This weekend, I spent a lot of time going down the rabbit-hole of investigating the best solution for managing cookies on a self-hosted WordPress website. Actually, I should have done this a long time ago, since this is one of the requirements to be compliant with GDPR – but since I don’t currently have any clients that target European countries, I’ve pretty much just gotten by on a simple cookie notification and a prayer. But the California Consumer Privacy Act (CCPA) taking effect as of January 1st, 2020 is bringing these privacy considerations a lot closer to home. I took care of my legal policies a long time ago, but figured now was the time to get my cookies in order.
The solution that I decided on is the GDPR Cookie Consent Plugin by Web Toffee. There are a lot of “cookie popup” plugins available, but this is one of the few plugins that actually gives you the capabilities required to be compliant. This plugin can be found for free in the WordPress repository. In this article, we will go over how to configure it so your cookies will be compliant.
Start out by installing the plugin – you can find it by searching for “cookie consent” under your add new plugins dashboard. It looks like this –
Then, once you activate it, go to the “Cookie Law Settings” menu. Most of the default settings on this page are fine, but I do like to change a setting under “Show Again Tab” to not use the show again tab. If you leave this setting on, your users will get a small (but annoying) persistent popup at the bottom of the screen that allows them to go back to the cookie consent banner.
Once you have these basic settings in place, we need to list out all the cookies that are in use on your website. This is the most onerous part of the process, because you will have to enter these cookies one by one. Although that part is a bit of a pain, luckily there is an awesome free website that gives us all the data that we need to input. Open another browser tab, and go to https://www.cookieserve.com/. Input your URL into the handy search box, then hit the “Find Cookies” button to see what cookies are lurking on your site. You’ll get a list like this one –
With this info, we can just enter all of our cookie data into our plugin. I’ve highlighted the most important areas to fill in below – I put the cookie name for both the title and the id. Also – for cookie sensitivity, you want to put either necessary or non-necessary. If you are using the paid version of the plugin, you can get more granular as it gives the user the ability to just disable certain classes of cookies. If you need that capability, definitely look into the paid version of the plugin. For most of the sites that I deal with, the free version is sufficient.
For the sites I deal with, these non-necessary scripts are mostly marketing and analytics related, and they were all injected into the page <HEAD> section either manually or via a plugin. So, in order to give the user the ability to disable these scripts, we will need to remove whatever mechanism is currently injecting them into the <HEAD> section of the website, and instead let the Cookie Consent plugin take over this function.
I’ve previously used a plugin called “Insert Headers and Footers” as an easy way to insert these scripts. So, I was able to easily copy the tags from that plugin, and move them to the Cookie Consent plugin, then delete the Insert Headers and Footers plugin since it was no longer needed.
Once you’ve copied the code you need, go to the “Non-necessary cookie” settings for the Cookie Consent plugin, and paste that code into the box labeled “This script will be added to the page HEAD section if the above settings is enabled and user has give consent.” Now, these scripts will only be run if the user authorizes it.
Keep in mind, you may have these scripts run by other plugins on your site, so you’ll need to account for those as well. For example, I let my SEO plugin (All In One SEO) handle the Google Analytics piece instead of manually inputting the code for GA into the Headers and Footers plugin. I had to disable that functionality in my SEO plugin, and instead insert the GA tag code in with the other scripts on the non-necessary cookie page.
The steps above should give you a basic idea of what needs to be done in order to be compliant, but be sure you thoroughly audit your site to see what scripts/cookies are in use to make sure you’ve accounted for everything. Also, it’s a good idea to look over the other available settings in the Cookie Consent plugin to make sure it is set up the way you want.
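As a way to run the audit described above, here is an added example (not part of the original post or of the plugin) that scans page HTML for third-party scripts still executing from the HEAD section before consent. It assumes you saved the HTML from a fresh visit with no consent given; the sample HTML, hostnames and the `audit_head` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: page HTML as served to a visitor who has not consented yet.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script type="text/plain" src="https://tracker.example.net/pixel.js"></script>
<script src="//cdn.example.org/widget.js"></script>
</head><body>
<script src="https://chat.example.com/loader.js"></script>
</body></html>"""

# Common type values a browser runs as script; other types (e.g. text/plain) stay inert.
EXECUTABLE_TYPES = {"", "text/javascript", "application/javascript", "module"}

class HeadScriptAudit(HTMLParser):
    """Collect hosts of third-party <script src> tags in <head> that would execute."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            attr = dict(attrs)
            src = attr.get("src") or ""
            script_type = (attr.get("type") or "").strip().lower()
            host = (urlparse(src).hostname or "").lower()
            # Relative URLs have no host, so they are first-party and skipped.
            if host and host != self.site_host and script_type in EXECUTABLE_TYPES:
                self.findings.append(host)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_head(html, site_host):
    """Return hosts of third-party HEAD scripts that run without consent gating."""
    parser = HeadScriptAudit(site_host)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    print(audit_head(SAMPLE_HTML, "www.example.com"))
```

Any host this reports is a script that some plugin or theme is still injecting directly, so it needs to be disabled at its source and moved into the non-necessary script box.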