You bought Real Cookie Banner PRO and expected that our WordPress plugin would find all cookies for you automatically? Unfortunately, we don’t currently have a cookie scanner that handles the setup of your cookie banner. Other consent management solutions partly offer cookie scanners. In this article we would like to explain why this scanner usually does not find all cookies and other parts of your website that require consent. We also explain what Real Cookie Banner offers you as a better alternative and how you can have your cookie banner set up if you can’t handle this alternative either.
For what you need consent on your website
Tools commonly known as cookie banners are, if they comply with the legal requirements of the EU, actually Consent Management Platforms (CPMs). In practical terms, they manage not only consent for cookies – which could possibly be found via a cookie scanner – but consent for additional purposes. Cookies and these additional purposes are usually so closely linked that one does not exist without the other.
Real Cookie Banner offers you a solution to comply with the following important legislation in the EU:
- Art. 6 GDPR: To process personal data (e.g. in your WordPress or by sharing it with YouTube via an embedded video) you need a legal justification. In many cases, only consent is an option. In Germany, for example, the IP address, which must always be transmitted to load content on the Internet, is also a personal data (see BGH ruling dated May 16, 2017, file no. VI ZR 135/13). In practical terms, this means that you need the informed consent of your visitors before, for example, loading a YouTube video on your website and therefore passing on data of your visitors.
Applied in practice, for example, embedding a YouTube video has the following legal consequences:
- Processing of personal data: When loading the YouTube video, the IP address of your visitor must necessarily be transmitted to YouTube or Google, so that the video player and later, if necessary, the video can be loaded. Even if Google does not store the IP address and evaluates it for marketing purposes, the IP address is usually processed in the web server, the logs, etc. of the Google servers. Whether there is a justification for processing this personal data other than consent depends on the individual case. However, in our legal opinion, consent is the only possible justification in the vast majority of cases.
- Setting and reading cookies: On and after the YouTube video (more specifically, the iframe in which the YouTube video is located) has been loaded, the scripts of YouTube and Google can set cookies. They can also read cookies that were set, for example, when the user previously logged in to youtube.com. This is especially in the interest of such platforms, if the user is logged into his account because so the video can for example add it to the history of videos watched by the user and use ultimately this information for commercial purposes. For the setting or reading of non-essential cookies, you as the website operator must obtain consent if you are responsible for the video being loaded in the first place (without the prior knowledge of your visitor).
We hope that this (brief) explanation of the most important basics has shown that there is more to a cookie banner than just finding technical cookies. To be privacy-compliant, additional consents must be obtained beyond cookies. In addition, legal considerations must be made, which can often be made by a human being.
Why most cookie scanners don’t find all cookies etc.
Let’s forget the above and assume that we only need to find technical cookies. Unfortunately, even that is not as easy as it seems at first glance. This is due to several aspects.
From a technical point of view, not all cookies are the same. The term “cookie” legally stands for so-called HTTP cookies. However, the applicable laws also require that cookie-like information is subject to the same rights. Technically, there are a variety of ways to store such information. The most common methods are briefly explained below:
- HTTP Cookie: Classic cookie that is transferred to the server in every connection.
- Session Storage: Same as Local Storage, but technically limited to the respective tab in the browser in which the information was set.
- Pixel Tracker: Loading of a (mostly) invisible graphic that can uniquely identify the user.
- Flash Local Shared Object: Object for storing information about users in Flash files (rarely used anymore).
- IndexedDB: Modern alternative to local storage for larger amounts of data (still rarely used).
A cookie scanner would therefore have to be able to search all these methods. However, this is not technically possible in some cases, since some cookie-like information is only stored in the visitor’s client and a cookie scanner as a server application would not see it at all. Even if an additional client application would send this cookie-like information to the server application, there is another technical hurdle to overcome: Security constraints. For HTTP cookies in particular, certain so-called flags can be set that limit the visibility of the cookie. For HTTP cookies, the following restrictions are the most important:
- Domain: The domain determines which domain (website) is allowed to read (and write) the cookie. For example, if the YouTube iframe video sets a cookie for youtube.com, the client application on your website cannot (necessarily) see the cookie.
- HttpOnly: This flag determines that the cookie can only be read and written by the server application, but not by the client application.
- Secure: A cookie can be set so that it can only be read and written when there is an HTTPS connection. For example, if you develop your website in a local development environment without a TLS certificate, some cookies can no longer be written or read and will falsify the cookie scanner result.
- SameSite: This flag prevents cookies from being misused in so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, which can be used to steal the token for example for an active login on YouTube/Google. In order to be able to read out all cookies and transfer them to the server application, it would have to be possible under certain circumstances to use precisely the type of transfer that attackers also use (and that is prevented).
If you think that these are already enough issues, then we have to disappoint you. Besides this technical complexity, there are also some “organizational” hurdles with a cookie scanner. Cookies are not always set when the homepage is loaded, but only under certain circumstances. A cookie scanner in Real Cookie Banner would have to consider at least the following most important organizational rules for finding all cookies:
- Only on certain subpages: Some services and plugins do not set cookies on or for all subpages, but only on certain subpages of your website. In addition, cookies may only be set when certain subpages are accessed in a certain sequence (typically when tracking sales funnels). A cookie scanner would have to call every single subpage of your website and read every cookie and cookie like information to be sure to find all necessary information. You as a human know much better if you only use certain services on certain subpages (e.g. Google Maps is only integrated on the contact page) or special funnels.
- Only when interacting with the website: Another complexity is that cookies are sometimes set only on certain interactions. A good example is the standard comment system of WordPress. It sets cookies (on user request) to remember the name, email address and website of the commenter for future comments. A cookie scanner would thus have to understand with some human awareness how to interact with your website and what options are available e.g. to submit the comment form. For a human, this is no problem, but for a machine without consciousness it is an extremely complex task.
In summary: Tools that promise to find cookies on your website must be questioned critically. Does the tool go through all subpages of your website? Can you interact with your website to trigger the setting of cookies? Does the tool read not only HTTP cookies, but any kind of cookie-like information? And does the tool even have the rights to read all cookies?
We have already thought a lot about how such a cookie scanner could be implemented. Currently, however, we do not know of any freely available cookie scanner that implements all these requirements. For example, the cookie scanner from Cookiebot, which scans your website and then offers you its product, cannot solve all the organizational problems mentioned above. And the integrated cookie scanner in the WordPress plugin Complianz fails to the best of our knowledge due to the technical hurdles described above. Thus, both cookie scanners deliver many important cookies, but not all of them. However, to make your website privacy compliant, you would need to know all cookies.
Service and Content Blocker templates as better alternative
Real Cookie Banner tries to help you differently because of the problems described in the previous section. In our eyes, better to help you to set up your cookie banner completely correctly and consequently to comply with the requirements of the data protection law.
We offer you a variety of service templates and content blocker templates to name cookies in your cookie banner as well as to prevent the processing of personal data before consent. All templates were created with an intensive research of all legal and technical information. We sometimes put half working days into creating a service template to represent as many cases as possible in them and to test whether cookies are really set only after consent and personal data is processed only after consent.
You just need to put the templates of services and plugins you use into Real Cookie Banner. You will be guided step by step through the creation of the information and can always adapt and expand them for your specific case. This saves you many hours of work compared to researching and testing yourself!
How to find all cookies and services on your website
Well, there’s one question we haven’t answered yet: If you don’t have a cookie scanner available, how do you find out which cookies and services you use in your WordPress website? The best service and content blocker templates won’t work if you don’t know that you need to use them.
We have answered this question in a detailed article that you should definitely read: How do I find all services (cookies) on my website?
Too complicated? Our cookie experts are here to help!
We can absolutely understand if the explanations in this article have left you feeling a bit overwhelmed. The data protection requirements for you as a website operator in the EU are complex. They make it difficult to operate websites without intensively dealing with the legal requirements. At least, if you want to sleep with a clear conscience to have done everything right.
But don’t worry, if all this overwhelms you. We have a solution for you: Read the article I can’t manage to set up the cookie banner. What do I do now? to learn how our cookie experts can easily relieve you of this worry!