POPI and your website
Before discussing which popup plugins to use, we need to say a few words about Google Analytics and your website statistics.
Google Analytics and POPI compliance
One of the main non-essential cookies affected by cookie consent popups is your Google Analytics tracking code. If a user chooses to reject all non-essential cookies, your tracking code will not be loaded and their visit will not be registered in your website statistics. Clearly, this is something we want to avoid, as accurate stats are essential to running a business. There are two ways to make Analytics GDPR/POPI compliant:
- Automatically anonymize or disable personal data tracking (and avoid the necessity of asking permission to track visits)
- Use a cookie notice to get explicit consent
The two methods are explained in detail in this article by Monster Insights. We’ll summarise its main points here, beginning with Option 1 – Automatically anonymize or disable personal data tracking.
The basic Google Analytics installation is actually very close to being transparent in a GDPR and POPIA sense. Most of the data that is collected is already anonymised and cannot be used to identify any particular user. The one exception is that Analytics knows the general location of the visitor based on their computer’s IP address. So what you can do is tell Analytics to anonymise IP addresses as well. You do this by inserting a function in the Analytics tracking code on your website. Read about how to anonymise IP address data.
The great advantage of doing this simple operation is that you can continue using Analytics WITHOUT having to ask users for permission to track them. In other words, you can either dispense with a cookie notice altogether (probably not recommended) or just have an OK/Accept option in your cookie notice without any option to reject cookies. This is the solution we are using for our own websites where we have a basic Analytics installation and are not using remarketing.
If you are using any kind of remarketing (i.e., you have a complex installation), you need to use option 2, which is a detailed cookie notice asking visitors to consent to being tracked. Carry on reading for advice on choosing a detailed cookie notice.
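To make the two options concrete, here is an added example (not code from this article or from Monster Insights) that decides, per visitor, whether the Analytics tracking code is loaded and with which settings. `MEASUREMENT_ID` is a placeholder, and the function names and consent values are assumptions made for illustration.

```javascript
// Added example, not from the article. MEASUREMENT_ID is a placeholder, and the
// consent values ('accepted', 'rejected', null = no choice yet) are assumed to
// come from whichever cookie notice plugin the site uses.
const MEASUREMENT_ID = 'GA_MEASUREMENT_ID';

// Returns the gtag() commands to run for one visitor.
// An empty list means the tracking code must not be loaded at all.
function analyticsCommands({ usesRemarketing, consent }) {
  if (!usesRemarketing) {
    // Option 1: basic installation with IP anonymisation. The two allow_* flags
    // (an addition here) also keep Google's advertising features switched off.
    return [
      ['js', new Date()],
      ['config', MEASUREMENT_ID, {
        anonymize_ip: true,
        allow_google_signals: false,
        allow_ad_personalization_signals: false,
      }],
    ];
  }
  // Option 2: remarketing needs explicit consent; "no choice yet" counts as no.
  if (consent !== 'accepted') return [];
  return [['js', new Date()], ['config', MEASUREMENT_ID, {}]];
}

// Browser wiring: queue the commands and add the gtag.js script only if needed.
// win and doc are window and document; they are parameters so this can be tested.
function applyAnalytics(win, doc, options) {
  const commands = analyticsCommands(options);
  if (commands.length === 0) return false; // nothing loaded, nothing sent
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  commands.forEach((cmd) => gtag(...cmd));
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
  doc.head.appendChild(script);
  return true;
}
```

On a page you would call `applyAnalytics(window, document, { usesRemarketing: false, consent: null })` once the cookie notice has reported the visitor's choice.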
Choosing cookie notice plugins
Simple cookie consent
For a simple cookie popup for a WordPress website, you can try the very popular Cookie Notice & Compliance by hu-manity.
It’s free to use and is quite simple to install and set up. There are other similar plugins in the WordPress plugin repository that will also do a good job. Here’s an example of the cookie consent popup created using the Cookie Notice & Compliance plugin.
Detailed cookie consent
If you need a WordPress popup that offers cookie selection, you can try Cookiebot. We haven’t used it yet, but we like it already because it is free and because it incorporates POPI and not just GDPR. The premium version is 9 euros/month and allows you to customise the popup. You can also try the paid version of Cookie Notice & Compliance by hu-manity at around $14/month.
Dealing with requests for data deletion
Your WordPress website provides an automated function to export or delete information relating to particular users. If someone contacts you to request details of their data or to ask for their data to be deleted, ask them for the email address they used when interacting with your site. Then log into your WordPress dashboard and go to Tools > Export Personal Data or Tools > Erase Personal Data. You will be asked to enter the user's email address to locate the data, and you can then export it or delete it.
Whatever you do … don’t panic!
We know all of this can seem quite overwhelming for business owners and you might be feeling some concern over the need to do POPI absolutely right to avoid trouble. However, from our research, we have found various POPI authorities admitting that the whole thing is a bit of a mystery and that everyone is proceeding by trial and error. So our position right now is not to panic but just to make sure we are applying the basic principles of transparency, honesty and care when dealing with client information and website visitors. If you don’t do anything to annoy people and you make an effort to be compliant, it is unlikely you will receive a call from the Regulator. Naturally, the bigger you are as a company and the more client information you process, the more stringent the requirements become and you are well advised to spend money on specialist advice. For the majority of our website clients and the thousands of small and micro enterprises in South Africa, the general advice in this series of articles should suffice to get you broadly compliant with POPI.
If you have a more complex business and you want to be sure of your POPI implementation, try the following:
Read Part 1 of this article: Introduction to POPIA