Practical guide to tackling GDPR for your site

GDPR feels like a messy burden for most website owners. Most owners aren’t likely to do anything untoward with data, but the many suffer because of the few. On the flip side, making it clear how data will be used and the ability to make an informed decision about your behaviour is probably a good thing.

This post provides a list of things to do on your site and provides a multitude of ways those things can be done. So many guides out there have been written by plugin and service sellers who are simply self-serving. This isn’t helpful. It’s over-complicated and biased.

The aspects of GDPR as we see them

This is based on research done on other blogs and websites and does not constitute legal advice. That’s out of the way.

  • Cookie consent – with all cookie types identified
  • Cookie policy – a clear explanation of what the visitor is consenting to
  • Privacy policy – providing guidance on data procedures, how to request data or request its deletion
  • Data usage based on entry and submission – providing a clear explanation of how data being entered will be used

When it comes to the business as a whole, there’s more to GDPR than this; the business processes that sit outside your website are out of scope here.

Cookie Consent & Cookie Policy

There are two schools of thought out there.

  1. Create a complicated “User Interface” for users to select which types of cookies to accept.
  2. Create a simple “acceptance” option with a link to more information if the site visitor can be bothered

Neither is strictly “implied consent”, but option 1 is definitely “explicit consent”.

Here’s an interesting WordPress support thread that discusses the use of the UK Cookie Consent Plugin.

Basically the discussion concludes the following:

  • You can place cookies from the moment a visitor lands on your site
  • The Cookie Notification should lead them to a page explaining what cookies are used and why
  • The cookie explanation page should also explain to them how they can use the standard browser functionality to delete cookies
  • The cookie explanation page could also include information on how to prevent cookies in the first place
  • Explicit consent is deemed as needing to select “accept” or similar to dismiss the banner
  • Explicit consent doesn’t include dismissing after an elapsed time or through scrolling
  • Selecting “accept” ultimately places another cookie to prevent the banner from continuing to appear

Ok, that’s all great. But we’re after an example of a ‘big dog’, or at least a decent-sized one, applying this interpretation.

Enter Frank Body…

These guys appear to be applying the above principles.

There’s a brief explanation of cookies. But if you want to be selective about cookies, they firmly direct you towards using your browser settings. They even provide a helpful link for each browser on how to configure your cookies.

Here’s a snippet of their Cookie Policy:

How do you manage Cookies?

Most internet browsers are initially set up to automatically accept Cookies. You can change the settings to manage Cookies being sent to your device.

Click here for more information on Cookies and how to manage them.

It’s not slopey-shouldered. It’s just sensible. It’s practical. And it’s completely in line with their brand anyway. But that’s not really the point.

This is validation that the above interpretation is not a standalone view. It’s one being taken in common law.

Anonymising Cookie Data

PII, or Personally Identifiable Information, is the key consideration when it comes to the difference between “implied” and “explicit” consent.

Google Analytics allows the anonymising of IP addresses through modification of the tracking code. Find more detail about anonymising Google Analytics here.

Privacy Policy Implications Of GDPR

A Privacy Policy is the umbrella document for how users’ data is collected and used. Therefore a Cookie Policy is not a Privacy Policy, but instead a sub-section of a Privacy Policy.

Using a Privacy Policy & Cookie Policy Generator

Using a more sophisticated Privacy Policy & Cookie Policy generator does allow you to select things like which types of tracking pixels and services you’re using from a list of common ones, e.g. Google Analytics and Facebook Pixels.

This gets you so far, but doesn’t take you all the way. Each plugin on your site also has the potential to utilise Cookies and process personal data. Snippets from each of those plugins are therefore required within your cookie policy (if you’re going belt and braces).

Cookiebot provides a service where the plugin will scan your website on a monthly basis and tabulate the cookies found and their uses. They use a global repository (database) of cookies and their uses to do this.

However, Cookiebot DON’T provide a general “Cookie Policy Generator” or template.

Combining Cookiebot’s specific tabulated list of Cookies with a general Cookie Policy template may be a way to get a “Customised Template” that’s specific to your site.

Termsfeed.com is a pretty cool Cookie Policy & Privacy Policy generator website (it’s paid) that allows a degree of customisation based on “plain English” questions and answers.

Amazon Associates Affiliate Programme Cookies & GDPR

The Amazon Associates Programme, more readily known as the Amazon Affiliates Programme, utilises a tracking cookie to enable the attribution of commissions. These are classed as “Third Party Cookies” as they’re placed by the Amazon marketplaces.

These types of Cookies should be covered off in your customised Cookie Policy whether generated with a combination of a site scan for cookies (as with Cookiebot), plus a Generated Cookie Policy OR you just used a Cookie Policy Generator.

Dealing with Retargeting & Remarketing within your Privacy Policy

Services like Facebook, Twitter, Google, Pinterest plus many others offer a retargeting or remarketing service. The user data is recorded to allow you to use that information to either:

  • Market directly to that user or;
  • Market to other users who have a related digital profile as determined by the retargeting or remarketing platform

Retargeting and remarketing can be achieved simply by the use of tracking pixels on your website, which fall into the category of “third party cookies”.

However, you can also use users’ email addresses to form ‘audiences’ within these platforms. This therefore isn’t covered by the Cookie Policy, but is rather a consideration for the Privacy Policy.

Clear Explanation of use of Entered Data – like emails

Basically if you’ve got an email signup form or a comments form or a contact form, you need to be clear how you’re going to use the information.

There are again a couple of schools of thought.

  1. You need a thorough explanation or at least a link to a more detailed explanation at entry point
  2. You need a checkbox to force people to acknowledge what they’re agreeing to

Now practically, most form plugin providers, comments box providers etc. got their shit together and just took the option 2 ‘belt and braces’ approach. But there’s still an argument that says, if you’ve provided a clear explanation of what’s going to happen if a user enters their data and clicks “submit”, you’re pretty much covered. Maybe there’s an issue here with “recording” their agreement; however, I don’t see how a checkbox resolves this any more than a button click.

As long as you explain how the information will and could be used this would appear compliant.

So if for example they’re signing up for a blog email, but you also use the email to create lookalike or retargeting audiences on Facebook, these uses need to be explained. So that’s an explanation for:

  • Receiving a weekly article by email
  • Receiving retargeting Ads on third party platforms
  • Used to identify people with similar interests to more tactfully advertise to others

Most of this explanation will go well over the head of most individuals who aren’t savvy marketers.

As a result, the risk here is fear through complication and lack of clarity. A real balance needs to be struck in the privacy policy and any ‘at entry’ messaging.

Dealing with Data That Is Captured

So, many of your WordPress plugins may not even capture user data – nothing to worry about there. But which ones do?

Before looking at plugins, look at Core WordPress. If you’re utilising the core WordPress comments functionality, this is storing data. If someone requests you delete their data, you can find their comments and delete them. Simple.

If you’re capturing email addresses, names, addresses etc. (PII) and you’re saving this data in ‘databases’ you need to be able to erase this data upon request.

Some plugins, such as AMZ Coupon Server, do collect data such as email addresses and store it in your WordPress database (well, a sub-database within the plugin). Once again, this is data you’d have to delete if a data deletion request came in.

Further to that, you can also connect AMZ Coupon Server to email marketing automation services such as Getresponse or Aweber. If you’re integrating with these services, ultimately you’re storing data in yet another database.

Advised Plugins and Settings

UK Cookie Consent Plugin

GeoIP Detection Plugin

Using the combination of these plugins you can limit the annoying cookie policy notice only to global regions where it’s relevant.

When setting up UK Cookie Consent, ensure the Cookie Banner dismissal is as a result of an active click. So don’t set the banner to disappear after a certain length of time, or after scrolling.

More Examples Of Other Serious Sites taking the same approach to GDPR

More coming soon…

GDPR plugins that have a belt and braces approach

What I mean by this is that the plugin provides granular explicit opt in options. The key differentiating feature here is that the cookies are NOT placed until consent has been given for that specific cookie type.

First up EziGDPR…

https://www.ezigdpr.com

GDPR Cookie Consent


Even the free version allows you to enter scripts into the “Non-Necessary Cookie” section of the plugin settings, meaning non-necessary cookies are not placed until “Accept” is clicked; if “Reject” is clicked, these cookies aren’t set.

The non-necessary cookies and their scripts have to be manually scoured with the free version. The paid version however does have some automation – which reduces the manual work.
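The behaviour summarised from the support thread earlier (dismissal only by an active click, never by scrolling or a timeout, then a consent cookie that stops the banner reappearing) together with the gating this plugin does (non-necessary scripts held back until “Accept”, never loaded on “Reject”), as an added example in plain JavaScript that is not code from the post or from any plugin it names; the cookie name, the category names and the script registry are assumptions.

```javascript
// Added example (not code from the post or any plugin it names): a minimal consent
// gate. The cookie name, the categories and the script registry are assumptions.
const CONSENT_COOKIE = 'site_cookie_consent';
const CATEGORIES = ['analytics', 'marketing'];   // the non-necessary cookie types
// Constructed registry of scripts that must wait for consent (a GA init here
// would also call ga('set', 'anonymizeIp', true), as the post advises).
const NON_NECESSARY = [
  { id: 'google-analytics', category: 'analytics' },
  { id: 'facebook-pixel',   category: 'marketing' },
];

// Read an earlier decision out of a document.cookie-style string. null means no
// decision is recorded yet, so nothing loads and the banner must be shown.
function parseConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const raw = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const decision = {};
      for (const c of CATEGORIES) decision[c] = raw[c] === true;  // unknown keys ignored
      return decision;
    } catch (_) { return null; }   // malformed or tampered value: treat as no consent
  }
  return null;
}

// Only an active click counts as explicit consent; scrolling or a timer never does.
function decisionFromEvent(event, choices) {   // choices: what the clicked button grants
  if (!event || event.type !== 'click') return null;
  const decision = {};
  for (const c of CATEGORIES) decision[c] = choices[c] === true;
  return decision;
}

// The cookie that records the decision and stops the banner reappearing.
function buildConsentCookie(decision, days = 180) {
  const value = encodeURIComponent(JSON.stringify(decision));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax`;
}

// Registry ids that may now be injected; nothing loads without a recorded "yes".
function scriptsToLoad(decision, registry = NON_NECESSARY) {
  return decision ? registry.filter(s => decision[s.category]).map(s => s.id) : [];
}
```

In the page, wire decisionFromEvent to the Accept button’s click handler, write buildConsentCookie’s result into document.cookie, and on every load call scriptsToLoad(parseConsentCookie(document.cookie)) before injecting any third-party tag.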

The plugin is $99 for up to 5 sites for the first year, reduced to $49 for renewals thereafter (not bad for $10 a year per site).

If you’ve got a bigger requirement than that, you can implement it on up to 25 sites for $199 for the first year and $99 thereafter. A serious deal at $4 per site per year!

Further to that, the free version even comes with an inbuilt Cookie Policy Generator. Note, not a Privacy Policy Generator – The Cookie Policy would be a sub-section of the Privacy Policy.

Summary of Features

  • Load cookies only on Acceptance
  • Generate a Cookie Policy (general wording not specific to the plugins used)
  • Will scan and find all cookies being used, allowing you to categorise as necessary and non-necessary – so you can use the “granular acceptance” capabilities (Premium functionality)

GDPR Cookie Compliance


Cookiebot

Cookiebot | GDPR Compliant Cookie Consent and Notice

This is (mostly) a paid solution: there is a free version for small sites, but it doesn’t come with their “Cookie Scanning” capability for automatic documentation of the Cookies.

The paid solutions aren’t “cheap” for small-ish sites.

The fact that the plugin scans your site on a monthly basis to identify each individual cookie being used by the plugins and tracking software you’re using is a big attraction. You can then insert a shortcode into your Cookie Policy which generates a table of all the Cookies on your site and their uses.

This plugin also allows users to be very selective over which Cookies they want to accept or not. i.e. functional cookies vs marketing cookies.

Summary of Features

  • Load cookies only on Acceptance
  • Will scan and find all cookies being used on a MONTHLY basis, allowing you to categorise as necessary and non-necessary – so you can use the “granular acceptance” capabilities (Premium functionality)
  • The scanned cookies are put into a table which can be inserted into your Cookie Policy with a simple shortcode that will automatically update

Complianz | GDPR Cookie Consent


Action Plan for WordPress GDPR Compliance

  1. Install a cookie consent plugin (make the choice as to whether you want to prevent cookies from loading before clicking ‘Accept’)
  2. Provide information to users on how they can delete or completely block Cookies for each of the browsers that they may be using
  3. Create a Cookie Policy which explains what each of the Cookies on your site is used for. (The level of specificity here is up to you – if you want more specificity, go with a solution like Cookiebot, otherwise go with broader descriptions).
  4. Clearly state by each and every form where users input data what the data will be used for – plus provide a link to your privacy policy (If you’re using Jetpack, Akismet and WordPress native comments, this is a setting you can enable for comments). Other forms will need some wording placed by them by you. (WooCommerce Reviews may also be covered by Akismet – just check your theme)
  5. Anonymise your data on Google Analytics to avoid issues with PII
  6. Create a Privacy Policy which covers all standard required aspects, paying special attention to the use of retargeting pixels and utilising emails to create lookalike audiences