If you’d like a printable policy completed for you, skip to the form here.
What kinds of cookies do I have?
The most common classification system for cookies was proposed and developed by the UK International Chamber of Commerce (ICC). The ICC proposes these four classes of cookies:
- Strictly Necessary Cookies
- Performance Cookies
- Functionality Cookies
- Targeting/Advertising Cookies
Strictly necessary cookies
“These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you have asked for, like shopping baskets or e-billing, cannot be provided.”
Performance cookies
“These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.” [emphasis mine]
Functionality cookies
“These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance… these cookies can be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.”
Targeting/advertising cookies
“These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.”
As I understand it, GDPR requires some common sense stuff. We must answer these questions in language that the average user can understand:
- what personal information about me do you collect?
- how is my personal information used?
- with whom is my personal information shared?
- how do I opt out of cookies?
Earlier this week, I recommended the passive/implied consent approach. But with WordPress 4.9.6, it is far easier to export and erase user data on request. And it’s not cost prohibitive to get active and informed consent.
Our recommendations have changed this week to the following:
New with WordPress 4.9.6 is a Privacy tab under “Settings” in your dashboard. Log in, then navigate to Settings >> Privacy.
On the Privacy tab, select your privacy page, if it is already created. If not – and this is the course of action I recommend – click on “Create New Page”.
The automatically created page will give you a great template as a starting point. It looks something like this:
At this point, things need to be customized for each blogger’s site. This is where you declare your cookies (or groups of cookies), why you need them, what they do, and how one can opt out. First there’s a blank section for Contact Forms.
To assist with sending you requested information, we use ______ to collect and store your email address. _______ outlines their use of your personal data and anonymized data [link here]here. You may opt out of the collection of your data by unsubscribing (we will remove your data) and contacting them using the instructions on their privacy page[link here].
Find out what cookies you use
Now we can add the cookie information. First you need to know which cookies are in use on your site! The easiest way to do this is to get the free report from CookieBot.com. It will scan a limited number of pages. Be aware that if you add code from advertisers, YouTube, or anywhere else to individual pages or posts, those cookies will only show up on those pages. I’ll show you what to do with that a little later.
It can take a couple of hours for your report to arrive. Be patient. When it comes, it will look something like this:
Strictly Necessary Cookies
Consent to use strictly necessary cookies is not needed. (source) A Strictly Necessary Cookie is anything required to carry out the transaction that the user requested. If they went to your site to shop, it doesn’t make sense to ask them if they want the shopping cart to work (it won’t work without cookies).
Necessary cookies include: CSRF (security tokens), Cookietest (enables the cookie notice), and content delivery network cookies (CDNs such as Cloudflare).
A paragraph like this is a good idea:
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.
You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.
Cookies in use: cfduid, csrftoken, xsrf-token, cookietest
Functionality & Performance Cookies
Most of these cookies will be found in the “marketing section” of the CookieBot report. These are cookies set to help your site serve your visitors better – language, mobile, liking, caching, anti-spam, logins. These remember the user’s language, whether they’ve liked/shared a post, etc.
It would be appropriate to include a paragraph like this:
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Without these cookies, certain functionality may become unavailable.
Cookies in use: _ga, _gat, _gid, _pinterest_cm, _ck_form, collect, onesignal-pageview-count, visitor_info1_live, gps
Targeting & Advertising Cookies
These cookies are used to display relevant advertising to visitors, as well as to track the volume of visitors. They track details about visitors such as the number of unique visitors, number of times particular ads have been displayed, the number of clicks the ads have received, and are also used to measure the effectiveness of ad campaigns by building up user profiles. These are set by trusted third party networks, and are generally persistent in nature.
Cookies in use: ysc, tr, rur, nid, fr, impression.php#, _mailapp_session, v3
If you have cookies that are “unclassified”, you can view where they’re coming from for clues. Oftentimes it is quite obvious. A couple of mine say “ConvertKit” and “YouTube”… The description says what they’re used for. For example, the YouTube cookie is used to discover the bandwidth of the device to serve a better user experience. It is separate from the YouTube cookie that tracks their history of viewed videos for marketing purposes.
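Pulling together the “Find out what cookies you use” step and the three “Cookies in use” lists above, here is an added example (my own code, not the post’s, CookieBot’s or WordPress’s) that takes the Set-Cookie headers captured while loading each page and groups them by the post’s ICC classes, recording which pages set each cookie and keeping the Domain attribute as the clue for unclassified ones. The page paths, cookie values and vendor domains are constructed for the demonstration.

```python
# Offline cookie inventory, added as an example for this post (not CookieBot's or WordPress's code): groups
# captured Set-Cookie headers by the post's ICC classes, records which pages set each cookie, keeps Domain as a clue.
from dataclasses import dataclass, field
# Name-to-class map taken from the post's three "Cookies in use" lists.
ICC_CLASS = {
    "Strictly Necessary": {"cfduid", "csrftoken", "xsrf-token", "cookietest"},
    "Functionality & Performance": {"_ga", "_gat", "_gid", "_pinterest_cm", "_ck_form", "collect",
                                    "onesignal-pageview-count", "visitor_info1_live", "gps"},
    "Targeting/Advertising": {"ysc", "tr", "rur", "nid", "fr", "impression.php#", "_mailapp_session", "v3"},
}

@dataclass
class Cookie:
    name: str
    domain: str        # Domain attribute, "" when absent (set by the site itself)
    persistent: bool   # Expires or Max-Age present: outlives the browser session
    pages: list[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Cookie:
    # Attribute names after the first ';' are case-insensitive; Expires dates contain commas, never ';'.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return Cookie(name=parts[0].split("=", 1)[0].strip(), domain=attrs.get("domain", ""),
                  persistent="expires" in attrs or "max-age" in attrs)

def classify(name: str) -> str:
    return next((c for c, names in ICC_CLASS.items() if name.lower() in names), "Unclassified")

def inventory(captures: dict[str, list[str]]) -> dict[str, dict[str, Cookie]]:
    # captures: page path -> every Set-Cookie value seen while loading that page, embeds included.
    result: dict[str, dict[str, Cookie]] = {}
    for page, headers in captures.items():
        for cookie in map(parse_set_cookie, headers):
            result.setdefault(classify(cookie.name), {}).setdefault(cookie.name, cookie).pages.append(page)
    return result

# Constructed sample, not a real capture: YouTube's cookies appear only on the page that embeds a video.
SAMPLE_CAPTURES = {
    "/": ["cfduid=d41d8c; Path=/; Expires=Sat, 01 May 2027 00:00:00 GMT; HttpOnly",
          "_ga=GA1.2.1234; Domain=blog.example; Max-Age=63072000"],
    "/post/video": ["cfduid=d41d8c; Path=/; Expires=Sat, 01 May 2027 00:00:00 GMT; HttpOnly",
                    "visitor_info1_live=Qx1; Domain=.youtube.com; Max-Age=15552000",
                    "ysc=s3ss10n; Domain=.youtube.com; HttpOnly",
                    "vendor_id=7; Domain=cdn.unknown-vendor.example; Max-Age=86400"],
}

if __name__ == "__main__":
    for cls, cookies in inventory(SAMPLE_CAPTURES).items():
        for c in cookies.values():
            print(cls, c.name, "persistent" if c.persistent else "session", c.domain or "(first party)", *c.pages)
```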
We use Google Analytics to record information about the pages a user has seen, for example the URL of the page, time of day, device used, etc. The information that we collect is anonymized and sent to Google Analytics for analysis.
Google Analytics mainly uses first-party cookies to report on visitor interactions on this website. Users may disable cookies or delete any individual cookie.
In addition, Google Analytics supports an optional browser add-on that – once installed and enabled – disables measurement by Google Analytics for any site a user visits. Note that this add-on only disables Google Analytics measurement.
Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from (also known as “IP geolocation”).
Who We Share Your Data With
This is a good time to say you don’t! I got this section from the ConvertKit website and edited it for my use. You’ll have to edit some of it for your situation – if you don’t offer a service, some of it will not apply to you!
Who we share your data with
- Service Providers and others who help with our business operations and assist in the delivery of our products and services including, but not limited to, application development, site hosting, maintenance, data analysis, infrastructure provision, IT services, customer service, email delivery services, payment processing, marketing, analytics, and enforcement of our Terms of Service Agreement and other agreements;
- Other users of the site to identify you to anyone to whom you send messages or make comments through the Services;
- Persons or entities with whom you consent to have your Personal Data shared;
- Third parties in order to prevent damage to our property (tangible and intangible), for safety reasons, or to collect amounts owed to us;
- Merchants and payment processors; and
- Third parties as we believe necessary or appropriate, in any manner permitted under applicable law, including laws outside your country of residence to: comply with legal process; respond to requests from public and government authorities, including public and government authorities outside your country of residence; enforce our Terms of Service Agreement and other agreements; protect our operations; protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others; and allow us to pursue available remedies or limit the damages that we may sustain.
We will never sell, rent, or lease your Personal Data to a third party.
How Long we Retain Your Data
At the end of this section, you can add the date that you chose when you edited the Google Analytics settings last week (see this tutorial). And you’ll want to ask your contact form plugin how long it keeps data on your site. Something like this will do nicely:
What Rights You Have Section
“What Rights You Have Over your Data” is a section in the template that outlines how the user can control or request deletion of their data. In another tutorial, I’ll show you how to comply with any requests sent your way.
Most advertising networks offer you a way to opt out of Interest Based Advertising. If you would like to find out more information, please visit http://www.aboutads.info/choices/ or http://www.youronlinechoices.com.
If people want to remove cookies from third parties, they will have to take it up with the third party themselves, or use the browser extension mentioned above.
Where We Send Your Data
The template’s note that visitor comments may be checked through an automated spam detection service is a good idea, but I’d also add this if you use tracking software, comment forms, or advertising:
Third parties have access to your data as noted within this agreement.
As I’ve already stated, I’m not here to give legal advice. I’m only offering suggestions that you might want to use as a starting point. I found this in one of the privacy policies I studied and have included it in my own.
Users under 13 years of age
Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at ________________. By using the Services, you are representing to us that you are not under the age of 13.
Protection of Personal Data
Assuming you have an anti-virus program on all computers with administrative access to your website, you have anti-spam and security measures on your website, you use a reputable host, and you keep your plugins and software up to date, I’d say that is reasonable protection. That means you’re doing everything that is reasonably expected of a website owner to protect their visitors’ data. I’d say this includes using an SSL certificate! If that isn’t done yet, get on it!
With all those pieces in place, I would use a paragraph like this:
We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.
Another section under “additional” that I found is this gem:
Industry regulatory disclosure requirements
I believe this section is for lawyers, accountants or any professional that answers to a governing authority. The standard disclaimer should go here. This may be a good place to put your affiliate disclosure information.
Sources for this article:
Index of Plugin Cookies & Policies
Email Marketing Companies
Complete these fields and we’ll send you a template that you can use on your blog. As always please remember that this is not legal advice.