Reputation: 109
We have a WordPress website that sells and ships products all over the world including European countries. We have modified UK-Cookie-Consent plugin to our needs. We currently display the following warning at the top of the page where clicking on "Find out more" takes the user to our privacy page:
At the same time, we do not display cookie warnings on continents other than Europe. We also have several third-party tracking cookies, such as Facebook, Google Analytics and Klaviyo, that we use for various tracking purposes.
When I scanned our website for GDPR compliance via various web scanners such as cookiebot, cookieserve.com, gdprcookiescan.eu and ezigdpr.com, the website shows up as non-compliant.
My question is, as a WordPress developer, what additional steps, if any, can I take to make the website GDPR compliant?
My additional question is whether the results of the GDPR scans from the aforementioned scanners should be taken with concern, and whether there are other, more respected scanners out there that are recommended to ensure GDPR compliance.
Upvotes: 2
Views: 1972
Reputation: 11861
You may use this Cookie Consent Solution for GDPR; it will automatically block the cookies prior to consent. It works on all platforms, such as WordPress, Drupal, etc.
Upvotes: 0
Reputation: 31
Some background info first:
This is important since there is a lot of misinformation and confusion about this topic out there. I'll do my best to clarify it. There are two different laws (regulations/directives) that come into play here.
So what does all that mean and how does it fit together?
You need to show a cookie banner because of ePrivacy, and you need to have a legal basis for processing data retrieved via cookies because of GDPR, which can vary depending on what the cookie is used for. There are three types of legal bases that will probably be relevant for your website: legitimate interests, consent and contract (to process the customer's purchase).
IMPORTANT: According to the GDPR you are required to provide your users with the information about which data is processed, under which legal basis as well as the purpose of the processing. This needs to go into your privacy policy.
So when can I set which types of cookies?
Strictly necessary cookies: Can be set without explicit consent (you are still required to inform your users via the banner that you use cookies). These are cookies which your website requires in order to operate, like your customer's login session and shopping cart.
Statistics: Assuming that your site uses some kind of analytics service that doesn't share any data with an ad network, you could argue that you have a legitimate interest, in this case something like "improving the website by analyzing website usage". I would definitely at least provide an opt-out for this type.
Targeting/Marketing cookies: Here it's difficult to argue that you have a "legitimate interest", since users are being tracked and profiled. For these, opt-in is a must. That means if a user opts in, your legal basis is consent. The Facebook pixel, for example, should be opt-in.
Answers:
My question is as a WordPress developer, what additional steps if any I can take to make the website GDPR compliant.
You need to do a lot more than just handle the cookies properly. That is only a small aspect of what you need for GDPR compliance. You need to determine what your processing purposes are for all types of personal data you collect from your customers/users. This needs to be included in your privacy policy, not forgetting the legal basis for processing. You need to be able to inform your users/customers (via the privacy policy) about the following when you collect any personal data: GDPR Article 13
My additional question is on whether the results of the GDPR scans from aforementioned scanners should be taken with concern and whether there are other more respected scanners out there that are recommended to use to ensure GDPR compliance.
I would not rely on scanners in general, except maybe to figure out what types of cookies your site is setting that you may have overlooked. These scanners cannot tell you if your site is GDPR compliant; at best they can tell you whether your cookie consent dialogue is working, for example by finding only "strictly necessary" cookies. That banner you have is for implicit consent, by the way; that would have been OK in most cases before GDPR, but it is no longer OK. If you are setting cookies like those of Facebook before the user clicks "I consent", then that is probably why the scanners are saying you are not compliant.
Hope I didn't freak anyone out ;) Everyone is in the same boat of not being entirely sure of some aspects, even the big enterprises. There are a lot of aspects of the GDPR where the text is not entirely clear, leaving room for interpretation.
Side note:
We built a solution for some customers that continuously auto-generates the privacy policy, keeping it aligned with the website, with central updates for policy changes as well as management of the privacy controls for cookies, social media etc. We're in the process of turning it into a generic solution that anyone can use. We're looking for pilot customers that we can work with to further develop it. You can check it out here: TRUENDO
Upvotes: 3
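The categorisation the answer above describes (strictly necessary without consent, statistics with an opt-out, marketing opt-in only, and no tracking cookies before the user has answered the banner) can be turned into a small client-side consent gate. The following is an added example and is not code from the question, from either answer, from the UK-Cookie-Consent plugin or from TRUENDO. The category defaults, the script registry with its placeholder hostnames, and the cookie-name catalogue are assumptions constructed for this example; a real site would replace them with its own inventory. The audit function does what the scanners in the question effectively do: list cookies that are present although the current consent state does not cover them, and report cookie names the site has not yet classified.

```javascript
// Added example, not code from the question, the answers or the plugin they
// mention. It gates third-party scripts and audits cookies per consent
// category, following the categorisation given in the answer above.
// Category defaults, script registry and cookie catalogue are assumptions
// constructed for this example; adapt them to your own site's inventory.

// Consent state before the user has answered the banner: necessary cookies
// need no consent, statistics run on an asserted legitimate interest with an
// opt-out, marketing is opt-in only (so it starts disabled).
const CATEGORY_DEFAULTS = {
  necessary: true,
  statistics: true,
  marketing: false,
};

// Constructed registry of scripts the site would inject, keyed to a category.
// Hostnames are placeholders, not real vendor endpoints.
const SCRIPT_REGISTRY = [
  { id: 'cart-session', category: 'necessary', src: '/js/cart.js' },
  { id: 'analytics', category: 'statistics', src: 'https://analytics.example/collect.js' },
  { id: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Constructed catalogue mapping cookie-name prefixes to categories. Prefix
// matching is deliberate so that e.g. _ga_<id> is caught by the _ga entry.
// Unknown cookies are reported separately so they are not silently accepted.
const COOKIE_CATALOGUE = [
  ['wordpress_logged_in_', 'necessary'],
  ['woocommerce_', 'necessary'],
  ['_ga', 'statistics'],
  ['_fbp', 'marketing'],
];

function initialConsent() {
  return { ...CATEGORY_DEFAULTS };
}

// Apply the user's banner choices. Necessary cannot be switched off, and any
// category the user did not mention keeps its previous value.
function recordChoice(current, choices) {
  const next = { ...current };
  for (const category of Object.keys(CATEGORY_DEFAULTS)) {
    if (category in choices) next[category] = Boolean(choices[category]);
  }
  next.necessary = true;
  return next;
}

function hasConsent(consent, category) {
  return consent[category] === true;
}

// Return the ids of scripts that may be injected under this consent state.
// In the browser the caller would create <script src=...> only for these,
// so nothing in the marketing category runs before an opt-in.
function scriptsToLoad(consent) {
  return SCRIPT_REGISTRY
    .filter((s) => hasConsent(consent, s.category))
    .map((s) => s.id);
}

// Parse a document.cookie-style string into [name, value] pairs.
function parseCookieHeader(header) {
  return header
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

function classifyCookie(name) {
  const hit = COOKIE_CATALOGUE.find(([prefix]) => name.startsWith(prefix));
  return hit ? hit[1] : null;
}

// Report cookies present that the current consent state does not cover (the
// check the scanners in the question effectively perform), plus cookies the
// catalogue does not know about so they can be classified rather than ignored.
function auditCookies(cookieHeader, consent) {
  const violations = [];
  const unclassified = [];
  for (const [name] of parseCookieHeader(cookieHeader)) {
    const category = classifyCookie(name);
    if (category === null) {
      unclassified.push(name);
    } else if (!hasConsent(consent, category)) {
      violations.push({ name, category });
    }
  }
  return { violations, unclassified };
}

// Stand-alone demonstration with a constructed cookie string.
const demoCookies = 'wordpress_logged_in_abc=1; _ga=GA1.2.1; _fbp=fb.1.1; mystery=1';
console.log(scriptsToLoad(initialConsent()));
console.log(auditCookies(demoCookies, initialConsent()));
```

Run `auditCookies(document.cookie, consent)` in the browser right after the page loads and before the banner has been answered: any entry in `violations` is a cookie that a scanner would also flag as set without consent, and any entry in `unclassified` is a cookie the site has not yet assigned a category and legal basis to.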