Cookie Banner and GDPR Compliance – How to choose your plugin?

They bear the name of a treat, yet they are not loved by all: most cookies are subject to a request for consent, presented through what is commonly called the "cookie banner".

Almost all websites have one, yet not all of them meet the conditions required to be compliant.

How do you get a "GDPR compliant" cookie banner? What criteria must be met? What are the special cases? Let's take stock.

Just grab a plugin

As a WordPress agency, our approach was naturally to turn to the resources of the community to select a plugin to offer our customers for compliance.

There are many candidate plugins for this feature, so we decided to run a benchmark. It was carried out by the Be API department responsible for "RUN" operations, that is, the team that delivers all the services supporting sites that are already online, including maintenance.

How to choose this plugin: which selection criteria?

Since the objective is to comply with the GDPR requirements, let's begin by listing the criteria to be met. For the exhaustive list, see the CNIL page "Cookies and tracers: what does the law say?".

In summary, the plugin and cookie banner that it will generate must:

1 – Inform users: give clear and specific information on the cookies that are used, the data that is processed, by whom and for what purposes.

2 – Obtain prior consent, before setting cookies on the website.

3 – Document consent: keep a record of all consents received as evidence in case of an inspection.

4 – Allow users to change their mind: they must be able to view and change their cookie choices.

5 – Duration of validity of cookies: the validity of this consent is 13 months maximum.

Clarification on criterion 5 – This criterion is not necessarily managed through your cookie plugin, but sometimes directly with the issuer of each cookie.

We therefore need a plugin that makes it possible to comply with these rules (this is the minimum), but that also has ergonomic and technical qualities such as:

  • Simple implementation
  • The ability to work with static cache
  • The ability to work in multisite / multilingual
  • Compatibility with the main plugins used for projects
  • Quality of source code
  • Good quality of support/assistance if needed.

As such, choosing a plugin is not necessarily simple, especially as the range of plugins on offer for this feature was very uneven. Note that this benchmark dates from the beginning of 2020, so positions may have evolved since then.

You have to make a choice.

Be API & GDPR Cookies Consent

We chose GDPR Cookies Consent, a plugin from WebToffee, a publisher that offers quite a lot of WordPress plugins and WooCommerce extensions.

  • GDPR Cookies Consent can scan the site to build the list of cookies that are present
  • Cookies can be organised into categories
  • The cookie banner can be customized graphically to match the site design
  • The text content of the cookie banner can be edited in the admin
  • A button to redisplay the cookie banner, to "change your mind"
  • Shortcodes are available to display the list of cookies by category on your "Privacy Policy" page

There are some limitations, however: the cookie scan does not go very deep into the site. Some cookies that are set on deep pages of the site do not appear in the list, so verification is necessary. The GDPR Cookies Consent support team has been informed of this limitation.

Currently, about 30 of our sites use this extension in different configurations (single site / multisite, multilingual, and different combinations of plugins). No blocking issue or incompatibility at this stage.

Documentation for this solution

Be API's RUN/Maintenance department has written documentation for developers so that a consistent baseline plugin configuration is applied on our clients' web platforms.

The RUN department has also written documentation for clients to help them complete the plugin settings according to their privacy policy.

The purpose of this documentation is also to hand control back to the customer, who must get involved and participate: after all, this is about complying with a regulation, and the publisher of the site is on the front line in terms of responsibility.

Whatever solution you use, take the time to configure your cookie banner properly. Involve your DPO and your legal department (if you have these resources in-house) to validate the content of the cookie banner. Practical aids and tips are available on the CNIL website: "Cookies and tracers: how do I bring my website into compliance?"

Of course, your web agency can assist and advise you in this task.

Other solutions used by Be API

We also had the opportunity to develop alternative solutions for other Agency clients:

  • "Tarte au citron" (tarteaucitron), obviously.
  • OneTrust or Didomi: SaaS solutions that let the customer generate cookie banners independently. Each cookie banner is then placed on a site through a script.

Once the cookie banner is in place on the site

Check regularly

Stay vigilant and periodically review the list of cookies on your website. If you add features to your site, the list of cookies may change.
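The verification called for by the shallow plugin scan, and this periodic review, can be done independently of the plugin. The following is an added example, not code from Be API or WebToffee: it compares Set-Cookie headers captured from site pages with the cookie names declared in the banner, and flags lifetimes above 13 months. The URLs, cookie names and headers are constructed sample data, and 13 months is approximated as 396 days.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumption: "13 months" is approximated as 396 days.
MAX_LIFETIME = timedelta(days=396)

# Constructed sample data: (page URL, Set-Cookie header value) pairs captured
# while crawling the site, including a deep page the plugin scan did not reach.
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("https://example.test/", "analytics_id=abc123; Max-Age=63072000; Path=/"),
    ("https://example.test/", "session_id=xyz; Path=/; HttpOnly"),
    ("https://example.test/blog/2019/deep-page/",
     "video_embed=1; Expires=Mon, 01 Mar 2021 00:00:00 GMT; Path=/"),
]
# Cookie names listed in the banner / privacy policy (hypothetical).
DECLARED = {"analytics_id", "session_id"}


def cookie_lifetime(morsel, now):
    """Return the lifetime as a timedelta, or None for a session cookie."""
    if morsel["max-age"]:  # Max-Age takes precedence over Expires
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None


def audit(observed, declared, now):
    """Return sorted (cookie, page, finding) tuples for cookies that are
    missing from the declared list or live longer than MAX_LIFETIME."""
    findings = set()
    for url, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in declared:
                findings.add((name, url, "undeclared"))
            lifetime = cookie_lifetime(morsel, now)
            if lifetime is not None and lifetime > MAX_LIFETIME:
                findings.add((name, url, "lifetime > 13 months"))
    return sorted(findings)


if __name__ == "__main__":
    for name, url, finding in audit(OBSERVED, DECLARED, NOW):
        print(f"{finding:22} {name:14} {url}")
```

Cookies set only by JavaScript never appear in Set-Cookie headers, so a header-based check like this one complements an inspection in the browser rather than replacing it.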

Keep consents

Keep the consents given by Internet users. If you think there is a risk with your site, you must set up a periodic backup procedure for the consents recorded on your site.

So is my site now in line with the GDPR?

For the cookie banner question, yes. But compliance with the GDPR is a broader issue than that.

If you use Google Analytics to measure the audience and traffic of your site, note that you need to adjust the settings of your Google Analytics account to comply with the GDPR. See our dedicated article on this topic.

More broadly, whenever a file of personal data is present on the site, there are GDPR questions to deal with: newsletter subscribers, form respondents, Internet users who have created an account, e-commerce customers, etc.

For our part, more articles on these topics are planned, to write and share with you.