The GDPR has been in force since May 2018 and the EU Cookie Law has been around since 2009, yet there are still a lot of websites that comply with neither. In this post we'll summarize the basic steps that system administrators and webmasters need to take to achieve such compliance. While doing so, we'll take for granted that you already know the basics of privacy and the GDPR: if you don't, we strongly suggest taking a look at these posts before proceeding.
Basic requirements
As we already said a minute ago, the two regulations we need to consider to understand what we need to do are the following:
- General Data Protection Regulation (EU 2016/679), better known as GDPR.
- EU Cookie Law (2009/136/CE), adopted in Italy with the decree n. 126 03/06/2014.
According to these regulations, if you're hosting a standard website - in our example, a WordPress-based blog or newspaper - you need to have the following:
- A Privacy Policy containing the Data Controller contact info and a list of processing activities.
- A Cookie Policy, explaining what cookies actually are and which kind of cookies you will create on their browser.
- A GDPR & Cookie Law plugin that tells your users how to read your policies and how to opt in to / opt out of your cookies.
Let's see how we can deal with all that.
Privacy Policy
The Privacy Policy is a document - usually a web page or a downloadable PDF file - that is expected to contain the following info regarding your website:
- The Data Controller info and e-mail contact.
- A list of the Types of Data collected by the website.
- Mode and place of processing activities, including the retention period.
- A list of the various processing activities currently in place.
- A list of the various User rights and info regarding how to exercise them.
- A link to the Cookie Policy (see below) or instructions on where to find it.
If you need an actual sample, you can take a look at our own GDPR Privacy Policy (updated in December 2018). A sample document based upon it is also available in PDF and DOCX formats for your convenience:
Cookie Policy
The Cookie Policy is a document - usually a web page or a downloadable PDF file - that should contain the following:
- General info about Cookies: what cookies are, how the website uses them and why, how to control them and so on.
- Detailed info about the Cookies used on the website: technical, analytics, tracking, profiling, third-parties, social, and so on.
- Opt-in and/or opt-out measures available to the users that do not want to have non-required cookies installed on their browser.
- A link to the Privacy Policy (see above) or instructions on where to find it.
If you need an actual sample, you can take a look at our own Cookie Policy (updated in December 2018). A sample document based upon it is also available in PDF and DOCX formats for your convenience:
GDPR & Cookie Law Plugin
Last but not least, you need to provide your website with a dedicated, GDPR-compliant and Cookie Law-aware notification pop-up (or modal window) that informs your users about the existence of cookies, the privacy policy and the cookie policy on your website. In the example below we'll take for granted that you're using WordPress, therefore we will talk about a couple of WordPress plugins that can handle this task. If you're not using WordPress, just find a comparable alternative for your blog or CMS engine, or look for similar jQuery-based plugins around the web: whichever you choose, the steps below still apply.
Installing the Plugin
Install the GDPR plugin by Trew Knowledge. This is a free plugin specifically designed to help Data Controllers, Data Processors and/or Data Protection Officers (DPO) fulfil their obligations and exercise their rights under the GDPR. The plugin documentation can be found here, while a bunch of shortcodes, helper functions and samples can be found here.
This plugin works just like any other "Cookie Law" WordPress plugin, with some neat additional features which are required for stricter local regulations regarding the Cookie Law enforcing requirements (such as Italian decree n. 126 03/06/2014):
- A "Privacy Preference Center" modal window that can be used to summarize all the cookies and even to allow the users to interactively exercise their opt-in and/or opt-out rights in real time.
- A JavaScript and PHP interface that can be used by the webmaster / developer to conditionally enable or render the JavaScripts and/or PHP code lines creating the cookies, or embed the third party scripts that do that.
Since this website is using the GDPR plugin as well, you can take a look at how the plugin works by deleting its cookies (those with the gdpr[whatever] name) and then refreshing this page. If you're too lazy to do that, here are some screenshots of the plugin in action:
Configuration
As soon as the plugin is installed and activated, a new GDPR menu item will appear on the WordPress admin page. Click there and go to the Settings page, where all the magic happens. Here are the relevant options that you'll most likely want to change:
- Privacy Center > Privacy Bar: ensure that the Privacy Bar is enabled.
- Privacy Center > Privacy Bar Content: this is the text that will appear on the cookie banner overlay (screenshot #1 above). Review the default text to meet your standards. Here's a good example: "We are using cookies to give you the best experience on our website. You can find out more about which cookies we are using or switch them off by clicking the Cookie Settings button".
- Privacy Center > Privacy Excerpt: this text will appear in the consent section of the Privacy Preference Center modal window (screenshot #2 above). Review the default text to meet your standards. Here's a good example: "We are using cookies to give you the best experience on our website. You can find out more about which cookies we are using or switch them off by clicking the Cookie Settings button".
Cookie Categories
The Cookies section is arguably the most important part of the whole plugin: this is where you'll need to create the various cookie categories that will be shown in the Cookie Preference Center. Each category gets a dedicated tab as well as custom contents and features, depending on how you configure it.
Here's an example that you might want to use if you have the following sets of cookies:
- Technical Cookies (required): WordPress cookies, PHP session cookies, GDPR cookies and so on.
- Advertising Cookies (soft opt-in): Google AdSense and/or other advertising networks: for those we'll implement a soft opt-in.
- Analytics Cookies (soft opt-in): Google Analytics and/or other measurement tools & trackers.
As we can see, we've set the first category with a required status, while the other two have the soft opt-in status: let's try to understand the difference.
- Required status is for cookies that cannot be opted out of and are needed for the site to function properly.
- Soft opt-in status will allow cookies on first landing but can be opted-out of.
The plugin supports two additional statuses, which we are not using in our example but you can use at will:
- Checked: these cookies will be checked by default and will be set after the user agrees to them.
- Unchecked: similar as checked, but the user needs to manually toggle the category on to allow these cookies to be set.
Consents
The last section of the GDPR plugin settings page is called consents and can be used to register one or more policy pages that you would want your users to read and give consent to. You can set there the Privacy Policy and the Cookie Policy: for each one of them you'll also be asked to provide a long and a short description that will be used within the Privacy Preference Center.
Implementation
Once the plugin has been set up, you might want to know how to enforce the opt-ins and/or opt-outs within your WordPress website. To put it in other words: if a user asks us not to bother them with Google Analytics cookies, our website must comply with that request.
This feature is called Enabling or Disabling functionality based on consent and cookies and is well explained here. In short, the plugin provides two helper functions that can be used to check whether the user has given consent and/or accepted a cookie:
Consent
if (has_consent($consent_id)) {
    // consent to this policy has been given
} else {
    // no consent
}
The $consent_id variable value should match one of the pages registered within the Consents section of the plugin (see above).
Cookie
if (is_allowed_cookie($cookie_name)) {
    // consent to this cookie has been given
} else {
    // no consent
}
The $cookie_name variable value should match one of the cookies mentioned in the Cookie Categories section of the plugin (see above).
Both of these functions are available in PHP and JavaScript, meaning that you can check for consent and/or cookies server-side, client-side, or both, according to your specific scenario.
Example: opt-out Analytics
Here's a quick implementation example: a GDPR opt-out feature for the typical Google Analytics "Universal Analytics" JavaScript snippet.
<!-- GDPR opt-out for Google Analytics -->
<script type="text/javascript">
    if (!is_allowed_cookie('_ga')) {
        window['ga-disable-UA-999999-1'] = true;
    }
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-999999-1"></script>
<script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-999999-1');
</script>
As we can see by looking at the above code, we took advantage of the ga-disable- switch following the Google Developers official recommendations to implement the user opt-out feature. This is what you need to do with all the cookies (and/or third-party snippets) that you want your users to opt-in or opt-out from.
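The same consent gate, written as a reusable client-side helper. This is an added example, not code from the original post or from the GDPR plugin: it assumes only the plugin's client-side helper is_allowed_cookie(name) described above, and it goes one step beyond the snippet by failing closed (if the plugin's helper is missing or throws, tracking is treated as not allowed, so a broken consent layer never leaks cookies) and by withholding any third-party script whose cookie has not been accepted. The fake window and document objects, the cookie names and the ad-script URL are constructed for the walk-through; the property id UA-999999-1 is the placeholder used in the snippet above.

```javascript
// Added example (not from the GDPR plugin or the original post).
// Assumes the plugin exposes is_allowed_cookie(name) -> boolean on the client;
// it is passed in here as `consentApi` so the logic can run outside a browser.

// Fail-closed wrapper: a missing or throwing consent API means "not allowed".
function cookieAllowed(cookieName, consentApi) {
  if (typeof consentApi !== "function") {
    return false;
  }
  try {
    return consentApi(cookieName) === true;
  } catch (err) {
    return false;
  }
}

// Sets Google's documented opt-out switch window['ga-disable-<PROPERTY_ID>']
// before the gtag loader runs. Returns true when analytics may run.
function applyAnalyticsOptOut(win, propertyId, consentApi) {
  const allowed = cookieAllowed("_ga", consentApi);
  win["ga-disable-" + propertyId] = !allowed;
  return allowed;
}

// Injects a third-party <script> only when the cookie it sets is allowed.
// Returns the created element, or null when the script was withheld.
function loadIfAllowed(doc, src, cookieName, consentApi) {
  if (!cookieAllowed(cookieName, consentApi)) {
    return null;
  }
  const el = doc.createElement("script");
  el.async = true;
  el.src = src;
  doc.head.appendChild(el);
  return el;
}

// Minimal stand-ins for window/document (constructed for this example).
function makeFakeBrowser() {
  const head = {
    children: [],
    appendChild(el) { this.children.push(el); },
  };
  return {
    win: {},
    doc: { head, createElement(tag) { return { tagName: tag.toUpperCase() }; } },
  };
}

// Walk-through: a visitor who only accepted the technical cookies.
function demo() {
  const accepted = new Set(["wordpress_test_cookie", "PHPSESSID"]); // constructed
  const consentApi = (name) => accepted.has(name);
  const { win, doc } = makeFakeBrowser();
  const analyticsOn = applyAnalyticsOptOut(win, "UA-999999-1", consentApi);
  const adScript = loadIfAllowed(doc, "https://example.invalid/ads.js", "ad_cookie", consentApi);
  return {
    analyticsOn,                                  // false
    gaDisabled: win["ga-disable-UA-999999-1"],    // true
    scriptsLoaded: doc.head.children.length,      // 0
    adScriptInjected: adScript !== null,          // false
  };
}

console.log(demo());
```

The gate must run before the third-party loader tag, exactly as in the snippet above; on the server the same decision can be made with the PHP is_allowed_cookie() helper so that the tag is never emitted at all, which is the more robust option when the user's browser blocks or breaks the plugin's JavaScript.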
Translations
The GDPR plugin is currently available in 12 languages: Catalan, Croatian, Czech, Dutch, English (US), Esperanto, Finnish, French (France), Romanian, Slovak, Spanish (Spain), and Swedish.
In case your language isn't listed above, don't worry: you can create your own localized strings with the awesome Loco Translate plugin. If your website supports multiple languages with a plugin such as Polylang, WPML, TranslatePress, Weglot or any other WP multi-language plugin, you can still use Loco Translate to create the .po files you are missing. Additionally, if your multi-language plugin natively supports the string translation feature, you can even specify one or more localized versions for all the policy pages registered within the Consents section (see above).
All these plugins are pretty easy to use and configure: however, in case you need help with the translation part, feel free to contact us: we'll be happy to help you!
Conclusion
That's it, at least for now: we sincerely hope that this GDPR and Cookie Law tutorial guide will help other system administrators and/or webmasters to make their website compliant with the GDPR and Cookie Law requirements.