Setting Up GDPR & CCPA Cookie Consent Plugin – User Guide

The GDPR Cookie Law requires that the websites that serve the users in the European Union be transparent about all the personal data of the users that it collects. As well as, the California Consumer Privacy Act-CCPA is intended to enhance privacy rights and consumer protection for residents of California.

The non-necessary cookies on a website that are used for purposes like analytics, targeted advertising, recording user preferences, etc, collect users’ data. With the new GDPR law in effect since May 25th, 2018, it is required that the websites should take informed and explicit consent from the users for any cookies to be installed on the users’ browser.

The GDPR Cookie Consent plugin helps you to implement these regulations and comply with the Cookie Law easily. Let’s go through how you can set up the plugin to display a cookie message and use the cookies on the website only when the users have given their explicit consent.

In short, the GDPR&CCPA Cookie Consent plugin makes a website comply with the GDPR & CCPA law for the usage of cookies on a website. To name a few you can:

• add a cookie notice bar on the front end of the website to notify the users of the cookies being used, either restricted to EU or CA visitors or all.
• scan your website for cookies and add it to your cookie list.
• render or block the scripts of these cookies based on the user’s consent either via the automatic script blocker or by manually adding scripts.
• maintain an audit log of user consents
• consent withdrawal

The GDPR & CCPA Cookie Consent plugin when installed and activated on a WordPress website, adds a message bar on the website to inform the users that the website uses cookies and allows them to accept or reject(opt out) the use of cookies. It is only based on this consent that the cookies are installed on the user’s browser by the website.

GDPR regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The plugin gives the users granular control over the categories of cookies that they want to enable or disable on their browser. When the user has accepted the cookies, and only when accepted, the scripts of the cookies are rendered on the user’s browser. If they have rejected the use of the cookies on the website, the scripts will be blocked from loading on the browser and the cookies will not be functional.

Using the plugin you can also choose to show the cookie message bar to the users of the EU or CA only. This way you can assume implicit consent for the users of the non-EU countries.

To block or render any cookies on the website, the cookies and their scripts have to be added to the plugin. To add the cookies, the plugin can automatically scan the website and add the cookies being used. It also gives the provision to import the cookies into the plugin and manually add each of the cookies to the plugin.

GDPR Cookie Consent plugin also allows you to automatically block the scripts of the cookies installed by Google Analytics, Facebook Pixel, and Google Tag Manager. This makes it possible to block the scripts of these services that may be installed from any source including the GDPR Cookie Consent plugin.

The default style of the cookie message bar may not be everyone’s cup of tea. So using the GDPR Cookie Consent plugin you can customize the cookie bar and any of its components to look any way you want or to match with the theme of your website. You can also display the cookie notification as a popup on the screen that the users can not ignore. Using this plugin you can customize the color, text, or size of any of the components on the message bar very easily.

The GDPR law also requires that the users be informed of all the cookies being used on the website, the purpose of the cookies, and the data they collect. Using this plugin you can easily display all the cookies that have been added to the plugin anywhere on the website using a simple shortcode.

FYI – the Cookie Law Info cookie is a persistent cookie called “viewed_cookie_policy” and is set for 365 days. It is used to remember whether the visitor has “accepted” your cookie policy (i.e. chosen to close the header). If set, it contains the word “yes”. Clearly, it doesn’t track anybody’s personal data.

The right to opt out in the California Consumer Privacy Act-CCPA gives consumers the ability to direct a business not to sell their personal information to a third party. If the user considers to not sell their personal information, all the scripts related to the categories which are configured to sell personal information will be blocked. Using the plugin you can also restrict to show the notice for visitors from California only.

Now let’s see in detail how to get started with the GDPR & CCPA Cookie Consent plugin.

After purchasing the GDPR Cookie Consent by WebToffee, the plugin will be available as a zip file in the API Downloads section of your MY ACCOUNT page.

1. Download the zip file from API Downloads by logging into your WebToffee MY ACCOUNTS page.
2. Log in as the WordPress Admin of your website.
3. Navigate to Plugins > Add New to upload the downloaded plugin.
4. Choose the plugin file to upload.
5. Finally, activate the plugin.

Note:

• Please uninstall the basic version (in case you have it installed) prior to installing the premium version to avoid any conflicts.
• The plugin requires a minimum of WordPress v4.5 or above.

After you have installed and activated the GDPR Cookie Consent plugin on your website, you need to activate the license of the plugin so that you will be notified of the plugin updates. To do so, from the WordPress admin dashboard, go to GDPR Cookie Consent > Cookie Law Settings > License.

The page looks as in the screenshot below:

Enter the license key and the license email that you will get from the My Account page in WebToffee and click activate.

Once the license has been activated, you can begin setting up the plugin

After you have activated and installed the GDPR Cookie Consent plugin on your WordPress website, on your dashboard, you will see a menu for the GDPR Cookie Consent plugin.

And on the user end of the website, you will be able to see a cookie message bar at the bottom end of the screen.

The setting up of the plugin can be described in two parts.

1. Cookie law selection and customisations.
2. Identifying the cookies used on the website and the scripts of the non-necessary cookies and add them to the plugin.

You can explicitly enable the required law and customise the appearance of the cookie notice bar to match with the theme of your website from the Cookie Law Settings page as shown below.

The different tabs of the Cookie Law Settings page allow you to customize the different parts of the cookie notification bar. Let’s go through each of these tabs of the settings page in detail.

General Settings

The General tab is further divided into three sections: General and Other.

General

You can select the type of law and manage its country restrictions from the general window

The general settings consists of the following options:

• Enable Cookie law: You can enable or disable the cookie law on your website. The cookie bar will not be shown on the front-end of the website if this option is turned off, and the cookies will be installed without any consent from the user.
• Select the type of law: You can either choose GDPR, CCPA or both based on your site requirement.
• GDPR Settings: GDPR regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  • Show only for EU Countries enables you to show the cookie notice only to the visitors from the European countries.
• CCPA Settings: The right to opt out in the California Consumer Privacy Act gives consumers the ability to direct a business not to sell their personal information to a third party. If the user considers to not sell their personal information, all the scripts related to the categories which are configured to sell personal information will be blocked. The DO NOT SELL option is facilitated via a shortcode  [wt_cl i_cc pa.optout]
  • Enable CCPA: Check the option to enable CCPA for your site.
  • Restrict CCPA only to California: When enabled this regulation will be applicable only to visits from California; applicable to all visitors when disabled.
  • Enable CCPA notice: Enabling the notice will display the banner with the relevant text as per your configuration. Use this option particularly to record prior consent from the website visitors.
• More options
  • Enable the Auto-hide cookie bar after delay option and configure time if you want to assume the user acceptance if he/she lingers in the web page for the specified amount of time.
  • Enable the Auto-hide cookie bar (Accept on scroll) option if you want to assume the user acceptance if he/she scrolls the web page. 

Other

The screenshot of the Other section is as shown below.

The fields in this section are explained below.

• Enable Consent Logging: If this field is set to yes, the consent of each visitors will be recorded in the database and displayed on the Consent Report page.
• Reload after “scroll accept” event: Choose yes to reload the page automatically when the cookies are accepted on page scroll.
• Reload after Accept button click: Choose yes to reload the webpage automatically when the user clicks on the accept button.
• Reload after Reject button click: Choose yes to reload the webpage automatically when the user clicks on the Reject button.

Customize Cookie Bar 

Additional cookie message customization features are incorporated in the Customise Cookie Bar tab.

Following are the fields in this tab:

• Enter an appropriate message title for the cookie bar in the field provided. Leave it blank if you don’t need one.
• Content for the cookie bar can be entered in the Message text area. It supports basic HTML  tags and other shortcodes for Accept button, Reject button, etc as described within the plugin.
• You also have a provision to control the colour of the Cookie Bar and/or the message font. By default, the plugin will take the active theme font.
• Cookie Bar can be set as a Banner, Pop up or as a widget.
  • With the banner option, you get to choose if you want to place the banner in the header or footer. Here, I have placed the banner in the footer.
  • If the popup is chosen, then the cookie notification will be shown as a popup instead of a notification bar. You can set an overlay along with the popup, which will block the user from browsing the website unless consent is obtained. 

As for the widget, you can position it to the left or right of the website.

On load option allows you to either animate the notification or make it sticky while loading the website.

On hide option allows you to either animate the way the notification disappears or to disappear without any visual effect.

Revisit Consent

Below is the screenshot of the Revisit Consent section and its fields explained.

• By enabling the revisit consent, a small privacy widget is automatically displayed at the footer of your website.
  This can be done via a widget and/or a shortcode. You can also manually insert a link to manage consent by adding the shortcode  Privacy & Cookies Policy to your website.
• The Tab Position can be set to either left or right
• Use the From left margin to position the show again tab. Enter a value in either pixel or percentage to specify the distance from the respective margin, to place the dialog accordingly.
• The Title field allows you to customize the text on the widget. For instance, you can key in ‘Privacy and Cookie Policy’ as a title or whatever you may like.

Customize Buttons 

The look and feel of the Accept, Reject, Settings buttons and Read More Link cab be customized in the Customize Button tab.

The tab has four different sections for customizing Accept, Reject, Settings buttons and Read More Link that can be added to the cookie bar.

• Enable accept all feature?: This will enable all cookie categories on clicking the accept button, no matter whether they are in the enabled or disabled state. Please note that you will not be able to extend the cookie consent bar with cookie settings once this option is enabled.
• The Accept, Accept All, Reject and Settings Button section consists of the following fields as shown below:
  • The Text field lets you add the button text.
  • Text Color lets you choose the text color.
  • Show as field lets you choose whether the shortcode should appear as a button or as links. In the case of a button, the background colour can be changed.
  • You have the option to set an action against the button/link. The close header option simply closes the cookie bar upon a user action whereas the Open URL option opens the specified URL in a new or existing window as the case may be.
  • Select the desired size for the button from the drop-down as either Extra large, Large, Medium, or Small.
• The Read More Link can be used to provide a link to your Privacy & Cookie Policy page to describe your sites cookie policy/usage in detail.
  

• The additional fields for the Read More Link apart from the common options are the following:
  • You can either key in a URL of the page where you want your visitors to be directed to or select a page from the list of available pages on the website (My Account, Checkout, Cart).
  • Choose yes if you want to open your Privacy & Cookie Policy page to be opened in a new window.

Themes

There are two main panels within the Themes: a Cookie bar-Design editor and a Cookie message-Text editor.

• The Cookie bar-Design editor window will display the cookie bar that is currently active in the website. Each of the elements within the design editor panel like the cookie text, buttons, etc can be customized via a control panel by clicking on the individual elements respectively. You can customize the font size, colour, weight, border or even include a custom CSS from the control panel.

• The Cookie message-Text editor can be used to edit the content of the cookie bar displayed in the design editor.

You can save and publish the changes when you are done or look for other templates by clicking on the Change template or even Cancel to revert to your previously active template.

Alternatively, you may use the Change template button to adopt a cookie bar from some of our default templates under the Banner or Pop up or Widget formats in the following manner.

Just select any template from the list and click on the Live preview button to experience it against your website. If you like what you see click on Customize to get it onto your design editor. Besides if you need to customize further you may make the necessary changes from the design editor.

Once the styling is done click on Save and Publish button.

Advanced 

The settings come with an Advanced tab with the following options:

• Reset all values: The Delete settings and reset button will restore the plugin to its default state overriding all your settings.
• Override caching: Enable this option only if you are experiencing issues with loading cached versions especially if you are using a server-side caching or any caching plugins that may not be compatible with our plugin. When enabled, the GDPR plugin overrides the cached webpages to show the webpage with respective user consent.
• Cookie scanner URL per request is used to Reduce or control the number of URLs scanned per request depending on the server limitation. For example, if you see an error “Unable to connect..retrying ” during a scan try reducing this number to ‘2’.

Once done, click on the Update Settings button.

The Help Guide Tab

The Help guide tab consists of two sections Shortcodes and Help links.

Shortcodes

The shortcode section lists all the shortcodes that are used in the plugin. These shortcodes can be used anywhere on the website, pages, and posts, not just the cookie bar. To add the shortcodes inside a template file, you can use the ‘do_shortcode’ function.

To know more about the shortcodes used in the plugin, read this article.

Help Link

This section gives you links to resources related to the GDPR Cookie Consent plugin. The screen looks as below:

Cookie Law Settings-Help Links

In the setting up of the plugin, you need to add the cookies being used by the website into the plugin. For this, you will need to identify the cookies being used by the website and recognize from them which of these cookies are necessary cookies, the ones that are essential for the website to function in the proper way, and the which of these cookies are non-necessary, the ones that are used for analytical and advertisement purposes.

So before adding the cookies into the plugin, you need to identify the cookies being used on the website. You can refer to this article on how to Identify the cookies your website installs on a browser.

For necessary cookies, the users’ consent need not be taken but the users should be informed of such cookies being used on the website. The non-necessary cookies are the ones to look out for. You need to add the scripts that install the non-necessary cookies to the plugin for the plugin to block them until the user’s consent.

Using the GDPR plugin, the cookies need to be added to the plugin. To do that, navigate to GDPR Cookie Consent > Cookie List. This will take you to the Cookie List page as shown below:

The GDPR Cookie Consent plugin comes with multiple ways with which you can add the cookies to the plugin. They are listed below.

1 – Scan and Import

The plugin lets you automatically scan the cookies and add them to the plugin. From GDPR Cookie Consent > Cookie scanner, Click on the Scan Now button.

Clicking on the Connect and Scan button, the plugin will start scanning all the URLs of the website.

After the scan is complete, you have the option to view the scan result, add the scanned cookies to the cookie list, download the cookies into a CSV file, and perform the scan again.

You can view all the cookies that have been scanned and the URLs that they have been scanned from the Scan result by clicking on the View scan result button. The result will look as shown below:

When you choose to add the scanned cookies to the cookie list, you are presented with three options as shown in the screenshot below:

In the first option, you can replace all the existing cookies in the list and add the newly scanned cookies. With the second option, the plugin performs a check whether the scanned cookies are already present in the list and skip those cookies that exist. This is the recommended method to add cookies. In the third method, you can append the newly scanned cookies with the existing cookies in the list. This is not recommended since it could result in duplicate entries in the cookie list.

After you select an option, click on the Start Import button.

All the scanned cookies and its related data will be added to the cookie list. The data added to the cookie list are the cookie ID, cookie-type, cookie category, and the duration of the cookies.

By default, the values in the cookie type field thus added will be persistent, all the cookies will be assigned to the non-necessary category or necessary category which are the two predefined categories of the plugin, and the value in the cookie-sensitivity field will non-necessary.

All these, of course, can be edited from the Edit Cookie Type page by clicking on the cookie name.

2 – Import Using a CSV

You can import the cookies into the plugin using a CSV file. You find the option to import cookies under GDPR Cookie Consent > Cookie List. Prepare a CSV in the required format, click on the Import from CSV button.

This will take you to the Import from a  file page.

From this page, upload the CSV to the plugin and import. All the cookies and their details can be seen on the Cookie List page after the import.

Click here to download the sample CSV.

The plugin also has an export feature that helps to export the cookies and its related details to a CSV file. To do that, click on the Download as CSV button from the Cookie List page.

This becomes very useful if there are websites using GDPR plugin that uses similar cookies or if you want to migrate the cookies you set up in the plugin from the development site to the production site. All you need to do is export the cookies of one website into a CSV file and then import them to the other.

3 – Add Cookies Manually

To add the cookies manually, click on the Add New button under GDPR Cookie Consent > Cookie List. Add the cookies and the cookie details from the Add New Cookie Type page. The following is a screenshot of the Add New Cookie Type page.

The following are the fields in the Add New Cookie Type page.

• Cookie Title – Add the title of the cookie. This field is for audit purposes, so this field allows you to add the name of the cookie in a user-friendly manner.
• Cookie description – This allows you to add the description of the plugin so that you can explain what the purpose of the cookie is, what it does, what data it collects, etc.
• Cookie Category – Add the category that the cookies belong to.
• Cookie Type – This is to indicate the type of the cookie. The types include persistent, session, or third-party. Persistent cookies are those that generally persists even after the browser is closed. Session cookies are those cookies that will expire when the session is over. Third-party cookies are the cookies that are installed by third-party services being used on the website.
• Cookie Duration – This is the time duration the cookies will be active on the browser. The easiest way to find out the duration of a cookie is from the developer console of the browser.
• Cookie Sensitivity – Cookies are either necessary or non-necessary. The necessary cookies are those cookies that, as the name indicates, are absolutely necessary for the website to function in its intended way. The users do not have the control to disable this category of the cookies. The non-necessary cookies are those cookies whose scripts need to be added in the plugin and that the users can enable/disable.
• Head Scripts/Body Scripts – This is where the scripts related to the cookies are to be added. If the scripts are added in the Head Scripts field, the scripts, on user consent, will be rendered in the head of the website and the scripts will be rendered in the body if added in the Body scripts area.

The screenshot below shows an example of adding Google Analytics cookies to the Cookie list from the Add New Cookie Type page:

After all the details have been added as above, click on the update button and the cookie will be added to the Cookie List.

Adding the Cookie Category

The GDPR Cookie Consent gives the users granular control over the cookies that they want to allow. They can turn the cookies on/off in their browser depending on their category.

For this, the plugin gives you two predefined categories named Necessary and Non-necessary. You can add the necessary cookies of your website to the Necessary category. The users will not be able to disable the cookies that are categorized as Necessary. So the cookies that are essential for the functioning of the website should be added to this category.

For the rest of the non-necessary cookies used by the website, you can either add them to the Non-necessary category or you can create categories of your own. This allows you to create cookie categories like Analytics, Statistics, Advertisement, etc. based on the nature of the cookies.

To create a new category for the cookies, go to GDPR Cookie Consent > Cookie Category. This will take you to the Cookie Category page where you can add the name of the category, slug, description of the category, and give the priority to determine the order in which the categories will appear on the front end. 

If you enable Load on Start option, scripts under the created category will be rendered without waiting for user consent on the first page visit. This option is discreetly used only if you are sure that no user sensitive data is being obtained via the specified scripts.

If you enable the Category default state option, the category toggle button will be in the active state for cookie consent.

If you enable Sell Personal Information option, scripts under this category will be considered as personal data collecting scripts and will be blocked if opted out from CCPA.

The categories thus added will be visible on the user-end on a pop-up when the user clicks on the Settings button on the cookie bar. When clicked on each category, the users will be shown the description of the category as added by the admin. The user can then choose to enable or disable the cookies of each category from the popup.

Note: The categories, either predefined or user-defined, are only visible on the popup when there are cookies added into that category.

Policy Generator

You can easily create and generate the cookie policy from the Policy generator module. Policy generator will help you in creating a separate page for cookie policy which will list out various details like:

• About the cookie policy
• What are cookies?
• How do we use cookies?
• What types of cookies do we use?
• How can I control the cookie preferences?

You can even add additional details from the Add New button. You will get a live preview of the cookie policy from here. Subsequently, a new cookie policy page can be created or an existing page can be updated.

On creating a new policy page it can be published for it to be made available in your store.

Blocking Cookies Automatically – The Script Blocker

Using the GDPR Cookie Consent plugin you can automatically block the scripts of the cookies being rendered on the website.

The script blocker lists out services/plugins currently supported for auto-blocking. Enabled services/plugins will be blocked by default on the front-end of your website prior to obtaining user consent and rendered respectively based on consent. 

It is further categorized into script and plugin sections.

The third-party services that are currently being auto blocked are the following: 

• Google Analytics
• Facebook Pixel
• Google Tag Manager
• Hotjar Analytics
• Google Publisher Tag
• Youtube Embed
• Vimeo Embed
• Google Maps
• AddThis Widget
• ShareThis widget
• Twitter Widget
• SoundCloud Embed
• SlideShare Embed
• LinkedIn Widget
• Instagram Embed
• Pinterest Widget
• Google Adsense
• Hubspot Analytics
• Matomo Analytics

To automatically block the scripts of the cookies installed by these services using the GDPR Cookie Consent plugin, go to GDPR Cookie Consent > Script Blocker > Scripts tab. This will take you to the Manage Script Blocking page as shown in the screenshot below.

To block the scripts automatically from rendering on the website, enable the toggle button for the selected scripts. This will block the scripts from any sources rendering on the website unless the user consents. If the toggle buttons are in the disabled state, the scripts from other sources other the GDPR plugin will not be automatically blocked.

To autoblock scripts of plugins, move on to the Plugins section. It will allow you to manage automatic script blocking for your website. The following three plugins are currently supported for auto-blocking.

• Official Facebook Pixel
• Smash Balloon Instagram Feed
• Smash Balloon Twitter Feed

Plugins marked inactive are either not installed or activated on your website. Enabled plugins will be blocked by default on the front-end of your website prior to obtaining user consent and rendered respectively based on consent.

If you wish to disable automatic script blocking for any of these plugins, you can do so by simply toggling the button against the respective plugin.

For more information on automatic script blocking read: How to Automatically Block Cookies Using the GDPR Cookie Consent Plugin.

Logging the Users Consent

You can keep a record of the users who have given their consent using the GDPR Cookie Consent plugin. To log the consent given by the users, make sure that you have enabled the Enable Consent Logging field under GDPR Cookie Consent > Cookie Law Settings > General > Other. When the consent is being logged, the IP addresses of the users that have given their consent and the cookie categories that they have given consent to will be recorded in the Consent Report page, along with the date and time of the visit and the user ID if the user has logged in.

It is completely up to the admin to decide whether he wants to keep a record of the consent. However, when the consent logging is enabled, the users should be notified that their IP address will be collected for the consent logging purposes.

All this data in the consent report can be exported to a CSV file by clicking on the Export Report button on the Consent Report page.

Show the Cookie Bar Only for the EU Countries

You can make the cookie message bar to be visible only for the visitors from the European Union. Using this feature, the consent for using the cookies on the website will only be taken from the visitors of the European Union.

To set the cookie notification only for the EU visitors, go to the Cookie Law Settings page under GDPR Cookie Consent. Click on ‘yes’ for Show only for EU Countries ( GeoIP ) field and update the settings.

The GeoIP feature can be extended to more countries using the code snippet in this article.

To know more about the GDPR Cookie Consent plugin, visit the plugin product page.