WordPress Cookie Consent

I was recently asked by a client if it was necessary to add a cookie consent message to their WordPress website. If you are reading this with the same question, the short answer is maybe!

There is no definitive answer to this question, but there are some guidelines and recommendations that are worth reading. Before we get to that, it is worth asking a few questions…

  1. How do people interact with the website?
  2. Do I need to track pageviews?
  3. What plugins am I using?

WordPress Core Cookies

I would start by thinking about the core WordPress installation for a few minutes.

There are 2 features of WordPress that create cookies. The first is when a user logs in to WordPress and the second is when a user posts a comment. If you intend to use either of these features then I would consider adding some form of cookie consent (more about that later). We use WordPress as the foundation of most of our websites, but for many of them we disable comments straight away and also have minimal user accounts – our own admin account and then one for our client if they choose. So in this case the average user browsing the website will not generate a cookie.

Google Analytics

As soon as you configure Google Analytics on your WordPress site (and I would recommend using this Google Analytics plugin by MonsterInsights) you will be adding cookies to the user experience. Google Analytics generates two cookies.

_ga – This cookie is used to distinguish users and records the IP address of the user's computer.
_gat – This cookie is used to throttle requests.

You can find out more about Google Analytics cookies in their developer guide.

If you install Google Analytics then I would recommend adding cookie consent to your website; however, Google Analytics gives the option to anonymise the IP address stored. You can do this using the MonsterInsights plugin.

Google Analytics Cookies and the ICO

The Information Commissioner’s Office do give guidance regarding which cookies require consent (because there are some exceptions).

…you are unlikely to need consent for:

  • cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
  • session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
  • load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

I would argue that the _gat cookie is purely there for load balancing and therefore does not require consent, so it is the other cookie, _ga, that we are really interested in. The analytics cookies are first-party cookies which are used solely to track interaction with the website and provide aggregated statistics such as the number of page views. There is more detail given in their cookie guidance document, which states:

Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

WordPress Plugins and themes

As there are such a large number of plugins and themes available it would be a huge task to list each one that uses cookies, but as a good rule I would recommend using cookie consent for any site that involves your users creating accounts, logging in to the site, posting comments or making payments (basically any further interaction beyond viewing the page content).

What cookies am I using?

So at this point it's a good idea to do an audit of your site to see what cookies you are using. There are a couple of extensions for Google Chrome that are free and will give you plenty of information:

Attacat Cookie Audit Tool is a simple way of checking your site for cookies. It involves pressing record, browsing your site and then pressing stop to generate a comprehensive report of the cookies that were generated.

Ghostery Browser Extension is another handy tool to see what cookies (it calls them ‘trackers’) are created by your site.
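To turn an audit into a list you can act on, the sketch below sorts cookie names into the groups discussed in this article. It is an added example, not code from any of the plugins or tools mentioned; the WordPress name patterns are the standard core cookie prefixes, and the consent labels are assumptions that follow this article's reasoning rather than any official list.

```javascript
// Added example: classify cookie names by where they come from.
// The consent labels mirror this article's reasoning; they are assumptions.
const RULES = [
  // WordPress core cookie names for logged-in users and the login form.
  { source: 'WordPress login', consent: 'yes',
    pattern: /^(wordpress_logged_in_|wordpress_sec_|wp-settings-)|^wordpress_([0-9a-f]+|test_cookie)$/ },
  // Set when a visitor posts a comment.
  { source: 'WordPress comment', consent: 'yes',
    pattern: /^comment_author(_email|_url)?_/ },
  { source: 'Google Analytics (distinguishes users)', consent: 'yes', pattern: /^_ga$/ },
  { source: 'Google Analytics (throttles requests)', consent: 'no', pattern: /^_gat/ },
];

// Split a "name=value; name=value" string into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => pair.split('=')[0]);
}

// Attach a source and consent label to every cookie; unknown names are
// flagged for manual review because a plugin or theme probably set them.
function auditCookies(cookieHeader) {
  return cookieNames(cookieHeader).map((name) => {
    const rule = RULES.find((r) => r.pattern.test(name));
    return rule
      ? { name, source: rule.source, consent: rule.consent }
      : { name, source: 'unknown (plugin or theme?)', consent: 'review' };
  });
}

// Group cookie names by consent label for a quick summary.
function summarise(cookieHeader) {
  const groups = { yes: [], no: [], review: [] };
  for (const c of auditCookies(cookieHeader)) groups[c.consent].push(c.name);
  return groups;
}

// Constructed sample, not captured from a real site.
const SAMPLE = '_ga=GA1.2.111.222; _gat=1; wordpress_logged_in_0123abcd=editor; ' +
  'comment_author_0123abcd=Jane; wp-settings-time-1=1500000000; my_plugin_pref=dark';

console.table(auditCookies(SAMPLE));
```

Feed it the Cookie request header copied from your browser's network tab rather than `document.cookie`: WordPress marks its login cookies HttpOnly, so page scripts cannot see them.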

How do I get consent?

There are two types of consent that you can seek regarding cookies.

Explicit consent – This type of consent would not allow the cookie to be created until the user accepts the cookie policy. This is a more rigorous way of getting consent and will limit the functionality of the site until the user accepts the terms.

Implied consent – This would usually be in the form of a message telling the user that the site uses cookies with an option to dismiss the message. If the user does not accept the conditions they can always leave the site or disable cookies themselves.

I recommend using the UK Cookie Consent plugin which uses the implied consent method. It has a range of styling options but keeps everything fairly unobtrusive. It also generates a cookie policy page to get you started. – This is still a great free plugin, and it is running on many of our clients' sites, but we are going to be transitioning all of our client websites over to a new system ready for next May.

UPDATE (05/12/2017) – As a result of investigating GDPR compliance for both my own and my clients' websites, I now recommend the Iubenda Privacy and Cookie Policy Generator.

Here are a couple of reasons why we chose to use Iubenda:

  • They host both your Cookie and Privacy Policies and will update your policies as and when the law changes so you don’t have to worry about it.
  • When you add a new feature to your website, you can simply tick the tools that you have installed on your site and it will add the correct policy statements.
  • Oh and to top it all off, the Iubenda WordPress Cookie Plugin also supports explicit consent (which is an awesome feature).

You’ve already seen the cookie plugin in action because it’s running on this site right now! Try clicking the policy links in the footer to see how they work!

Conclusion

I collated all of this information to hopefully help you to make an informed decision about whether your website needs cookies as I was struggling to find the information myself.

Perspective Design can offer a service to both audit your site for cookies and also give you advice and support with adding cookie consent to your site to ensure that you are meeting the EU regulation. If you need help, then why not drop us a message?

I hope you have found this article useful. Feel free to leave a comment below.
