You use a service for which there is no cookie template in Real Cookie Banner? You can always request a new cookie template for free, and we will try to implement it for you in a reasonable time. Alternatively, you can always create a custom cookie by yourself. This article shows you step by step how to find all the necessary information.
Where can I create a cookie (service)?
Go to your WordPress backend and there in the left sidebar by clicking on Cookies in the Real Cookie Banner settings. On this page you will find several tabs. One of them is called Cookies and is relevant for us. In the tab there is an “Add cookie” button in the upper-right corner, which we can use to create a cookie or service. In addition to the selection from cookie templates, we find in this view at the top a “Create from scratch” button, with which we can create an individual cookie (service).
What must be specified in a cookie (service)?
To create the service, you will see a number of fields. Under each field you will find a description of what exactly needs to be entered in the field. Please read the description carefully to understand what you need to enter in which field. Therefore, in the following we will only go into how to collect the information for the fields.
There are the following fields to fill:
The name of the cookie (service) is displayed to your visitors in the individual privacy settings and should show at a glance what service it is. You should therefore look up the full name of the service you are using.
Positive example: Google Analytics
Negative example: Google or Analysis Software
You, as a website owner, have to make a legally correct assessment of whether the service is essential or non-essential for your website. If you decide that the service is not essential, then you can place it in a suitable further group. However, from a legal point of view, the classification in which none-essential cookie group the cookie lives has only a minor role.
Regarding technical cookies and processing of personal data, you should ask yourself the following questions to assess whether the cookies of the service are essential:
- Would my website or the one main function (e.g. shopping in an online store) no longer work without this service or cookie?
- Does the service or cookie serve solely to defend against threats (e.g. against DDOS attacks), so that the website remains available to legitimate users?
If you can answer yes at least one if these questions with yes, then there are still the following exclusion questions that you should be able to answer no to:
- If I remove this service from my website, does it still work in the technical sense? It doesn’t have to look good (e.g. Arial font instead of a nice font via Google Fonts) or be comfortable (e.g. email address as link instead of contact form).
- Is there a way to achieve the same or a very similar result with reasonable effort that does not require cookies to be set or personal data to be processed (by third parties) (e.g. host fonts in your WordPress instead of using Google Fonts)?
If you can answer at least one of the first two questions with yes and answer a no to the second two questions, then you have a good indication that this is an essential service and essential cookies. If it is not, you should put the service in another group and let it load only after you have the consent of your visitor.
In our legal opinion, the provider of a service is the company or natural person who sets/reads cookies and processes personal data. So if the service runs entirely on your webspace and does not send any data to the manufacturer of the software, you are the provider. Otherwise, the operator of the service is usually the provider.
We recommend that you first describe in the field what the service does from your users perspective. Then you should describe what data is processed about the user and for what purpose. Finally, in our opinion, it should be made clear exactly what data is collected with the technical cookies.
US data processing (if feature is activated)
The USA is currently considered an unsafe third country in the EU from the perspective of data protection law. Therefore, it should be clear if a service comes from the USA or processes data in this country.
Note that Google’s Ireland Limited, for example, is an affiliated company of its parent company in the USA. Thus, for legal reasons, it could be in doubt that the US company must receive data from Google Ireland Limited. We therefore recommend that you specify data processing in the USA even if only the parent company is located in the USA.
Technical cookie information
You should identify which cookies and cookie-like information are set by the service. This technical information provides further insight into the data processing that takes place on or through your website. How to find all cookies is explained in detail in the article How do I find all cookies on my website?. You should simply transfer the information you find into the table with technical cookie information.
If a service has been classified as non-essential in the Group field above, it must not process personal data or set cookies before you have obtained consent of the visitor. That means the visitor of your website must have explicitly agreed in the cookie banner.
This leads to the following most important cases that you should consider for this section when creating an individual cookie (service):
- Block embedded content: For example, you have embedded a YouTube video in your blog. This must be blocked until you have the consent to load it. Of course, you should not have to maintain one version of the blog article with and one without video. At this point you need to set up a so-called content blocker, as we described in the article How do I create an individual content blocker?. You do not need to include an opt-in code in the Technical handling section in this case.
- Prevent loading of data from a WordPress plugin/theme: Many WordPress plugins/themes are first installed in your WordPress, but later load data and scripts in the browser of your visitors from 3rd-parties. For example, if you use the plugin Smash Balloon Social Post Feed, it should display the Facebook feed of e.g. your Facebook page. To achieve this, the plugin loads data from the Facebook servers in the browser of your visitors (how to determine this we have explained in the article How do I find all cookies on my website?) and transmits data to the servers of Facebook. At this point, you also need to set up a content blocker, which does not necessarily block Facebook, but starts one step earlier and blocks Smash Balloon Social Post Feed. What exactly needs to be blocked differs from case to case. You usually do not have to include an opt-in code in the Technical handling section in this case.