GDPR requires that individuals visiting websites can find out what cookies are in use and have the ability to block them. Cookie Manager lets you enter a list of cookies which display in the cookie pop-up once the cookie setup process has been followed.


1. Cookie Message Displayed To First Time Visitors


First time visitors will automatically see a cookie message advising cookies are used on the site, with a link to your cookie policy and cookie settings and a Continue button. If they click the cookie settings link, they will be able to turn off non-essential cookies by disabling the categories they are in.



Illustration: The cookie notification message that appears the first time a site is viewed and replaces your previous cookie message (but keeps its colour scheme)

Tip: Use a newly opened incognito or private browser to see the cookie message if it doesn't appear on your regular browsing session  


What You Need To Do: Check / Change This Message

Ensure the title and text in the message reflect what you track and any legal wording you need to use.

Via Site Definitions you can change the title COOKIE_POPUP_DEFAULT_TITLE and text COOKIE_POPUP_DEFAULT_TEXT


Example Alternative Text:


This website uses cookies

By continuing to browse or by clicking “Accept All Cookies,” you agree to the storing of first- and third-party cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.


Cloudflare user? 

The changed text may not be displayed immediately due to caching and you may need to bump your cache.

You will also need to make sure you sign and return the Cloudflare DPA.


2. Reviewing Your Terms, Privacy & Cookie Notices


We recommend you review and update your terms, privacy and cookie notices to ensure they are in line with GDPR and ensure the links to these notices are visible on your site.  


Note: Clicking on the Cookie Policy & Settings link will allow the visitor to re-open the full cookie message so they can click on Cookie Settings or your Cookie Policy (which has been set up in the Cookie Policy URL). 


What You Need To Do: Update Your Notices & Link Clearly To Them

A. Read and update your policies 

Your existing policies may need to be updated now. You can find templated policies written specifically with GDPR in mind on sites such as SEQ Legal. We advise you have separate pages for your terms, privacy and cookie policies. 

By way of example, you can also look at how we have written our Wildfire cookie policy and privacy notice. Please note, if you copy our text it is at your own risk and we are not giving any warranty as to its use plus you must buy a SEQ licence to use it. We always recommend businesses seek their own legal advice on terms and conditions, privacy and cookie policies and notices.


Tip: You may wish to take this opportunity to make sure you include the correct legal information required on your website and emails as set out in the Companies Act 2006 & Ecommerce Regulations 2002. See this external article on what to include.


B. Link to your policies in Cookie Manager

Go into Cookie Manager and put in the last part of the page URL for each of your policies.



Note: If no link is entered in a field then the corresponding line will not be displayed on the site.


C. Clearly display your links to your policies

Use the code below in your footer template to display links added in Cookie Manager for each policy. Make sure these links are not hidden inside a collapsible footer if you have one. 


{% if TERMS_POLICY_URL %}<a href="{{ TERMS_POLICY_URL }}">Terms & Conditions</a> |{% endif %}

{% if PRIVACY_POLICY_URL %}<a href="{{ PRIVACY_POLICY_URL }}">Privacy Policy</a> |{% endif %}

<a title="Review your cookie settings with our site." onclick="CookiePolicy.show(); return false;" href="#">Cookie Policy & Settings</a>


3. Cookie Information Displayed To the Visitor When They Click Cookie Settings

When the Cookie Settings link is clicked in the cookie message, a pop-up will be displayed with the categories of non-essential cookies in use which the visitor can turn off. Essential cookies cannot be turned off via the pop-up as they are required for the functioning of the site, however there are other ways for the visitor to turn them off which are covered later.


This is currently available for responsive design sites; non-responsive sites will follow at a later date.

Illustration: Visitors can click on Cookie Settings and then choose which cookies to allow on a category-by-category basis. 


Q. What happens if a visitor turns off some of the categories?

  • If visitors turn off categories which have cookies from other service providers, such as live chat, then it may result in the service not working anymore for that visitor.
  • If visitors turn off statistics their activity will not be recorded in analytics, which means you may see a recorded fall in the number of visitors or sales compared to your actual numbers taken from Order Manager for example. 

Q. How else can users block tracking cookies?

  • Visitors can set DNT (Do Not Track) in their own browsers*. We respect DNT settings and will automatically disable all non-essential cookies if it has been selected. Note that private browsing in many browsers automatically sets DNT.
  • Visitors with DNT enabled will not be recorded in Google Analytics, Adwords or other analytics programs.

Q. Can users block ALL cookies including essential ones and what happens then?

  • Essential cookies can be blocked by visitors via their own browser settings. If they do, they will lose core functionality on the site which depends on cookies, such as being able to perform the checkout process. In these rare cases, the user will be notified of this via a message and prompted to switch to the DNT (Do Not Track) feature available in most modern browsers.


*Note: IE10 is an exception to this because it was released with DNT automatically enabled with no option for users to turn it off during install. Industry practice is to ignore IE10 DNT, however the cookies can still be turned off via the pop-up which ensures GDPR is still followed.


What You Need To Do: Audit Your Cookies & Include/Configure Cookies In The New Cookie Manager Program

You need to understand what cookies are being used on your site, ensure they are included in the cookie pop-up message, and amend 3rd party script blocks used on your site so they can be turned off properly by visitors. 3rd party scripts are typically services such as live chat, survey pop-ups etc or custom development you have had which might have introduced cookies. NB You should do this on a regular basis in case new cookies are introduced on your site by adding new services or from 3rd party domains.


Note: We have provided a list of our standard cookies in Cookie Manager (plus a few popular services our sites use) which might be all you need if you have not added other web services to your website such as live chat, surveys or had custom development work done. However you can make sure you have included all your cookies by following these steps: 


A. Perform A Cookie Audit

Audit your site to identify all the services and associated cookies you have in use, which will either be cookies in use by you or cookies in use by 3rd party service providers on their own domains. A service like Cookiebot, which offers free and paid plans, can help identify the cookies used on your site. Other methods of finding cookies include using browser add-ons like Edit This Cookie or Attacat (for Chrome). A database of cookies is also being built up on Cookiepedia.


Tip: Cookies are mainly introduced via scripts which are embedded in your website via site settings, design templates or content. You can use the Script Finder program to find where these scripts are embedded into the site so you can track them down more easily.


B. Review The List Of Standard Cookies We Have Provided

Check which cookies are already enabled/disabled in both lists in Cookie Manager and change their status as appropriate. For example, Twitter and Facebook cookies are set to be disabled in the 3rd party services list, so if you use their widgets to show tweets or Facebook posts on your site then these need to be enabled.


C. Add Cookies Not In The List 

For any cookies you have found in your audit that are not already in the list, find their code on your website (normally they will be in the template system or scripts inserted into pages via Page Manager) and modify it to allow Cookie Manager to enable or disable their cookies. We have included some examples of how to do this at the bottom of this article. 


Immediately afterwards add them in Cookie Manager either as: a cookie on this domain or a 3rd party service or both if they set cookies on your domain AND on their domain. For example, Tawk sets cookies on your site and their domain, whereas Reviews.co.uk only sets cookies on their domain and not yours. 


D. Test Your Cookies Can Be Turned Off

Test that the cookies appear in the cookie pop-up and that, when the category those cookies are in is disabled, the cookies no longer appear when the page loads (typically checked via developer tools in your browser or browser add-ons like Edit This Cookie).


E. Admin Action: After you have added new cookie records you will probably need to go back into your cookie settings and click Save, which then includes these new cookies, otherwise you may not be able to see the services which the cookies relate to (e.g. Live Chat buttons that stop appearing for you but others can see them).


Do you need help to do this? 
We understand this sounds like gobbledygook to most people. We can run a cookie audit for you and set up at our prevailing hourly rates + the cookiebot crawl charge (where required). Contact your account manager to book this.



Example Cookie Policy JS `<script>` Changes

Here's an example for changing the Tawk.to script


When you signed up to Tawk.to they would have given you a script like this to be added onto the site:


<!--Start of Tawk.to Script-->
<script type="text/javascript">
var Tawk_API=Tawk_API||{}, Tawk_LoadStart=new Date();
(function(){
var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0];
s1.async=true;
s1.src='https://embed.tawk.to/xxxxxx/default';
s1.charset='UTF-8';
s1.setAttribute('crossorigin','*');
s0.parentNode.insertBefore(s1,s0);
})();
</script>
<!--End of Tawk.to Script-->


Some other `<script>` blocks might not contain any JavaScript, instead they might be a link to a 3rd party script, for example:


<script src="https://www.somewebsite.com/scripts/app.js" type="text/javascript"></script>


To allow these to work with our Cookie Policy JS you'll need to change the `type` attribute to `text/plain` instead of `text/javascript`, which will prevent the script from running initially, and then you'll need to add a `data-cookiepolicy` attribute set to the category that relates to this cookie in Cookie Manager.


For example, in the case of Tawk.to, this would be in the "functionality" category, so the opening `<script>` tag would need to change as shown here:


<!--Start of Tawk.to Script-->
<script data-cookiepolicy="functionality" type="text/plain">
var Tawk_API=Tawk_API||{}, Tawk_LoadStart=new Date();
(function(){
var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0];
s1.async=true;
s1.src='https://embed.tawk.to/xxxxxx/default';
s1.charset='UTF-8';
s1.setAttribute('crossorigin','*');
s0.parentNode.insertBefore(s1,s0);
})();
</script>
<!--End of Tawk.to Script-->


Or for an example linking direct to the file:


<script data-cookiepolicy="functionality" type="text/plain" src="https://www.somewebsite.com/scripts/app.js"></script>


Some `<script>` blocks might not mention the type="text/javascript" by default as it's an optional setting and browsers treat that as the default for `<script>` blocks. So in these cases you'll need to add the type in, but again set it to `text/plain`.
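To check a template against the rules above before testing in the browser, the following added example (not part of Cookie Manager or the original article) scans HTML for `<script>` tags and reports which ones the browser will run regardless of the visitor's choice, including tags with no `type` at all. The function names, status labels and sample template are assumptions made for illustration.

```javascript
// Added example: audit template HTML for <script> tags against the
// data-cookiepolicy / type="text/plain" convention. Regex parsing is a
// simplification that is adequate for an offline template review.

// type values the browser executes immediately (an absent type counts as JS).
const EXECUTABLE_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Parse one opening tag's attribute text into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify every <script> element found in the HTML.
function auditScripts(html) {
  const findings = [];
  const re = /<script\b([^>]*)>[\s\S]*?<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const type = (attrs.type || '').trim().toLowerCase();
    const category = attrs['data-cookiepolicy'] || null;
    const executes = EXECUTABLE_TYPES.has(type);
    let status;
    if (executes && category) status = 'category-set-but-still-executes';
    else if (executes) status = 'ungated'; // acceptable only for essential scripts
    else if (category) status = 'gated';
    else status = 'inert-no-category'; // not run by the browser and has no category
    findings.push({ status, category, src: attrs.src || null });
  }
  return findings;
}

// Constructed sample template (not taken from a real site).
const SAMPLE_TEMPLATE = `
<script src="/js/site.js"></script>
<script data-cookiepolicy="functionality" type="text/plain">var Tawk_API=Tawk_API||{};</script>
<script data-cookiepolicy="functionality" type="text/javascript" src="https://www.somewebsite.com/scripts/app.js"></script>
<script data-cookiepolicy="functionality" type="text/plain" src="https://www.somewebsite.com/scripts/app.js"></script>
<script type="text/plain">var neverActivated = true;</script>
`;

for (const f of auditScripts(SAMPLE_TEMPLATE)) console.log(f.status, f.category, f.src);
```

Any script reported as `ungated` or `category-set-but-still-executes` should either belong to the essential category or be changed to `type="text/plain"` with a `data-cookiepolicy` attribute.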


Pure JS API


If needed, you can use the `window.CookiePolicy` object from your own JavaScript, both to open the cookie policy popup and to check whether a category is enabled.

  • To show the popup: `CookiePolicy.show();`
  • To check if a category is in use: `CookiePolicy.check('functionality');`


iframes


iframes are normally used to pull in content such as videos which in turn can introduce 3rd party cookies, for example Vimeo is embedded via an iframe and introduces cookies to the page it is on. In these situations we believe these cookies should be entered into Cookie Manager as 'essential' 3rd party cookies because they actually allow your content to work (and you don't therefore have to turn off the iframe like you do with JS scripts).