In this article, let us see how we can achieve GDPR Compliance with the WordPress GDPR Cookie Consent plugin. Concisely, the GDPR Cookie Consent plugin is capable of the following:
- add a cookie notice bar on the front end of the website to notify the users of the cookies being used, either restricted to EU visitors or all.
- scan your website for cookies and add them to your cookie list.
- render or block the scripts of these cookies based on the user’s consent either via the automatic script blocker or by manually adding scripts.
- maintain an audit log of user consents
- consent withdrawal
Install and activate the plugin by uploading the zip file. When done, you will be able to see the notification bar on the bottom of the screen with the default style and text. This can be customized further to achieve the look and feel you desire.
Refer to Customize Cookie Notice bar from pre-defined templates to learn more about custom cookie templates.
Subsequently, you will be able to see the menu for GDPR Cookie Consent from the WordPress dashboard.
We will now take you through the steps within the plugin that will make you GDPR compliant.
Step 1: Identify and record your website cookies
To make your website compliant with the cookie law, you need to know which cookies your website actually uses. Ideally, the developer should be aware of which services are enabled on the website and what user information is extracted as a result.
Note: If you just want to know what cookies your website uses, this tool will help you scan and display the cookies used in the URL entered.
However, the following sections of the plugin will assist you with identifying and recording the cookies to the best extent possible.
- Cookie Scanner
- Cookie Category
- Cookie List
So, let’s head to the Cookie Scanner. The plugin lets you automatically scan the cookies and add them to the plugin. Click on the Scan now button to start scanning your website.
It may take some time depending on the number of URLs that the website has or has been custom filtered. The cookies thus identified can be added to your existing website cookie list or downloaded as a CSV.
In this window, you can also view the history of previous scans. Each row represents a scan with its details and the options to rename, view details (i.e., a list of all your website cookies and the URLs that have been scanned), rescan or delete.
Refer to Guide to use Cookie Scanner for a detailed overview of the Cookie Scanner.
The main purpose of the Cookie Category section is to create categories into which cookies of similar function can be grouped. Categorizing cookies also gives the visitors granular control over which categories of cookies they want to render on their website. For example, they might be okay with the cookies that are used for website analytics but do not want any cookies that are used for advertisement purposes.
The plugin comes with two pre-defined cookie categories by default: necessary and non-necessary. The cookies listed under the necessary category are treated as essential for the website to function, so the visitor cannot turn them off. The cookies listed under non-necessary categories can be switched on or off. The visitor can turn off one or more categories (which in turn blocks the corresponding scripts) and register their consent accordingly. As a result, only the scripts/cookies corresponding to the categories enabled by the visitor are rendered on the website, and the rest are blocked.
Now, there are a couple of ways to update the Cookie Categories/Lists.
- Add them manually
- Or via the list exported through the Cookie Scanner (briefed above)
Manual: To create a custom category, add the name and the details of the category under the Add New section. For example, to add all of the Hotjar cookies to a category named “Analytics”, create a new category under the name field, fill in the rest of the fields, and then click Add New Tag. A category must have at least one cookie assigned to it before it appears in the cookie banner on the website under the Settings option.
The visitor can now see the Analytics option and enable or disable it to register their consent.
Via Scanner: The scanner updates the cookie description and category for the identified cookies, along with a host of other information. By default, the scanner treats all third-party cookies as non-necessary but classifies them under Analytical/Marketing/Functional/Performance. Depending on the purpose or nature of the associated scripts, you may have to reassign the categories for these cookies.
For example, the GA scripts/cookies are classified as Analytical (Non-necessary). However, site owners may prefer to set this up as a primary functionality depending on the nature of their business. If so, you will have to remap the category accordingly against the respective cookies from the Cookie List (or in the exported list prior to import).
The cookies can be added to the Cookie list in one or more ways:
- Added directly from the Cookie Scanner upon a successful scan
- Export the results from the scanner, edit (if necessary) and import using Import from CSV option from the Cookie List.
- Manually enter the cookie details into the Cookie List using the Add New option.
- Manually create a CSV file and import from the Cookie List using Import from CSV option.
Editing a cookie category:
Here, the plugin has automatically assigned the category “non-necessary” to the cookie as it recognizes the cookie to be one. From here, we can remove this category and type in the category that we want this cookie to be in.
Adding a cookie manually:
- to add cookies not identified by the scanner (mostly cookies that reside in external domains injected via iframes or the like, e.g. .hotjar.com)
- if your website relies on scripts from third-party plugins/themes not identified in our automatic script blocker, you can add a cookie and the script to be blocked manually.
From the Cookie List menu, click on Add New. This will open up the Add New Cookie Type page.
- type in the name of the cookie
- key in the description of the cookie
- specify the category the cookie belongs to
- enter the Cookie ID and the duration of the cookie
- and then enter the cookie sensitivity – which indicates whether the cookie is necessary or non-necessary
- key in the “Head scripts” and the “Body scripts”: add the scripts of these cookies manually. You can use either or both of the fields, depending on where you want the scripts to be rendered when the users give their consent. Remember to remove these scripts from any other place in your website, so that they are placed only via the plugin.
Step 2: About Script Blocking – Automatic vs Manual
The Script Blocker lists the third-party services that the plugin is capable of identifying and blocking automatically. By default, the scripts corresponding to all the listed service cookies are set to be blocked automatically. So, you only need to ensure that the toggle buttons corresponding to the services that you are actually using are enabled, so that they get blocked automatically prior to obtaining consent. You must, however, assign a category to each such service so that visitors are presented with an enable/disable option to record their consent.
For example, let’s say your website uses Hotjar Analytics to track how the user uses your website. To ensure that the Hotjar cookies are not installed unless the users have given explicit consent, make sure that the toggle button corresponding to Hotjar is enabled.
Alternatively, you can also choose to add the scripts (in the head/body section) via the Cookie List, especially scripts corresponding to services not listed under the Script Blocker.
To know more on Script Blocker, refer to How to automatically block cookies using a script blocker.
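One way to check the result of Step 2, and of the advice to remove scripts from any other place in the website, is to inspect the page source served to a visitor before consent. The following Python check is an added example, not the plugin's own code; it assumes a blocked script is emitted with a non-executable type such as text/plain, and the host example.com, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Common types a browser executes; any other value (e.g. text/plain) leaves the tag inert.
EXECUTABLE = {"", "text/javascript", "application/javascript", "module"}

class PreConsentAudit(HTMLParser):
    """Flag scripts for consent-gated services that would run before consent."""
    def __init__(self, site_host, gated_domains):
        super().__init__()
        self.site_host, self.gated = site_host, gated_domains
        self.findings = []      # (kind, detail) tuples, in document order
        self._inline = None     # text buffer while inside an executable inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or (a.get("type") or "").strip().lower() not in EXECUTABLE:
            return              # not a script, or blocked: the browser will not run it
        if a.get("src"):
            host = urlparse(a["src"]).hostname or self.site_host
            if any(host == d or host.endswith("." + d) for d in self.gated):
                self.findings.append(("external", host))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self.findings += [("inline", d) for d in self.gated if d in body]
            self._inline = None

def audit_preconsent(html, site_host, gated_domains):
    audit = PreConsentAudit(site_host, gated_domains)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample: page source as served to a visitor who has not consented yet.
SAMPLE = """<html><head><script src="/wp-includes/js/jquery.js"></script>
<script type="text/plain" src="https://static.hotjar.com/c/hotjar.js"></script>
<script>var s=document.createElement('script');s.src='https://static.hotjar.com/x.js';</script>
</head><body><script async src="//www.googletagmanager.com/gtag/js"></script></body></html>"""

if __name__ == "__main__":
    print(audit_preconsent(SAMPLE, "example.com", ["hotjar.com", "googletagmanager.com"]))
```

On the sample, the blocked Hotjar tag is ignored, while the leftover inline Hotjar loader and the Google tag are reported as running before consent. Scripts injected at runtime by first-party files do not appear in the static source and need a browser-based check.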
Step 3: Audit log of user consents
The GDPR Cookie Consent plugin also maintains an audit log of the user consents per cookie category. This record can be used as proof of the consents that have been obtained on the website. To use it, enable the consent log from the Cookie Law settings – General tab: go to the “other” section and check “yes” for the “Enable consent logging” field.
After consent logging is enabled, you will be able to see the user consents on the Consent Report page with details like:
- IP address
- Visited date
- Cookie details
- User ID – if the user is logged in
Step 4: Consent withdrawal
The plugin also comes with a consent withdrawal/change consent option. This can be done by enabling the consent log from the Cookie Law settings – Show again tab. This ensures that the minimized cookie tab is retained throughout the pages so that the user can edit their consent at a later point, thus complying with the GDPR norms.
Step 5: Cookie notice bar
The cookie message bar can be completely customized to match the look and feel of your website using pre-made templates or by including custom CSS via the editor. You can also choose from the various styles available to show the cookie message as a banner, widget or pop-up from the Cookie Law settings > Themes tab.
We have various shortcodes that can be used to add content to pages and posts on your website with little effort. To name a few you can:
- add nicely formatted buttons and/or links into the cookie bar, without you having to add any HTML
- print out a nice table of cookies by category
- delete cookies
- add content only if the consent has been obtained for the specified category.
Step 6: Restrict cookie declaration for EU users
The plugin comes with an option to show the cookie message bar to users in the EU only. This way you can assume implicit consent for users from non-EU countries. This ensures that consent for using the cookies on the website will only be taken from visitors from the European Union. However, this GeoIP feature can be extended to more countries using a custom code snippet, which can be found in our code snippet section.
To set the cookie notification only for the EU visitors, enable the Show only for EU Countries (GeoIP) from the Cookie Law settings – General tab.
A detailed setup guide for the GDPR cookie consent plugin can be found here.