Search
Close this search box.

Removing cookies after revoking consent

Available by default in 6.1 onward, called the CookieShredder. Read more here.

With Complianz, users can ask website visitors within the EU for approval to place and read cookies and local storage according to the ePrivacy Directive. Users also request consent within the rules of the GDPR for processing the personal data that can be gathered through reading those cookies and local storage. According to the GDPR, consent must also be easy to withdraw. The system provided to withdraw such consent must be as easy as the technique used to grant such consent. That means that a cookie management system should offer the website visitor the possibility to push a button or uncheck a checkbox as a method of withdrawing consent.

But does this also mean that a website should remove or change the cookies on a visitor’s computer?

A difference between withdrawing consent, disabling or removing cookies.

It is essential to understand that there is a difference between withdrawing consent, disabling cookies, and removing cookies.

When visitors withdraw their consent, they no longer want a controller and their processors to process the personal data they receive and have received through the use of cookies and local storage. In some cases, this also means those non-functional cookies should be disabled. That should make it impossible for third parties to keep receiving the information from the previously accepted cookies.

For this goal, a cookie management system should offer its users a blocking functionality. Those third-party services that place and read cookies within the WordPress ecosystem should use the WP Consent API for that goal or integrate with a cookie management system. With Complianz, it is possible to block most of the scripts that collect or read the information from cookies or Local Storage.

Removing cookies on third-party domains

If a cookie management system does not allow to disable third-party cookies once users have accepted them, the Data Protection Authorities suggest that information must be provided to the website visitor, with the warning that if those visitors accept third-party cookies and subsequently wishes to remove them, they must do so from their own browser or through the system enabled by third parties for such purpose.

Complianz disables third-party scripts that set cookies prior to consent, and after a revoke. When a visitor withdraws their consent, already set cookies are no longer useful, but cannot be removed on third-party domains. Manipulating cookies or data on third-party domains like ‘Facebook.com’ or ‘Google.com’ is not possible as this would cause major security issues if anyone could manipulate data stored on other domain names.

Within the ePrivacy Directive context, this means a website is not obliged to remove the placed cookies.

Clearing cookies from your domain

Although not obligated in the context of the ePrivacy Directive, and impossible on third-party domains, it is possible to clear unused and disabled cookies from the visitor’s browser. This does not change consent behavior or compliance efforts, but it might be a personal preference. Keep in mind, deleting cookies from someone’s browser can be considered invasive.

You can use below MU plugin to clear all cookies on your domain, with the exception of known administrator cookies, needed to keep you logged in.

Join 1M+ users and install The Privacy Suite for WordPress locally, automated or fully customized, and access our awesome support if you need any help!

Complianz has received its Google CMP Certification to conform to requirements for publishers using Google advertising products.