Knowledge Base

How do I create an individual service?

You use a service for which there is no template in Real Cookie Banner? You can always request a new service template for free, and we will try to implement it for you in a reasonable time. Alternatively, you can always create a custom service by yourself. This article shows you step by step how to find all the necessary information.

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

Contents show

Where can I create a cookie (service)?

Go to your WordPress backend and there in the left sidebar by clicking on Cookies in the Real Cookie Banner settings. On this page you will find several tabs. One of them is called Services (Cookies) and is relevant for us. In the tab there is an “Add service” button in the upper-right corner, which we can use to create a service (cookie). In addition to the selection from service templates, we find in this view at the top a “Create from scratch” button, with which we can create an individual service.

Create a service from scratch

What must be specified in a cookie (service)?

To create the service, you will see a number of fields. Under each field you will find a description of what exactly needs to be entered in the field. Please read the description carefully to understand what you need to enter in which field. Therefore, in the following we will only go into how to collect the information for the fields.

There are the following fields to fill:

Name

The name of the cookie (service) is displayed to your visitors in the individual privacy settings and should show at a glance what service it is. You should therefore look up the full name of the service you are using.

Positive example: Google Analytics
Negative example: Google or Analysis Software

Group

You, as a website owner, have to make a legally correct assessment of whether the service is essential or non-essential for your website. If you decide that the service is not essential, then you can place it in a suitable further group. However, from a technical point of view, the classification in which non-essential service group the service lives has only a minor role.

Regarding technical cookies and processing of personal data, you should ask yourself the following questions to assess whether the cookies of the service are essential:

  1. Would my website or the one main function (e.g. shopping in an online store) no longer work without this service or cookie and has the visitor explicitly wanted to request this service by calling up the website?
  2. Does the service or cookie serve solely to defend against threats (e.g. against DDOS attacks), so that the website remains available to legitimate users?

If you can answer yes at least one if these questions with yes, then there are still the following exclusion questions that you should be able to answer no to:

  1. If I remove this service from my website, does it still work in the technical sense? It doesn’t have to look good (e.g. Arial font instead of a nice font via Google Fonts) or be comfortable (e.g. email address as link instead of contact form).
  2. Is there a way to achieve the same or a very similar result with reasonable effort that does not require cookies to be set or personal data to be processed (by third parties) (e.g. host fonts in your WordPress instead of using Google Fonts)?

If you can answer at least one of the first two questions with yes and answer a no to the second two questions, then you have a good indication that this is an essential service and essential cookies. If it is not, you should put the service in another group and let it load only after you have the consent of your visitor.

Provider

In our legal opinion, the provider of a service is the company or natural person who sets/reads cookies and processes personal data. So if the service runs entirely on your webspace and does not send any data to the manufacturer of the software, you are the provider. Otherwise, the operator of the service is usually the provider.

It is important to specify the legally complete name of the company or natural person. Also, big companies often have different local companies depending on the country where you run the website and for which country you run it. For example, Google operates a separate company for their EU customers, which is not the US parent company. Such situations should be clearly stated in the privacy policy of the provider, which is why you should read it.

Purpose

In our legal opinion, which we described in another article, the purpose of a service must be described comprehensively so that the user can get an idea of exactly what the service does before giving consent. This is often less clear in the privacy policy of the service than you would expect.

We recommend that you first describe in the field what the service does from your users perspective. Then you should describe what data is processed about the user and for what purpose. Finally, in our opinion, it should be made clear exactly what data is collected with the technical cookies.

To be able to describe the purpose exactly, you should on the one hand intensively study the possibilities of the service you are using. On the other hand, reading the privacy policy is usually mandatory because it often explains the processing of data, which is not always obvious.

Privacy policy of the provider

Your visitors should be able to read exactly how the respective service handles their data before they give their consent. Therefore, you should link to the provider’s privacy policy. The privacy policy should also be in the same language as your website, as it is assumed that not every visitor to your website will be able to read a legal document such as the privacy policy in a foreign language.

Data processing in unsecure third countries (if feature is activated)

Every country where the GDPR does not apply and when there is no adequacy decision for this country is considered an unsafe third country from the perspective of data protection law. Therefore, it should be clarified if a service comes from an unsafe country or processes data in this country.

Note that some companies are affiliated companies of their parent company in an unsafe country. Thus, for legal reasons, the parent company could receive data from the affiliated companies. We therefore recommend that you specify data processing in unsafe countries, even if only the parent company is located in an unsafe country.

Technical cookie information

You should identify which cookies and cookie-like information are set by the service. This technical information provides further insight into the data processing that takes place on or through your website. How to find all cookies is explained in detail in the article How do I find all services (cookies) on my website?. You should simply transfer the information you find into the table with technical cookie information.

Technical handling

If a service has been classified as non-essential in the Group field above, it must not process personal data or set cookies before you have obtained consent of the visitor. That means the visitor of your website must have explicitly agreed in the cookie banner.

This leads to the following most important cases that you should consider for this section when creating an individual cookie (service):

  • Block embedded content: For example, you have embedded a YouTube video in your blog. This must be blocked until you have the consent to load it. Of course, you should not have to maintain one version of the blog article with and one without video. At this point you need to set up a so-called content blocker, as we described in the article How do I create an individual content blocker?. You do not need to include an opt-in code in the Technical handling section in this case.
  • Prevent loading of data from a WordPress plugin/theme: Many WordPress plugins/themes are first installed in your WordPress, but later load data and scripts in the browser of your visitors from 3rd-parties. For example, if you use the plugin Smash Balloon Social Post Feed, it should display the Facebook feed of e.g. your Facebook page. To achieve this, the plugin loads data from the Facebook servers in the browser of your visitors (how to determine this we have explained in the article How do I find all services (cookies) on my website? and transmits data to the servers of Facebook. At this point, you also need to set up a content blocker, which does not necessarily block Facebook, but starts one step earlier and blocks Smash Balloon Social Post Feed. What exactly needs to be blocked differs from case to case. You usually do not have to include an opt-in code in the Technical handling section in this case.
  • Only load the service after consent: Many services called SaaS or cloud services provide you with HTML or JavaScript code to load the service in the browser of your visitors. For example, Google Analytics, Hotjar or Intercom works this way. The code to load the service may only be executed after you have the consent of your visitor and should therefore only be placed in the field “Code executed on opt-in“.

WordPress Plugins by devowl.io

Find helpful articles

Topics