In the last few posts, Zip installed Google Analytics and Search Console and then played around with using Google Site Kit. Now that he has something on his website that’s tracking visitors, though, should he be letting them know that and, perhaps, giving them the option of opting out? Let’s look at some of the GDPR WordPress plugins available that he might use on his website.
If you’re the impatient type and want to know my recommendation up front: my current favorite GDPR WordPress Plugin is Complianz. It seems to offer the best mix of features, even in its free version, and has caused me the fewest issues.
I had been planning on doing a separate review of each particular plugin as I did with Smart Cookie Kit, but Zip’s anxious (as anxious as a sloth can be) to get on with Slothverse.com, so, perhaps, I’ll get back to the individual reviews later.
Do I Need a GDPR WordPress Plugin?
Zip lives in the United States, in a state that’s NOT California (with its CCPA law). And his site is small with low traffic (hmmm, maybe he should stop being slothful and add some content.) Does he even need to use one of the GDPR WordPress plugins?
I’ve wrestled with this issue on my websites[1]. The conclusion I came to was that, as I live near California and know that some of my visitors, even on my mostly local website, are from California, I should make an effort to be CCPA compliant. On this website, I’m aware that not all of my traffic is in the US — and I should make an effort to comply with the GDPR.
True, as a small blogger, I’m unlikely to run into legal issues right now. However, I do run Google Adsense ads, and they require that you either allow them to limit personalized ads via geolocation or have a way to enable consent based on the users’ local laws.
What Should I Look for in a GDPR WordPress Plugin?
As I both browsed websites as an end-user and created them — for both a few clients and for myself — I started thinking about these cookie bars I kept seeing. Most offered a simple warning that thar be cookies on this site. If you continued to browse, you, de facto, accepted these mystery cookies!
The website loaded scripts for ads and analytics immediately and didn’t give the user the option (unless they blocked analytics and ads from their browser) of opting out before consent. Informative, but NOT GDPR-compliant[2].
However, when I decided to add a cookie bar that I considered meaningful, I found that it was screwing up my analytics. Of course, you’ll probably tell me, if you allow users to opt-out, it IS going to screw up your analytics, sillyhead!
Of course, if Zip allows his website visitors to opt-out, analytics will not capture those visits.
However, for some of the GDPR plugins we tried, the analytics script didn’t get loaded, even for consenting visitors, without a page refresh. That meant that his referral source would be off.
For instance, suppose a visitor comes from Google and lands on Zip’s page about “20 Sloth Home Decor items You Simply Must Have Right Now.” This visitor to the Slothverse then accepts the cookies. However, analytics is not loaded. The visit doesn’t get tracked until one of two things happens: the visitor navigates to another page, or the page automatically refreshes on accept. In either case, analytics would show this visit as being “direct.” Zip would lose the real referral source: organic search.
If you’re running analytics, you probably don’t want all of your organic (search engine) visits to show as “direct.” For this reason, it became essential to me to find a plugin that would block scripts like analytics and ads and then allow them without a page reload. Not to mention that constant page reloading can be hard on your server!
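The block-then-allow-without-reload behavior described above, sketched as an added example (not code from any of the plugins reviewed here). The `data-consent-category` and `data-src` attributes, the category names, and the storage key are assumptions made for illustration.

```javascript
// Added example: consent-gated script activation with no page reload.
// Blocked tags are served inert, for instance:
//   <script type="text/plain" data-consent-category="statistics"
//           data-src="https://example.invalid/analytics.js"></script>
// Attribute names, categories and the storage key are assumptions.
const CONSENT_KEY = 'consent_categories';

// Fail closed: anything that is not a JSON array of strings means "no consent".
function parseConsent(raw) {
  try {
    const value = JSON.parse(raw);
    if (!Array.isArray(value)) return new Set();
    return new Set(value.filter((c) => typeof c === 'string'));
  } catch (err) {
    return new Set();
  }
}

// Swap each inert tag whose category is consented for a live <script>.
// Returns the list of sources activated on this call.
function activateConsentedScripts(doc, consented) {
  const selector = 'script[type="text/plain"][data-consent-category]';
  const activated = [];
  for (const blocked of Array.from(doc.querySelectorAll(selector))) {
    const category = blocked.getAttribute('data-consent-category');
    if (!consented.has(category)) continue; // stays blocked
    const live = doc.createElement('script');
    const src = blocked.getAttribute('data-src');
    if (src) {
      live.src = src;
    } else {
      live.text = blocked.textContent; // inline snippet, copied as text
    }
    live.async = false; // keep document order for dynamically added scripts
    live.setAttribute('data-consent-category', category);
    blocked.parentNode.replaceChild(live, blocked);
    activated.push(src || '(inline)');
  }
  return activated;
}

// Called by the banner's "accept" handler: persist the choice, then activate
// in place. The page is not reloaded, so the analytics script runs on the
// original landing-page view.
function onConsentChange(doc, storage, categories) {
  storage.setItem(CONSENT_KEY, JSON.stringify(categories));
  return activateConsentedScripts(doc, parseConsent(storage.getItem(CONSENT_KEY)));
}

// Returning visitors: apply stored consent on page load (browser only).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  activateConsentedScripts(document, parseConsent(localStorage.getItem(CONSENT_KEY)));
}
```

Scripts in categories the visitor has not accepted stay as inert `text/plain` tags, and a second call activates nothing that is already live.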
Here’s my list of what I look for in an ideal GDPR WordPress Plugin:
Here’s what I was looking for in a “good” GDPR WordPress plugin. I’ll acknowledge that if I had to review GDPR plugins on a percentage point scale for each of the criteria that I mention here, I’d not give ANY 100%! That doesn’t mean they’re not excellent plugins. It’s just that I had at least one issue with every one of them, my favorite included. One blocked too much, another not enough, etc.
So, here’s my list of demands:
1. It blocks scripts in advance and then allows them on acceptance.
As I mentioned previously, if a visitor allows analytics, I want to capture that first-page visit. I want to know from whence they came.
No, I don’t mean that I want to know if you came from Santa Claus, IN or Boring, OR–though I might if I’m interested in my visitors’ physical locations. But I definitely want to know if they came from organic search and, more specifically, from Google or Bing. I want to know if they got there via social media (though Zip doesn’t have any yet). Do I get no traffic from Twitter, but a lot from Pinterest?
That’s a good thing to know. If I hate Twitter and love Pinterest, maybe I can focus more of my effort there and quit tweeting away. Or, if I consider Twitter an essential part of whatever promotion I’m trying to do but nobody’s clicking, perhaps I can revisit my strategy.
2. It doesn’t require a page reload after acceptance.
OK, this is pretty much the same as #1 but, apparently, I think it bears emphasizing yet again. One popular GDPR plugin, I found, required that you enter header or body codes within the plugin. Then, when the visitor accepted, you would either need to allow a page reload or would have to wait until the visitor went to another page to track anything or show any ads.
Besides the fact that this throws off your tracking, I found that page reloads 1) made a significant impact on server resources and 2) were likely frustrating for visitors.
3. It doesn’t block things it’s not supposed to block.
I’ve had an issue with all other GDPR WordPress plugins that were more than a mere warning. Either they didn’t block something I wanted them to block or — more often — they blocked something too well. Usually when this happened it was an issue with blocking either maps, videos, or reCaptcha v3.
In some cases, this has to do with configuring your caching plugin. However, there are a couple of instances where I’ve just had to disable part of the advance blocking. One of my websites is map-heavy, and I found that one of the plugins blocked maps even after acceptance.
Another one interfered with videos.
The good news is that most of the plugins have excellent customer support — at least for their premium versions. The bad news is that my patience wears thin with constant problem-solving. That’s been my prime reason for plugin-abandonment.
4. It’s easy to configure the appearance of your cookie bar.
Most of the GDPR plugins I’ve tried have some capacity for configuring the appearance of your notification. Of course, you can always change the appearance via CSS. Still, it’s a nice feature to have right inside the plugin. Both Complianz and WebToffee are my favorites in this respect.
5. It scans for cookies.
It’s nice if your GDPR plugin will scan for cookies — both block them until acceptance and compile a list to disclose to interested visitors.
Of the plugins I’ve tried, Complianz does an excellent job of this. CookieYes! also does this well. However, on one of my websites with many pages, the CookieYes scan took such a long time that it made me very afraid to run future scans. A scan via Complianz on the same site took perhaps a minute or two. Cookiebot is another plugin that scans for cookies. However, I never actually used it because I found it would be expensive for my website with tons of pages.
6. It allows for geo-location.
For many of the GDPR plugins, this is a premium feature. The CookieNotice by Hu-manity plugin can be configured per country if you add another plugin, but if you use the free version of Complianz, you need to choose one region.
7. It does not slow your website significantly.
I came to believe that some GDPR plugins affected website speed. However, for a few of those, I’ve proven to myself that they don’t make a dramatic difference. But for ones that require you to install a third-party script, it’s possible that some latency might be a side-effect.
Let’s Look at Some GDPR WordPress Plugins
The WordPress plugin repository has plenty of GDPR WordPress plugins. Zip decides to give a few the good ol’ college try.
1. Cookie Notice by Hu-manity
What he finds is a new screen to set up GDPR/CCPA compliance and customize the colors. But the “Compliance Live Demo” won’t load. He finds that using the plugin’s new features (GDPR vs. CCPA, cookie scanning, prior blocking, etc.) will cost $14.95/month. As he’s a sloth of very little cash, he doesn’t sign up — so I haven’t had the chance to try this.
The old dFactors plugin didn’t include autoblocking or GDPR/CCPA-specific features. You could set up whether to show the plugin to certain countries if you used the Category Country Aware plugin, but that required some additional setup.
The free version of the plugin, it appears, offers the same features as the old one. You can enter scripts directly into the plugin and then allow the page to reload — not something I like to do, for reasons I mentioned previously.
But, if you look on the WordPress plugin repository, you’ll note that the plugin has a five-star rating. It’s been a long-time favorite cookie notice plugin for many users as it’s straightforward to set up and use.
Pros of Cookie Notice:
- Easy to set up.
- Little impact on site speed.
Cons of Cookie Notice:
- The free version doesn’t have a cookie scanner.
- It has limited appearance configuration options in its free version.
- The free version does not include advance blocking. You can choose to have it be a simple disclosure of cookies, or you can enter scripts directly in the plugin, and it will load them after acceptance. After acceptance AND after reloading the page!
- Currently, the plugin doesn’t appear to include an AMP-consent component. Note that this isn’t an issue if you’re using the AMP for WP Plugin, as it has a cookie bar included. However, as I’m writing this, you won’t have a cookie bar on AMP if you’re using the official AMP plugin.
I cannot comment on the premium version here or plugin support as I haven’t tried it.
2. Complianz GDPR (My Top Pick)
Complianz GDPR is the plugin I’m currently using on this website in its premium version. The good news is that the premium and free versions have most of the same features. The big differences here are that in the premium version, you can do A/B testing to see which cookie notice gets the best response, and — more importantly — you can configure the opt-in by geolocation. In the free version, you need to select one opt-in for all. It will also configure your disclosure pages if you would like.
Of course, when you have a plugin auto-configure your privacy and disclosure pages, some awkwardness can ensue. I’d recommend checking and editing them individually (I still need to get around to doing more of this!)
You can even enter your Google Tag Manager code in the plugin if you want, and it will add the correct Google Tag Manager tracking script for you. However, this isn’t essential. You can still choose to install GTM some other way, and it will still block analytics before acceptance.
The Complianz plugin includes a wizard for easy setup and will scan your website for current cookies and then scan again regularly.
The Complianz plugin includes switchable “Integrations” to toggle the blocker on or off for various services.
The ability to customize the look of your cookie bar in the plugin is pretty robust, as well. It offers several styles of cookie bars, the ability to customize colors, and an area to add custom CSS directly in the plugin.
Overall, this plugin has worked the best for me of any I’ve tried. And, when I’ve contacted support, they’ve been very responsive. However, I switched the automatic maps and YouTube blocker in the “integrations” area off. I found that, at least with my caching plugin enabled (in the case of YouTube videos), sometimes videos got totally blocked. I also found that trying to block Google ReCaptcha v3 resulted in my rating plugin not working, even after consent.
Pros of Complianz GDPR
- Advance blocking of scripts and script integrations in both the premium and free versions.
- Good support.
- Easy to configure appearance; plenty of options.
- It worked well with advance blocking and allowing of Google Adsense ads and analytics.
- Overall, the pro version is affordable, especially if you have several websites.
- It will configure privacy pages and a cookie notice page for you.
- It has an AMP-compatible cookie bar.
Cons of Complianz GDPR
- It blocked videos and maps a bit too well.
- Blocking ReCaptcha conflicted with some plugins using it, even after acceptance.
- Not really a “con,” but it only has geolocation and A/B testing in the paid version.
Zip is only installing the free version of the plugin but will likely move to the paid version eventually. After he configures the plugin, he gets a nice cookie bar like this:
WebToffee’s plugin has been renamed to CookieYes since I last used it on a website. I can verify that WebToffee offers excellent and responsive customer support if you have an issue. I also really liked their appearance features in the premium version. So why did I switch? I just kept having problems — or at least perceiving ones on my end that they gave their 200% to solve. My main concerns were that it wasn’t blocking Adsense ads I added via a popular ads plugin, I was concerned about how it was affecting website speed, and its cookie scan took a LONG time as I had a lot of pages on the website[3].
But let’s revisit this plugin on Zip’s website as it’s one of the top GDPR plugins. And it offers a lot of features, even in its free version.
Once Zip has installed the plugin, he can scan for cookies. Doing so requires that he create an account. After that, he runs a scan which finds all of the cookies on his website. Fortunately, it takes only a minute or two as Zip doesn’t have that many pages on his website, nor that many cookies. As I think I mentioned previously, this took all night to run on my website hosting an events calendar.
Once it’s complete, he gets a list of all of the cookies it found:
After that, he needs to import the cookies. From there, he can categorize them if he wants to allow visitors to toggle specific categories off or on (i.e., allow maps but block ads and analytics).
The ease of configuring per-category consent is one area where I felt WebToffee exceeded Complianz. I still haven’t got category-specific with the Complianz plugin. However–and perhaps it was due to caching–I had difficulty with the per-category toggles sometimes not working.
The plugin offers some customization options for color. The paid version of the plugin, however, offers an improved selection of appearance options.
For both the paid and free versions, you can choose between CCPA, GDPR, or both.
As I had mentioned, I had been concerned about site speed with the WebToffee plugin. Let’s revisit that on a website that doesn’t have a bunch of third-party scripts (other than Google Analytics):
As you can see here, both plugins didn’t have a significant effect on speed. Additionally, one didn’t outperform the other. Ah, the good old days of seeing all green numbers on the GTMetrix test! At some point, we’ll add a bunch of scripts and see what happens to those lovely, green speed scores (evil laugh)! We’ll also take a look at how he GOT those excellent, green scores.
I’m sticking with Complianz as it’s worked well for me, but CookieYes, I think, is an excellent choice among cookie bars. And I say that as a now-veritable connoisseur of cookie bars!
Pros of CookieYes
- Excellent customer support, at least in their premium version.
- It has good appearance options, which are even better in their premium version.
- Cookie scanner in both paid and free versions (but the paid version will do automatic cookie scans.)
- Easy to configure per-category acceptance (though it can be time-consuming if you have tons of cookies).
- Can choose between GDPR, CCPA, or both.
Cons of CookieYes
- I had trouble with Google ads blocking at the time that I used it. Customer support worked hard, however, to fix this issue.
- As mentioned above, if you have many cookies, it can be time-consuming to identify and categorize all the cookies for per-category acceptance.
- The scanner can take a long time to run if you have a large website.
- It does not appear to have an AMP cookie bar.
4. Smart Cookie Kit
I wrote a Smart Cookie Kit review a while back.
Overall, I liked the plugin a great deal. It was simple to install. It effectively blocked Adsense and Analytics “out of the box” and then allowed them, on acceptance, without the visitor doing a page reload.
The appearance configuration, however, was not as intuitive as with some of the other plugins. However, if you know CSS, it wasn’t too difficult to edit the opt-in appearance. The downside was that it totally blocked my maps, and for my map-heavy website, that was a huge issue. It’s a free plugin, and for that, the support is excellent. But I never solved the maps issue and ended up switching to another plugin.
Some Other GDPR WordPress Plugins to Consider:
I’ve tried some of these. Others are ones that I know of but have not had the chance (or willingness) to try:
You can do an AMP consent component with Iubenda — they have a tutorial on their website about AMP configuration — but it may be challenging to configure for the average WordPress user.
Osano offers a cookie solution. I can’t offer much in the way of a review here as I tried it for a very brief time quite a while back. I think I stopped for the same reasons I stopped using Iubenda — the addition of a third-party script showing up in speed tests. It also did not offer an AMP consent component.
CookieBot seems to be a popular GDPR solution that scans for cookies, does prior blocking of scripts, and will add per-category consent. However, I did not try it during my period of sampling many cookie bars. Why? I found that, though, for a small website, it would be free. However, my website had an event calendar that generated multiple pages. Using CookieBot on that website would have vastly exceeded any revenue I was earning from it at that time.
A couple of other GDPR WordPress Plugins:
I haven’t tried these, but they’re available in the WordPress Plugin repository:
We’ve taken a look at some of the most popular GDPR WordPress Plugins. Zip has tried a few and added the Complianz plugin to his website. For now, he’s using the free version and has it configured for GDPR.
So, what’s next? Likely, Zip will look at whether he wants to enter the ~~cesspool~~ wonderful world of social media for his blog. Hmmm…he’s been pretty lazy lately. Maybe he should actually stop napping and add some content!
- [1] Disclaimer: I’m NOT a lawyer or expert in this area!
- [2] On this site, too, that might happen depending on where you live, as the plugin I’m using is configured differently for each area’s laws.
- [3] By a long time, I mean that I left it scanning overnight and it still was not done by morning.