What data does Real Cookie Banner process?

Real Cookie Banner is a consent management plugin for WordPress. You can use it to obtain consent to set cookies and process personal data from your website visitors. This requires Real Cookie Banner itself to set cookies and process (personal) data. We explain below what and where Real Cookie Banner stores and reads data on your website.

What data from website visitors does Real Cookie Banner process?

Real Cookie Banner sets the cookies mentioned below. In addition, it stores the consent provided by the website visitor in the cookie banner, so that you as the website operator can comply with the obligation to disclose under the GDPR.

Practically, this means that each consent of your website visitors is stored in the database of your WordPress website. You can view them visually prepared in your WordPress backend under Cookies > Consent > List of consents and export them.

In addition – logically – the cookie banner will be displayed in the browser of the website visitor, where data will be processed. If the “Geo Restriction” feature has been activated by the website operator, the visitor’s IP address is used to determine the visitor’s country. For this purpose, the MaxMind GeoIP2 database is used, which is stored locally in the WordPress of the accessed website. This means that the IP address is not transmitted to a third server for location determination.

Documentation of consent

Each consent is documented to fulfill the obligation to disclose. This involves documenting the following data per consent:

• id: Incremental identification number of the documented consent.
• ipv4: IPv4 address of the website visitor (disabled by default, as it may be considered personal date within the EU).
• ipv6: IPv6 address of the website visitor (disabled by default, as it may be considered personal date within the EU).
• ipv4_hash: IPv4 address without the last octet as a salted SHA256 or as a fallback MD5 hash to prevent an attack by mass storage of consents by an IP address range.
• ipv6_hash: IPv6 address without the last octet as salted SHA256 or as fallback MD5 hash to prevent an attack by mass storage of consents by an IP address range.
• uuid: UUID is a server-side randomly generated pseudonymous unique identification number of the website visitor, under which all consents given by the website visitor are documented as long as the cookie exists in which his UUID is stored in his terminal device.
• revision: Hash that allows to assign which settings of the cookie banner (texts, colors, features, service groups, services, content blockers, etc.) were used at the time of consent to play out the cookie banner. Changes to these settings will result in the visitor’s consent being obtained again.
• revision_independent: Hash that lets assign which cookie banner settings (texts, colors, features, service groups, services, content blockers, etc.) were used at the time of consent to play out the cookie banner. Changes to these settings do not result in the visitor’s consent being obtained again.
• previous_decision: Selection of service groups and services to which the website visitor had consented before the change of consent.
• previous_tcf_string: Selection according to the Transparency & Consent Framework (TCF) to which the website visitor had consented before the change of consent.
• previous_gcm_decision: Selection according to the Google Consent Mode to which the website visitor had consented before the change of consent.
• decision_hash: MD5 hash over the data of the entire consent.
• decision: services and its service groups to which the website visitor has consented. Each service and service group is thereby represented by a unique identification number (ID).
• blocker: If consent was given via a content blocker, the unique identification number (ID) of the content blocker.
• button_clicked: Button in the cookie banner, which the website visitor has clicked to give consent. This allows the origin of the consent to be traced in retrospect.
• context: Consents are obtained per context (e.g. WordPress website ID or website language). How a context is structured is explained in more detail in the cookie real_cookie_banner_* definition.
• viewport_width: width of the viewport in px in which the website in the browser of the website visitor, at the time consent was given. This allows the origin of the consent to be tracked in retrospect.
• viewport_height: height of the viewport in px in which the website in the website visitor’s browser, at the time consent was given. This allows the creation of the consent to be tracked in retrospect.
• referer: URL on which the consent was given. Thus, in retrospect, the origin of the consent can be traced.
• pure_referer: URL on which the consent was given, but without query parameters, which does not belong to the definition of the page as defined in the permalink structure configured in the WordPress settings. This allows in retrospect the origin of consent to be tracked and aggregated to show on which subpage consents were granted.
• url_imprint: URL of the imprint linked in the cookie banner.
• url_privacy_policy: URL of the privacy policy that was linked in the cookie banner.
• dnt (deprecated): used before Real Cookie Banner version 2.0.0 to indicate that consent was given via the Do Not Track HTTP header (replaced by custom_bypass).
• custom_bypass: If consent was not given by hand, the technical mechanism through which consent is given. geo represents geo-restriction functionality and dnt represents minimal consent (refusal of all non-essential services) via the Do Not Track HTTP header. Additional technical mechanisms can be defined by the website operator using the Real Cookie Banner developer API.
• created: Date and time when consent was given and documented.
• forwarded: If consent was obtained via Consent Forwarding on a third party website, its website URL.
• forwarded_blocker: If consent was obtained via Consent Forwarding on a third party website and consent was obtained there via a content blocker, the unique identification number (ID) of the content blocker.
• user_country: If the “Geo Restrictions” feature is enabled, the country from which the website visitor most probably came is stored. This information was determined at the time of consent based on a comparison of the website visitor’s IP address with a locally stored copy of the MaxMind GeoIP2 database.
• recorder (from version 3.5.0): Sequence of the website visitor’s interactions with the cookie banner or content blocker (generally consent dialog) that led to consent. Clicks, scrolling, and resizing of the browser window are recorded. Interactions on other elements on the website are not recorded. Interactions, if they occur very quickly one after the other and are of the same type, can be combined into one interaction in the interest of data economy. The recording of the sequence of interactions is used to be able to track which information offers the website visitor has taken advantage of before giving consent.
• tcf_string: If consents are obtained for vendors, purposes, special Purposes, features, and special features according to the TCF v2.0 or newer standard, consents to these are formatted as TC String.

Where does Real Cookie Banner process (personal) data?

Real Cookie Banner is a consent management WordPress plugin. That means you install Real Cookie Banner completely in your WordPress website. The plugin creates database tables in your WordPress database during installation, where all settings, but also consents of your visitors are stored. In addition, the Real Cookie Banner extends the interfaces and routines of your WordPress so that, among other things, consent of your visitors can be stored.

Real Cookie Banner is installed and run on your webspace (so it does not run in a “cloud” of us). You configure the cookie banner according to your wishes and the individual requirements of your website. If the cookie banner is shown, this is done from your webspace (no data is ever downloaded from our servers by your visitors). The consents are collected, processed and documented on your webspace. With our solution, consents are never transferred to our servers, captured or processed there.

Furthermore, we as the manufacturer of Real Cookie Banner have no access to the settings or individual documented consents. Unless you explicitly and proactively give us access to your WordPress installation as part of a support request.

Do you need a data processing agreement for Real Cookie Banner?

Based on the type of data processing described in the preceding, we have the legal opinion not to be a data processor in the sense of Art. 28 GDPR, in terms of the operation of Real Cookie Banner on your website.

We have deliberately chosen this approach so that everything takes place on your server and therefore under your sovereignty so that we make the use of our software as uncomplicated as possible for you legally.

We therefore do not offer a data processing contract for the operation of Real Cookie Banner and do not consider a reference to data processing by devowl.io GmbH in your privacy policy necessary.

If you give us access to your WordPress in a support ticket so that we can help you solve a problem, the situation is different. In that case, we have access to all the data in your WordPress and need to process parts of it to be able to help you. In this case, we are a data processor in the sense of the GDPR and therefore ask you to agree to a data processing contract when opening the support ticket.

What cookies does Real Cookie Banner set?

Real Cookie Banner sets cookies and cookie-like information on your website visitor’s device. These are technically necessary to store your website visitor’s choices and to load services to which he has consented on the website.

Cookies for all visitors

The following cookies and cookie-like information are stored by Real Cookie Banner for all website visitors. * in the name of the cookie stands for a placeholder, which is explained in more detail for the respective cookie.

The visitors of your website are informed in the Real Cookie Banner service in the cookie banner that these cookies are set. In this way, you fulfill your obligation to inform according to Art. 13 GDPR. The cookies are set because of the fulfilment of a legal obligation (obtaining consent to set cookies and process personal data) according to Art. 6 (1) (c) GDPR.

real_cookie_banner-test

• Type: HTTP Cookie
• Host: Domain where your website is hosted
• Duration: 365 days (default)
• Purpose: The cookie is set to test whether HTTP cookies can be set. It will be deleted immediately after the test.

real_cookie_banner-*

• Type: HTTP Cookie
• Host: Domain where your website is hosted
• Duration: 365 days (default)
• Purpose: The cookie stores the UUID (Universally Unique Identifier) of the website visitor’s consent. The UUID is a server-side randomly generated pseudonymous unique identification number of the given consent. Consents of one website visitor are not connected to each other. In addition, a revsion hash is stored, which makes it possible to look up which settings (texts, colors, features, service groups, services, content blockers, etc.) were used to display the cookie banner at the time of consent. Furthermore, the cookie stores which services from which service groups the visitor consented to. Each service and each service group is represented by a unique identification number (ID).
• Placeholder: One cookie of this type is written and read per context of a WordPress website. There are the following contexts:
  • WordPress Blog: A WordPress installation can contain one or more (called WordPress Mulisite) WordPress websites (technically called “blog”). Each WordPress websites has a unique ID. Consequently, for the default WordPress single site installation, blog:1 is appended to the cookie name as context. If one is in a WordPress multisite, for example, in the WordPress website with ID 3, then blog:3 is appended as the context.
  • Website language: WordPress websites can be output in multiple languages using multilanguage plugins such as WPML, Polylang, TransatePress or Weglot. Per language, a separate consent is obtained by default in the cookie banner. For example, lang:en_US for English (United States) or lang:de_DE for German (Germany) is appended as context.
  • Version: Since version 3.0.2, Real Cookie Banner has introduced a versioning of the cookie name, so that existing customers do not lose previous consents when updating the plugin. A new version includes changes to the cookie name and/or cookie value. Example: v:2.
  • Path: Since Real Cookie Banner version 3.0.2 and cookie version > 2, the path of the WordPress installation and its host are also stored in the cookie name. This prevents cookies from interfering with each other within the same domain and subdomain and isolates them from each other (if you want to share a consent via a WordPress instance, please use the forwarding of a consent here). The value is also hashed with MD5 and only the first 7 characters are used. Example: path:23e11df.
  • Individual context: The website operator can extend Real Cookie Banner individually via its developer API. Thereby, further contexts can be programmatically defined.

real_cookie_banner-*-tcf

• Type: HTTP Cookie
• Host: Domain where your website is hosted
• Duration: 365 days (default)
• Purpose: If consents are collected under the Transparency & Consent Framework (TCF), the cookie stores consents given in TCF vendors, purposes, special purposes, features, and special features in the standardized TC String format.
• Placeholder: One cookie of this type is written and read per context of a WordPress website. The contexts are designed the same way as for the real_cookie_banner_* cookie.

real_cookie_banner-*-gcm

• Type: HTTP Cookie
• Host: Domain where your website is hosted
• Duration: 365 days (default)
• Purpose: If consents are collected under the Google Consent Mode, the cookie stores consents given in Google Consent Mode consent types (purposes) which are valid for all services loaded with a Google Consent Mode compatibility system.
• Placeholder: One cookie of this type is written and read per context of a WordPress website. The contexts are designed the same way as for the real_cookie_banner_* cookie.

Cookies for specific visitors

The following cookies and cookie-like information is stored by Real Cookie Banner for logged-in visitors who have at least the edit_posts permission in the WordPress permission system. * in the name of the cookie stands for a placeholder, which is explained in more detail with the respective cookie.

real_queue-test

• Type: Local Storage
• Host: Domain where your website is hosted
• Purpose: The cookie is set to check if entries can be set in Local Storage. It will be deleted immediately after the test.

real-queue-restore-jobs-*

• Type: Local Storage
• Host: Domain under which your website is operated
• Purpose: Real Cookie Banner brings a queuing system that allows it to process tasks in the browser. This is used, for example, for the service scanner feature. Jobs in a queue can be assigned to a browser to process. The cookie stores jobs that have already been assigned to the browser but have not yet been fully processed. Each job is thereby represented by a unique ID.
• Placeholder: One such cookie is set per website within a WordPress installation. The website is represented at by a MD5 hash of site URL and blog ID.

real-queue-lock-tab-*

• Type: Local Storage
• Host: Domain under which your website is operated
• Purpose: In the queuing system described earlier, each browser is supposed to process only one queue, and not one queue per open tab where the queue script is executed. Therefore, the tab that is currently processing the queue stores the current time as a UNIX timestamp every 3 seconds to indicate that it is still processing the queue. Other tabs read this information periodically to be able to take over the processing of the queue if necessary.
• Placeholder: One such cookie is set per website within a WordPress installation. The website is represented at by a MD5 hash of site URL and blog ID.