So what’s to be done to bring this site, and the dozens of others I’ve built over the years, into compliance with the new rules? That’s where it gets complicated. The ICO has released guidance about how this should be done, but it’s as clear as mud. So I’ve experimented a bit, and spoken to a few people, and these are my conclusions.
Firstly, I have looked at explicit consent plugins for WordPress – essentially displaying some sort of warning message to site visitors, telling them that cookies will be set. I’ve particularly evaluated EU Cookie Directive and Cookie Control. There are pros and cons to each. EU Cookie Directive displays a prominent message at the top of any page – it’s in your face and almost forces people to comply as a result. Cookie Control is more subtle, sitting at the bottom left of your screen, and also has better compatibility with Google Analytics and better control over which countries should show the warning.
BUT on the first day running this site with Cookie Control installed, site visitors recorded in Google Analytics plunged 80%. Visitors were either not giving consent, or did not understand what the whole thing was about. Also, how all of this applies to mobile devices and old browser versions (IE) is a minefield.
So I am – for now – going for the same sort of approach that the UK government itself is using for its own sites, as explained by the Cabinet Office here. Hence I am not going to be seeking prior approval for cookies, but – for this site and for any others that I host – explaining clearly and simply what first party and third party cookies are set, how these can be controlled by an individual visitor, and explaining clearly what will be done with any data submitted by users of sites. The privacy statement for this blog can be found here.