All GDPR and Cookie plugins are NOT created equally!
Discover which ones offer features you need, and which ones you want to stay away from.
!!!!!! Important !!!!!!
I have not tested the plugins listed in this article.
This list is for informational purposes, so you have a clue what the different types are.
Please do your own research for the plugin that works best for your site needs.
This list is not exhaustive.
Installing one of these plugins or services does not make your site fully GDPR compliant.
See my GDPR Guide for more.
Types of GDPR and Cookie Plugins
There are 4 main categories:
- Plugins that only provide notification that cookies are in use
- Plugins that only provide:
  - Notification that cookies are in use
  - Block all scripts until consent is given
  - Record that consent was given or rejected
- Plugins that provide a way to automate requests to modify info tracked
  - Some of these plugins may also provide the features above
  - Some of these plugins may also be connected to a 3rd party service
- Location blocking – to block certain countries from having any access to your site
Features for Compliance
To be fully GDPR compliant, at a minimum, you are required to:
- notify visitors immediately that tracking cookies are in play on your site.
- postpone turning that tracking on until they give you consent.
- keep all tracking off for the entire time they are visiting your site, in that single session, if they rejected cookies.
- be able to record that they either accepted or rejected consent.
What You Are Not Required to Have
And What Scares Me
It is not likely that you will get requests from site visitors to remove the tracking info you have on them.
So, at this time, I am not recommending any plugin or service that automates that feature.
You can do it manually if you need to.
The other reason I am advising that you don’t install a service like this, at this time, is because some of them look like a major security breach waiting to happen.
Now, to be fair, some of the paid 3rd party services have been in business for years.
But, I would suggest you vet them further.
I’m including them in this post for reference, so you’ll know which plugin/service provides which function.
Skirting the Letter of the Law
Many U.S. based sites that do not target EU citizens are choosing not to tank their analytics (cookie tracking) by:
- simply notifying that cookies are in use
- not turning off tracking prior to consent being given or rejected
- not requiring explicit consent, like a click. Some use the act of a scroll as consent
These methods were acceptable for just the EU Cookie Law. However, they are not fully GDPR compliant.
You’ll need to decide what method works best for your site and business, and your understanding of the regulations.
Cookie Consent Plugins
The following plugins offer the features required by the GDPR.
Some offer even more features, but they are optional, like automated ways to allow visitors to remove their data.
!!!!! Important !!!!!
These plugins are not "activate and forget it"!
Most must be configured for the cookies you use on your site.
Some help auto detect the cookies and tracking methods you use, but don’t count on it detecting all of them, especially 3rd party cookies for Facebook and Google Analytics and such.
The following plugins are listed in no particular order of preference.
This is a VERY popular plugin for cookie notification and has been updated to be GDPR compliant.
- Provides notification
- Provides method to lock scripts before acceptance and ways to control after acceptance or rejection
- Consent by clicking, scrolling, and navigation
- Shortcode to revoke cookie consent – must be entered around each cookie script
- Shortcode to show a list of cookies
- Compatible with Disqus and Jetpack InfiniteScroll
- FAQs page with more shortcodes and PHP functions
- Free – in WP plugin repository
- Provides pop up cookie notification
- Can style the look
- Can customize the message
- Can redirect users to your policy/cookie page
- Link for more info
- Animate message box after cookie accepted
- Set cookie expiry
- Option to accept cookies on scroll – this is outside the boundary of clear consent
- Option to reload page after cookies accepted – this can fire all of your tracking anew, which is good, but it makes the user wait for the page to load again
- Can have a developer code functionality that depends on the cookie acceptance value
You might also want to visit the dFactory home page. They have LOTS of other plugins, including galleries.
- Free and pro version
- Provides notification banner and accept/reject buttons with minimal styling options on free version, and has link back to dev on free version too
- Provides consent expiration with default at 90 days
- Identifies common WordPress cookies, but not 3rd party cookies. These can be added in a single opt-out string via the plugin interface
- Provides a Necessary Cookies interface, for scripts that are required to run the site, like security scripts
- Requires at least one Cookie Category to be added to work
- Requires registration, even on the free version, to get API key and product license
- Free version covers domain. Pro version covers domain and sub-domains
- Only offers explicit consent to accept or reject cookies. They will remain off until consent is given
- Can exclude countries – see why this won’t work and is not a good idea
- Country control
- Notifies that cookies are in use.
- Has 3 modes – Informational, opt-out, opt-in
  - Informational – users have “no direct control over disabling cookies.” They have to leave the site in order to not be tracked or disable via their browser. Requires you to add code to your existing pages.
  - Opt-in option – Accept button is more prominent – no cookies are enabled until consent is given. Also requires you to modify your site so cookies are disabled until consent is given. This is the most GDPR compliant option.
- Provides notification banner of cookies in use with Accept/Reject options
- Can fully customize the banner
- Turns off cookies until visitor accepts
- Cookie details can be added by admin
- List of cookies added can be displayed on your policy page via shortcode
- Has a Cookie Audit feature that may help detect cookies in use on your site
- Option to accept cookie tracking on scroll – this is outside the guideline of clear and expressed consent
- Provides a notification template that can be customized for style
- Provides accept/reject option
- Can disable cookies until they are accepted, but requires bespoke development work to ensure all cookies on the site are added
All-in-One Plugins and Services
NOTE: The following plugins provide automation services for visitors to manage the data you collect on them. I do not recommend using such a service at this time.
This is in no way meant to imply that there is anything wrong or bad with any of the plugins and services listed below. Some of them have been in business for years and may be perfectly good and safe.
The other major consideration about these plugins and services is that you may or may not be able to take your data with you if you move to another service. Be sure to read the fine print on that.
- They are aggressively marketing via email solicitation and ads based on intimidation and fear.
- Paid service
- Provides cookie notification, policies, ability to manually delete user data
- Can refuse EU traffic based on IP address
- Data breach notification
- Doesn’t say where data is stored – assume it is their cloud service
- Don’t know if you can take those reports with you if you leave the service
- Free – with premium add-ons for contact forms, Woo, Flamingo, and MailChimp
- Provides a page where users can access their data
- Visitors can request their data to be deleted
- Requires them to enter their email address
- Not sure if there is admin authorization or if it just deletes it.
- Free – available in the WP plugin repository
- Provides extension for visitors to automate the process of requesting and retrieving their data from your site.
- They must give their email address.
- Confirmation is sent to that address. If they click the consent link, the info is provided to them on the web. An email is also sent to them with the info.
- Once account ownership is verified, an automated process is provided so the visitor can remove their data or have it anonymised.
- Paid plugin
- Requires the Redux Framework
- Has a cookies in use pop up
- Provides an interface for visitors to automate the process of requesting and retrieving their data from your site.
- Provides data breach notification
- Interfaces with popular email list services to automate unsubscription from a single interface
- Paid service
- Provides comprehensive dashboard and self-service tools to automate erasure requests and withdraw consent
- Integrates with MailChimp, Woocommerce, and Gravity Forms
- Provides a customizable cookie notification banner for consent/reject
Country Blocking Plugins
READ: Blocking EU Countries: Why it won’t work for GDPR compliance before you consider using any country blocking option.
Some site owners who cater strictly to a U.S. based audience have elected to simply block all other countries from accessing the site in an effort to bypass becoming GDPR compliant.
That actually makes sense for some site owners.
But, how you go about blocking countries can have a serious downside, too.
If you’re on shared hosting, you don’t have the option to country block through the host.
You don’t have that option on anything less than the rather expensive Enterprise level at Cloudflare either.
But, several firewall plugins have this option.
The caveat is, these plugins go into action only after a visitor or a bot hits your hosting account. Some still have to open an instance of WordPress to do their thing.
Most of these plugins don’t actually block countries. They do a redirect. That is also a heavy resource load.
In other words, firewall plugins waste a TON of hosting resources.
Also, several of these plugins carry a lot of other settings that may conflict with other security you may already have on your site. I know for sure they will for my site audit clients because we did this type of security at the root of the host, below WordPress, and at the CDN, before anything has a chance to get near the site.
That means we don’t need these types of plugins and we don’t chew up precious hosting resources.
And that means I can’t recommend or vet them for you either. But here are a few, in case you’re curious.
Need More Help?
See all of my GDPR posts.
Update 5/26/18: Added Cookie Consent plugin. Updated EU Cookie Law plugin, as it is now GDPR compliant
Update 5/27/18: Added link to post on Blocking EU countries. Added Cookie Control V8 plugin notes.