WordPress Cookie Consent
I was recently asked by a client if it was necessary to add a cookie consent message to their WordPress website. If you are reading this with the same question, the short answer is maybe!
There is no definitive answer to this question, but there are some guidelines and recommendations that are worth reading. Before we get to that, it is worth asking a few questions…
- How do people interact with the website?
- Do I need to track pageviews?
- What plugins am I using?
WordPress Core Cookies
I would start by thinking about the core WordPress installation for a few minutes.
There are 2 features of WordPress that create cookies. The first is when a user logs in to WordPress and the second is when a user posts a comment. If you intend to use either of these features then I would consider adding some form of cookie consent (more about that later). We use WordPress as the foundation of most of our websites, but for many of them we disable comments straight away and also keep user accounts to a minimum: our own admin account and then one for our client if they choose. So in this case the average user browsing the website will not generate a cookie.
As soon as you configure Google Analytics on your WordPress site (and I would recommend using the Google Analytics plugin by MonsterInsights) you will be adding cookies to the user experience. Google Analytics generates two cookies.
_ga – This cookie is used to distinguish users and records the IP address of the user's computer.
_gat – This cookie is used to throttle requests.
You can find out more about Google Analytics cookies in their developer guide.
If you install Google Analytics then I would recommend adding cookie consent to your website; however, Google Analytics gives the option to anonymise the IP address stored. You can do this using the MonsterInsights plugin.
Google Analytics Cookies and the ICO
The Information Commissioner’s Office do give guidance regarding which cookies require consent (because there are some exceptions).
…you are unlikely to need consent for:
- cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
- session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
- load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.
However, it is still good practice to provide users with information about these cookies, even if you do not need consent.
I would argue that the _gat cookie is purely there for load balancing and therefore does not require consent, so it is the other cookie, _ga, that we are really interested in. The analytics cookies are first-party cookies which are solely used to provide a way of tracking the interaction with the website and provide aggregated statistics such as number of page views. There is more detail given in their cookie guidance document, which states:
Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
WordPress Plugins and themes
What cookies am I using?
So at this point it's a good idea to do an audit of your site to see what cookies you are using. There are a couple of extensions for Google Chrome that are free and will give you plenty of information:
Attacat Cookie Audit Tool is a simple way of checking your site for cookies and involves pressing record, browsing your site and then pressing stop to generate a comprehensive report of the cookies that were generated.
Ghostery Browser Extension is another handy tool to see what cookies (it calls them ‘trackers’) are created by your site.
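To turn an audit like this into a repeatable check, the added example below (not part of the original article) sorts a site's cookies into the groups discussed above: WordPress login cookies, WordPress comment cookies, _ga and _gat. The WordPress cookie name patterns are assumptions based on WordPress's default cookie naming, and the sample cookie string is constructed.

```javascript
// Added example, not from the original article. WordPress core cookie name
// patterns are assumptions based on WordPress's default cookie naming.
const RULES = [
  // Set when a user logs in to WordPress.
  { category: 'wordpress-login', review: true,
    pattern: /^(wordpress_(logged_in_|sec_|test_cookie$|[0-9a-f]{32}$)|wp-settings-)/ },
  // Set when a visitor posts a comment.
  { category: 'wordpress-comment', review: true,
    pattern: /^comment_author(_email|_url)?_/ },
  // Google Analytics: _ga distinguishes users.
  { category: 'analytics-id', review: true, pattern: /^_ga$/ },
  // Google Analytics: _gat throttles requests; the article argues it needs no consent.
  { category: 'analytics-throttle', review: false, pattern: /^_gat(_|$)/ },
];

// Split "a=1; b=2" into cookie names. Values may contain "=", so cut at the first one.
function parseCookieNames(header) {
  return header.split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Classify each cookie; anything unrecognised (for example from a plugin or
// theme) is flagged for manual review rather than assumed harmless.
function auditCookies(header) {
  return parseCookieNames(header).map((name) => {
    const rule = RULES.find((r) => r.pattern.test(name));
    return rule
      ? { name, category: rule.category, review: rule.review }
      : { name, category: 'unclassified', review: true };
  });
}

// Constructed sample: a logged-in commenter on a site running Google Analytics.
const SAMPLE = [
  'wordpress_logged_in_0123456789abcdef0123456789abcdef=editor%7C1700000000%7Ctoken',
  'comment_author_0123456789abcdef0123456789abcdef=Jane',
  '_ga=GA1.2.111111111.1700000000', '_gat=1', 'theme_pref=dark',
].join('; ');

console.table(auditCookies(SAMPLE));
```

Feed it the Cookie request header copied from the browser's developer tools rather than document.cookie, because cookies marked HttpOnly are hidden from page scripts.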
How do I get consent?
There are two types of consent that you can seek regarding cookies.
Here are a couple of reasons why we chose to use Iubenda:
- They host both your Cookie and Privacy Policies and will update your policies as and when the law changes so you don’t have to worry about it.
- When you add a new feature to your website, you can simply tick the tools that you have installed on your site and it will add the correct policy statements.
Oh and to top it all off, the Iubenda WordPress Cookie Plugin also supports explicit consent (which is an awesome feature).
You’ve already seen the cookie plugin in action because it’s running on this site right now! Try clicking the policy links in the footer to see how they work!
I collated all of this information to hopefully help you to make an informed decision about whether your website needs cookies as I was struggling to find the information myself.
Perspective design can offer a service to both audit your site for cookies and also give you advice and support with adding cookie consent to your site to ensure that you are meeting the EU regulation. If you need help, then why not drop us a message.
I hope you have found this article useful. Feel free to leave a comment below.