GDPR feels like a messy burden for most website owners. Most owners aren’t likely to do anything untoward with data, but the many suffer because of the few. On the flip side, making it clear how data will be used and the ability to make an informed decision about your behaviour is probably a good thing.
This post provides a list of things to do on your site and provides a multitude of ways those things can be done. So many guides out there have been written by plugin and service sellers who are simply self-serving. This isn’t helpful. It’s over-complicated and biased.
The aspects of GDPR as we see them
This is based on research done on other blogs and websites and does not constitute legal advice. That’s out of the way.
- Cookie consent – with all cookie types identified
- Data usage based on entry and submission – providing a clear explanation of how data being entered will be used
When it comes to the business as a whole, there’s more to GDPR, but the business processes that sit outside your website are out of scope here.
There are two schools of thought out there.
- Create a complicated “User Interface” for users to select which types of cookies to accept.
- Create a simple “acceptance” option with a link to more information if the site visitor can be bothered
Neither is strictly “implied consent”, but option 1 is definitely “explicit consent”.
Basically the discussion concludes the following:
- You can place cookies from the moment a visitor lands on your site
- The Cookie Notification should lead them to a page explaining what cookies are used and why
- The cookie explanation page should also explain to them how they can use the standard browser functionality to delete cookies
- The cookie explanation page could also include information on how to prevent cookies in the first place
- Explicit consent is deemed to require selecting “accept” or similar to dismiss the banner
- Explicit consent doesn’t include dismissing after an elapsed time or through scrolling
- Selecting “accept” ultimately places another cookie to prevent the banner from continuing to appear
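The banner rules above, as an added example that is not code from the original post: only an explicit click counts as a decision, scroll and timeout events never dismiss the banner, and the recorded choice is stored in a cookie so the banner stops reappearing. The cookie name, its lifetime and the element ids are assumptions.

```javascript
// Added example (not code from the original post): the banner rules above as a
// small consent module. Cookie name, lifetime and element ids are assumptions.
const CONSENT_COOKIE = "cookie_consent"; // assumed name of the cookie that suppresses the banner
const CONSENT_TTL_DAYS = 180;            // assumed lifetime of the recorded choice

// Only these user actions count as explicit consent. "scroll", "timeout" and
// similar are deliberately absent, so they can never dismiss the banner.
const EXPLICIT_ACTIONS = new Set(["accept", "reject"]);

// Parse the recorded choice out of a document.cookie string; absent or malformed
// values fail closed (treated as "not decided yet").
function readConsent(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    let raw; try { raw = decodeURIComponent(rest.join("=")); } catch { raw = ""; }
    const m = /^v1:(accepted|rejected)$/.exec(raw);
    if (m) return { decided: true, accepted: m[1] === "accepted" };
  }
  return { decided: false, accepted: false };
}

// Map a banner event to a consent state, or null when the event is not an
// explicit choice (the banner stays up).
function handleBannerEvent(eventType) {
  if (!EXPLICIT_ACTIONS.has(eventType)) return null;
  return { decided: true, accepted: eventType === "accept" };
}

// The document.cookie string that records the choice and stops the banner
// re-appearing: site-scoped, HTTPS-only, not sent on cross-site requests.
function consentCookieString(state, nowMs = Date.now()) {
  const expires = new Date(nowMs + CONSENT_TTL_DAYS * 86400 * 1000).toUTCString();
  const value = encodeURIComponent(`v1:${state.accepted ? "accepted" : "rejected"}`);
  return `${CONSENT_COOKIE}=${value}; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

function shouldShowBanner(cookieHeader) {
  return !readConsent(cookieHeader).decided;
}

// Browser wiring; skipped when the module runs outside a page (e.g. under a test runner).
if (typeof document !== "undefined" && shouldShowBanner(document.cookie)) {
  const banner = document.getElementById("cookie-banner");
  banner.hidden = false;
  for (const action of EXPLICIT_ACTIONS) {
    document.getElementById(`cookie-${action}`).addEventListener("click", () => {
      document.cookie = consentCookieString(handleBannerEvent(action));
      banner.hidden = true;
    });
  }
}
```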
Ok, that’s all great. But we’re after an example of a ‘big dog’, or at least a decent-sized one, applying this interpretation.
These guys appear to be applying the above principles.
There’s a brief explanation of cookies. But if you want to be selective about cookies, they firmly direct you towards using your browser settings. They even provide a helpful link for each browser on how to configure your cookies.
How do you manage Cookies?
Most internet browsers are initially set up to automatically accept Cookies. You can change the settings to manage Cookies being sent to your device.
- Disable Cookies in Internet Explorer >> Click here
- Disable Cookies in Chrome >> Click here
- Disable Cookies in Safari >> Click here
- Disable Cookies in Firefox >> Click here
- Disable Cookies in Safari iOS >> Click here
- Disable Cookies in Google Android >> Click here
It’s not slopey-shouldered. It’s just sensible. It’s practical. And it’s completely in line with their brand anyway. But that’s not really the point.
This is validation that the above interpretation is not a standalone view. It’s one being taken in common law.
Anonymising Cookie Data
PII, or Personally Identifiable Information, is the key consideration when it comes to the difference between “implied” and “explicit” consent.
Google Analytics allows IP addresses to be anonymised by modifying the tracking code. Find more detail about anonymising Google Analytics here.
Cookiebot provides a service where its plugin scans your website monthly and tabulates the cookies found and their uses. It uses a global repository (database) of cookies and their uses to do this.
Amazon Associates Affiliate Programme Cookies & GDPR
The Amazon Associates Programme, more commonly known as the Amazon Affiliates Programme, utilises a tracking cookie to enable the attribution of commissions. These are classed as “Third Party Cookies” as they’re placed by the Amazon marketplaces.
Services like Facebook, Twitter, Google, Pinterest and many others offer a retargeting or remarketing service. The user data is recorded to allow you to use that information to either:
- Market directly to that user or;
- Market to other users who have a related digital profile as determined by the retargeting or remarketing platform
Retargeting and remarketing can be achieved simply by the use of tracking pixels on your website, which fall into the category of “third party cookies”.
Clear Explanation of use of Entered Data – like emails
Basically if you’ve got an email signup form or a comments form or a contact form, you need to be clear how you’re going to use the information.
There are again a couple of schools of thought.
- You need a thorough explanation or at least a link to a more detailed explanation at entry point
- You need a checkbox to force people to acknowledge what they’re agreeing to
Now practically, most form plugin providers, comment box providers etc. got their shit together and just took the option 2 ‘belt and braces’ approach. But there’s still an argument that says if you’ve provided a clear explanation of what’s going to happen when a user enters their data and clicks “submit”, you’re pretty much covered. Maybe there’s an issue here with “recording” their agreement; however, I don’t see how a checkbox resolves this any more than a button click does.
As long as you explain how the information will and could be used this would appear compliant.
So if, for example, they’re signing up for a blog email but you also use the email to create lookalike or retargeting audiences on Facebook, these uses need to be explained. So that’s an explanation for:
- Receiving a weekly article by email
- Receiving retargeting Ads on third party platforms
- Used to identify people with similar interests to more tactfully advertise to others
Most of this explanation will go well over the head of most individuals who aren’t savvy marketers.
Dealing with Data That Is Captured
So, many of your WordPress plugins may not even capture user data – nothing to worry about there. But which ones do?
Before looking at plugins, look at Core WordPress. If you’re utilising the core WordPress comments functionality, this is storing data. If someone requests you delete their data, you can find their comments and delete them. Simple.
If you’re capturing email addresses, names, addresses etc. (PII) and you’re saving this data in ‘databases’ you need to be able to erase this data upon request.
Some plugins, such as AMZ Coupon Server, do collect data such as email addresses and store them in your WordPress database (well, a sub-database within the plugin). Once again, this is data you’d have to delete if a data deletion request came in.
Further to that, you can also connect AMZ Coupon Server to email marketing automation services such as Getresponse or Aweber. If you’re integrating with these services, ultimately you’re storing data in yet another database.
Advised Plugins and Settings
When setting up UK Cookie Consent, ensure the Cookie Banner is dismissed only as the result of an active click. So don’t set the banner to disappear after a certain length of time, or after scrolling.
More Examples Of Other Serious Sites taking the same approach to GDPR
More coming soon…
GDPR plugins that have a belt and braces approach
What I mean by this is that the plugin provides granular explicit opt in options. The key differentiating feature here is that the cookies are NOT placed until consent has been given for that specific cookie type.
First up EziGDPR…
GDPR Cookie Consent
Even the free version allows you to enter scripts into the “Non-Necessary Cookie” section of the plugin settings, meaning non-necessary cookies are not placed until “Accept” is clicked; if “Reject” is clicked, these cookies aren’t set.
With the free version, the non-necessary cookies and their scripts have to be identified manually. The paid version, however, does have some automation, which reduces the manual work.
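The “cookies are not placed until consent is given for that cookie type” mechanism, as an added example that is not the plugin’s own code: scripts are shipped inert in a non-executing type, tagged with a category, and are only turned into real scripts for the categories the visitor accepted. It also handles the granular case from the “belt and braces” section above. The category names and the `data-cookie-category` attribute are assumptions.

```javascript
// Added example, not the plugin's own code: category-gated script loading of the
// kind described above. The category names and the data attribute are assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Turn the banner choice into a per-category record. "reject" grants nothing
// beyond necessary cookies, "accept" grants every category, and "custom" grants
// exactly the categories the visitor ticked.
function consentRecord(choice, granted = []) {
  const record = {};
  for (const c of CATEGORIES) {
    record[c] = c === "necessary" || choice === "accept" ||
      (choice === "custom" && granted.includes(c));
  }
  return record;
}

// Select the scripts allowed to run. A script whose category is unknown to the
// record is never activated, so an untagged or mistagged tracker fails closed.
function scriptsToActivate(consent, scripts) {
  return scripts.filter((s) => consent[s.category] === true);
}

// Scripts are shipped inert as <script type="text/plain" data-cookie-category="marketing">,
// which the browser parses but never executes. Activation swaps in a real script
// element with the same attributes and body, so it runs only after consent.
function activateScript(el) {
  const live = document.createElement("script");
  for (const { name, value } of el.attributes) {
    if (name !== "type") live.setAttribute(name, value);
  }
  live.textContent = el.textContent;
  el.replaceWith(live);
}

// Call this with the record once the visitor has clicked Accept/Reject/Save.
function applyConsent(consent) {
  const inert = document.querySelectorAll('script[type="text/plain"][data-cookie-category]');
  const tagged = [...inert].map((el) => ({ category: el.dataset.cookieCategory, el }));
  for (const { el } of scriptsToActivate(consent, tagged)) activateScript(el);
}
```

Rejecting later cannot remove cookies a tracker set on an earlier visit, which is why the browser-level deletion instructions the post recommends still matter.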
The plugin is $99 for up to 5 sites for the first year, reduced to $49 for renewals thereafter (not bad for $10 a year per site).
If you’ve got a bigger requirement than that, you can implement it on up to 25 sites for $199 for the first year and $99 thereafter. A serious deal at $4 per site per year!
Summary of Features
- Load cookies only on Acceptance
- Will scan and find all cookies being used, allowing you to categorise as necessary and non-necessary – so you can use the “granular acceptance” capabilities (Premium functionality)
GDPR Cookie Compliance
This is (mostly) a paid solution. There is a free version for small sites, but it doesn’t come with their “Cookie Scanning” capability for automatic documentation of the cookies.
The paid solutions aren’t “cheap” for small-ish sites.
This plugin also allows users to be very selective over which Cookies they want to accept or not. i.e. functional cookies vs marketing cookies.
Summary of Features
- Load cookies only on Acceptance
- Will scan and find all cookies being used on a MONTHLY basis, allowing you to categorise as necessary and non-necessary – so you can use the “granular acceptance” capabilities (Premium functionality)
Complianz | GDPR Cookie Consent
Action Plan for WordPress GDPR Compliance
- Install a cookie consent plugin (make the choice as to whether you want to prevent cookies from loading before clicking ‘Accept’)
- Provide information to users on how they can delete or completely block Cookies for each of the browsers that they may be using
- Anonymise your data on Google Analytics to avoid issues with PII