Close to 9/10 websites are not compliant with the GDPR cookie laws. In fact, most websites have a cookie warning, but they do not give the user a choice to opt out. You might not know it, but that is actually not enough to be GDPR compliant. So, how do you become GDPR compliant on WordPress? Becoming GDPR compliant on WordPress is one of those things that tends to be complex and hard to grasp. Nonetheless, not understanding the regulation is not a valid excuse if you want to avoid astronomical fines from the data protection authorities.

Are you GDPR compliant on WordPress?

Like most, you probably know that you need consent from the customer to sign them up for your newsletter. You might also know that you need to be careful about how you treat emails with sensitive information. But how do you handle unknown visitors? Are you allowed to track them on your website without consent? On the one hand, you want to stay compliant with the European laws, but on the other hand, you want to keep using your beloved tools like Google Analytics and Hotjar. You also want to keep tracking important marketing KPIs like your top 10 SEO KPIs. Don’t worry, you can do both! And you don’t need to spend thousands on consultant fees to do it. Just keep reading! In this article, we go through the steps needed to become GDPR compliant on WordPress. In other words, you want to make your WordPress website handle cookies correctly.

Cookies? No thanks, I’m not hungry

Of course, your website needs to have a cookie consent warning if you are using cookies. And you will definitely have some of those if you are using a CMS system like WordPress! But how do you know what cookies your website is placing on your users’ devices? To make things even more complicated, how do you know which cookies are placed by third parties like the providers of the plugins you use? These are really important questions if you want to become GDPR compliant on WordPress. It is time for the first trick in the GDPR-book: a tool for showing the cookies placed by your website – your browser. That’s right, you don’t need any fancy plugins or websites to know which cookies there are on your website. In Google Chrome, you simply go to your website and click the lock in the upper left corner next to the address bar. It will reveal the cookies placed by the site.
Don’t be afraid if you see a lot of cookies, since there might be good reasons for placing all of them. Also, remember that some cookies are needed for your site to function properly. In our case, most cookies are placed by third-party tools like Hotjar, HubSpot and Google Analytics. This is a good way to spot unwanted cookies. If you are unsure what a cookie does, try to Google the name of the cookie. This might give you a better understanding of its usage.

How do I give my users a choice?

The GDPR cookie directive implies that the user should:
  • be presented with the cookies used by a website and their purpose,
  • accept the use of cookies before receiving any that are not needed to run the website, and
  • be given a choice that is not conditional on consenting in order to use the service.

Remove unnecessary cookies

It might sound easy, but in fact it can be a struggle to control cookies from third parties. That’s why the easiest approach is to limit the number of cookies coming from third-party plugins. Start by looking at the plugins that place cookies and see if you can find alternative plugins that don’t. An example could be some of the social media plugins for sharing your blog posts. Many of the free ones place a tracking cookie on your users’ computers. This way the companies behind them collect user data as their “payment”. The data might then be sold for advertising purposes, among other things. But there are often free open source alternatives that will not place any tracking cookies. Those will make your job as a cookie-compliant company a lot easier, and therefore, they will help you become GDPR compliant on WordPress.

Now deal with the existing cookies

When all unnecessary cookies are gone, what do you do with the cookies placed by your favorite tools, the ones where you would never consider using an alternative, e.g. Google Analytics or HubSpot? These tools are a necessity from a business point of view, yet they aren’t from a customer’s point of view. Therefore, users need a way to decline them. Well, here comes the tricky part. You need a way to show the content of your page before placing tracking cookies on your users’ computers. But you also want to preserve the valuable knowledge that you get about how users use your page. There are different ways to solve this issue. An easy way is to buy a plugin or tool that takes care of handling the cookies and consent. These tools are called consent management platforms. Yet, a recent study shows that only 11.8% of these platforms comply with European laws. So, not only are these tools expensive, but some of them are not even enough to avoid GDPR fines. But don’t worry, you can continue reading and learn how to do it yourself for free.

Getting your hands dirty

The first thing you want to do to become GDPR compliant on WordPress is to identify the parts of the code running on your website that place a cookie. This would usually be some JavaScript code. You then want to move this code to a separate place so that it only runs when the user has given consent. You might be using some of the popular marketing services that have plugins for WordPress, such as HubSpot or MonsterInsights for Google Analytics. Those plugins do not require any extra JavaScript. Very convenient, but it might also come with a downside: the plugin, not you, decides when the tracking code runs. We are going to add three popular services to our consent screen. The services need to be added in three different ways, hence they are good examples of what you might encounter.

Setting up a cookie consent screen

To set up a cookie consent screen, we are going to recommend you use a plugin called Complianz | GDPR Cookie Consent. This plugin has some major benefits. The biggest is that it has a pretty good free version. Another benefit is that it has an extensive guide for setting up a consent screen. It even comes with an automatic cookie policy page. Yes indeed, pretty handy!
Follow the installation guide on the plugin page to get started. A wizard will guide you through some steps by asking a lot of questions. It will also show you the cookies running on your site. One of the cool things about Complianz is that it is using an extensive database of known cookies. The database describes what the different cookies do. This data will then be available on the cookie policy page to give your users an overview of everything that runs on your site.
Moving on, you will need to make sure that only the functional cookies are placed if the user chooses that option. Now that the cookie consent screen is set up, we will be going through Hotjar, MonsterInsights, and Hubspot in the following sections. Yet, beware that you might have other plugins that require some extra steps.

Adding Hotjar

If you are using the official Hotjar plugin for WordPress, you’ll want to change to a more old-fashioned way of installing it. This goes against the recommendation by Hotjar, but it is much easier to control. This way, you’ll know when tracking cookies are placed and you’ll be able to control them. And yes, you might want to grab your best developer friend at this point or pay close attention, because things are going to get a bit technical.

Step 1

Disable or remove the Hotjar plugin from your WordPress site. We are going to use a snippet of code instead to set up Hotjar.

Step 2

Get the tracking code from insights.hotjar.com/site/list. Click the little “Tracking Code” button. It should look something like this:

Step 3

Instead of pasting the code into the header section of the website as explained by Hotjar, you need to go to the “Integrations” sub-menu of the Complianz menu. Then, paste the code into the part called “Scripts to add services, for example, Facebook Pixel, Hotjar, etcetera.”. This section of code will only run once you have the needed consent from the user.

That’s it. Wasn’t that bad, right? 

MonsterInsights

If you look at the top of the “Integrations” page of the Complianz plugin you’ll notice a tab called “Plugins”. If you click there, you’ll see all the plugins that Complianz found and recognized. You will also notice that the MonsterInsights plugin is recognized. This means that you do not need to deal with JavaScript code to block Google Analytics – Hurrah. You’ll simply have to be sure that the plugin is enabled.

HubSpot 

HubSpot has a great plugin for WordPress, which means that we do not need to deal with any code when setting it up. This comes with a problem: how do we prevent it from placing the tracking cookie when the site loads? HubSpot comes with a built-in GDPR compliant consent screen, great. The problem, though, is that you are not interested in having multiple consent screens. So, you cannot really use it in this case. Instead, you can incorporate it into your newly created consent screen. Let’s see how you can do that. HubSpot has a cookie API that lets you control the cookie flow yourself. That sounds cool, but it definitely requires some development skills. We will skip that option in this blog post and try another approach that is easier. Instead, to make it easier for you, I found the piece of code that places the cookie. You can also find it yourself if you go to “Setting > Reports & Analytics Tracking”. It looks like the following:
If you take a closer look at that piece of code, you’ll see a script that is loaded from the domain “js.hs-scripts.com”. To prevent cookies from this domain, you only need to add it to this section of Complianz’s integration page.
And voila, Bob’s your uncle. In other words, by simply copy-pasting “js.hs-scripts.com” into the right section of Complianz, you’ll make sure that HubSpot only enables cookies after you have received the consent. You might want to apply the same technique for other plugins you are using. Find the right code, and copy-paste the URLs into the Complianz plugin. That way, you’ll make sure all your plugins are GDPR compliant.
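The technique used in the last two sections, only running tracking code after consent and recognising a third-party script by the domain it loads from, can be shown in plain JavaScript. The block below is an added example written for this post, not code from Complianz, Hotjar or HubSpot. It assumes a hypothetical first-party consent cookie named `site_consent` with the value `functional` or `all`, a constructed list of tracking domains (only `js.hs-scripts.com` comes from the post), and the common markup convention of shipping blocked scripts as `<script type="text/plain" data-src="...">`, which the browser does not execute until the tag is re-inserted as a real script. The `parseCookies` helper can also be pasted into the browser console against `document.cookie` to list the cookies your page can see from JavaScript (cookies flagged HttpOnly will not show up there, only in the lock-icon view).

```javascript
// Consent-gated loader for third-party tracking scripts.
// Added example for this post; not code from Complianz, Hotjar or HubSpot.
// Assumptions (hypothetical): a first-party cookie "site_consent" holding
// "functional" or "all", and a constructed list of tracking domains.

const TRACKING_DOMAINS = [
  "js.hs-scripts.com", // HubSpot loader domain mentioned in the post
  "tracking.example",  // constructed placeholder for any other tracker
];

// Parse a document.cookie / Cookie-header style string into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;               // ignore fragments without "="
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Fall back to "functional" whenever the consent cookie is missing or has an
// unexpected value: an absent choice must never be treated as consent.
function consentLevel(cookieString) {
  const value = parseCookies(cookieString).site_consent;
  return value === "all" ? "all" : "functional";
}

// Match on the host of the script URL so that "js.hs-scripts.com" also covers
// sub-hosts; a relative or unparseable src is treated as first-party code.
function isTrackingScript(src) {
  let host;
  try {
    host = new URL(src, "https://first-party.invalid/").hostname;
  } catch (e) {
    return false;
  }
  return TRACKING_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Decide which blocked script URLs may run at the given consent level.
function scriptsToActivate(srcs, level) {
  return srcs.filter((src) => level === "all" || !isTrackingScript(src));
}

// Browser-only: turn permitted <script type="text/plain" data-src="..."> tags
// into live script tags. Returns the list of URLs that were activated.
function activateBlockedScripts(doc) {
  const level = consentLevel(doc.cookie);
  const blocked = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-src]')
  );
  const allowed = scriptsToActivate(blocked.map((s) => s.dataset.src), level);
  for (const tag of blocked) {
    if (!allowed.includes(tag.dataset.src)) continue;
    const live = doc.createElement("script");
    live.src = tag.dataset.src;
    live.async = true;
    tag.replaceWith(live);                 // the browser executes it from here
  }
  return allowed;
}

// Run automatically when loaded in a browser; harmless under Node.
if (typeof document !== "undefined") {
  activateBlockedScripts(document);
}
```

Call `activateBlockedScripts(document)` again from the consent banner's "accept" handler after the cookie has been written, so trackers start on the same page view without a reload; until then the HubSpot loader stays inert because its host matches `js.hs-scripts.com`.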

To conclude…

Let’s take a look at the result. Now that we are using Complianz, if you go to our page in an incognito browser session and look at the cookies, you’ll see the following:
Once you have accepted our cookie consent by clicking on “All cookies” in the orange box, go and click again on the lock icon. Now, you can see that we have 21 cookies in use. If you visit our cookie policy page that is provided by Complianz, you’ll find a description of all the cookies that we are using. Now it’s your turn. Go and get GDPR compliant on WordPress! Let us know in the comments what other plugins you would like examples with.