How to Comply With Germany’s New Cookie Consent Rules

The rules for getting a website visitor’s consent before you use tracking cookies are about to change again, and no one is ready.

This week the German Federal Court of Justice ruled that websites now have to comply with the letter of EU privacy regulations, and not just the lax interpretation that many regulators had been enforcing.

I am going to skip over the specifics of who sued whom, and instead focus on the result.

Basically this ruling said that the “Yes button” cookie consent notices that you see on websites everywhere do not comply with EU privacy regulations.

In fact, those notices never complied with the letter of the law because the EU’s rules required explicit consent, while the existing cookie consent notices are set up so that the websites use cookies whether the visitor likes it or not.

What explicit consent means in this situation is that websites cannot run cookies until after the visitor has clicked yes. To give you a couple examples, you can’t run a Google Analytics tracking script on your site, or for that matter the FB Pixel, until after the visitor clicks yes.

That has been the letter of the EU privacy regulations since they were codified, and yet surprisingly the industry standard doesn’t even come close. In the WordPress sphere, for example, many website owners are using the cookie consent banner found in the Jetpack plugin from Automattic. As a result, none of those websites are in compliance with EU regulations. (Even in countries such as the UK which have passed national regulations that comply with the EU’s rules, few comply with the regulations, and in fact hardly anyone in the UK is even aware of the rules they are breaking.)

Luckily for you I helped a client put his websites in compliance with UK privacy regulations last fall, so I have a better than passing understanding of what has to be done.

The following advice applies to self-hosted WordPress sites, and in fact might not be in compliance with Germany’s rules when the dust settles. It will, however, bring your website much closer to being in compliance than you are right now.

The short version is that we’ll need to install a plugin that will control whether the cookies are activated/run. Cookie Notice and CookieBot are two WP plugins that fits the bill. (Both plugins are being maintained and updated, and I’d expect that their functionality will be updated to comply with the changing regulations.)

I was going to lay out the steps required to set up these plugins, but the plugins are so very different that I got confused when reading my own instructions. So let me just add that you need to set up and configure one of these plugins so that it controls the cookies on your site. (Or, you could have me do it.)

Of the two, CookieBot comes closer to what the privacy regulations appear to require; you can use it to give visitors the option of accepting only necessary cookies, or also accepting various categories of cookies (marketing, statistics, preference), or accepting all cookies.

I also found CookieBot really easy to set up, but I’m not sure it’s actually blocking the cookies from running (I am still testing it, and will update). I hope it really does what it claims, because CookieBot is capable of working with just about any website platform, and not just WordPress. (I would love to have a universal solution to recommend to authors on services such as Squarespace and Blogger.)

Any questions? (Can someone pass the aspirin?)

Nate Hoffelder

View posts by Nate Hoffelder
Nate Hoffelder is the founder and editor of The Digital Reader. He has been blogging about indie authors since 2010 while learning new tech skills weekly. He fixes author sites, and shares what he learns on The Digital Reader's blog. In his spare time, he fosters dogs for A Forever Home, a local rescue group.

1 Comment

  1. Andrew Girdwood31 May, 2020

    I feel your pain and your post has been very helpful.

    I think these plugins (and all site based solutions) require the visitor to be running JavaScript, which you be sure of. They also break if the visitor has an extension that messes with JavaScript, such as an adblocker.

    It’s not clear in the regulations that a site should delete call cookies if a user opts in at some point and turn opts out. Of course, site based solutions can only delete cookies if the programmer knows the name of the cookie and this is tricky because there’s no way of knowing the name of future cookies that might be delivered by third party scripts.

    Lastly, I feel vulnerable with my WordPress site because I’ve no way of knowing that a plugin I’m currently using will start to drop cookies in the future.

    I think your guide is one of the best I’ve seen. I share my concerns only out of frustration that this well intended law is getting muddled in browser politics (there would be no issues if readers used their browsers to control cookies).

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to top