The EU’s General Data Protection Regulation (GDPR) is a new regulation that comes into effect on 25 May 2018 (See: GDPR: changes to the EU regulations around data protection, and what that means for you). We’re going to break down what EU cookie law means for small websites, especially WordPress websites, and take a look at how to deal with it.
The GDPR is far-reaching, applies to any site that targets visitors from the EU (not just businesses in the EU!), and is causing a ton of changes across the web.
Many of these changes are for the better: we’re generally fans of privacy, security, and faster websites! However, we appreciate it’s causing a headache for small businesses that don’t have big teams to deal with it.
One of the big areas of change is with cookie usage and compliance. Most site owners have no idea what cookies are or which cookies are on their sites, but now they’re being asked to manage them?!
Because I embedded this gif, I probably dropped some tracking cookies from the third-party site I embedded it from.
Yes, it’s really that much of a headache.
Every time you embed anything from a third party, install a plugin, or use a social sharing widget, they’ll probably be dropping cookies, and now you — the website owner — are legally liable for managing that. Even though you have no idea what they are.
And if the embed or widget provider changes what cookies they drop in the future, you’re still meant to know about that and manage it.
Let’s see what we can do about it…
The old EU Cookie Law allowed implied consent: if you told people that you used cookies, that was enough to comply. You’ll have seen notifications like this:
But now, things have a chance to get better! (For us as human beings, if not for us as website managers, business owners and marketers.)
It’s our understanding that the GDPR requires active consent before any non-essential cookie is dropped, with granular options so each user can choose to accept or refuse each category of cookie separately. Users must also be able to withdraw consent later, and doing so should be as easy as giving it was.
This requires each site manager to actually understand which cookies are dropped, to categorise them, and to control them. We’re going to start seeing more notifications like this:
The options above allow us to drop the cookies we need to serve and secure the site, and to enable normal behaviour, like storing shopping carts between sessions and emailing the right person when a purchase is made. But they also give you the option to not share your data with Facebook, even if you’re logged in to Facebook.
How did we do this? See WordPress Cookie Consent Notification Plugins Reviewed.
So, as a website owner I can drop essential cookies as soon as a user starts using the website (but maybe not as soon as the website loads). However, to drop any others, I need individual user consent that:
Here’s the thing… the web isn’t static. It changes all the time.
If you use an ad network, they’re dropping dozens of cookies that you have no control over, that you just can’t manage. If you embed something from Youtube or add a Facebook share button, you have no control over which cookies they drop today, or what they may change to next week.
Every ad and every embed likely has different trackers and entry points to different trackers. It’s turtles all the way down. It’s such a pain that we’re seeing pop-overs like this, that don’t allow you to access any part of the site until some options are ticked:
This popover, assuming it does accurately record and block/allow all cookies, fulfils the letter of the law, but it does create a negative web experience. It’s a shame that both privacy and publisher income can’t easily live side by side.
Many, if not most, publishers make their money from serving ads. But the ad networks don’t make their real money from selling the ad that you see. They make their real money from all the unseen trackers that get downloaded or activated at the same time.
The GDPR is going to cause some issues for online ad networks, especially if people do take up the option to reclaim some privacy and turn off marketing and stats cookies. That will have a negative trickle-down effect to publisher incomes and could impact your favourite sites.
The economic changes this law will bring about if adequately policed, and if rolled out in a similar way worldwide, could be massive.
Your ad network may require (or suggest that) you use a pop-up like the one pictured above. Some of these have granular options for consent, which is great.
However, you’ll need to check with your ad network regarding whether the popup meets GDPR criteria for your whole site. You’ll be able to see pretty easily if the consent is active and if granular controls are available, but also check if the settings can be easily modified and consent revoked.
Specifically, ask your ad network if the tool also audits other cookies on your site not dropped by the ad network itself.
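The gating described above (essential cookies straight away, everything else only after granular consent, consent revocable) and the audit question in the last paragraph can both be handled by a small script in the page. The following is an added example, not code from the original post or from any of the plugins it reviews. The cookie name `site_consent`, the `data-consent-src` / `data-consent-category` attributes, the category names and the prefix list of "known" cookies are assumptions for the illustration; a real site has to build its own list from what its plugins and embeds actually set. Embeds are written into the page with their real URL in `data-consent-src` and an empty `src`, so the third party is not contacted (and can set nothing) until the user has opted in.

```javascript
// Added example (not from the original post). Assumed names throughout.
const CONSENT_COOKIE = 'site_consent';
const CATEGORIES = ['necessary', 'statistics', 'marketing'];

// First-party cookies the site needs to work (assumed prefixes: PHP session,
// WordPress login/test cookies, WooCommerce cart). Never deleted on revocation.
const ESSENTIAL_PREFIXES = ['PHPSESSID', 'wordpress_', 'wp-settings', 'woocommerce_'];

// Illustrative, partial map of cookie-name prefixes to categories. The site
// owner has to maintain the real one; anything not listed is reported as unknown.
const KNOWN_COOKIES = {
  PHPSESSID: 'necessary', wordpress_: 'necessary', woocommerce_: 'necessary',
  _ga: 'statistics', _gid: 'statistics',
  _fbp: 'marketing',
};

// Consent is stored as "statistics=1&marketing=0". '&' and '=' are legal
// cookie-value characters; ';' and ',' are not, so they are avoided.
function parseConsent(raw) {
  if (!raw) return null;            // no record yet: only 'necessary' may run
  const consent = { necessary: true, statistics: false, marketing: false };
  for (const part of raw.split('&')) {
    const [k, v] = part.split('=');
    if (k in consent && k !== 'necessary') consent[k] = v === '1';
  }
  return consent;
}

function serializeConsent(consent) {
  return CATEGORIES.filter(c => c !== 'necessary')
    .map(c => `${c}=${consent[c] ? 1 : 0}`).join('&');
}

// The string to assign to document.cookie when the user saves their choices
// (180 days, first-party, not sent on cross-site navigations).
function consentSetCookie(consent) {
  return `${CONSENT_COOKIE}=${serializeConsent(consent)}; path=/; max-age=15552000; SameSite=Lax`;
}

// Find the consent record inside a document.cookie string.
function readConsentCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === CONSENT_COOKIE) {
      return parseConsent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Run each gated loader only if its category is allowed. Returns what was loaded.
function applyConsent(consent, embeds) {
  const loaded = [];
  for (const embed of embeds) {
    if (embed.category === 'necessary' || (consent && consent[embed.category] === true)) {
      embed.load();
      loaded.push(embed.name);
    }
  }
  return loaded;
}

// Turn <iframe data-consent-src="..." data-consent-category="marketing"> elements
// into gated embeds. `doc` is injected so the logic also runs outside a browser.
function embedsFromDocument(doc) {
  return Array.from(doc.querySelectorAll('iframe[data-consent-src]')).map(el => ({
    name: el.dataset.consentSrc,
    category: el.dataset.consentCategory || 'marketing',  // unlabelled: assume the worst
    load: () => { el.src = el.dataset.consentSrc; },
  }));
}

function bootstrap(doc) {
  return applyConsent(readConsentCookie(doc.cookie), embedsFromDocument(doc));
}

// Revocation: Set-Cookie strings that expire every non-essential first-party cookie.
// Caveat: document.cookie only shows cookies on this origin. Cookies an embed set on
// its own origin are invisible here and cannot be deleted by the site; the only
// control over those is not loading the embed in the first place.
function revocationCookies(cookieString, path = '/') {
  const expired = [];
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (!name || name === CONSENT_COOKIE) continue;
    if (ESSENTIAL_PREFIXES.some(p => name.startsWith(p))) continue;
    expired.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`);
  }
  return expired;
}

// Audit: categorise the visible first-party cookies and flag the ones nobody declared.
function auditCookies(cookieString, known = KNOWN_COOKIES) {
  const report = { necessary: [], statistics: [], marketing: [], unknown: [] };
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (!name) continue;
    const prefix = Object.keys(known).find(p => name.startsWith(p));
    report[prefix ? known[prefix] : 'unknown'].push(name);
  }
  return report;
}

if (typeof document !== 'undefined') bootstrap(document);
```

Run in the page, `bootstrap(document)` loads only the embeds the stored consent permits; when the user changes their choices, assign `consentSetCookie(...)` to `document.cookie`, and on withdrawal assign each string from `revocationCookies(document.cookie)` as well. The `unknown` list from `auditCookies(document.cookie)` is the list to take to the ad network or plugin author, and it will only ever cover first-party cookies, which is exactly why the embed has to be blocked rather than "cleaned up" afterwards.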
We’re excited about the potential to clean up some of the excesses of invasive web practices! Big businesses do need to prioritise privacy and security more, but we feel the burden of that active management and control is very high for small businesses and other small organisations, like community groups and sports teams.
The toughest thing is that most people don’t know how their websites work, and don’t know what cookies do. They are also expected to keep up to date with changes that they are likely unaware of.
Tools are arriving to fill that gap. See our GDPR WordPress plugin review for some examples. We’re hoping to see free, sponsored or community-driven ways to help everyday-people-who-run-a-website to manage their cookie content, just as Let’s Encrypt has made TLS certificates free and turned HTTPS from a cost into a default.
Until then, we’re expecting to see some common sense applied in the enforcement of the rules, and that the large corporations who handle the most data will be targeted for compliance first, providing more best-practice examples for smaller organisations.
This is going to be interesting! While we’re expecting to see headline stories about big tech companies being pulled into government meetings all around the world, it would be really unusual for a boutique pastry blogger with 25,000 pageviews/month and a five-figure income to be pulled into a foreign court.
It’s important to remember that while the GDPR is an EU-wide regulation (it applies directly in every member state, without needing national legislation), each country has its own supervisory authority that will interpret and police it. If you’re based in the EU, you’ll get the best guidance on compliance from your own national supervisory authority. If you’re not EU-based, we just need to do our best until more guidance is given.