The EU’s General Data Protection Regulation (GDPR) is a new regulation that comes into effect on 25 May 2018 (See: GDPR: changes to the EU regulations around data protection, and what that means for you). We’re going to break down what EU cookie law means for small websites, especially WordPress websites, and take a look at how to deal with it.

The GDPR and you

The GDPR is far-reaching, applies to any site that targets visitors from the EU (not just businesses in the EU!), and is causing a ton of changes across the web.

Many of these changes are for the better: we’re generally fans of privacy, security, and faster websites! However, we appreciate it’s causing a headache for small businesses that don’t have big teams to deal with it.

One of the big areas of change is with cookie usage and compliance. Most site owners have no idea what cookies are or which cookies are on their sites, but now they’re being asked to manage them?!


Because I embedded this gif, I probably dropped some tracking cookies from the third-party site I embedded it from.


Yes, it’s really that much of a headache.

Every time you embed anything from a third party, install a plugin, or use a social sharing widget, they’ll probably be dropping cookies, and now you — the website owner — are legally liable for managing that. Even though you have no idea what they are.

And if the embed or widget provider changes what cookies they drop in the future, you’re still meant to know about that and manage it.

Let’s see what we can do about it…

Wasn’t there an old cookie pop-up and consent law?

The old EU Cookie Law allowed implied consent: if you told people that you used cookies, that was enough to comply. You’ll have seen notifications like this:

HSBC UK’s ‘old’ cookie compliance notice

Since almost every website in the world uses cookies, everyone ignored it. No companies changed their data processing systems. The law itself was pretty wasteful.

But now, things have a chance to get better! (For us as human beings, if not for us as website managers, business owners and marketers.)

Did you know Performance Foundry can help with a WordPress retainer or WordPress hosting with maintenance built in? (We have AWS servers based in the EU as well as the Americas and Australia.)

How the GDPR changes cookie notification needs

It’s our understanding that the GDPR requires active consent before non-functional cookies are dropped, and granular options so each user can choose to accept or refuse the download of other cookies. There’s also a need to be able to remove consent.

This requires each site manager to actually understand which cookies are dropped, to categorise them, and to control them. We’re going to start seeing more notifications like this:

First draft of the Performance Foundry website options. Notice how different categories are optional.

The options above allow us to drop the cookies we need to serve and secure the site, and to enable normal behaviour, like storing shopping carts between sessions and emailing the right person when a purchase is made. But they also give you the option to not share your data with Facebook, even if you’re logged in to Facebook.

How did we do this? See WordPress Cookie Consent Notification Plugins Reviewed.

Any human can also go to our privacy policy and see an up-to-date list of cookies and see how we’ve categorised these cookies, and to change their consent for any category. It’s a living privacy document, and that’s pretty cool.

Performance Foundry’s ‘living’ privacy policy.

What’s the lifecycle of cookie consent?

So, as a website owner I can drop essential cookies as soon as a user starts using the website (but maybe not as soon as the website loads). However, to drop any others, I need individual user consent that:

  • Is active,
  • Is granular (i.e. divided into plain-language categories),
  • Can be modified, and
  • Can be revoked.

Here’s the thing… the web isn’t static. It changes all the time.

If you use an ad network, they’re dropping dozens of cookies that you have no control over, that you just can’t manage. If you embed something from Youtube or add a Facebook share button, you have no control over which cookies they drop today, or what they may change to next week.

Every ad and every embed likely has different trackers and entry points to different trackers. It’s turtles all the way down. It’s such a pain that we’re seeing pop-overs like this, that don’t allow you to access any part of the site until some options are ticked:

Blocking pop-over that stops site access without explicit consent

This popover, assuming it does accurately record and block/allow all cookies, fulfils the letter of the law, but it does create a negative web experience. It’s a shame that both privacy and publisher income can’t easily live side by side.

What do you mean by publisher income?

Many, if not most, publishers make their money from serving ads. But the ad networks don’t make their real money from selling the ad that you see. They make their real money from all the unseen trackers that get downloaded or activated at the same time.

The GDPR is going to cause some issues for online ad networks, especially if people do take up the option to reclaim some privacy and turn off marketing and stats cookies. That will have a negative trickle-down effect to publisher incomes and could impact your favourite sites.

The economic changes this law will bring about if adequately policed, and if rolled out in a similar way worldwide, could be massive.

Your ad network

Your ad network may require (or suggest that) you use a pop-up like the one pictured above. Some of these have granular options for consent, which is great.

However, you’ll need to check with your ad network regarding whether the popup meets GDPR criteria for your whole site. You’ll be able to see pretty easily if the consent is active and if granular controls are available, but also check if the settings can be easily modified and consent revoked.

Specifically, ask your ad network if the tool also audits other cookies on your site not dropped by the ad network itself.

The burden of cookie consent

We’re excited about the potential to clean up some of the excesses of invasive web practices! Big businesses do need to prioritise privacy and security more, but we feel the burden of that active management and control is very high for small businesses and other small organisations, like community groups and sports teams.

The toughest thing is that most people don’t know how their websites work, and don’t know what cookies do. They are also expected to keep up to date with changes that they are likely unaware of.

Tools are arriving to fill that gap. See our GDPR WordPress plugin review for some examples. We’re hoping to see free, sponsored or community-driven ways to help everyday-people-who-run-a-website to manage their cookie content, just like LetsEncrypt has helped make SSL so much cheaper.

Until then, we’re expecting to see some common sense applied in the enforcement of the rules, and that large corporations who handle the most data to be targeted for compliance first, providing more best-practise examples for smaller organisations.

How can the EU enforce laws on US-only companies?

This is going to be interesting! While we’re expecting to see headline stories about big tech companies being pulled into government meetings all around the world, it would be really unusual for a boutique pastry blogger with 25,000 pageviews/month and a five-figure income being pulled into a foreign court.

It’s important to remember that while the GDPR is an EU-wide directive, each country has its own national authority that will interpret and police the regulations. If you’re based in the EU, you’ll get the best guidance on compliance from your own government department. If you’re not EU-based, we just need to do our best until more guidance is given.

More about the GDPR:

Head back to our privacy hub, for more on GDPR and web privacy or read about our recommended WordPress plugin to manage cookie consent and control in the GDPR era.

Disclaimer: We are not lawyers and are certainly not experts on the GDPR. The information in this article represents our interpretation of the information available online and should not be taken as legal advice. Performance Foundry assumes no responsibility in relation to the use of the information in the blog post.