the most cookies. An opt-in cookie banner is then mandatory for your WordPress website!
I personally use the Real Cookie Banner WordPress plugin for our websites. It offers the most features for a reasonable price, allows you a legally compliant setup and is currently the plugin I can best recommend.
You would like to learn more about WordPress? Get news, tips and devowl.io product updates about about twice a month in your inbox!