Complianz Review: How Does It Handle Cookie Compliance?

Updated 02/21/2025, Posted 02/21/2025 by James Parsons

Over the last seven or so years, the internet has seen a lot of changes, but one of the most visible is the proliferation of the cookie consent box. It went from something you never saw to something you saw on a handful of websites and business sites that did business in Europe to something seemingly every website has.

There are a lot of questions about cookie compliance. I wrote a deeper dive in another post recently, so I'm not going to go too deep into it today, but there's still a lot to discuss.

The biggest question I'm focusing on today is this: when you're looking for a way to manage cookie consent on your website, what's the best way to do it? Is Complianz, one of the biggest WordPress cookie management plugins, the best option? Let's take a look.

30 Second Summary

You need to manage cookie consent on your website if you do business in areas with privacy laws or use cookies like Google Analytics. When picking a cookie management system, you need to make sure it lets you show what cookies you use, lets users pick their preferences, and gets clear permission from them. You also have to keep records of user choices and let them change their mind later. You can't force users to accept cookies to use your site or make it harder to say no than yes.

Do You Need a Cookie Compliance Plugin at All?

First, I want to cover this briefly: Do you need a cookie compliance plugin?

This is actually a slightly more difficult question to answer than you might expect, but if you're looking for a one-word guideline and don't care about nuance, the answer is yes, you need a cookie compliance plugin.

Now, let's talk a bit about that nuance.

Cookie compliance is part of general user data privacy protection. The big-name law governing this is the European General Data Protection Regulation or GDPR. While the GDPR gets all of the attention, there are also dozens of other related privacy regulations around the world, including a similar national-level law in Brazil, a similar national law in Canada, and even some state-level laws in US states like California, Virginia, and Colorado.

Broadly speaking, any website that does business in an area covered by one of these privacy laws needs to comply with those laws.

However, you can get away with not having a cookie consent plugin if you meet certain criteria.

  • If you don't do business anywhere that has privacy protection laws. If you really want to go through a bunch of IP blacklisting and geotargeting that changes every year as laws change, or if you're a hyper-local business and you know your local city/state doesn't care, you can probably ignore the law, for now.
  • If you want to take the "security through obscurity" route and bank on the fact that you're much too small of a target for a government to come after. I very much do not recommend this since all it takes is your URL ending up on a list that gets sent a letter (and later a fine), but I know some people are relying on this.
  • If your site simply doesn't use cookies of any sort, you are free to not have a cookie consent plugin. Most websites are going to use cookies, though, especially if you're taking marketing seriously. Even something as basic as adding Google Analytics to your site means you're using cookies.

I recommend that you err on the side of caution and add a cookie consent management plugin just because it's simple, easy, and puts you on the right side of the law in case it ever matters. It's also not going to harm your SEO, might have some indirect benefits to user trust and search ranking, and provides some evidence of your commitment to user privacy.

What Does a Cookie Compliance Plugin Need to Do?

In order to be legal, valid, and effective, what does cookie compliance need to do? This list is generic, so any cookie compliance system you use, whether it's a WordPress plugin, custom code, or something in between, needs to adhere to these guidelines.

Note that these are mostly GDPR guidelines. Specific guidelines from other rules and local laws can vary, though in most cases, the GDPR is more stringent, so complying with GDPR will work for those other laws as well.

It needs to provide information on the cookies your site uses.

Part of consent, in general, is knowing what you're consenting to. While our society is full of ways to "provide" this information while effectively hiding it (has anyone here read an EULA recently? No?), the information does need to be there.

This is why cookie consent boxes tend to have a bunch of moderately complex information in them about what kinds of cookies are used and how they're used. People who care should be able to read this information and know what your site uses.

It needs to allow users to customize their cookie preferences.

In most cases, it's not as simple as just on/off for cookies. Cookies can be divided into different categories, including essential/non-essential, session/tracking, persistent/temporary, and so on. My other post has more information on this, so read it when you get the chance.

The cookie consent plugin you use should allow users to opt in or opt out, but it should also allow them to decide if they want to opt into certain cookies and out of others if you use them.

It needs to gather specific, informed, unambiguous consent.

The GDPR requires that consent for information tracking like cookies needs to have four attributes. The first is that it's freely given, which several of the later points on this list focus on.

The other three are:

  • Specific. Cookie consent must be not just for the use of cookies in general but for specific cookies with specific purposes. If one cookie has more than one function, consent needs to be given for each of them. This is why you can find cookie consent boxes with dozens of checkboxes.
  • Informed. You can't just refer to cookies by their GUID or whatever; the user has to know what each cookie does when they agree or deny permission to that cookie.
  • Unambiguous. Consent must be clearly and unambiguously given. You can't use implied consent or assume consent based on inactivity. Several other points on this list also refer to this.

Most privacy protection legislation focusing on tracking will have similar definitions, so using the GDPR as the model is ideal.

It needs to maintain records of user consent.

This one surprises some people, but the GDPR actually requires that you maintain records of cookie consent. Getting consent requires records of that consent. Fortunately, you don't need to harvest a ton of information for this; pretty much every cookie consent plugin will do it automatically, and there are no restrictions on what methods you use to do it.

Realistically, will you ever need to provide these logs? Probably not. Fortunately, it's only a few bytes of data per site visitor, and the logs can be purged when the cookie expires, so you aren't wasting a ton of space on your site for it.

It needs to provide an avenue for the withdrawal of consent.

Another part of the GDPR is that cookie consent needs to be easy to change.

If a user clicks yes to opt-in and later decides they don't want to be tracked, they should be able to access your cookie consent box at any time and should be able to revoke consent with the click of a button. The same goes for the other direction, too.

It cannot use cookie walls.

A cookie wall is a barrier. If a user says no to cookies and you redirect them away from your site or reject access, that's a wall. It's effectively saying, "You can only see my site if you accept cookies," which is a violation of the regulations. Cookies can't be used like age verification walls, basically.

Now, if your site doesn't function without certain cookies, like session login cookies, that's fine. Those are classified as essential cookies, and the GDPR allows sites to enforce those kinds of cookies, but the user still needs to be able to opt out of tracking and marketing cookies.

It cannot make use of "implied consent" activity.

Another loophole people have tried to use in the past is to just put up a notice – sometimes even a mostly hidden one – saying something like "use of this site constitutes an acceptance of cookies" or something similar.

This violates the rules on explicitly given consent. Scrolling, swiping, or ignoring a cookie consent box (or even ad-blocking it) does not constitute consent and needs to be taken as an opt-out of all non-essential cookies.

It cannot make opting out harder than opting in.

This is another commonly-violated rule that surprises many people, but it's actually part of these privacy laws that opting out can't be harder than opting in.

If you have a big "accept cookies" button but you hide the "reject cookies" button six layers and a hundred checkboxes deep, that's a violation. Both accept and reject need to be equal.

What Does Complianz Offer for Cookie Compliance?

Complianz is one of the largest and most popular cookie compliance plugins for WordPress. It boasts over a million users, flexible and varied configurations, and a 30-day money-back guarantee.

Feature-wise, they're fairly robust.

  • They perform an automatic scan to figure out what cookies your site is using to build the consent list automatically.
  • They integrate and work with over 250 plugins and third-party services that have their own cookies to manage.
  • They record logs and proof of consent as appropriate.
  • They comply with various standards like Google's CMP and Consent Mode, and they even work with AMP pages.
  • Setup is fast and easy with a wizard that helps you choose how you want everything to be displayed and function.
  • It can be customized based on specific geographic regions and needs based on local laws.
  • It can also manage other forms of compliance, like the use of disclaimers, privacy statements, and processing agreements.
  • You can customize the appearance of the consent box using templates and have full control over the HTML and CSS yourself.

Pricing-wise, they have a free version and three paid versions.

The free version gives you a cookie banner, the option to generate a cookie policy, and limited support. It's really basic but enough to get the job done in the most basic sense.

Premium versions get the option to customize the cookie banner, unlimited support, visitor consent management, stat tracking, translations, multi-region support, consent records, split testing, privacy statement support, cookie scans, and Google integration.

The pricing is annual, using the "buy it and get a year of support and updates" model. Presumably, if you don't keep paying, you just don't get updates. The three tiers of plan are identical but allow you to use the plugin on more sites.

  • Personal is 1 website for $59 per year.
  • Professional is up to 5 websites for $179 per year.
  • Agency is up to 25 websites for $399 per year.

All in all, it's a fairly flexible and robust cookie management plugin while still offering both a free option and a relatively cheap plan for individual sites.

My Gripes with Complianz

While I've made it sound like Complianz is pretty good, I do have a few gripes with it.

One issue I encountered when using it is that it can fail silently. That list of 250+ integrations isn't comprehensive, and I had an issue with Google SiteKit, where it basically broke Complianz and injected tracking code anyway. GTM4WP also broke it, which is even worse because Complianz claims they're compatible with it. If I wasn't actively watching cookies to see how they were managed, I wouldn't have even known these were problems.

Basically, the script manager and the system that supposedly actively removes cookies when consent is revoked didn't work, and even in tests using a VPN in the UK, it just let cookies load in even though consent was denied. Kind of defeats the whole purpose!

I also had to dig around for script elements to identify and load into the allowlist for WP Rocket to get WP Rocket to handle it properly. It would have been nice if they had documentation on their system so I didn't have to dig into the code directly to figure it out - I had to follow this guide, which is one of many outdated guides with a similar title, and it's entirely unclear what works and what doesn't until you throw yourself at it for hours. Then, the configuration I needed to use wasn't labeled correctly and used settings that didn't seem intuitive.

I do have some questions about some of their features, too. For example, they offer a "soft cookie wall," and it's unclear if it just requires some action or if it's an actual wall-until-acceptance. The fact that they put the consent records behind the paywall is also not great; it technically makes the free version non-compliant with GDPR.

Overall, I honestly give it a 7 out of 10. Once you get it working, it's fine, and some of their features, like the documentation generators, were pretty slick. I'm also entirely aware of the possibility that some of the issues come from my very customized site, and it's possible that someone with a mostly stock WordPress install won't have nearly the same issue.

Even so, definitely double-check how it handles cookies once you install it, to be sure. The only thing worse than being uncompliant is making it appear as though you're compliant and then still silently loading cookies that violate these international laws. And that's a real risk with this plugin if you aren't doing thorough testing, which is not something your average WordPress user can do themselves without the help of a developer.

Still - we use it, we're developers, and after ironing out these bugs and doing a lot of debugging, it's finally working for us, and we'll keep using it for the time being. But your mileage may vary.
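One way to run the double-check described above, as an added example (not code from Complianz or from this site): after clicking "Deny" in the banner, paste the output of `document.cookie` into the audit below and see what is still being set. The essential-cookie allowlist, the `cmplz_` prefix for the plugin's own preference cookies, and the sample string are assumptions to replace with your site's real values.

```javascript
// Added example: audit cookies present after a visitor has DENIED consent.
// ESSENTIAL is an assumed allowlist; replace it with your site's real essential cookies.
const ESSENTIAL = [
  /^wordpress_logged_in_/, /^wordpress_sec_/, /^wp-settings-/,
  /^wordpress_test_cookie$/, /^PHPSESSID$/,
  /^cmplz_/, // assumption: the consent plugin's own preference cookies
];

// Well-known analytics/marketing cookie names and the service that sets them.
const KNOWN_TRACKERS = [
  [/^_ga($|_)/, "Google Analytics"],
  [/^_gid$/, "Google Analytics"],
  [/^_gat/, "Google Analytics"],
  [/^_gcl_/, "Google Ads"],
  [/^_fbp$/, "Meta Pixel"],
];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
// document.cookie omits HttpOnly cookies, so also check the DevTools cookie table.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Return one finding per cookie that is not on the essential allowlist.
// Unknown names are reported too: an integration the plugin does not
// recognise is exactly the case that fails silently.
function auditAfterDenial(cookieString) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    if (ESSENTIAL.some((re) => re.test(name))) continue;
    const hit = KNOWN_TRACKERS.find(([re]) => re.test(name));
    findings.push({ name, service: hit ? hit[1] : "unclassified, review manually" });
  }
  return findings;
}

// Constructed sample: what document.cookie might return after clicking "Deny".
const SAMPLE = "cmplz_marketing=deny; cmplz_statistics=deny; wp-settings-1=x; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.1; _gid=GA1.1.333.444; my_widget=1";

console.log(auditAfterDenial(SAMPLE));
```

An empty result is what you want to see after a denial; repeat the check from each region you configured, since the banner behaviour can differ per region.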

What did you think of Complianz? Do you have any alternatives you recommend? Your thoughts are valuable and help others make their decisions too - please let me know in the comments!
