Surely you’ve seen them many times. They show up as banners at the top or bottom of webpages or as distracting popups. Virtually every website based in the EU is supposed to display them. What am I referring to? Cookie consent notices.
Have you ever wondered why some sites display a cookie consent notice? Do you know whether or not your site should be displaying such a notice? Maybe you know that your site probably should have a notice displayed, but you haven’t gotten around to setting one up.
In this article, I’ll help you figure out if you need to display a notice, explain what the notice should include, and show you how easy it is to add a cookie consent notice to your WordPress site.
But before we dig into the details, let’s set the stage. Why do these consent notices even exist and what is their purpose?
What Is the Cookie Law?
In May 2011, a European Union (EU) Directive was adopted by all EU member countries to protect consumer privacy online. This piece of privacy legislation requires that covered websites:
- Let users know if they are using cookies
- Explain what data is gathered through the use of cookies and how that data is used, and
- Gather user consent to the use of cookies
The law is enforced by governing bodies in the EU, and therefore cannot apply unilaterally to everyone. If you live outside of the EU, have a website hosted on a server outside of the EU, and are targeting consumers anywhere other than the EU, you don’t need a cookie consent notice.
Who Does the Cookie Law Apply To?
- Any person or organization that is physically located in the EU and has a website
- Any website that targets EU consumers
However, there is one additional qualification. In order to be covered by The Cookie Law, your website has to use cookies.
Does My Site Use Cookies?
Yes. All WordPress websites use cookies.
The WordPress core software uses cookies for user authentication and for commenting, and plugins use cookies in a wide variety of ways.
This blog has covered the topic of how WordPress uses cookies before. If you want to learn more about this topic you should read Cookies and WordPress: How to Set, Get and Delete.
Not All Cookies Are Created Equal
Even if your site is based in the EU and targets EU consumers, you still might not need a cookie consent notice (but you probably do). It all depends on the type of cookies your site uses.
The Cookie Law distinguishes between two different kinds of cookies: Session cookies and persistent cookies.
- Session cookies are the cookies that are strictly required for website functionality and don’t track user activity once the browser window is closed. Examples of session cookies include faceted search filter cookies, user authentication cookies, cookies that enable shopping cart functionality, and cookies used to enable playback of multimedia content.
- Persistent cookies are cookies used to track user behavior even after they have moved on from your site or closed the browser window. Cookies used by analytics programs and advertising tracking cookies are the most common types of persistent cookies.
Sites that make exclusive use of session cookies do not require a cookie consent notice. However, sites that make use of any persistent cookies do require a cookie consent notice.
The cookies used by the WordPress core are session cookies. So, it’s theoretically possible to run a WordPress site that doesn’t require cookie consent.
In reality, you would be very hard-pressed to find a WordPress site that only uses session cookies.
Use any sort of analytics program, display advertisements or affiliate links, use a single sign-on authentication system, or track visitors in any other way, and your site is almost certainly using persistent cookies.
In short, if your website is based in the EU or if you are targeting consumers in the EU, and your site uses even a single persistent cookie, you need to display a cookie consent notice.
You might be wondering to yourself: “Well, what if I don’t want to do this? Who’s going to make me?”
Good question.
Unless your site is quite popular, abuses user data in some way, or someone complains to a governing authority, there’s a good chance nothing will happen if you don’t comply. However, failure to comply can result in a sizeable fine, and the cost of complying is incredibly low, at least for WordPress users.
Better safe than sorry, right?
How to Comply with The Cookie Law
To comply with the law you need to do three things:
- Let users know that you’re using cookies
- Provide a link where they can learn more about how you use the data you gather
- Provide a way for users to consent to the use of cookies
The most common way to do this is to display a small banner at the top or bottom of your website with a link to a detailed privacy policy and a button to consent to the use of cookies and hide the banner.