Compliance Alert for WordPress & Woo Site Owners in the EU

Aug 14, 2024 | 7 minute read


Data privacy has become a paramount concern, particularly in the European Union (EU). Recent findings in the AesirX Privacy Scanner, from hundreds of thousands of scans using the European Data Protection Supervisor (EDPS) Inspection Tool, unveil a startling revelation – over 97% of all sites and e-commerce solutions in the EU fail to comply with consent requirements. This blog post examines these findings and guides WordPress and Woo site owners on achieving full compliance.

Key Findings from the EDPS Inspection Tool

The EDPS Inspection Tool highlights that third-party scripts are commonly loaded before user consent is granted. Among the frequent offenders are:

  • Google Analytics
  • Google Tag Manager
  • Google Fonts
  • Google Maps
  • Third-party consent/cookie solutions like CookieInformation and CookieBot
  • First-Party Analytics like Matomo
  • Third-Party Analytics like Plausible and other “GDPR” compliant solutions
  • Meta Pixel Tracker / Linkedin Insights Tag / Other Social Media Pixel Trackers
  • Third-party CRMs like HubSpot and Salesforce
  • Payment Processors like Stripe and PayPal
  • UX Tools like Hotjar & A/B Split Testing Tools
  • Third-party Recommended Product services
  • Third-party Newsletters and Mailing lists

The Importance of Informed Consent

The GDPR and ePrivacy Directive mandate that consent must be explicit, informed, and freely given. This means users should be fully aware of what data is being collected, the purposes for which it is collected, and must have the ability to opt out or revoke their consent at any time. 

Informed consent is not just a checkbox exercise; it is about providing users with understandable and transparent information on data collection and processing activities. Websites must ensure that consent is obtained through clear, concise, and non-deceptive information.

The language used in consent requests should be easy to understand, free from legal jargon, and should explicitly state all data processing activities that will occur once consent is given. 

Furthermore, websites must also provide easy-to-use mechanisms for users to manage their consent preferences, ensuring users can change or revoke their consent as easily as they can give it.

Common Issues

Many website owners mistakenly believe they are compliant because they use third-party cookie consent solutions. However, these solutions often overlook other significant data collection methods such as beacons (JavaScript and Pixel Trackers) and analytics tools, which also require user consent. 

It’s also a common misconception that the presence of a consent management tool equates to compliance; in reality, these tools need to be configured correctly to ensure all forms of data collection are accounted for. 

Additionally, some analytics providers claim their tools are inherently GDPR-compliant, which misleads website owners into thinking additional consent is unnecessary. This misunderstanding can lead to substantial compliance gaps, as third-party services collecting data without explicit user consent are in direct violation of GDPR rules.

Misconceptions and Legalities

Another widespread fallacy among website owners is that it is acceptable to load scripts before obtaining user consent, under the guise of technical necessity or as a preliminary setup. 

However, this practice is explicitly prohibited by the GDPR and the ePrivacy Directive. 

Loading any third-party service that accesses the user’s device and collects information before explicit consent is obtained is illegal. This includes commonly used tools like Google Analytics, Google Tag Manager, and various social media pixel trackers. 

The legal framework is designed to protect user privacy by ensuring that data collection does not begin until the user has been informed and has given consent. Any deviation from this protocol is not only a breach of user trust but also a violation that could result in significant fines and legal repercussions.

Legitimate Interest and Its Non-Applicability

A further area of confusion for many website owners is the concept of legitimate interest as a lawful basis for data processing under the GDPR. While legitimate interest can be a valid basis for some types of data processing, it does not override the requirements for explicit consent, especially in light of the ePrivacy Directive (ePD) Article 5(3). This article explicitly states that accessing and storing information on a user’s device, such as cookies or similar technologies, requires the user's explicit and informed consent.

Legitimate interest is often misinterpreted as a catch-all justification for data collection without consent, but this is a fundamental misunderstanding of the GDPR and ePrivacy framework. The ePrivacy Directive takes precedence in cases involving the processing of data through electronic communications services and mandates explicit consent for such activities. This directive highlights that any data collection involving accessing a user's device – such as through cookies, beacons, or trackers – must be preceded by transparent and informed consent from the user.

Even if a website owner believes that their data processing is for a legitimate interest under the GDPR, it does not supersede the requirement for explicit consent as mandated by ePD 5(3). For instance, using Google Analytics, third-party advertising networks, or social media pixel trackers to track user behavior across websites necessitates explicit consent, regardless of any claimed legitimate interest. This is because the ePrivacy Directive is specifically designed to address concerns related to privacy in the digital realm, complementing and, in this context, taking precedence over the GDPR.

The GDPR and ePrivacy Directive together form an effective framework to ensure user privacy and data protection. Using legitimate interest as a loophole can lead to significant compliance issues and potential fines. Therefore, it is essential that website owners clearly distinguish between data processing activities that might be justified under legitimate interest and those that undeniably require explicit consent under ePD 5(3). They must always err on the side of obtaining clear, informed, and explicit consent from users for any activities involving access to and storage of information on user devices.

Recent Legal Developments

A recent ruling in Germany has brought to light the legal intricacies involved in using third-party cookie consent solutions. 

The ruling establishes that third-party cookie consent solution providers are considered joint data controllers alongside the website owners. This means both parties are legally responsible for ensuring that consent is properly collected before any data processing begins. 

The ruling has significant implications for website owners who rely on these third-party solutions, as they now share legal liability for any compliance failures. This requires a critical evaluation of existing consent management practices and potentially a shift towards first-party consent solutions. 

By doing so, website owners can retain full control over consent collection and processing, thereby mitigating the risk of non-compliance and legal penalties. It emphasizes the need for ongoing vigilance and proactive management of consent practices to stay compliant with evolving data protection laws.

9 Steps to Achieve Compliance

  1. Avoid Pre-Loading Third-Party Scripts: Ensure that third-party cookies or scripts are only loaded after user consent.
  2. First-Party Cookie / Consent Solutions: To avoid shared liability, use a first-party consent solution. This approach ensures you retain control over consent collection and data processing, and that you can collect informed and explicit consent before loading the consent solution itself.
  3. Detailed Consent Information: Provide transparent information about data collection, its purposes, and all entities involved. Avoid using dark patterns in consent modals.
  4. First-Party Data: Prioritize first-party data collection to minimize risks associated with third-party data processors. Remember that First-Party Analytics solutions also require consent.
  5. Data Minimization: Collect only the data necessary for achieving the specific purposes stated in your consent request. Consider using Opt-In and Granular Consent.
  6. Granular Consent: Implement mechanisms allowing users to opt in, opt out, and revoke consent for specific types of data processing. Only ask for consent for what is needed and when it's needed.
  7. Decentralized Consent: Consider using technologies like AesirX Shield of Privacy that support decentralized consent management to enhance transparency and user control by giving the data ownership to the user.
  8. Regular Audits and Updates: Conduct frequent audits to ensure new third-party services aren't added without proper consent collection protocols in place, and consider using a Privacy Monitoring service for ongoing monitoring.
  9. User Control and Transparency: Strengthen user control by ensuring consent can be easily revoked and all data processing ceases immediately upon revocation. Remember that there is no such thing as half compliance.
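Steps 1, 6 and 9 above describe one mechanism: third-party scripts are fetched only after the visitor opts in to a specific purpose, and revoking that purpose unloads them again. The following is an added example of such a consent-gated loader, written for this article; it is not code from the post, from WordPress or from AesirX. The storage key, the integration catalogue, the placeholder URLs and the purpose names are assumptions. Nothing is loaded by default: a purpose counts as granted only when the stored record says so explicitly, so a missing or malformed record behaves as "no consent".

```javascript
// Added example (not from the post or from AesirX): consent-gated loading of
// third-party scripts. Scripts are fetched only after an explicit opt-in to
// their purpose; revocation removes them. All names and URLs are assumptions.

const CONSENT_KEY = "site_consent_v1"; // assumed localStorage key

// Constructed catalogue of integrations grouped by consent purpose.
// The src values are placeholders, not any vendor's real script endpoint.
const INTEGRATIONS = [
  { id: "analytics", purpose: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel", purpose: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "map-embed", purpose: "functional", src: "https://example.invalid/map.js" },
];

// Opt-in consent record. Anything not explicitly `true` is treated as denied,
// so an absent or corrupted record never grants anything.
class ConsentStore {
  constructor(storage) {
    this.storage = storage; // localStorage-like object with getItem/setItem
  }
  read() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return { choices: {}, updatedAt: null };
    try {
      const rec = JSON.parse(raw);
      return { choices: rec.choices || {}, updatedAt: rec.updatedAt || null };
    } catch {
      return { choices: {}, updatedAt: null }; // malformed record == no consent
    }
  }
  isGranted(purpose) {
    return this.read().choices[purpose] === true;
  }
  set(purposes, granted) {
    const rec = this.read();
    for (const p of purposes) rec.choices[p] = granted === true;
    rec.updatedAt = new Date().toISOString(); // keeps a timestamp for audit
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
}

// Browser defaults: inject or remove a <script> tag. They are passed in as
// options so the gating logic itself can run and be tested outside a browser.
function domLoadScript(integration) {
  const el = document.createElement("script");
  el.src = integration.src;
  el.async = true;
  el.dataset.consentId = integration.id;
  document.head.appendChild(el);
}
function domUnloadScript(integration) {
  const el = document.querySelector(`script[data-consent-id="${integration.id}"]`);
  if (el) el.remove();
  // A tracker that already initialised keeps running in memory; reloading the
  // page after revocation is the reliable way to stop it completely.
}

function createConsentLoader({
  store,
  loadScript = domLoadScript,
  unloadScript = domUnloadScript,
  integrations = INTEGRATIONS,
}) {
  const loaded = new Set();
  return {
    // Load every integration whose purpose is granted and not yet loaded.
    applyConsent() {
      const started = [];
      for (const it of integrations) {
        if (loaded.has(it.id) || !store.isGranted(it.purpose)) continue;
        loadScript(it);
        loaded.add(it.id);
        started.push(it.id);
      }
      return started;
    },
    // Granular opt-in: only the named purposes are granted.
    grant(purposes) {
      store.set(purposes, true);
      return this.applyConsent();
    },
    // Revocation is persisted first, then matching scripts are unloaded.
    revoke(purposes) {
      store.set(purposes, false);
      const stopped = [];
      for (const it of integrations) {
        if (loaded.has(it.id) && purposes.includes(it.purpose)) {
          unloadScript(it);
          loaded.delete(it.id);
          stopped.push(it.id);
        }
      }
      return stopped;
    },
    loadedIds() {
      return [...loaded].sort();
    },
  };
}

// Constructed in-memory storage so the loader can run outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```

In a page, `createConsentLoader({ store: new ConsentStore(window.localStorage) })` is constructed once at startup and `applyConsent()` is called on load, which does nothing until the visitor has opted in; the consent modal's buttons call `grant()` and `revoke()` with the purposes the visitor chose. The point to verify in your own site is the first call: with no stored record, the loader must return an empty list and no third-party request must appear in the browser's network log.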

Get Compliant!

Achieving GDPR and ePrivacy Directive compliance is not just about adhering to legal requirements but also about building trust with your users. By implementing transparent, user-friendly consent mechanisms and choosing first-party solutions, you not only protect your site from potential fines but also improve your reputation as a responsible data handler.

For more guidance on making your WordPress or Woo site compliant, explore tools like AesirX’s Unified Analytics & Consent Solution for WordPress, which offer a range of solutions tailored to enhancing data privacy and ensuring regulatory compliance.

Ready to ensure your site is fully GDPR and ePrivacy Directive compliant? Scan your website with AesirX’s Free Privacy Scanner and receive a detailed compliance report today! 

Ronni K. Gothard Christiansen // VikingTechGuy 

Creator, AesirX.io

Join our community and catch up with all the latest information and news on Telegram https://t.me/aesirx_official_community 


About AesirX Privacy Scanner: 

The AesirX Privacy Scanner is a powerful tool designed to ensure that websites comply with the stringent requirements of the ePrivacy Directive and GDPR. Using the EU's EDPS (European Data Protection Supervisor) Inspection Tool, AesirX Privacy Scanner thoroughly scans websites to identify non-compliant elements, including cookies, trackers, and beacons. 

AesirX also offers a free Privacy Advisor AI Assistant that helps to explain the scanned results from the EDPS Inspection Tool and offers concrete recommendations on what is needed to resolve compliance issues found in your scan result.
