The web was created to deliver documents to browsers. At first, there was no mechanism for maintaining state to keep track of information between requests. Without state, WooCommerce shopping carts, the WordPress admin interface, and other interactive web experiences couldn’t work.
The cookie was introduced so that the web could remember, but a web that can remember what is in your shopping cart can also remember who you are. Cookies are used by site owners to track us on their site and by advertising companies to track us across hundreds of sites.
With enough information, cookies — small files containing a unique code — can identify individuals and keep track of them as they move around the web. Because cookies are a form of personally identifiable information, they fall under the scope of the GDPR.
In this article, I’m going to focus on cookies, which are a specific technique for maintaining state and identifying users. It’s important to note that the GDPR applies to all technologies that play the same role, not just cookies. You can’t get around the GDPR by using the Web Cache API to store identifying information, for example.
The Old Cookie Regime
The GDPR is not the first EU regulation to deal with cookies. We have all seen the cookie warning banners that say something like: “By using this site you consent for cookies to be used”. By continuing to use the site, the visitor gave implicit consent to its cookies. The GDPR is much stricter and implied consent is no longer sufficient, as we’ll discuss.
Essential vs. Non-Essential Cookies
The GDPR doesn’t care about cookies per se. It cares about data that can be used to personally identify individuals. Some cookies aren’t used to identify shoppers: the session cookies used for shopping carts, for example. These “essential” cookies do not need consent.
Consent
Consent is another word for permission. Under the GDPR, implied consent is not sufficient. Consent has to be active, unambiguous, specific, and modifiable.
For WordPress site owners, that means:
- Visitors must actively opt in. Sites that automatically tick opt-in boxes or ask users to opt out are not compliant.
- Visitors must be able to opt in to or out of each cookie that you plan to store on their computer. For some sites that might be hundreds of cookies. In the first instance, it is acceptable to group cookies by category so that users can opt out of “social media cookies” or “analytics cookies,” but they must also be able to opt in and out for individual cookies.
- Consent must be modifiable. That means it should be easy for users to change their mind about consent.
Additionally, consent can’t be used as a condition for showing content. The GDPR specifically forbids denying access to content if consent is not given.
Cookies And WordPress
There are a number of plugins to help WordPress site owners manage cookie permissions, including:
These plugins — with a little coding in some cases — can display a consent banner and block the loading of cookies and scripts until after consent has been given.
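The script-blocking part of that job can also be done in a theme or a small plugin of your own. The snippet below is an added example, not code from the article or from any plugin it names; the consent cookie name `example_cookie_consent`, its `category:1;category:0` format (written by whatever banner you use) and the script handles and URLs are assumptions.

```php
<?php
/*
 * Added example: only enqueue non-essential third-party scripts for consent
 * categories the visitor has actively opted in to. Cookie name, cookie format
 * and script URLs are assumptions for illustration, not from a real plugin.
 */

// Assumed cookie format written by the banner: "analytics:1;social:0".
// A missing or malformed cookie means no consent, so the default is opt-in.
function example_consented_categories() {
    if ( empty( $_COOKIE['example_cookie_consent'] ) ) {
        return array();
    }
    $granted = array();
    $raw     = wp_unslash( $_COOKIE['example_cookie_consent'] );
    foreach ( explode( ';', $raw ) as $pair ) {
        $parts = explode( ':', $pair, 2 );
        // Accept only a known-shaped category name with an explicit "1".
        if ( 2 === count( $parts ) && '1' === $parts[1] && preg_match( '/^[a-z]+$/', $parts[0] ) ) {
            $granted[] = $parts[0];
        }
    }
    return $granted;
}

function example_enqueue_consented_scripts() {
    // Non-essential scripts, keyed by the consent category each one needs.
    $scripts = array(
        'analytics' => array( 'example-analytics', 'https://analytics.example/tag.js' ),
        'social'    => array( 'example-social',    'https://social.example/embed.js' ),
    );
    $granted = example_consented_categories();
    foreach ( $scripts as $category => $script ) {
        if ( in_array( $category, $granted, true ) ) {
            wp_enqueue_script( $script[0], $script[1], array(), null, true );
        }
        // Not granted: the script, and any cookies it would set, never loads.
    }
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_consented_scripts' );
```

Because the decision is re-read from the cookie on every page load, a visitor who later withdraws consent through the banner stops receiving the scripts on their next request, which is what the modifiable-consent requirement needs.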
Getting consent to use cookies is straightforward enough, but it can be a real headache to identify exactly which cookies a site is serving. Many sites include tracking scripts and embeds, which use their own cookies and may include more scripts which use still more cookies, and so on.
Cookiebot is a cloud service with a WordPress plugin that can scan websites to identify the cookies they serve and create a cookie listing that can be used to obtain consent.