The rules for getting a website visitor’s consent before you use tracking cookies are about to change again, and no one is ready.
This week the German Federal Court of Justice ruled that websites now have to comply with the letter of EU privacy regulations, and not just the lax interpretation that many regulators had been enforcing.
I am going to skip over the specifics of who sued whom, and instead focus on the result.
Basically this ruling said that the “Yes button” cookie consent notices that you see on websites everywhere do not comply with EU privacy regulations.
What explicit consent means in this situation is that websites cannot set tracking cookies until after the visitor has clicked yes. To give you a couple of examples, you can’t run a Google Analytics tracking script on your site, or for that matter the FB Pixel, until after the visitor clicks yes.
That has been the letter of the EU privacy regulations since they were codified, and yet surprisingly the industry standard doesn’t even come close. In the WordPress sphere, for example, many website owners are using the cookie consent banner found in the Jetpack plugin from Automattic. As a result, none of those websites are in compliance with EU regulations. (Even in countries such as the UK which have passed national regulations that comply with the EU’s rules, few comply with the regulations, and in fact hardly anyone in the UK is even aware of the rules they are breaking.)
Luckily for you I helped a client put his websites in compliance with UK privacy regulations last fall, so I have a better than passing understanding of what has to be done.
The following advice applies to self-hosted WordPress sites, and in fact might not be in compliance with Germany’s rules when the dust settles. It will, however, bring your website much closer to being in compliance than you are right now.
The short version is that we’ll need to install a plugin that will control whether the cookies are activated/run. Cookie Notice and CookieBot are two WP plugins that fit the bill. (Both plugins are being maintained and updated, and I’d expect that their functionality will be updated to comply with the changing regulations.)
I was going to lay out the steps required to set up these plugins, but the plugins are so very different that I got confused when reading my own instructions. So let me just add that you need to set up and configure one of these plugins so that it controls the cookies on your site. (Or, you could have me do it.)
Of the two, CookieBot comes closer to what the privacy regulations appear to require; you can use it to give visitors the option of accepting only necessary cookies, or also accepting various categories of cookies (marketing, statistics, preference), or accepting all cookies.
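To make concrete what “nothing runs until the visitor clicks yes” and the per-category choice above actually look like in a page, here is an added example of a minimal consent gate. It is not code from this post, from Cookie Notice or from CookieBot; the cookie name, the tracker list and the script URLs are placeholders I made up. The point it demonstrates is the default: with no stored consent, no tracking script is injected at all, and after a choice only the trackers whose category was accepted load.

```javascript
// Added example (not code from the post, Cookie Notice or CookieBot):
// a consent gate that refuses to load third-party tracking scripts until
// the visitor has opted in, per category. Cookie name, tracker ids and
// script URLs are assumptions/placeholders.

const CONSENT_COOKIE = 'site_consent'; // assumed cookie name
// Categories mirror the ones CookieBot exposes; 'necessary' is always allowed.
const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// Trackers the site wants to run, each tagged with the category it needs.
// URLs are placeholders, not the real tag endpoints.
const TRACKERS = [
  { id: 'google-analytics', category: 'statistics', src: 'https://analytics.example/tag.js' },
  { id: 'facebook-pixel', category: 'marketing', src: 'https://pixel.example/events.js' },
];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = decodeURIComponent(rest.join('='));
  }
  return out;
}

// Return the Set of categories the visitor has accepted. No cookie means
// no consent: the Set is empty and nothing beyond the page itself runs.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return new Set();
  return new Set(raw.split(',').filter((c) => CATEGORIES.includes(c)));
}

// Build the document.cookie value that records a choice.
// 'necessary' is always kept; unknown categories are dropped.
function buildConsentCookie(accepted, maxAgeDays = 180) {
  const cats = CATEGORIES.filter((c) => c === 'necessary' || accepted.includes(c));
  return `${CONSENT_COOKIE}=${encodeURIComponent(cats.join(','))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Load only the trackers whose category was accepted. `inject` is the
// side effect (in a browser, appending a <script>); it is a parameter so
// the decision logic can be exercised without a DOM. Returns the ids loaded.
function loadPermittedTrackers(consent, inject) {
  const loaded = [];
  for (const t of TRACKERS) {
    if (consent.has(t.category)) {
      inject(t.src);
      loaded.push(t.id);
    }
  }
  return loaded;
}

// Browser side effect: append the script element to <head>.
function browserInject(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Called from the banner's button handler with the categories the visitor
// ticked (e.g. ['statistics']). Records the choice, then applies it.
function onChoice(acceptedCategories) {
  document.cookie = buildConsentCookie(acceptedCategories);
  return loadPermittedTrackers(readConsent(document.cookie), browserInject);
}

if (typeof document !== 'undefined') {
  // On page load nothing is injected unless a prior choice is stored.
  loadPermittedTrackers(readConsent(document.cookie), browserInject);
}
```

Two caveats a practitioner will want. First, a gate like this only controls scripts the page injects itself; tags that a theme or another plugin prints directly into the HTML bypass it, which is why a consent plugin that hooks into WordPress on the server side is needed rather than a banner alone. Second, the way to check whether any plugin (CookieBot included) really blocks the trackers is to open the browser’s developer tools, clear cookies, load the page and watch the Network panel: before you click anything there should be no requests to the analytics or pixel hosts, and no cookies from them in the Application/Storage panel.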
I also found CookieBot really easy to set up, but I’m not sure it’s actually blocking the cookies from running (I am still testing it, and will update). I hope it really does what it claims, because CookieBot is capable of working with just about any website platform, and not just WordPress. (I would love to have a universal solution to recommend to authors on services such as Squarespace and Blogger.)
Any questions? (Can someone pass the aspirin?)