Let me start by saying I'm not trying to cause another panic, but I do think it's noteworthy that we spent a great deal of time chewing on how GDPR affected mailing lists and no time (at least not that I noticed) on how it might affect our author websites.
While it is true that the law was inspired by the actions of large companies, those of us who are risk averse may wish to take steps to comply with requirements. In that spirit, I'm going to talk about a few things I learned (so that you don't have to spend three days getting your website properly compliant the way I did). My experience is only relevant to those of you with self-hosted Wordpress, but hopefully, people on other platforms will also contribute to the conversation.
Here's a link that lays out the requirements (according to one source): https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies As with other aspects of GDPR, not everyone says the same thing--and plugin developers tend to imply that GDPR requires exactly what their particular plugin does.
Everyone seems to agree that implied consent is no longer sufficient. A visitor has to actively consent. Continuing to use the site is no longer proof of consent. Also, visitors have to be able to withdraw consent if they change their mind.
Sites that require users to log in to visit the site (which most of us don't), sell things on the site (which some of us do), or have discussion forums (which some of us do) are likely to be the most affected, but those sites won't be the only ones. Allowing people to comment on posts, for example, stores user data on your site. Using Google Analytics or any similar product puts cookies on the visitors' machine. (Yes, not personally identifiable data, but GDPR also covers data which could make someone identifiable in combination with other data. People who surf the web enough have an awful lot of data out there.) Using ad software typically generates cookies. Using giveaway software generates cookies if entrants use a widget on your site. Using those nifty Amazon book previews generates cookies. Some plugins may be generating cookies without your knowledge.
If you're not a programmer, you're going to have to rely on the plugin makers out there to help you make your site compliant. Here are four I experimented with during my three-day odyssey, together with what I found.
Cookiebot: This is a great, comprehensive approach, and it's free if you use it only for one domain and have a site with fewer than 100 subpages (each post counting as a subpage). There are two caveats, however. First, to use it, you need to edit plugin scripts--and every time you update the plugin, you have to update the scripts again. (That means checking all of them, because without looking at the scripts, you don't know whether they're using cookies or not.) Editing plugin scripts is above my expertise. Also, the elements that do work automatically--the injection of consent banner code into the header and cookie policy and audit results onto a page you designate--didn't function on my site. I didn't have the patience to deactivate all my plugins and reactivate them one by one to see which one was causing the problem. All of that said, Cookiebot's audit reports are great. They are complete analyses of all the conceivable cookies your site might generate, and a description of what they do (best for informed consent). I couldn't get that report to install properly in my site, but Cookiebot also emails the report, so I was able to incorporate it manually. That's a plus, because none of the other plugins I tried have that good a reporting function.
Weepie Cookie Allow ($21 on Code Canyon). It has lots of options, blocks cookies until a user consents, and allows users to consent to some kinds of cookies without having to consent to all. This would have been a winner for me and is great for the basic consent machinery (if you pick the right options), but I was concerned that it lacked some of Cookiebot's data management functions, so I kept experimenting.
GDPR Ultimate ($19 on Code Canyon). It provides consent mechanics and automates information requests (for example, if someone wants to know what data you have stored on your site about them or wants to be forgotten). I had this one all set up when I realized two things. First, the cookie consent banner has options to accept and read more, but not to decline. That's dubious under GDPR, but also there's no way to dismiss the notice until you accept cookies--which means on a mobile device much of the screen is taken up with an annoying notice a visitor can't escape without accepting. The author has promised to fix that issue by providing a decline button (which may be in the update scheduled for today) but I panicked and moved on when I found another issue. In my testing, consent is accurately recorded in Chrome, but in IE, Edge, and Firefox it didn't record properly, which would mean a user would have to consent every time. The author believes that to be a browser issue (the browser itself disallowing cookies), but I didn't have any of mine set that way when I tested. Anyway, I have confidence this plugin will get sorted out, but, being impatient, I moved on.
Wordpress GDPR ($20 on Code Canyon). This one automates the consent process smoothly, furnishes an area for visitors to change their preferences, provides easy support for handling GDPR information requests automatically, and doesn't have any glitches I've been able to find. I wish I had tried it first.
My impression is that the plugin makers are scrambling to meet the May 25 deadline. A lot of them still use old, pre-GDPR language in their descriptions and/or offer consent options that are no longer valid. Only one (Cookiebot) collects consent reports so that you'd have proof people consented. I'd worry about that more, except that, unless a user has created an account or logged in, I don't think you can tell which specific person consented, so that may not really matter, except to membership-based sites.
One thing none of them will do so far is show the consent dialogue only to visitors from the EU, but I don't think indicating that you care about people's privacy and want to respect their wishes is a bad thing.