Privacy and cookies

Overview

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force, and cookie laws differ from country to country. It is up to the owner of a website to ensure the site complies with the rules of the countries its visitors come from. You need to check this with a reliable lawyer.

Under the GDPR, EU citizens got the power to control the personal information they wish to share online, but there is much discussion about what is really necessary and what is compliant with the law.

You need to inform users that your site uses cookies. By publishing your site privacy policy which serves as a legal document (in privacy law) you can disclose some or all of the ways your site gathers, uses, discloses, and manages a customer or client’s data. This fulfills your legal requirement to protect a customer or client’s privacy.

One of the latest additions to the EU rules is that users have to accept cookies and have to opt in for external services. With Enfold 4.6 we added support to implement the Cookie policy.

Cookie introduction

Cookies are nothing but a text file supplied by the server to your browser whenever a user accesses the site. The main purpose of a cookie is to profile user activity and send this information back to the server so the web page can be customised for the user based on their activity. Cookies can also be used for many other things like:

• Keep a user Logged-in
• Save the shopping cart items
• Product recommendations
• Custom user interfaces

Every time a user visits a web site the browser will establish a new connection with the server, but without any knowledge about the previous connections. The only way for the browser to track the user is by using a cookie provided by the web server.

For example: if you log in to a shopping site and open a product in a new tab, the browser will establish a new connection without any knowledge about the previous tab in which the user is already logged in. To retain your information, such as logged-in status, cart items etc., the browser uses the cookie supplied by the server.

You can manually clear cookies from your browser and verify the same.

Cookie Handling and Cookie Consent Messages

According to the EU cookie law, users should have the choice to accept or refuse cookies. Let's take a look at different scenarios:

• You can decide if he must opt-in for nonessential cookies.

• If the user decides to refuse essential cookies, only 2 cookies are kept to save this selection and to hide the message bar, and another one if he must opt in – all other cookies will be removed.

• Silent accept is enabled by default which will accept all cookies and services on page load.

  • If the user decides to refuse cookies (and implicitly all services) we store this information in browser session storage and do not show the message bar again on subsequent page loads in this window. If this visitor opens a new window or a new tab he starts a new session and he is treated as a new visitor again. See MDN documentation for more info.
  • A customizable popup message appears to inform the user that some crucial functions of the site (e.g. sessions, shopping cart, …) will not work properly.
  • We also try to remove all cookies set in the site domain, but this is not guaranteed because of browser security, or because WP or plugins (e.g. WooCommerce) may continue to add cookies after removal.
  • Third-party plugins might add their cookies to a specific path. To remove these cookies you need to add the cookie path manually to custom cookies in theme options (case sensitive, path must be exactly the same as seen in developer tools).
  • Cross-domain cookies from external services are only loaded when needed and cannot be removed at all by a script. Enfold offers the possibility to opt in to or opt out of services provided by our theme to solve this.

Shortcodes

In order to offer your users a better experience you can use the shortcodes listed below, these shortcodes can also be found in the Enfold theme options > Privacy and Cookies > Shortcode tab:

Refuses cookies and hides the message bar.
[av_privacy_allow_cookies] 

Opt out from all the cookies (except 2 from av_privacy_allow_cookies)
[av_privacy_accept_essential_cookies] 

Disable Google tracking
[av_privacy_google_tracking] 

Disable Google webfonts
[av_privacy_google_webfonts] 

Disable Google reCaptcha
[av_privacy_google_recaptcha] 

Disable Google Maps
[av_privacy_google_maps] 

Disable video embeds
[av_privacy_video_embeds] 

Disable custom cookies 
[av_privacy_custom_cookie cookie_name=''] 

Displays a link to the privacy policy page set in your WordPress admin panel
[av_privacy_link] 

Display a list of used cookies
[av_privacy_cookie_info id="" class=""]

Adds an accept cookies button
[av_privacy_accept_button wrapper_class="" id="" class=""]your button text[/av_privacy_accept_button]

Adds a do not accept cookies button
[av_privacy_do_not_accept_button wrapper_class="" id="" class=""]your button text[/av_privacy_do_not_accept_button]

Adds a button that opens the privacy modal popup window (you have to enable the cookie consent message bar)
[av_privacy_modal_popup_button wrapper_class="" id="" class=""]your button text[/av_privacy_modal_popup_button]

One button to accept all cookies and services with a single click.
[av_privacy_accept_all_button]

Please note: To change the default text in the shortcodes please use the shortcode in the below format
[av_shortcode_name] Your text here [/av_shortcode_name]

GDPR Settings

Enable cookie consent message bar or modal window

Enfold theme is GDPR ready! To access the GDPR Settings go to Enfold > Privacy and Cookies. Here you can change the settings for the following:

If for some reason you do not wish to use the cookie consent option, you can enable the simple message bar option to display a message or a notification on your site from Enfold > Privacy and Cookies > Cookie Handling and Cookie Consent Messages > Enable cookie consent messages

After the cookie consent option is activated, please scroll down and enable the Advanced Options > Select use of the message bar > Use as a simple message bar without cookie logic

To use the cookie logic without displaying the cookie message bar to your users please add the below code to your functions.php file:

// Use cookie logic but hide the cookie message bar
add_theme_support( "avia_gdpr_permanent_hide_message_bar" );

Note: If the cookie settings are updated (changes to the message bar buttons, labels, message etc.), users will be prompted again for confirmation; accepting essential cookies will be enabled.

Cookie consent buttons

Cookie consent buttons can be accessed from Enfold > Cookies and privacy when you enable the cookie consent option. The buttons can have the below options:

  • Accept settings and dismiss notification.
  • Accept all cookies and services, dismiss notification.
  • Do not accept and hide notification.
  • Open info modal on privacy and cookies.
  • Link to another page.

Cookie badge

A cookie badge can be displayed at the bottom of your site so that users who already accepted the cookies can access the cookie options again if they would like to change any settings after accepting them.

Enable the cookie badge from Enfold > Privacy & Cookie > Advanced Options > Show reopen badge after the cookie consent option is activated.

Default Cookie and Services Option Settings

All cookies are selected, user can opt out, all services are already active (implicit acceptance of cookies – not DSGVO compliant). When the user clicks the OK button all cookies and services are accepted.

All selected, user can opt out, cookies and services blocked until user accepts settings.

Only the 2 toggles “permanent hiding message bar” and “enable essential cookies” selected, all other unchecked, services blocked until user accepts settings.

If a user does not address the settings and only accepts cookies the site will have all basic functions excluding external services – this is an intuitive behaviour and what a user would expect.

As everything is blocked until the user clicks the accept button this is GDPR compliant (there are discussions, but many people interpret the rules to mean that a user cannot refuse essential website cookies). To allow website owners to be on the safe side, using add_theme_support('avia_privacy_basic_cookies_unchecked'); will also uncheck the 2 toggles.

Essential cookies are expected to be accepted by user by default – cookies needed by Enfold are stored and cookies from 3rd party like WooCommerce, WPML, …. are not removed. External services provided by Enfold are blocked until user opts in.

The big difference from the options “User must accept …” is that a user cannot refuse cookies at all and Enfold no longer tries to remove cookies.

Please remember that it is the responsibility of the website owner to fulfill the local rules for data privacy. We added this option because some users requested it. If you are in doubt, recheck with a lawyer whether you can use this option.

In case you use plugins and you want to allow visitors to opt in for these specific cookies you have to find out what cookies are set by the plugin and use Additional Custom Cookies section (located in advanced options section) to add checkboxes for these cookies.

Note: Essential cookies are all cookies needed by the site to work properly, e.g. Enfold cookies, for WooCommerce the cart, for WPML etc. aviaCookieConsent and aviaPrivacyRefuseCookiesHideBar are the 2 basic cookies needed to hide the message bar permanently on returning visits to the site but block all services and other cookies.

How to style the message bar?

To style your Cookie consent message bar, go to Enfold options > Advanced styling and select the Cookie Consent Message Bar from the drop-down list.

Can users update the cookie settings?

If you are looking for a way to let your users change the cookie options after they accept the cookies, enable the cookie badge in the footer, which will open the Privacy Policy page so the user can change the cookie settings even after they have clicked the OK button.

You can find this option in Enfold > Privacy & Cookie > Advanced Options > Show reopen badge

Users have the possibility to opt out or opt in with toggles. These toggles are shortcodes you can add to the modal popup window and additionally to a privacy page. See the theme options page or scroll to the shortcode section on this page for shortcodes.

How to add a privacy policy link to the footer?

To add Terms of Service and Privacy Policy links to the footer of your site:

  • First, go to WordPress Dashboard > Pages and create the Terms of Service and Privacy Policy page.
  • Then go to Appearance > Menus and create a new footer menu.
  • Select the newly created pages from the list of pages, check “Enfold footer menu” under Menu settings and save your menu.

For step by step instructions to add a menu item to the menu please check Menu Setup.

Manually clear the cookies from the browser

  • Open Chrome developer tools from Settings > More Tools > Developer Tools or by using the keyboard shortcut Ctrl + Shift + I
  • Go to Application tab
  • On the sidebar under Storage expand the Cookies
  • A list of visited sites will appear. To clear all the cookies you can right-click the domain name and select “Clear” or individually delete the cookies from the result tab.

If you clear the cookies and refresh the page, the browser will treat this as a new connection without any reference to your previous session. In case you were already logged in, you will be asked to log in again.

How to check for enabled cookies?

We provide a shortcode

[av_privacy_cookie_info]

to display a list of cookies that can be read by Enfold. Due to browser and JavaScript security only the name and value of cookies are available. To remove or manipulate them the path would also be necessary – Enfold only uses path “/”. If you have cookies with a path you must define them in Additional Custom Cookies – then Enfold can try to remove them (but this cannot be guaranteed).

For basic cookies Enfold already provides a description. You can alter or extend the description text using the filter avf_privacy_cookie_infos. An example of how to use the filter: https://github.com/KriesiMedia/enfold-library/blob/master/actions%20and%20filters/Privacy%20and%20Cookies/avf_privacy_cookie_infos.php

To display this list in its own tab in the default privacy modal popup you must add
add_theme_support( 'avia_privacy_show_cookie_info' );

Additional Custom Cookies

Using Additional Custom Cookies section, you can define 3rd party cookies and include them in your cookie modal window. Due to browser security limitations, it might not be possible to remove them using JavaScript or PHP.

There are 5 fields in this section:

  • Cookie Name: Name of the cookie you would like to define
  • Cookie Path: Path of the cookie
  • Description For Toggle: Description displayed next to enable/disable toggle
  • Description for Cookie Info List: Description in cookie list displayed using “av_privacy_cookie_info” shortcode
  • Compare Action:
    • Cookie Equals Cookie Name: Only cookies with “plugin_cookie” name would be removed
    • Cookie Starts With Cookie Name: Cookies that start with “plugin_cookie” would be removed (E.g.: “plugin_cookie-one”, “plugin_cookie-two”)
    • Cookie Contains Cookie Name: Cookies that have “plugin_cookie” in their name would be removed (E.g.: “my_plugin_cookie_cookie”, “custom_plugin_cookie”)
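
The three Compare Actions and the exact-path requirement, as an added JavaScript example (not Enfold's code). The rule keys, the compare values 'equals' / 'starts_with' / 'contains' and the sample cookies are constructed for illustration, and a single cookie domain is assumed:

```javascript
// Added illustration, not Enfold's code. Rule keys (name, path, compare) and the
// compare values 'equals' / 'starts_with' / 'contains' are hypothetical names.
const COMPARE = {
  equals: (cookie, name) => cookie === name,
  starts_with: (cookie, name) => cookie.startsWith(name),
  contains: (cookie, name) => cookie.includes(name),
};

// Constructed sample: cookies as the browser stores them, identified by name AND path.
// A script reading document.cookie sees only "name=value", never the path.
const SAMPLE_JAR = [
  { name: 'plugin_cookie', path: '/' },
  { name: 'plugin_cookie-one', path: '/' },
  { name: 'my_plugin_cookie_cookie', path: '/shop/' },
  { name: 'tk_ai', path: '/' },
];

// The string a page script assigns to document.cookie to expire one cookie.
function expiryString(name, path) {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
}

// Simulated browser behaviour: an expired cookie replaces (and so removes) only the
// stored cookie with exactly the same name and path; both comparisons are case sensitive.
function expire(jar, name, path) {
  return jar.filter((c) => !(c.name === name && c.path === path));
}

// Apply one custom-cookie rule; returns the strings sent and the cookie names left over.
function applyRule(jar, rule) {
  const matches = COMPARE[rule.compare];
  if (!matches) throw new Error(`unknown compare action: ${rule.compare}`);
  const path = rule.path || '/'; // the page states Enfold itself only uses "/"
  const names = [...new Set(jar.map((c) => c.name))].filter((n) => matches(n, rule.name));
  return {
    sent: names.map((n) => expiryString(n, path)),
    remaining: names.reduce((left, n) => expire(left, n, path), jar).map((c) => c.name),
  };
}
```

With the “contains” rule and path “/”, three expiry strings are sent but my_plugin_cookie_cookie survives because it was set on “/shop/”; the same rule with path “/Shop/” removes nothing.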

To define custom cookies, you would need to know cookie name and cookie path. You can find them in developer tools of your browser:

Let us take “tk_ai” WooCommerce cookie for example (more information on WooCommerce cookies can be found here).

After adding the custom cookie, you can display it in your privacy policy page and/or cookie modal window using the shortcode as follows

[av_privacy_custom_cookie cookie_name="tk_ai"]

Developer info

Cookies from Enfold start with avia. aviaCookieConsent is set when the user has clicked the accept button; if it is missing, this is a new visitor or he refused cookies altogether.

aviaPrivacyRefuseCookiesHideBar AND aviaPrivacyEssentialCookiesEnabled have to be set if the user allows the use of cookies and services.

Enfold saves opt out cookies for services (corresponding to the toggles):

aviaPrivacyGoogleTrackingDisabled
aviaPrivacyGoogleMapsDisabled
aviaPrivacyGoogleReCaptchaDisabled
aviaPrivacyGoogleWebfontsDisabled
aviaPrivacyVideoEmbedsDisabled

aviaPrivacyMustOptInSetting is used to store if you selected option “User must opt in” in backend.
aviaCookieSilentConsent is used when you selected option “All cookies and services accepted” in backend.

Samesite cookie message

You can solve the samesite cookie message by adding this to your wp-config.php:

define( 'WP_SAMESITE_COOKIE', 'Lax' );
“Lax” is default, you can try “strict” or “none” as well.