Are you looking for a legally compliant cookie plugin for WordPress? Or are you wondering if a cookie notice is enough to legally protect your website? In this blog article I would like to help you to protect your website against warnings and show you the 3 best cookie plugins for WordPress.
Now certain cookies may only be set with the consent of the visitor.
Update 29.05.2020: A new ruling makes an opt-in unavoidable.
Attention: Even though the information presented here has been carefully researched, I am not a lawyer. Therefore, I do not assume any guarantee or legal security for the information here.
The Cookie plugin from Borlabs is the best cookie plugin for WordPress. Unfortunately, it is a premium plugin and therefore costs a bit. Borlabs Cookie comes with all the necessary features to make your WordPress website legally compliant. You have the choice between an opt-out solution (cookies are set and the user can object) or an opt-in solution (cookies are set only after the user consents). For more information on the types of so-called cookie consent plugins, see 4.2 Cookie types.
You can block your cookies with this cookie plugin until the user clicks on accept. In addition, the Borlabs Cookie plugin lets you divide your cookies into groups. This way you give your visitors the possibility to deactivate certain cookie groups.
The opt-in prompt is loaded when you visit your website. You can customize the design of the opt-in prompt as you like.
In addition, Borlabs Cookie has included a script blocker since version 2.1. This means that embedded content (YouTube videos, Vimeo videos, Google Maps, Facebook posts, etc.) is only loaded after the user’s consent. Pretty cool: Borlabs Cookie creates a preview image of the video and stores it on your server. This way, the blocked video does not interfere with the rest of your WordPress website design.
Unfortunately, the pricing model is now annual and costs 39 € per year for a single website. However, for this you get very good German support and are legally on the safe side.
- WPML compatible
- Cookies can be managed in groups
- Opt-in solution for ePrivacy and GDPR
- Easy integration of common cookies via tracking ID
- Works also with Page Builder
- Made in Germany
- German support
- Statistics to track the opt-in conversion
- Supports the most popular caching plugins
- Block any content with shortcodes
- Cookies to be blocked must be added manually
- Annual pricing model
While the Borlabs Cookie Plugin requires you to add cookies manually, Cookiebot uses a different concept. Cookiebot automatically scans your website for cookies. Thus, this cookie plugin is aimed at absolute website beginners. Here you can just sit back and Cookiebot does the work. The scanned cookies are also automatically sorted into groups.
Thus, Cookiebot has a special position, because you don’t have to maintain your cookie scripts manually. Nevertheless, it only takes second place in this list of WordPress cookie plugins. Why?
Unfortunately, Cookiebot cannot block as much content as the Borlabs solution, and blocked videos are replaced only with an ugly notice. The fact that Cookiebot is integrated into your WordPress website via an external script is also not exactly the best way.
The provider also charges well for this all-round carefree solution. The pricing model is a bit idiosyncratic. Up to 100 subpages you can use this cookie plugin for free. That sounds like a lot, but it is not for WordPress. Every category, tag, archive and media subpage is counted here. And so even small WordPress blogs quickly come to 100 subpages. The Premium Small tariff costs 9 € per month (108 € per year) and with that you can make up to 499 subpages legally compliant. Not exactly cheap compared to the Borlabs Cookie plugin.
- Cookies are automatically detected
- No need to rummage around in the code (automatic cookie scan)
- One-Click Solution
- Script Blocker can block content
- Compatible with any website (not only WordPress)
- Free for WordPress websites up to 100 subpages
- Integration via an external script
- Script Blocker offers only a text hint (no nice thumbnails)
- Not all external scripts are blocked
- Only cookies are blocked, not the entire connection (IP address is transmitted)
The DSGVO Pixelmate Cookie Plugin can be seen as an alternative to the Borlabs Cookie Plugin. Especially easy is the integration of Google Analytics and Facebook Pixel. You only need your tracking ID of the two services and the plugin does the rest. If you need other scripts, you can of course also include them in the cookie plugin.
This cookie plugin can also block external resources and only enable them after your visitors have given their consent. However, this only works with YouTube, Vimeo, Google Maps and Twitter. The placeholder for videos is not quite as nice as with Borlabs Cookie.
Ultimately, this cookie plugin offers simple and quick workarounds for integrating cookie opt-in into your website. It is also supported by a lawyer. Nevertheless, there is (as with any WordPress cookie plugin) no legal guarantee from this provider. However, this is understandable given the unclear legal situation on the subject of cookies.
With the functions of DSGVO Pixelmate, you have to make sacrifices (compared to the Borlabs Cookie plugin). But it costs you only 39 € per website and you don’t have to subscribe.
- Convenient operation
- Blocks external resources (third-party cookies)
- Facebook group as support forum
- Cookie banner can be customized
- Analytics and FB Pixel can be integrated very easily
- Opt-in and opt-out is supported
- Facebook posts, iFrame and other services cannot be blocked
- No overlay possible via website
- Content Blocker design cannot be customized
- Plugin is not updated full-time
- Easily becomes confusing with many cookies
There are three types of cookie banners that differ in the way they handle the setting of cookies.
This cookie banner is no longer legally secure.
2.2 Opt-In Cookie Banner
With the opt-in cookie banner, the user is asked to allow the cookies to be created. The cookies are set only after the user has consented.
This is the current and legally compliant version of the cookie notice. With it, you can integrate cookies into your WordPress website in a privacy-compliant manner.
In contrast to opt-in, the cookies are set automatically when the website is called up, and when the user clicks on reject, the cookies are deleted again. The user can only object to the setting of cookies afterwards.
This is now no longer privacy compliant and should be urgently changed to the opt-in cookie banner.
3. The current legal situation
For years, the legal situation regarding cookies was confusing and partly unclear. There is already a cookie directive at EU level. Unfortunately, however, this was never implemented in Germany. Even the GDPR in May 2018 could not settle the issue clearly. Since the two rulings of the European Court of Justice in July 2019 and October 2019, the handling of cookies is now more clearly regulated. In July 2019, the handling of social plugins was regulated:
As for the consent pursuant to Art. 2 letter h and Art. 7 letter a of Directive 95/46, this must be declared before the data of the data subject is collected and disclosed by transmission. Therefore, it is up to the operator of the website and not the provider of the social plugin to obtain this consent, since the processing process of the personal data is triggered by a visitor accessing this website.
This was about the Facebook Like button – i.e. social plugins. Now the website operators had to obtain the explicit consent of the visitor. This ruling could also be applied to other tracking cookies.
Absolute clarity was then brought by the ECJ ruling of 01.10.2019. In this, the European Court of Justice ruled that all tracking cookies require the consent of the user. All cookies that are not technically necessary now require the explicit consent (opt-in) of the website user. Furthermore, consent must always be “active, unambiguous and informed” by the user (Art. 4 No. 11 GDPR). Thus, no checkboxes may be preselected.
The use of opt-out consent or simple cookie notices is no longer allowed. You must get opt-in consent from the user when using tracking or other cookies that are not technically necessary.
At what point do you need legally compliant opt-in consent from the user for cookies? Tracking cookies and marketing cookies are not technically necessary and require active consent from the user. This is a straightforward matter.
But there are still cookie types that are not so easy to classify. As you can see, it’s a complex topic that doesn’t really have any simple answers. Nevertheless, I will try to express myself as briefly and clearly as possible:
Some cookies are not served with coffee. They are used to make a website more user-specific or to store information. Technically, a cookie is a small text file in which information is stored. These are used to store information about the respective user across several sub-pages. This doesn’t have to be just “evil” tracking: session cookies can also contain shopping carts or logins, for example. This means that the user does not have to log in again for each sub-page.
4.2 Cookie types
These “good” cookies are used to store certain user-specific information. This can be, for example, a shopping cart or, even more trivially, a cookie to store the user’s cookie setting. These cookies are not affected by the current ECJ rulings. The ePrivacy Directive of 2002 (Art. 5 para. 3) is supposed to apply here:
This shall not prevent technical storage or access if the sole purpose is to carry out or facilitate the transmission of a communication over an electronic communications network or, where strictly necessary, to provide an information society service explicitly requested by the subscriber or user.
Unfortunately, this regulation has not yet entered into force.
These cookies belong to the dark side of cookies. Tracking cookies are an important part of online marketing. However, for the user, tracking cookies mean monitoring of the user’s behavior. The persistent cookies are permanently stored on the user’s computer. Thus, the user’s behavior can be stored over several sessions.
Tracking cookies are also divided into first-party cookies and third-party cookies. First-party cookies are set by the server of the visited website. Third-party cookies are integrated externally, i.e. from an external server. This can be used, for example, by Facebook or Google to deliver interest-based advertising. You have certainly observed this before, when you are shown the same advertising across websites.
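The categories above (session vs. persistent, first-party vs. third-party) can be checked against the `Set-Cookie` headers a site sends before the visitor has consented to anything. The following is an added example, not part of the original article or of any plugin's code; the hosts, cookie values, function names and the `necessary` allowlist of technically necessary cookies are assumptions.

```javascript
// Added example: all hosts, cookie names and values are constructed samples.

// Naive same-site check on the last two host labels; a real audit should use
// the Public Suffix List (this misjudges hosts such as example.co.uk).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into the cookie name and its lifetime.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  let hasExpires = false, maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    if (key === 'expires') hasExpires = true;
    if (key === 'max-age') maxAge = Number(attr.slice(i + 1));
  }
  // Max-Age wins over Expires; a value <= 0 tells the browser to delete.
  if (maxAge !== null && maxAge <= 0) return { name, lifetime: 'deleted' };
  const persistent = maxAge !== null ? maxAge > 0 : hasExpires;
  return { name, lifetime: persistent ? 'persistent' : 'session' };
}

// Classify every cookie seen on first load, before any consent click.
// `necessary` is the operator's own list of technically necessary cookies.
function auditFirstLoad(pageHost, responses, necessary) {
  const findings = [];
  for (const { host, setCookie } of responses) {
    const party = siteOf(host) === siteOf(pageHost) ? 'first' : 'third';
    for (const header of setCookie) {
      const { name, lifetime } = parseSetCookie(header);
      if (lifetime === 'deleted') continue; // removal, nothing is stored
      const exempt = party === 'first' && necessary.has(name);
      findings.push({ name, party, lifetime, needsOptIn: !exempt });
    }
  }
  return findings;
}

const SAMPLE_RESPONSES = [
  { host: 'www.example.org', setCookie: [
    'PHPSESSID=abc123; Path=/; HttpOnly',
    '_ga=GA1.2.111.222; Max-Age=63072000; Path=/',
    'old_banner=; Max-Age=0; Path=/',
  ] },
  { host: 'ads.tracker.example', setCookie: [
    'uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None'] },
];
const report = auditFirstLoad('www.example.org', SAMPLE_RESPONSES, new Set(['PHPSESSID']));
```

Every entry with `needsOptIn: true` in such a first-load capture is a cookie that was set before consent and should be moved behind the opt-in.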
The supercookie is a further development of the conventional cookie and is stored in the web browser. It is a topic in itself and should only be mentioned here for the sake of completeness. The supercookie does not play any role for your website.
You can use the online tool CookieMetrix for this. This also shows you the third-party cookies and whether your website is already legally compliant.
This list is only valid for a WordPress installation without plugins. Since plugins can also set cookies, you should explicitly test your website with CookieMetrix.
For logged in administrator:
Cookies when you comment:
However, some themes also set cookies for the user’s selection at the cookie banner.
Even if you have activated the IP anonymization of Google Analytics, you need an opt-in for Google Analytics. Since the storage of IDs and identifiers could be used to identify users, anonymization is not considered a pseudonymization measure in the sense of the GDPR.
Some themes like Enfold now also offer cookie opt-in functions in the theme. Additionally, you can also use the Cookiebot service, which is embedded into the website via a script.