GDPR Cookies
You should consult your lawyer or another legal professional before making decisions with legal implications. We will not be held responsible for any penalties levied against you as a result of implementing the strategies in this article or using the compliance tools provided by the Groundhogg WordPress plugin.
GDPR (General Data Protection Regulation) is a regulation in the European Union (EU) and European Economic Area (EEA). We already have a help document on remaining compliant with GDPR, but we wanted to expand on it and talk specifically about cookies here.
What are cookies?
If we want to make cookies compliant with GDPR, we first need to know what cookies are. These are not the delicious cookies you have at snack time: they are small pieces of text that a website asks your browser to store (through a Set-Cookie response header or from JavaScript) and that the browser sends back with every later request to that site. They build up on your computer as you go from website to website.
Cookies are created for many different reasons. The most common is keeping you logged in so you don't have to sign in again every time you close a website and come back to it; another is remembering your preferences so a website stays customized the way you like it.
Cookies work much like a coat check: you hand over your coat, you are given a ticket that identifies it, you leave, and when you come back later the ticket gets your coat back. The ticket (the cookie) is only a reference; the thing it points to is kept by the website.
What do cookies and GDPR have to do with each other?
The consent requirement for cookies comes from the EU ePrivacy Directive (the "cookie law") read together with GDPR's definition of consent: a website needs the user's informed consent before it stores cookies on, or reads cookies from, the user's device. The exception is cookies that are strictly necessary to provide a service the user asked for, such as the session cookie that keeps them logged in. "Informed" means the user is told what the cookies do before they agree, and consent has to be a clear affirmative action: a pre-ticked box, or simply continuing to browse, does not count. Until the user has agreed, the non-essential cookies must not be stored or read.
What are some examples of this?
Suppose a visitor is logged into Facebook (and has stayed logged in, which means they have accepted Facebook storing that cookie), and then visits your website, which embeds a Facebook Messenger plugin so visitors can message you on Facebook for help. The plugin is loaded from Facebook's servers, and the browser sends Facebook's cookies along with that request, so simply loading the plugin lets Facebook recognise the visitor on your site. If the visitor has not agreed to that, you must not load the plugin until they do: show a general placeholder telling them they can still chat with the company, but first have to agree to the cookies Facebook stores being accessed.
Another example is ads. If a visitor does not agree to the storing or reading of cookies, an ad network on your page cannot store or read its cookies and has to rely on other information (such as the content of the page) to choose what to show. The result may be generic ads, and while that may earn your website less, you have to respect what the visitor has or hasn't agreed to.
What cookies does my website use?
It all depends on which plugins and third-party services you have installed. Some plugins advertise that they set no cookies and do no tracking; others track without telling you. Look into the privacy policy of every plugin you use: some vendors make this information public (as Groundhogg does), and for others you may have to contact them to get it.
Common sources of cookies on a website include Google Analytics (statistics cookies or marketing cookies, depending on how you have it set up), retargeting ads such as the Facebook pixel (marketing cookies), Cloudflare (which can be considered a strictly necessary cookie), and YouTube (if you embed a YouTube video on your website, it can set marketing cookies). It may take you a while to find all the cookies your website uses, and there may be some you would never think of.
If you can't tell which cookies your website uses, run it through an online cookie checker, which will list the cookies it finds. There are many available; we suggest Cookieserve, CookieMetrix, Cookie Scanner, or 2GDPR. You can also open your browser's developer tools (the Application or Storage panel) after loading your pages to see exactly what was stored. Keep in mind that no online scanner or tool is 100% accurate: cookies that are only set after a visitor logs in, submits a form, or plays a video are easy to miss.
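The cookie format described earlier (a name/value pair plus attributes such as Domain, Path, Expires and Max-Age) and the inventory step above can be checked without an online scanner. The script below is an added example, not code from this article or from Groundhogg: it parses Set-Cookie headers captured from your own site, classifies each cookie as first-party or third-party and session or persistent, and flags missing security attributes. The sample headers are constructed for illustration, `example.com` is an assumed first-party host, and the fixed `NOW` timestamp only exists so the computed lifetimes are reproducible.

```javascript
// Added example (not the article's or Groundhogg's code): inventory the cookies a
// site sets from captured Set-Cookie response headers. In practice copy the headers
// from the browser's developer tools (Network tab) or from `curl -sI <your-site>`.

const SITE_HOST = "example.com";            // assumed first-party host
const NOW = Date.UTC(2024, 0, 1);           // fixed "now" so lifetimes are reproducible

// Constructed sample: each entry is one Set-Cookie header and the host that sent it.
// Hosts other than SITE_HOST (and its subdomains) are embedded third parties.
const SAMPLE_SET_COOKIE_HEADERS = [
  { from: "example.com", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { from: "example.com", header: "site_prefs=dark; Path=/; Max-Age=2592000; SameSite=Lax" },
  { from: "cdn.example.com", header: "lb=node3; Path=/; Secure; HttpOnly" },
  { from: "video.thirdparty.example", header: "visitor=xyz; Domain=.video.thirdparty.example; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; SameSite=None" },
  { from: "ads.thirdparty.example", header: "track=1; Path=/; Max-Age=63072000; SameSite=None" },
];

// Parse one Set-Cookie header into its name/value pair and attributes (RFC 6265).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = val;
    else if (key === "max-age") cookie.maxAge = Number.parseInt(val, 10);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Classify one cookie and note the attribute problems a reviewer would flag.
function auditCookie(entry, siteHost, now = Date.now()) {
  const c = parseSetCookie(entry.header);
  // Max-Age takes precedence over Expires when both are present (RFC 6265 section 5.3).
  let lifetimeSeconds = null;
  if (c.maxAge !== null && !Number.isNaN(c.maxAge)) {
    lifetimeSeconds = c.maxAge;
  } else if (c.expires !== null) {
    const t = Date.parse(c.expires);
    if (!Number.isNaN(t)) lifetimeSeconds = Math.round((t - now) / 1000);
  }
  const findings = [];
  if (!c.secure) findings.push("missing Secure");
  if (c.sameSite === "none" && !c.secure) findings.push("SameSite=None without Secure is rejected by browsers");
  return {
    name: c.name,
    setBy: entry.from,
    party: isFirstParty(entry.from, siteHost) ? "first-party" : "third-party",
    lifetime: lifetimeSeconds === null ? "session" : "persistent",
    lifetimeSeconds,
    httpOnly: c.httpOnly,
    sameSite: c.sameSite,
    findings,
  };
}

function auditCookies(entries, siteHost, now = Date.now()) {
  return entries.map((e) => auditCookie(e, siteHost, now));
}

// Totals that map onto the categories a cookie banner and privacy policy need.
function summarize(report) {
  const s = { firstParty: 0, thirdParty: 0, persistent: 0, session: 0 };
  for (const r of report) {
    s[r.party === "first-party" ? "firstParty" : "thirdParty"] += 1;
    s[r.lifetime] += 1;
  }
  return s;
}

console.table(auditCookies(SAMPLE_SET_COOKIE_HEADERS, SITE_HOST, NOW));
```

This only sees cookies set by HTTP headers. Scripts can also write cookies from JavaScript (`document.cookie`), which never appear in a response header; for those, read `document.cookie` in the browser console or check the developer tools after each user action (login, form submit, video play).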
Do I need a cookie banner?
You most likely need a cookie banner, especially if you or your business are based in the EU or you have any EU visitors or customers. It is good practice to show one to everyone, as it shows that you care about their privacy and gives them a choice over which cookies are stored or read.
When GDPR came into force, many businesses put up cookie banners, which many people disliked and wanted to block. Businesses kept the banners because they wanted to be sure they were following the GDPR, even where the banners were excessive.
Should this discourage you from putting up a cookie banner? No, because it shows you are following the GDPR (which carries fines if you don't) and you are giving your visitors a choice.
What choices should the cookie banner offer? Not just "accept all" but an equally prominent "reject all". You may also want to let visitors accept or reject cookies per category or per provider, so that someone can accept Groundhogg's cookies but refuse the cookies that come with embedded YouTube videos.
Whatever cookie banner you decide to use, know that you can configure Groundhogg so that it only runs once consent has been given.
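The banner choices above (accept all, reject all, and per-category or per-provider choices) and the "only run once consent has been given" behaviour come down to one mechanism: record the visitor's choice, and load non-essential scripts only when that record allows them. The code below is an added example and is not Groundhogg's or any banner vendor's code. The consent cookie name, the re-consent period, the script list and the script paths and URLs are all assumptions made up for the example; it goes slightly beyond the text by also versioning the consent record so that a change to your cookie list invalidates old consent and the banner is shown again.

```javascript
// Added example (not Groundhogg's code): a minimal consent model that records the
// visitor's choice in one first-party cookie and loads non-essential scripts only
// when that choice allows them. All names, paths and URLs here are assumptions.

const CONSENT_COOKIE = "cookie_consent";   // assumed name of the consent cookie
const CONSENT_VERSION = 2;                 // bump when the cookie list changes: older consent is re-asked
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // assumed re-consent period (180 days), in seconds
const CATEGORIES = ["necessary", "statistics", "marketing"];

// Constructed list of scripts the site wants to load, tagged by category and provider.
// "necessary" scripts load regardless of consent; everything else is opt-in.
const TAGGED_SCRIPTS = [
  { id: "session-keepalive", category: "necessary", provider: "site", src: "/assets/session.js" },
  { id: "crm-tracking", category: "marketing", provider: "groundhogg", src: "/assets/crm-tracking.js" },
  { id: "analytics", category: "statistics", provider: "analytics-vendor", src: "https://analytics.example/collect.js" },
  { id: "youtube-embed", category: "marketing", provider: "youtube", src: "https://video.example/player.js" },
];

// Build the consent record from the banner's buttons. deniedProviders lets a visitor
// accept a category (marketing) but still refuse a single provider in it (YouTube).
function makeConsent(categories, deniedProviders = []) {
  const record = { v: CONSENT_VERSION, categories: { necessary: true }, deniedProviders };
  for (const c of CATEGORIES) {
    if (c !== "necessary") record.categories[c] = categories[c] === true;
  }
  return record;
}
const acceptAll = () => makeConsent({ statistics: true, marketing: true });
const rejectAll = () => makeConsent({});

// Serialize for document.cookie / Set-Cookie. The consent cookie only records the
// choice itself, which is why it can be set before any other consent exists.
function consentCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}

// Parse a document.cookie-style string. Missing, malformed, or outdated records give
// null, which decide() treats as "no consent given" (default deny).
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (record && record.v === CONSENT_VERSION && record.categories && typeof record.categories === "object") {
        return record;
      }
    } catch (e) {
      // malformed value: fall through to null
    }
    return null;
  }
  return null;
}

// Decide which scripts may load. With no valid consent only "necessary" scripts load.
function decide(record, scripts) {
  const allowed = [];
  const blocked = [];
  for (const s of scripts) {
    const necessary = s.category === "necessary";
    const categoryOk = record !== null && record.categories[s.category] === true;
    const providerDenied = record !== null && (record.deniedProviders || []).includes(s.provider);
    (necessary || (categoryOk && !providerDenied) ? allowed : blocked).push(s.id);
  }
  return { allowed, blocked };
}

// Browser side: read the cookie, inject only the allowed scripts, and report whether
// the banner still needs to be shown. Returns null when there is no DOM (e.g. in Node).
function applyConsent(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return null;
  const record = parseConsentCookie(doc.cookie || "");
  const { allowed } = decide(record, TAGGED_SCRIPTS);
  for (const s of TAGGED_SCRIPTS) {
    if (!allowed.includes(s.id)) continue;
    const tag = doc.createElement("script");
    tag.src = s.src;
    tag.async = true;
    doc.head.appendChild(tag);
  }
  return { needsBanner: record === null, allowed };
}
```

The same `decide` gate belongs on the server as well: any PHP that sets a tracking cookie should check the consent cookie first, because a script that is never loaded can still be replaced by a server-side `Set-Cookie` if the back end does not know about the visitor's choice.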
Do I need to include cookie information in my privacy policy?
Yes. List every cookie your website uses, what data each one collects, what happens to that data (including whether it is shared with anyone and how long it is kept), and how a visitor can change or withdraw their consent.
You may wish to put this in a separate cookie policy on its own page; that depends on your business and on the advice you have been given.
Should I care about this if my company isn’t based in the EU?
Yes. GDPR protects people who are in the EU regardless of where your company is based: it applies to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)), and tracking visitors with cookies counts as monitoring their behaviour.
Thanks to Kaspersky, Sucuri, iubenda and Privacy Policies for the articles that helped explain all of this.