Businesses all around the world have been working to implement changes to help them comply with the GDPR. Unfortunately, it’s very difficult to know just what changes are required for small businesses to comply, especially around cookie consent.

In our previous blog post, we looked at the differences between the EU/UK Cookie Law and the new GDPR requirements. The biggest change is around implied vs active consent, and how granular consent is managed. So, with all the GDPR snake oil on sale, and with no knowledge of how the various national authorities will actually choose to enforce it, it’s hard to give any recommendations.

Is cookie consent a GDPR priority?

From what we’ve seen in early 2018, cookie notifications are a much lower priority for decision-makers than data storage, security, record-keeping and processing policies. If you’re just starting your GDPR compliance journey, start there!

However, cookie consent is a part of the law, and compliance here seems to be top of mind for small business and WordPress site owners. So, let’s take a look at what you can do about cookies on your site.

Implied consent vs active, granular consent — this is the important bit!

It’s our understanding that the GDPR requires active consent before non-necessary cookies are dropped, and granular options so each user can choose to accept or reject the download of other cookies. There’s also a need to be able to remove or revoke consent (which is particularly tough).

If a user chooses to sign into your site, a cookie is dropped in the browser to keep them logged in. This is normal functionality: the cookie is strictly necessary for the service the user asked for, so it can be dropped without asking for consent.

But a social ‘like’ button may also drop or update a cookie; this is non-essential to the functionality of, say, a blog post. Under the new rules this like button should not drop or modify a cookie without explicit permission; and as the site owner, you are responsible for that — every third-party embed, every new plugin, every dynamic advert. Yep. It’s a huge burden to comply.

But do I have non-necessary cookies?

Good question! The short answer is that if you own a website, it’s very probable that you do.

If you’re the owner of a WordPress site that runs Jetpack or any social sharing plugin, or have ever embedded a YouTube video or Instagram photo on your site, then you almost certainly have non-necessary cookies. You can run this free test that crawls five pages of your site to find out.

So, which is the best WP plugin to help comply with the GDPR and EU cookie laws?

We tested several popular plugins (each of which was running on at least one of our Performance Foundry Managed Hosting and Maintenance sites) using these criteria:

  • Is the consent implied or active?
  • Is granular consent available?

Of the many plugins we tested, only three WordPress plugins met the requirements for active consent:

Of those, only Cookie Notice and Cookiebot allowed for any level of granular consent.

Did you know Performance Foundry can help with a WordPress retainer or WordPress hosting with maintenance built in? (We have AWS servers based in the EU as well as the Americas and Australia.)

We’re only shortlisting two plugins! I was surprised that out of hundreds of sites and dozens of options, only two of those plugins met my understanding of the law.

We did not test the following plugins, as — at time of testing — they only created implied consent, and therefore were not going to be compliant with the active consent/granularity requirements:

The GDPR Framework plugin also showed up often on our servers, but did not have a cookie consent tool at time of testing.

The shortlist

Cookie Notice (version 1.2.42)

Cookie Notice is nice and lightweight, and has an open and editable GitHub Repository. Winning! There are only a few issues and related pull requests — it looks quite stable, and it looks a little like this:

Cookie Notice screenshot. Supplied.

It handles active consent, granular consent and withdrawal of consent, but only if the site manager finds each non-essential cookie and adds it to the plugin’s configuration as code.

That’s quite a high burden. Even as the owner of a development company, I don’t want a quarterly task to scan pages, be aware of the cookies, and then recode this plugin, test what breaks, try and fix it, and move on.

This plugin would be best for a time-rich, technical user that’s highly engaged in the behind-the-scenes areas of their site. Most of our clients do not fit into that category.

Cookiebot (version 1.5.0)

Cookiebot also fulfils every requirement on our checklist: active consent, granular control, and the ability to revoke consent. In addition, it provides a shortcode that it updates automatically, so that your cookie declaration stays specific and accurate. The declaration automatically provides the mandatory options for the user to change or withdraw consent.

It has an open GitHub repo for add-ons, but not for the core product. It’s a paid, software-as-a-service tool, but the plugin is available from the WordPress repo. Cookiebot does not have complex WordPress plugin settings. Instead, it uses an API connection, along with advice on how to update your markup when needed, to show which consent category a given plugin’s cookies fall into.

First draft of the Performance Foundry website options. Notice how different categories are optional.

As a paid business tool that has the goal of ensuring GDPR cookie compliance, it’s going to have some of the best support and tools. Cookiebot’s main difference is that it scans your whole site every month and presents you with an audit. From that audit, it will be able to tell you what it’s dealing with automatically, let you know what you need to do next, and recommend changes to be made to your mark-up.

Audits (and permissions) can be cross-domain, so we can handle both performancefoundry.com and support.performancefoundry.com with one acknowledgement, and not bug our users.

By default, you have four levels of granularity:

  • Necessary
  • Preferences
  • Marketing
  • Statistics

Cookiebot will try to categorise each cookie into one of these levels. If it is unable to, it will leave the cookie uncategorised for you (the site owner) to add to the correct level. Over time, I’d expect more and more plugins to set up their cookies so that they are automatically categorised into the correct level of granularity.

You can also choose to display this pop-up to everyone, or only to EU visitors.

The Cookie Policy can be added to your privacy policy or a standalone page with a shortcode. It will be constantly updated as the service crawls your site:

Performance Foundry’s ‘living’ privacy policy.

This is still not a pain-free process! But it’s a lot easier than Cookie Notice and it keeps up with the ongoing compliance issues.

Cookiebot does use more resources than other plugins, but that’s because it’s doing a lot more work; especially when spidering your site.

Conclusion: The best plugin for GDPR cookie compliance

GDPR compliance is a bit like religion: it’s personal, it’s connected to a community of other practitioners, it’s sometimes contradictory. Some like to believe that it doesn’t exist and that it will never affect them. Others believe in a punitive, capricious power that’s in control of their fates. At some point, lightning may strike the non-believer or the believer (or both at the same time).

I’d never tell you what spiritual code to follow, and I can’t advise on how your business can comply with the GDPR. But, given our understanding, I believe Cookiebot is the best current offer for strict compliance.

According to their materials, Cookiebot is a cloud-driven solution that offers:

  • A highly customizable consent banner to handle user consents and give the users the required possibility to opt-in and -out of cookie categories.
  • A cookie policy and declaration, with purpose descriptions and automatic categorization of your cookies (strictly necessary, preference, statistics, marketing).
  • Full monthly scans to detect all tracking in place on the website as well as detection of where data is being sent to and where in the source code the cookie can be found.
  • A scanner that detects various online trackers such as Cookies, HTML5 Local Storage, Flash Local Shared Object, Silverlight Isolated Storage, IndexedDB, ultrasound beacons, pixel tags etc.
  • An easy way to allow the users to change or withdraw their consent.
  • Translations for 44 languages and the ability to change the text on the banner and declaration for any language.
  • Storage of user-consents in our cloud-driven environment, which are downloadable and can be used as proof.

Is all that overkill? In all honesty, it probably is for businesses under the major staff and turnover thresholds, but if you’re looking for the best fit on compliance vs cost vs hassle, it ticks all the boxes. We’ve decided to use it here at Performance Foundry.

You can download Cookiebot from within the WordPress plugins dashboard, or from their site. If you’re a Performance Foundry hosting or maintenance client, please use this reseller link to sign up. This will allow us access to your account so we can provide some support for this service. We do receive a commission if you sign up using that link, which is nice, but being able to help with your settings is the most important part!

If you have just one domain and a small site of fewer than 100 pages, Cookiebot has a free subscription level that’s perfect.

I want a free option…

If you want to fully comply with the GDPR’s cookie requirements as we understand them, it’s possible to do it with a free plugin, like Cookie Notice that we reviewed above, but it’s a ton more manual work.

This is because, to truly record active and granular consent, the plugin needs to be aware of what cookies you have on each page and manage them. You also need to categorise them (which needs manual input), keep your declaration up to date, and keep good records of user consents.
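What that gate actually has to do, in the terms used in "Implied consent vs active, granular consent" above and with the four Cookiebot categories, as an added example in JavaScript that is not Cookie Notice's or Cookiebot's code: every non-necessary category is refused until the visitor explicitly ticks it, a tagged script runs only once its category is allowed, cookies of any refused or withdrawn category are purged, and each decision is recorded with a timestamp as proof. The cookie names in the declaration, the consent cookie name `site_consent`, and the in-memory jar standing in for `document.cookie` are assumptions made for this example so that it runs in Node without a browser.

```javascript
"use strict";

// Added example, not code from Cookie Notice or Cookiebot. Category names
// are the four Cookiebot levels; everything else below is an assumption.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_COOKIE = "site_consent"; // assumed name; the record itself is strictly necessary

// Constructed sample declaration: cookie name (or name prefix) -> category.
// A real one comes from the site audit. Only the consent record and the
// WordPress login cookie are "necessary"; everything else needs a tick.
const DECLARATION = {
  [CONSENT_COOKIE]: "necessary",
  "wordpress_logged_in_": "necessary",
  "wp-settings-": "preferences",
  "_ga": "statistics",
  "_gid": "statistics",
  "fr": "marketing",
};

// In-memory cookie jar with the four operations a document.cookie adapter
// would expose. Constructed so the example runs outside a browser.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, declaration = DECLARATION, now = () => Date.now()) {
    this.jar = jar;
    this.declaration = declaration;
    this.now = now;
    this.pending = []; // scripts waiting for their category to be allowed
    this.log = [];     // consent records kept as proof: { at, consent }
    this.state = this.read();
    this.purge();      // enforce the current decision on every page load
  }

  // Active consent: a missing or unreadable record means "no" for every
  // non-necessary category. Nothing is implied from scrolling or browsing.
  read() {
    const state = { necessary: true, preferences: false, statistics: false, marketing: false };
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return state;
    try {
      const saved = JSON.parse(decodeURIComponent(raw));
      for (const c of CATEGORIES) if (c !== "necessary" && saved[c] === true) state[c] = true;
    } catch (_) { /* corrupt record: fall back to no consent */ }
    return state;
  }

  // Exact name first, then the longest declared prefix (WordPress suffixes
  // its login cookie with a hash). Undeclared cookies are "uncategorised".
  categoryOf(name) {
    if (this.declaration[name]) return this.declaration[name];
    let best = null;
    for (const key of Object.keys(this.declaration)) {
      if (name.startsWith(key) && (best === null || key.length > best.length)) best = key;
    }
    return best ? this.declaration[best] : "uncategorised";
  }

  // Uncategorised cookies fail closed: nobody could have consented to them.
  isAllowed(category) { return category === "necessary" || this.state[category] === true; }

  // Explicit, granular decision from the banner. "necessary" cannot be refused.
  submit(choices) {
    const next = { necessary: true };
    for (const c of CATEGORIES) if (c !== "necessary") next[c] = choices[c] === true;
    this.state = next;
    this.jar.set(CONSENT_COOKIE, encodeURIComponent(JSON.stringify(next)));
    this.log.push({ at: this.now(), consent: { ...next } });
    this.purge(); // drop cookies of refused categories before loading anything new
    this.flush();
    return { ...next };
  }

  // Withdrawal takes the same path as refusing everything.
  withdraw() { return this.submit({}); }

  // Remove every cookie whose category is not (or no longer) allowed.
  purge() {
    const removed = [];
    for (const name of this.jar.names()) {
      if (!this.isAllowed(this.categoryOf(name))) { this.jar.remove(name); removed.push(name); }
    }
    return removed;
  }

  // Register a cookie-setting script; it runs only once its category is allowed.
  registerScript(category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.isAllowed(category)) load(); else this.pending.push({ category, load });
  }

  flush() {
    const still = [];
    for (const s of this.pending) { if (this.isAllowed(s.category)) s.load(); else still.push(s); }
    this.pending = still;
  }
}
```

On a real site the jar adapter reads and writes `document.cookie`, and each third-party embed is registered with `registerScript("marketing", ...)` rather than placed in the page as a plain script tag. Note what the gate cannot do: a script that already ran before withdrawal stays loaded until the next page load, and the purge cannot delete HttpOnly cookies or cookies the third party set on its own domain. That is why the scripts must be blocked before they run rather than cleaned up afterwards.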

We don’t see the value in installing a cookie pop-up that doesn’t meet these requirements — it affects your visitors’ experience of your site without taking you closer to compliance. However, if you already have one (and don’t want to move to Cookiebot), it may be best to leave it in place until more guidance emerges around cookie compliance.

I’m sorry. I know you were looking for an easy, free solution — and we don’t have one for you. We wanted one too.

If you find a free or cheap plugin that specifies that it records active, granular consent, please email us on hello@performancefoundry.com so we can check it out.

What next?

We’re trying to answer as many GDPR and digital privacy questions as we can. Read, and ask!

Disclaimer: We are not lawyers and are certainly not experts on the GDPR. The information in this article represents our interpretation of the information available online and should not be taken as legal advice. Performance Foundry assumes no responsibility in relation to the use of the information in the blog post.