How to Create GDPR Compliant Forms in WordPress

Do you want to create GDPR-compliant forms in WordPress?

The European Union's General Data Protection Regulation (GDPR) requires a website to obtain explicit user consent before it stores and uses personal information, so that users have more control over the data websites hold about them.

In this article, we will show you how to easily create GDPR-compliant forms in WordPress.


What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that became enforceable on May 25th, 2018. It aims to give people in the EU control over their personal data, and it changes how companies around the world handle data privacy, because it applies to anyone processing the data of EU residents, wherever the company is based.

For more details, see our ultimate guide to WordPress and GDPR compliance which will answer all your GDPR-related questions in plain English.

A typical WordPress site collects users' personal information in a number of ways, and forms are one of the most common. Most forms collect at least a name or email address, so you will want to make sure that your WordPress forms comply with GDPR.

What is Required to Make a Form GDPR Compliant

In order to make your WordPress forms GDPR compliant, you will need to add the following features:

  • Ask users to give explicit consent for storing and using their personal information.
  • Allow users to request access to their own personal information stored on your website.
  • Allow users to request the deletion of their data from your website.

Having said that, let's take a look at how to easily create GDPR-compliant WordPress forms.

How to Make a GDPR Compliant Form in WordPress

We recommend using WPForms to make GDPR-compliant WordPress forms. It is the best contact form plugin for WordPress and has built-in GDPR enhancement features.

For instance, you get a 1-click GDPR Agreement field for your forms, settings that follow GDPR data retention best practices, and an easy entry management system to quickly find, export, or delete user data upon request.

First, you need to install and activate the WPForms plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

For this tutorial, we'll use the WPForms Pro version because it includes the 'Disable User Cookies' and 'Disable User Details' options. However, you can also use the WPForms Lite version to create a GDPR-compliant form.

Upon activation, you need to visit WPForms » Settings page and enter your license key. You can find the license key in the WPForms account area.

Entering the WPForms license key

Next, you’ll need to scroll down to the GDPR section.

There, you need to check the box next to the GDPR Enhancements option.

Enable GDPR enhancement option

Enabling the GDPR Enhancements option will reveal two more GDPR-related settings.

The first option, 'Disable User Cookies', stops WPForms from setting its session cookie. That cookie holds a random unique identifier that WPForms uses for features like related entries, form abandonment, and geolocation, so disabling it also disables those features.

The second option, 'Disable User Details', stops WPForms from storing the submitter's IP address and browser user agent with each entry. IP addresses count as personal data under GDPR, so if you do not need these features, enabling both options is the safer choice: data you never store cannot leak and never has to be exported or erased on request.

Don’t forget to click the ‘Save Settings’ button to store your changes.

Select a Form Template and Add the GDPR Agreement Field

WPForms is now ready to create GDPR-compliant forms in WordPress. You can now go to WPForms » Add New page to create a new form.

You will be asked to enter a title for your form and select a template. These templates are ready-made forms that you can use as a starting point. In this tutorial, we’ll use the ‘Simple Contact Form’ template.

Add a new form

This will launch the WPForms builder interface.

You will see your form preview in the right column, and on the left, you will see all the fields that you can add to your form.

Add the GDPR agreement field

Simply drag the ‘GDPR Agreement’ field and add it to your form.

You will now see it appear at the bottom of your form. If you click on it, more options will appear in the settings panel on the left.

Edit the GDPR agreement

You can change the title of the form field and the agreement text, and then use the description box to add details such as a link to your privacy policy or terms and conditions pages.

Note: The GDPR Agreement field is always required and cannot be pre-checked. That is deliberate: consent under GDPR has to be an affirmative action by the user, and a pre-ticked box does not count as consent. You can only add one GDPR Agreement field to each form.
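The checkbox state and the HTML `required` attribute are both client-side, so anyone can untick or remove the field in the browser's developer tools or leave it out of a crafted POST. A form plugin that re-validates the field on the server covers this for you; if you handle submissions in your own code, the server must do the check itself and should also record what was consented to. The following is an added example, not WPForms code; the field name `gdpr_agreement`, the checkbox value `'1'`, the hidden `policy_version` field and the hashing salt are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Server-side check of a consent checkbox plus a minimal consent record.
 *
 * Added example, not WPForms code. The field name 'gdpr_agreement', the
 * checkbox value '1', the 'policy_version' hidden field and the salt are
 * assumptions for illustration.
 *
 * @param array<string,mixed> $post          Raw submitted fields (e.g. $_POST).
 * @param string              $policyVersion Identifier of the privacy text the form displayed.
 * @param string              $clientIp      Remote address; stored only as a truncated salted hash.
 * @return array{ok:bool,error?:string,record?:array<string,mixed>}
 */
function validate_consent(array $post, string $policyVersion, string $clientIp): array
{
    // Only the literal value rendered in the checkbox counts as consent.
    // A missing key, '', '0', 'false' or any other value is "no consent";
    // do not coerce with (bool), which would turn the string 'false' into true.
    $raw = $post['gdpr_agreement'] ?? null;
    if (!is_string($raw) || $raw !== '1') {
        return ['ok' => false, 'error' => 'Consent checkbox was not ticked.'];
    }

    // The user must have seen the current privacy text. A hidden field carrying
    // the version shown lets the server reject consent given to stale terms.
    $shown = $post['policy_version'] ?? null;
    if (!is_string($shown) || !hash_equals($policyVersion, $shown)) {
        return ['ok' => false, 'error' => 'Consent refers to an outdated privacy text.'];
    }

    // Data minimisation: keep enough to demonstrate consent (what, when, which
    // text) without the raw IP address, which is itself personal data.
    $ipHash = substr(hash('sha256', 'consent-salt-example|' . $clientIp), 0, 16);

    return [
        'ok'     => true,
        'record' => [
            'consent'        => true,
            'policy_version' => $policyVersion,
            'given_at'       => gmdate('c'),
            'ip_hash'        => $ipHash,
        ],
    ];
}

// Constructed sample submissions (not real traffic).
$ticked   = ['gdpr_agreement' => '1', 'policy_version' => 'privacy-2024-01', 'email' => 'user@example.com'];
$stripped = ['policy_version' => 'privacy-2024-01', 'email' => 'user@example.com']; // checkbox removed in dev tools
$stale    = ['gdpr_agreement' => '1', 'policy_version' => 'privacy-2022-06', 'email' => 'user@example.com'];

foreach ([$ticked, $stripped, $stale] as $submission) {
    $result = validate_consent($submission, 'privacy-2024-01', '203.0.113.7');
    echo $result['ok'] ? 'accepted' : 'rejected: ' . $result['error'], PHP_EOL;
}
```

The returned record is what you would store next to the entry: it lets you answer "when did this person consent, and to which version of the text" without keeping their IP address in the clear.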

Next, you can go to the Settings » Confirmations tab in the form builder. Here, you can choose what happens when a user submits the form: show a message, display a page, or redirect the user to another URL.

Edit form confirmation settings

Once you are satisfied with the form, don’t forget to store your changes.

Adding a GDPR Compliant Form to WordPress

WPForms allows you to easily add forms anywhere on your website.

You can simply click the ‘Embed’ button at the top of the form builder to get started.

Click the embed button

Next, a popup will open, which will ask you to create a new page or select an existing page.

We’ll use the ‘Create New Page’ option for this tutorial.

Embed a form in page

After that, you’ll need to enter a name for your page.

Once that’s done, simply click the ‘Let’s Go’ button.

Enter the name of the page

Your form will now appear in the WordPress content editor.

Another way to add forms to any page or post is using the WPForms block. Simply add the block to your content and select your form from the dropdown menu.

Add a WPForms block in wordpress

You can now save or publish your post or page.

Simply visit your website to see your GDPR-ready WordPress form in action.

GDPR form preview

Managing Data Access and Deletion Requirements with WPForms

One of the requirements for GDPR compliance is to give users access to the personal data you hold about them and to let them request its deletion.

To do that, you can create a 'Data access/delete form' and add it to your privacy policy page. Users who wish to access their stored data or want it deleted can use that form to send you a request. Before acting on a request, confirm that the requester controls the email address the data was submitted with (for example, by replying to that address and asking them to confirm); otherwise the access form becomes a way for anyone to pull another person's data out of your site.

WPForms has an excellent entry management system that allows you to quickly find any data submitted via your forms.

You can access all form entries by visiting WPForms » Entries page from your WordPress dashboard and selecting the form you wish to view.

View form entries in WPForms

WPForms will show you all entries submitted using that form. You can search for a form entry by entering a name, email address, IP address, or keyword.

From here, you can click the 'Delete All' option at the top to remove form entries. 'Delete All' is meant for clearing out a form's entries, not for fulfilling one person's request: for that, search for the person's entries and delete only those.

Delete form entries

You can also delete individual entries or click the view button to see all data stored for that entry, which is what you would export and send back for an access request.
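WordPress core has its own access and erasure workflow under Tools » Export Personal Data and Tools » Erase Personal Data, and it emails the requester a confirmation link before anything runs, which takes care of the identity check. Plugins plug their own data stores into it through two core filters. The snippet below is an added example (not WPForms code) that registers an exporter and an eraser for a hypothetical `wp_demo_form_entries` table with `id`, `email`, `fields` (JSON) and `created_at` columns; the table and its columns are assumptions, while the two filters and the callback return shapes are WordPress core's (available since 4.9.6). It runs inside WordPress as a plugin or mu-plugin.

```php
<?php
/**
 * Added example: hook a custom form-entry table into WordPress core's
 * privacy tools (Tools » Export Personal Data / Erase Personal Data).
 * Not WPForms code. Table name and columns are assumptions; the filters
 * and callback contracts are WordPress core.
 */

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ) {
    $exporters['demo-form-entries'] = array(
        'exporter_friendly_name' => 'Demo form entries',
        'callback'               => 'demo_form_entries_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ) {
    $erasers['demo-form-entries'] = array(
        'eraser_friendly_name' => 'Demo form entries',
        'callback'             => 'demo_form_entries_eraser',
    );
    return $erasers;
} );

/**
 * Return the entries submitted with $email_address, 100 per page.
 * Core calls this repeatedly, incrementing $page, until 'done' is true.
 */
function demo_form_entries_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $limit  = 100;
    $offset = ( max( 1, (int) $page ) - 1 ) * $limit;
    $table  = $wpdb->prefix . 'demo_form_entries'; // assumed table

    // Prepared statement: the email comes from the request and is never interpolated.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, fields, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $limit, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $data = array( array( 'name' => 'Submitted', 'value' => $row->created_at ) );
        // Assumed: 'fields' holds a JSON object of label => value pairs.
        foreach ( (array) json_decode( $row->fields, true ) as $label => $value ) {
            $data[] = array( 'name' => (string) $label, 'value' => (string) $value );
        }
        $items[] = array(
            'group_id'    => 'demo-form-entries',
            'group_label' => 'Form entries',
            'item_id'     => 'entry-' . $row->id,
            'data'        => $data,
        );
    }

    return array( 'data' => $items, 'done' => count( $rows ) < $limit );
}

/**
 * Delete the entries for $email_address. Report honestly whether anything was
 * retained (for example rows under a legal hold) so the reply sent to the
 * user by core is accurate.
 */
function demo_form_entries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_form_entries'; // assumed table

    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s", $email_address
    ) );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Matching on the submitted email address is the usual key for form entries; if you also stored a hashed IP or a user ID, add those to the WHERE clause so an erasure does not leave orphaned copies behind.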

Disabling User Details for Specific Forms

With WPForms, you get full control over which forms store user details. You can turn off storage of user details for each individual form.

First, you'll need to go to WPForms » Settings from your WordPress dashboard and scroll down to the 'GDPR' section.

Here, make sure that the 'Disable User Details' option is unchecked. That global option applies to every form; leaving it unchecked lets you decide per form instead.

Disable user details is unchecked

Don’t forget to click the ‘Save Settings’ button when you’re done.

After that, you can change each form’s settings in the form builder.

All you have to do is head to Settings » General in the form builder. Next, click the ‘Advanced’ section to expand it. From here, simply click the toggle for the ‘Disable storing user details (IP address and user agent)’ option.

Disable storing user details-settings

This will prevent extra user information from being stored for individual forms.

We hope this article helped you learn how to easily create GDPR-compliant forms in WordPress. You may also want to see our article on how to track user engagement in WordPress using Google Analytics and the ultimate WordPress SEO guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Create GDPR Compliant Forms in WordPress first appeared on WPBeginner.

Best Webinar Software

If you want to start hosting webinars but have no idea where to start, you’ve come to the right place.

Sometimes selling through email sequences or social media posts alone isn’t enough to show your audience why they should buy what you’re selling.

Hosting a webinar and putting a face to a brand, and demonstrating the benefits of your product or service, can be that extra push they need to know, like, and trust your brand. Then you can turn your audience into happy customers.

However, webinars can be as complex or as simple as you want them to be. This is why you want to choose the software that’s able to deliver the exact customer experience you’re looking for. Read on to find the best webinar software on the market and what you should think about when choosing one.

The 5 Best Webinar Software of 2020

  1. WebinarJam – Best for highly interactive webinars
  2. Livestorm – Best for simple webinars
  3. WebinarGeek – Best for EU GDPR compliance
  4. LiveWebinar – Best for advanced cloud-based webinars
  5. EverWebinar – Best for pre-recorded webinars

Below, I’ve highlighted what each webinar delivers for each category, along with their prices and best features.

#1 – WebinarJam — Best For Highly Interactive Webinars

  • Polls and surveys for attendees
  • Drawing board for better presentations
  • Real-time participation
  • $1.00 14-day trial
Try it today!

WebinarJam might have a fun name, but they mean business when it comes to creating webinars with highly interactive tools.

Webinars keep your audience highly engaged, with features like live chat and the ability to spotlight attendees and bring them onto the webinar with you.

WebinarJam has no shortage of interactive tools to make sure you capture your audience’s attention from beginning to end. For instance, with their polling option, you can quiz and survey your audience in real-time to encourage participation.

If you want your webinar registration page optimized for sales, you can use WebinarJam’s mobile-responsive page builder and split-test which page your audience interacts with most for higher conversion rates.

You can also fully customize your email automation, send interactive SMS texts, handwrite notes on your presentations as you go with their drawing board feature, and integrate clickable offers while your webinar is in session for instant sales.

WebinarJam offers a $1 14-day trial you can use as a test drive. If you decide to commit, they charge yearly, starting with their Basic tier at $499 for 500 attendees, or try the Professional level for 2,000 attendees at $699. Their Enterprise option starts at $999 yearly for up to 5,000 attendees.

If you start with WebinarJam, it’s doubtful you’ll ever have to migrate to another webinar software. They’re that well-rounded. Many marketers love it because the long list of things you can do with the software is designed to make your audience take action. But if you’re still on the fence, I recommend taking advantage of their trial.

#2 – Livestorm — Best For Simple Webinars

  • Very beginner-friendly
  • Host unlimited webinars
  • HD streaming
  • Try their free plan
Try it today!

With Livestorm's simplicity and ease of use, you can create your next webinar and have it up and ready to go in five minutes. This makes them the best webinar software for businesses that want to create simple webinars quickly.

Everything can be done from your browser without needing to download and install anything for Livestorm. You can host an unlimited number of webinars with their HD streaming capabilities, so you never have to worry about running out of webinar streaming and hitting your limit.

For instance, if you want to show a live demo, you can easily share your computer screen with your audience with one click. Though their biggest strength is being a simple webinar software option, Livestorm also offers all of the standard webinar features like scheduling, pre-recording webinars to use later, audience insight and analytics, and landing page options to gather leads.

Livestorm's simplicity goes beyond how they're built. They let you try them out for free or request a live demo by filling in a few details. Better yet, you can attend their weekly live demo webinar and ask any questions you want during their Q and A session.

How much is software like Livestorm? They offer a free plan, but it only lets you host 20-minute webinars with up to 10 attendees. If you're serious about using their webinar tools extensively, the next plan up is $89 a month billed yearly, which lets you host up to 100 attendees. You can increase that to either 250 or 1,000 attendees for an additional fee. For the enterprise option and beyond, you'll have to speak to them directly.

If you're invested in choosing a straightforward and functional webinar software for your business, I recommend attending their free weekly webinars. It's a great way to check out everything they offer without any of the commitment.

#3 – WebinarGeek — Best For EU GDPR Compliance

  • Great for EU audience
  • Seamless interface
  • $11/month for 25 viewers
  • Try the free webinar challenge
Try it today!

You don't have to worry as much about GDPR compliance with WebinarGeek if you cater to a large EU audience. Their software is built to be GDPR ready, so you don't have to bolt compliance features onto every webinar yourself. Bear in mind that using a GDPR-ready vendor does not remove your own obligations as the data controller: you still need a data processing agreement with the vendor and a lawful basis for contacting your registrants.

Their user-friendly interface makes creating your webinar a seamless process, from the landing page to the opt-in forms and each page’s branding. If you happen to get stuck in the process, their live chat goes as far as offering support in multiple languages, as they’re built with the European audience in mind.

WebinarGeek hosts a free webinar challenge to help you launch your first webinar in seven days if you’re starting the process and want some hand-holding. Their prices start at $11 a month charged annually for up to 25 viewers, and $35 a month billed annually for up to 100 viewers with the option to add more for additional fees. Anything beyond that requires you to speak with them to get a quote.

If ensuring GDPR compliance is a particular headache with your webinars, WebinarGeek easily eliminates that problem and provides an excellent webinar experience.

#4 – LiveWebinar — Best For Advanced Cloud-Based Webinars

  • Safely store/share files
  • HD-quality webinars
  • Tons of integrations
  • Try it for free
Try it today!

Are you looking for advanced webinar software fully tailored to your business, highly customizable, and cloud-based? Enter LiveWebinar, the most advanced webinar software.

LiveWebinar lives up to its promise by delivering on advanced cloud-based webinar capabilities.

With their cloud-based software, you can easily and safely store any files to share with your audience without worrying about your webinar crashing or being interrupted. What’s more, you can also live stream your HD-quality webinar on YouTube, Facebook, and Periscope for greater reach.

LiveWebinar equips you with the ability to invite your audience via video and text to watch from virtually anywhere. They’re easily accessible through your browser without the need for confusing downloads. Once you design your perfect webinar, you can embed it on your site for easy access and a touch of more personalized branding thanks to their cloud-based feature.

If you want to take it a step further, LiveWebinar lets you create quizzes and certificates to go right along with your webinars, turning them into courses. They integrate with Slack, Mailchimp, Constant Contact, Aweber, HubSpot, Mailerlite, and a ton of others. If you don’t see your preferred integration as an option, you can always connect it with Zapier or use their API key function.

LiveWebinar’s free tier might not be the best for growing businesses since it only allows up to five attendees. But you can go pro for $11 a month charged annually for up to 100 attendees, or $95.20 a month billed yearly for up to 500 attendees. If you want the capacity for more than 1,000 attendees, you’ll have to contact them for a customized package.

If you want a webinar tool that ensures a highly customizable cloud-based webinar experience that delivers quality, give LiveWebinar’s free trial a try.

#5 – EverWebinar — Best For Pre-Recorded Webinars

  • On-demand webinars
  • Great for gated content
  • Simulate live chat
  • Starts at $499/year
Try it today!

EverWebinar is outstanding for creating pre-recorded, on-demand webinars that feel and look live. They’re the best option if you prefer to create pre-recorded webinars that virtually cut your webinar management time in half.

One of their best on-demand features is what they coined as their Replica Replay. With it, you can import past webinars from WebinarJam and convert them into evergreen webinars to play again and again. They also keep every live interaction that happened during the initial webinar to make it seem more live upon rewatching. This effectively saves you the hassle of possibly hosting hundreds of live webinars that repeat the same points and sales pitches.

If you’re hosting a live webinar and don’t want to have a live chat simultaneously, you can simulate one with their live chat simulator. This way, it seems like your audience is actively interacting with you. With their just-in-time option, you can make sure your audience doesn’t skip your webinar if they’re pressed for time, with the ability to watch your webinar within minutes of signing up.

To get access to all of EverWebinar's pre-recorded webinar features, you can start with a yearly plan paid in three installments of $199. Otherwise, you can try the $499 annual plan or upgrade to a biennial plan for $799.

How to Find The Best Webinar Software For You

Most webinar software combines marketing automation with video conferencing functionality. They overlap on the basics like polling features, several automation options, email sequences, and sign-up features.

But to personalize things further, these are the points to consider when choosing the best webinar software for you.

Marketing Strategy

Think carefully about what marketing strategies you use or want to use to capture leads, record how your audience interacts with your webinar, and how you’ll segment them to maximize sales. These strategies will help you choose between software options, as some will support your needs better than others.

Some webinar software comes with tools that let you dive deep into the analytics of your attendees. Others are more straightforward and focus on delivering reliable, quality video streaming. It’s up to you to decide the level of complexity you need your webinar software to handle. This, in turn, will be a deciding factor in choosing the appropriate software, attendance limit, and price point.

Business Goals

This guide wouldn’t be complete without mentioning that webinars aren’t only for directly selling your audience a product or service. Webinar software can also be used for online training, video conferencing, and group meetings that don’t necessarily revolve around direct selling.

Maybe you are looking to create video conferencing or online training as well as direct sales webinars. In that case, you’ll want to find software that delivers more than one webinar function.

Reach

Webinar software generally has an attendance cap, which is largely what they use to set their prices. So, if you’re expecting to have hundreds of people at a time join your webinars, you’ll want a more robust software that allows for more attendees without abruptly capping your audience at the last minute or lagging.

However, more attendees almost always means paying more for more software bandwidth. Taking your budget into account when weighing different webinar options is essential. You don't want to invest in webinar software that ends up costing you more than your expected sales revenue.

Quality and Reliability

HD streaming and connectivity are crucial webinar features if you care about your brand image. If you deliver a sub-par webinar that starts late, glitches, fails to connect with your microphone, or goes off the air halfway through the presentation, your results will reflect that.

Quality matters, especially because chances are you aren’t the only business in your niche offering webinars. Keep in mind it doesn’t take much for your audience to click away, especially if they can’t follow your pitch due to malfunctions. Additionally, while not all webinar software offers HD streaming, it can be an excellent addition if you have the budget for it.

Summary

The beauty of webinar software is that once you find the right one, you can save time and grow your sales quickly by creating a more personalized online video experience that reaches a massive audience.

In my experience, the best webinar software tools to have in your marketing toolbox are WebinarJam and EverWebinar. They enable you to create time-saving evergreen webinar funnels you can use indefinitely with plenty of engaging features. You can also try using them in tandem, as they easily integrate with one another.

EU Privacy Shield and the Future of Data Regulation-Compliant DBs

On July 16, 2020, the Court of Justice of the European Union invalidated the four-year-old EU-U.S. Privacy Shield agreement (the Schrems II ruling), finding that it did not adequately protect Europeans' data from possible U.S. surveillance. The agreement had allowed U.S. companies like Facebook and Google to transfer data about European residents to the U.S. and store it outside the region.

This move is yet another great example of the EU doing “right” by their constituents and holding tech companies responsible for their users' data privacy. The news also builds on the EU’s General Data Protection Regulation (GDPR) leadership, extending its consumer protections and providing a model for the rest of the world to work from as global data privacy policies continue to evolve.

OpenPayd Now Part of EU's SEPA Payment Scheme

OpenPayd, an API-based banking as a service provider, now has direct access to the Single Euro Payments Area (SEPA) scheme. SEPA was created and adopted by EU members to make cross-border payments as easy as domestic payments. Until recently, OpenPayd had to rely on a partner bank for its SEPA capabilities.

Why & How to Add a Do Not Sell Button to WordPress

Over the past few years, many online business owners have taken steps to comply with privacy laws and regulations. The biggest change for many website owners came with the introduction of the General Data Protection Regulation (GDPR) in 2018. When GDPR came into effect in the EU, online businesses had to implement cookie banners that […]

The post Why & How to Add a Do Not Sell Button to WordPress appeared first on WPExplorer.

One Year After GDPR: The Lessons Digital Businesses Have Learned

GDPR in a year: changes that have already affected the tech world, ambiguities of GDPR interpretation, and how businesses are supposed to address them.

On May 25, 2018, the General Data Protection Regulation became enforceable in the European Union, and with it anywhere in the world that the data of EU residents is processed. Back in 2018, the majority of tech companies, particularly those in the ad tech industry, were nervous about being unable to adapt their tech stacks to the new standards in time. This was understandable, given that the penalties for violating GDPR were severe: fines of up to €10 million or 2 percent of annual worldwide turnover for lower-tier violations, and up to €20 million or 4 percent for upper-tier violations, whichever amount is higher.

What’s Happening With GDPR And ePR? Where Does CookiePro Fit In?


Suzanne Scacca

(This is a sponsored article.) Is privacy an issue on the web? According to this ConsumerMan piece from NBC News a few years back, it is:

The Internet has become a serious threat to our privacy.
— Jeff Chester of the Center for Digital Democracy
Your online profile is being sold on the web. It's kind of crazy and it's not harmless.
— Sharon Goott Nissim of the Electronic Privacy Information Center
There are no limits to what types of information can be collected, how long it can be retained, with whom it can be shared or how it can be used.
— Susan Grant of the Consumer Federation of America

While there’s been talk of introducing a “Do Not Track” program into U.S. legislation, the EU is the first one to actually take steps to make the Internet a safer place for consumers.

On May 25, 2018, the General Data Protection Regulation (GDPR) became enforceable. The ePrivacy Regulation (ePR) is expected to follow.

With these initiatives holding businesses accountable for the information they track and use online, web developers have to add another thing to their list of requirements when building a website:

The protection of user privacy.

In this post, we’re going to look at:

  • Where we currently stand with GDPR,
  • What changes we’ve seen on the web as a result,
  • What’s coming down the line with ePR,
  • And take a look at the CookiePro Cookie Consent tool, which helps web developers make their websites compliant now.

GDPR: Where Are We Now?

With the one-year anniversary of GDPR upon us, now is a great time to talk about what the updated legislation has done for online privacy.

GDPR Recap

It’s not like the EU didn’t have privacy directives in place before. As Heather Burns explained in a Smashing Magazine article last year:

All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era. It also tightens up requirements for transparency, disclosure, and process: lessons learned from 23 years of experience.

One other key change that comes with moving from the previous privacy directive to this privacy regulation is that it applies directly and consistently across all EU states: a directive had to be transposed into each country's own law, while a regulation does not. This makes it easier for businesses to implement digital privacy policies and for governing bodies to enforce them, since there's no longer any question of how one country has implemented the law. It's the same for all.

What’s more, there are clearer guidelines for web developers that are responsible for implementing a privacy solution and notice on their clients’ websites.

Has GDPR Led to Any Changes in How Websites Handle Data?

It seems as though many companies are struggling to get compliant with GDPR, based on a test done by Talend in the summer of 2018. They sent data requests to over a hundred companies to see which ones would provide the requested information, per the new GDPR guidelines.

Here is what they found:

  • Only 35% of EU-based companies complied with the requests while 50% outside of the EU did.
  • Only 24% of retail companies responded (which is alarming considering the kind of data they collect from consumers).
  • Finance companies seemed to be the most compliant; still, only 50% responded.
  • 65% of companies took over 10 days to respond, with the average response time being 21 days.

What Talend suggests, then, is that digital services (e.g. SaaS, mobile apps, e-commerce) are more likely to fall in line with GDPR compliance. It’s the other companies — those that didn’t start as digital companies or who have older legacy systems — that are struggling to get onboard.

Regardless of what actions have been taken by businesses, they know they must do it.

A 2018 report published by McDermott Will & Emery and Ponemon Institute showed that, despite businesses’ inability to be compliant, they were scared of what would happen if they were found not to be:

Figure: what businesses believed to be the greatest costs of failing to comply with GDPR. (Source: McDermott Will & Emery and Ponemon Institute)

Those that said they feared financial repercussions were right to do so. The GDPR assesses fines based on how severe the infringement is:

  • Lower level offenses result in fines of up to €10 million or 2% of worldwide annual turnover for the prior fiscal year, whichever is higher.
  • Upper level offenses result in fines of up to €20 million or 4%, again whichever is higher.

Some high-profile cases of fines have already popped up in the news, too.

Google received a €50 million penalty for committing a number of violations.

Mainly, the issue taken with Google is that it buries its privacy policies and consent so deep that most consumers never find it. What’s more, a lot of their privacy policies are ambiguous or unclear, which leads users to “Accept” without really understanding what they’re accepting.

Facebook is another company we shouldn’t be too surprised to see in GDPR’s crosshairs.

Their penalty was only £500,000. That's because the fine was issued by the UK Information Commissioner's Office for conduct between 2007 and 2014, before GDPR applied, and £500,000 was the maximum under the UK's earlier Data Protection Act 1998. It'll be interesting to see if Facebook changes its privacy policies in light of the much larger sums it could owe when another inevitable breach occurs.

It’s not just the monetary fine businesses should be nervous about when failing to comply with GDPR.

Stephen Eckersley of the UK Information Commissioner's Office said that, after the GDPR went into effect, the number of data breach notifications rose sharply.

In June of 2018, there were 1,700 breach notifications. Now, the average is roughly 400 a month. Even so, Eckersley estimates that there will be double the number of reports in 2019 compared with previous years (36,000 vs. 18,000).

So, not only are the governing bodies willing to penalize businesses for failure to comply. It seems that consumers are fed up enough (and empowered!) to report more of these violations now.

Let’s Talk About ePR For A Second

The ePrivacy Regulation has not yet become law, but it's expected to soon enough. It was drafted alongside GDPR: GDPR replaced the old Data Protection Directive, and the ePR is meant to replace the 2002 ePrivacy Directive (the "cookie law") and complement GDPR.

The ePR gives effect to Article 7 of the EU Charter of Fundamental Rights (respect for private life and communications); GDPR gives effect to Article 8 (protection of personal data).

Figure: the freedoms laid out by the EU Charter of Fundamental Rights. (Source: EU Charter of Fundamental Rights)

Although they’re separately defined, it’s best to think of ePR as an enhancement of GDPR. So, not only do businesses have to take care with data collected from individuals, the ePR says that they have to be careful with protecting the identity of individuals, too.

As such, when the ePR rolls out, all digital communications between business and consumer will be protected. That includes:

  • Skype chats
  • Facebook messages
  • VoIP calls
  • Email marketing
  • Push notifications
  • And more.

If a consumer has not expressly given permission for a business to contact them, the ePR will prohibit the business from doing so. In fact, the ePR will take it a step further and give consumers more control over cookies.

Rather than display a pop-up consent notice that asks “Is it okay if we use cookies to store your data?”, consumers will decide what happens through their browser settings.

However, we’re not at that point yet, which means it’s your job to get that notice up on your website and to make sure you’re being responsible with how their data is collected, stored and used.

What Web Developers Need To Do To Protect Visitor Privacy

Do a search for "How to Avoid Being Tracked Online":

Figure: a Google search for “How to Avoid Being Tracked Online”. (Source: Google)

There are over 57 million pages that appear in Google’s search results. Do similar keyword searches and you’ll also find endless pages and forum submissions where consumers express serious concerns over the information gathered about them online, wanting to know how to “stop cookies”.

Clearly, this is a matter that keeps consumers up at night.

The GDPR should be your motivation to go above and beyond in putting their minds at ease.

While you probably won’t have a hand in the actual data management or usage of data within the business, you can at least help your clients get their websites in order. And, if you already did this when GDPR initially was enacted, now would be a good time to revisit what you did and make sure their websites are still in compliance.

Just make sure that your client is safely handling visitor data and protecting their privacy before providing any sort of privacy consent statement. Those statements and their acceptance of them are worthless if the business isn’t actually fulfilling its promise.

Once that part of the compliance piece is in place, here’s what you need to do about cookies:

1. Understand How Cookies Work

Websites allow businesses to gather lots of data from visitors. Contact forms collect info on leads. eCommerce gateways accept methods of payment. And then there are cookies:

Cookies are pieces of data, normally stored in text files, that websites place on visitors' computers to store a range of information, usually specific to that visitor — or rather the device they are using to view the site — like the browser or mobile phone.

There are some that collect bare-bones details that are necessary to provide visitors with the best experience. Like preserving a logged-in session as visitors move from page to page. Or not displaying a pop-up after a visitor dismissed it on a recent visit.

There are other cookies, usually from third-party tracking services, that pry deeper. These are the ones that track and later target visitors for the purposes of marketing and advertising.

Regardless of where the cookies come from or what purpose they serve, the fact of the matter is, consumers are being tracked. And, until recently, websites didn’t have to inform them when that took place or how much of their data was stored.

2. Don’t Use Cookies That Are Irrelevant

There’s no getting around the usage of cookies. Without them, you wouldn’t have access to analytics that tell you who’s visiting your website, where they come from and what they’re doing while they’re there. You also wouldn’t be able to serve up personalized content or notifications to keep their experience with the site feeling fresh.

That said, do you even know what kinds of cookies your website uses right now?

Before you go implementing your own cookie consent notice for visitors, make sure you understand what exactly it is you’re collecting from them.

Go to the CookiePro website and run a free scan on your client’s site:

CookiePro offers a free website privacy scan. (Source: CookiePro)

After you enter your URL and start the scan, you’ll be asked to provide just a few details about yourself and the company. The scan will start and you’ll receive a notice that says you’ll receive your free report within 24 hours.

Just to give you an idea of what you might see, here are the report results I received:

CookiePro runs a scan on all data collection elements and trackers. (Source: Cookie Consent)

As you can see, CookiePro does more than just tell me how many or which cookies my website has. It also includes forms that are gathering data from visitors as well as tags.

Be sure to review your report carefully. If you’re tracking data that’s completely unnecessary and unjustified for a website of this nature to get ahold of, that needs to change ASAP. Why put your clients’ business at risk and compromise visitor trust if you’re gathering data that has no reason to be in their hands?

CookiePro’s cookies report tells you what purpose they serve and where they come from. (Source: Cookie Consent)

Note: if you sign up for an account with CookiePro, you can run your own cookie audit from within the tool (which is part of the next step).

3. Provide Transparency About Cookie Usage

GDPR isn’t trying to discourage businesses from using cookies on their websites or other marketing channels. What it’s doing, instead, is encouraging them to be transparent about what’s happening with data and then be responsible with it once they have it.

So, once you know what sort of cookies you’re using and data you’re handling, it’s time to inform your visitors about this cookie usage.

Keep in mind that this shouldn’t just be served to EU-based visitors. While those are the only ones protected under the regulation, what could it hurt to let everyone know that their data and identity are protected when they’re on your website? The rest of the world will (hopefully) follow, so why not be proactive and get consent from everyone now?

To provide transparency, a simple entry notice is all you need to display to visitors.

For example, here is one from Debenhams:

This is an example of a cookies notice found on the Debenhams website. (Source: Debenhams)

As you can see, it’s not as simple as asking visitors to “Accept” or “Reject” cookies. They’re also given the option to manage them.

To add your own cookies entry banner and advanced options, use CookiePro’s Cookie Consent tool.

Signup is easy — if you start with the free plan, it takes just a few seconds to sign up. Within an hour, you’ll receive your login credentials to get started.

A peek inside the CookiePro Cookie Consent Dashboard. (Source: Cookie Consent)

Before you can create your cookie consent banner, though, you must add your website to the tool and run a scan on it. (You may have already completed that in the prior step).

When the scan is complete, you can start creating your cookie banner:

Creating a cookie banner within the Cookie Consent tool. (Source: Cookie Consent)

By publishing a cookie consent banner to your website, you’re taking the first big step to ensuring that visitors know that their data and identity are being protected.

4. Make Your Cookie Consent Form Stand Out

Don’t stop at simply adding a cookie banner to your website. As Vitaly Friedman explained:

In our research, the vast majority of users willingly provide consent without reading the cookie notice at all. The reason is obvious and understandable: many customers expect that a website ‘probably wouldn’t work or the content wouldn’t be accessible otherwise.’ Of course, that’s not necessarily true, but users can’t know for sure unless they try it out. In reality, though, nobody wants to play ping-pong with the cookie consent prompt and so they click the consent away by choosing the most obvious option: ‘OK.’

While ePR will eventually rid us of this issue, you can do something about it now — and that’s to design your cookie consent form to stand out.

A word of caution: be careful with using pop-ups on a mobile website. Although consent forms are one of the exceptions to Google’s penalty against entry pop-ups, you still don’t want to compromise the visitor experience all for the sake of being GDPR compliant.

As such, you might be better off using a cookie banner at the top or bottom of the site and then designing it to really stand out.

What’s nice about CookiePro is that you can customize everything, so it really is yours to do with as you like. For example, here is one I designed:

A preview of a cookie consent banner built with Cookie Consent. (Source: Cookie Consent)

You can change:

  • Text color
  • Button color
  • Background color.

You can write your own copy for each element:

  • Header
  • Message
  • Cookie policy note
  • Cookie policy settings
  • Accept button.

And you get to decide how the banner will function if or when visitors engage with it.

5. Educate Visitors on Cookies

In addition to giving your cookie consent banner a unique look, use it as a tool to educate visitors on what cookies are and why you’re even using them. That’s what the Cookie Settings area is for.

With Cookie Consent, you can inform visitors about the different types of cookies that are used on the website. They then have the choice to toggle different ones on or off based on their comfort level.

That’s what’s so nice about CookiePro taking care of the cookie scan for you. That way, you know what kinds of cookies you actually have in place. All you have to do, then, is go to your Cookie List and choose which descriptions you want to display to visitors:

CookiePro lets you educate visitors about cookies used on the site. (Source: Cookie Consent)

Just make sure you explain the importance of the most basic of cookies (“strictly necessary” and “performance”) and why you recommend they leave them on. The rest you can provide explanations for in the hopes that their response will be, “Okay, yeah, I’d definitely like a personalized experience on this site.” If not, the choice is theirs to toggle on or off which kinds of cookies they want to be shown. And the Cookie Consent tool can help.

In other words, a cookie consent bar is not some superficial attempt to get consent. You’re trying to help them understand what cookies do and give them the power to influence their on-site experience.

Wrapping Up

There’s a lot we have to be thankful for with the Internet. It closes geographic gaps. It presents new opportunities for doing business. It enables consumers to buy pretty much anything they want with just a few clicks.

But as the Internet matures, the ways in which we build and use websites become more complex. And not just complex, but risky too.

GDPR and ePR have been a long time coming. As websites gather more data on consumers that can then be used by third parties or to follow them to other websites, web developers need to take a more active role in abiding by the new regulations while also putting visitors’ minds at ease. Starting with a cookie consent banner.

Smashing Editorial (ms, yk, il)

Bringing Certainty to The Uncertainty of Brexit

These are tough times for businesses in the EU. Is the UK going to be in or out? Will it be a managed deal or no deal? Will it happen next week, next month, or never? What's the latest twist in the tale? Quite simply, businesses are finding it difficult to plan anything when everything is up in the air, and no one can confirm what will happen next.

All of which is making many businesses wary of making a decision to invest in their IT infrastructure. So much so that a survey by Beaming at the beginning of this year found that 53% of small to medium-sized businesses in the UK, and 77% of larger organizations, had put at least one IT project on hold due to Brexit concerns. The picture is likely to be the same right across the EU, so a lot of IT initiatives are in a holding pattern until clarity emerges from the confusion.

Privacy UX: Better Cookie Consent Experiences

Vitaly Friedman

With the advent of the EU General Data Protection Regulation (GDPR) in May 2018, the web has turned into a vast exhibition of consent pop-ups, notifications, toolbars, and modals. While the intent of most cookie-related prompts is the same — to get a user’s consent to keep collecting and evaluating their behavior the same ol’ way they’ve been doing for years — implementations differ significantly, often making it ridiculously difficult or simply impossible for customers to opt out from tracking.

On top of that, many implementations don’t even respect users’ decisions anyway and set cookies despite their choices, assuming that most people will grant consent regardless.

Admittedly, they aren’t entirely wrong. In our research, the vast majority of users willingly provide consent without reading the cookie notice at all. The reason is obvious and understandable: many customers expect that a website “probably wouldn’t work, or the content wouldn’t be accessible otherwise.” Of course, that’s not necessarily true, but users can’t know for sure unless they try it out. In reality, though, nobody wants to play ping-pong with the cookie consent prompt, and so they click the consent away by choosing the most obvious option: “OK.”

Note: It’s important to understand that cookies and consent mechanisms discussed in this article go beyond GDPR. In Europe, they are addressed by a separate piece of legislation, the ePrivacy Directive, which is currently in draft for a revamp (as of April 2019). It may be finalized by summer 2019. We do not know what its final form will take, but it will determine the future of cookie consent prompts.

Now, with this common behavior online, what might come across is that cookie prompts aren’t particularly useful, and that’s partly true. But they certainly helped raise awareness about privacy and data collection on the web. In fact, users now know that websites track their data, which they weren’t aware of a few years ago. But they often see it as a necessary evil in exchange for accessing the content “for free.”

It’s not that users always happily share their personal data, but they don’t really feel that revoking consent is a viable alternative. To many of them, the only reasonable option is to provide consent while opting in for an ad-blocker extension or any other tracking blocker in their browser.

Cookie consent pop-ups don’t have to be tiny and unreadable. We could try to integrate them into our overall experience too. Case in point: Oreo, with an Oreo cookie displayed as a cookie consent prompt.

Since cookie consent prompts always stand in the way of the content, they are often dismissed almost instinctively, not unlike carousels during onboarding. Hence, from the designer’s perspective, spending weeks refining that one-of-a-kind prompt might be a waste of time. (Sorry for crushing your dreams at this point.)

Iamsterdam.com allows visitors to adjust cookie settings and explains the different types of cookies, with an option to easily opt out from certain ones.

Since many websites heavily rely on collecting data, running A/B tests, and serving users with targeted advertising, often the design of the cookie consent notice is heavily influenced by business requirements and business goals. Is it acceptable for the business to allow users to quickly dismiss all tracking? Which cookies are (apparently) required for the site to work, and which ones are optional? Which cookies should be selected for approval by default, and which ones would require a manual opt-in? Should the customer be able to easily revoke the consent once it’s provided, and if so, how exactly would it be done if they don’t have an account on the site?

These business decisions have a major impact on design decisions, although from the user’s side, the optimal design would be quite obvious: no cookie consent at all. That would mean, for example, that users could define privacy settings in their browsers, and choose what cookies they’d like to provide consent to. The browser would then send a hint to each website a user chooses to visit and automatically opt-in or opt-out cookie settings, depending on the provided preferences.

In fact, a Do Not Track (DNT) header is already implemented and widely supported by browsers (although it was removed from Safari to prevent potential use for fingerprinting), yet there is no established mechanism for transforming this preference into a granular selection of accepted cookie groups. It shouldn’t be very surprising that most advertisers wouldn’t be particularly happy about this pattern gaining traction either, but perhaps it could be a slightly better way forward, toward what users actually prefer: no cookie consent prompt at all.

Admittedly, users sometimes find a way around anyway. Some users who already use an ad-blocker are using a cookie prompt blocker as well. The latter, however, usually grants full consent on the user’s behalf by default. Obviously, it goes against the very purpose of the cookie prompt in the first place, and ideally such extensions would automatically opt in only for essential cookies while opting out of everything else (if it’s possible at all).

As designers, though, we have a legal obligation to explain what happens to a user’s data and how it will be stored within the mandate of provided business requirements. As Geoffrey Keating mentioned in his article, “The Cookie Law and UX,” focusing specifically on legislation in Ireland, according to the Office of the Data Protection Commissioner, “the minimum requirement is clear communication to the user as to what he/she is being asked to consent to in terms of cookies usage and a means of giving or refusing consent.”

It’s worth noting that consent has to be “unambiguous” and “freely given,” as it must “leave no doubt as to the data subject’s intention, should be an active indication of the user’s wishes and can only be valid if the data subject is able to exercise a real choice.” Hence, silent, pre-ticked checkboxes or inactivity shouldn’t constitute consent.

This might sound obvious, but some solutions explore the uncharted legal territory that’s left for interpretation. For instance, sometimes the website visitor “automatically submits a cookie consent by clicking a link on the website”, and sometimes you can choose which actions are “obvious enough” for you to perceive them as a silent consent. Obviously, this isn’t an informed decision and such technique rightly belongs to the realm of mischievous culprits that should be avoided at all costs.

With this in mind, there are a couple of options we could consider:

Avoid Optional Cookies And Keep Only Functional Ones: No Prompt Required

It might appear that every single website needs to display a cookie consent notice to their European visitors, but if your website doesn’t collect, track, and evaluate any personal data from users, or it collects only anonymous data, you may not need one. In fact, one of the fundamental principles of the Privacy by Design framework is that non-essential cookies should be off by default and the user needs to actively opt in.

Now, cookies might be required for maintaining the logged-in state or user preferences, for example, and according to EU regulations you don’t need explicit consent for that. That’s also why many prompts have functional cookies enabled by default, without an option to disable them. And some sites, like GOV.UK, merely inform users about cookies, not requiring any input at all, but also not providing a choice to opt out from the optional Google Analytics cookie.

GOV.UK stores at least 18 cookies, and many of them are required for a better experience; e.g. to track progress when applying for a licence, multivariate testing, making secure connections to websites, YouTube videos, email subscription updates. However, only one cookie is optional: Google Analytics (anonymized).

Not every website can get away without ad-related third-party cookies, though. One seemingly light way out would be to add a plain notification such as “By using our website, you are consenting to our use of cookies.” But this alone isn’t enough. As we need an active indication of the user’s consent, we have to require some sort of unambiguous action. For that reason, some sites add a “close” icon, making the consent box appear as a notification that can be dismissed. To ensure a more obvious acknowledgement, it’s a good idea to replace the “close” icon with a button. In many implementations, the button would simply say “Close” or “Save” or “Continue,” although “Accept and continue” is more clear.

In most cases, the notification doesn’t disappear until it is acted upon, hence being the very first thing that users see when visiting any page on the website. Do you need user consent on every page, though? You could be more selective and ask for the cookie consent only when it’s actually required; for example, when the user is setting up an account or wants to save their settings.

Twitter informs its visitors about the cookies used, but there is no option to adjust cookie preferences. The prompt will be clicked away by clicking on the ‘×’ in the top-right corner. Beware, however: some people see it as consent, while others see it as postponing the decision for a later time, similar to snoozing notifications.

JetBrains chose to display a plain text-only prompt as if it were in a terminal window. There are balanced options to opt in or opt out of cookie consent.

Allowing Users To Adjust Privacy Settings

While the previous option dictates complete obedience or complete lock-out, you could be more empathetic to the user’s intent. The user might have strong feelings about the exposure of their personal data, so providing a way out — not dissimilar to the personal questions we mentioned earlier — could keep them on the site. To achieve that, we could add an option to change settings, followed by an overview of different groups of cookies, with some of them being required for the site to function flawlessly, and others being optional.

The grouping could relate to the purpose of cookies such as advertising, analytics and statistics, or testing. It could also be much broader, allowing users to choose between “I am OK with personalized ads” or “I do not want to see personalized ads”. It’s also a good idea to explain to the user which features on the site will be unavailable once a certain group of cookies is blocked. TrustArc does that with a slider, allowing for a number of privacy levels, from allowing only required cookies to functional cookies to advertising cookies, while also showing its impact on the overall functionality of the site.

On Nielsen Norman Group, all cookies are grouped. Necessary cookies can’t be opted out of, but all other groups can be dismissed with a few taps. Ideally, there’d be a way to opt out from all optional ones at once.

Tabbed groups for cookies on MailChimp.

The Guardian provides clear options which have equal weight on the ‘Your privacy’ page (not in the initial prompt, though). The modal on the front page is large but it provides clear options.

The Daily Mash provides an option to adjust privacy settings (albeit de-emphasized), and in the settings panel visitors can easily reject or accept all cookies. Also, ‘Save & Exit’ is a very clear label for a button at the bottom. The experience might not be delightful, but it’s pretty clear.

MyFitnessPal, powered by TrustArc, displays a slider which explains which functionality is allowed or disallowed with every group of cookies.

A fantastic pattern on how a cookie settings dashboard could be designed to improve transparency. A mock-up by Matthias Ott and Joschi Kuphal built at the last @indiewebcamp in Dusseldorf. You can also download the Adobe XD source file, kindly provided by the authors.

In terms of layout, the prompt could be subtle and hardly noticeable, or obvious and difficult to ignore. We could place it in the header of the page, or at the bottom of the viewport, or we could also position it in the center of the page as a modal. All of these options could be floating and persistent as the user scrolls the page, thereby blocking access to a portion of the content (or entire content) until consent is granted.

De Telegraaf, for example, places a verbose cookie consent in the middle of the page, blurring out the content underneath, literally hijacking the page and standing in the way. It shouldn’t be a big revelation that from all the options we’ve tested, this one seems to be the most annoying one to users. In general, subtle prompts should be preferred, and the less space they need to be displayed, the better the overall user’s reaction has been.

It’s becoming common to blur out the content while displaying a cookie consent prompt. This technique brings focus to the prompt, but it also makes visitors more likely to click it away, often trading privacy for access to content. A slightly more subtle prompt would be more effective and helpful as users might browse around and leave without committing. Example: Telegraaf.nl.

Blurring out the content is rarely a good idea. Also, there’s a very clear primary action and secondary action in play here. It doesn’t look like a fair choice between the two options. Example: Pathe.nl.

Can you spot the cookie? A little notification in the bottom-right corner asks for the user’s consent on Empirebio.dk.

On HoistGroup, there is no way to dismiss cookies — they are required, and there is no way out.

On Zeit Online, there is no way to dismiss cookies — they are required, and there is no way out.

Ticketveiling.nl displays a cookie prompt at the bottom, but also a chat widget. Only one interviewed person expected that the chat was there to provide help with the cookie settings. It’s probably a good idea not to display the widget alongside the cookie consent prompt, though.

Appearance And Wording On Buttons

We also need to give some thought to the appearance of the consent form, especially to the design of buttons and the wording on those buttons. Wording such as “Just proceed” or “Save and Exit” or “Continue using the site” nudges users to move on with a default option, and in fact, many users are likely to do just that. It’s more respectful to have two buttons, a primary one for granting consent, and a secondary one for adjusting settings, with both buttons having neutral microcopy such as “Accept” and “Reject,” or “Okay” and “No, thanks.” That’s the path we’ve chosen with Smashing Magazine.

Accept or dismiss. It shouldn’t be harder than that.

NHS provides very clear options to accept cookies or ‘Turn cookies off’.

Large radio buttons to select what kind of cookies the visitor accepts. A fantastic example of privacy settings designed in an honest and transparent way. The only missing bit is to opt out from all optional cookies by default. Example: NHS.

Accept or reject with a single tap, although both options don’t have the same weight. Example: Fandom.com.

Of all the options, users felt particularly pleased with and appreciative of the option to reject all cookies with a single click on a button. Some users were surprised that this option was even provided, and while a majority chose to grant consent, every fifth user refused consent. By doing so, they assumed the website would be fully functional without cookies, and rightfully so.

Not many users would consider revoking or adjusting cookie settings after granting consent, but when asked to do so, they expected to find the options in the header or the footer of the website, either in the privacy policy or in the cookie policy. It’s not very surprising, and of course that’s where we need to place the options to adjust settings should the user wish to do so.

By default, all options on the Jamie Oliver website are off, with an option to turn them on. However, the main call-to-action button is ‘Accept recommended settings’, which turns all toggles on. The option to proceed without cookies is positioned at the very bottom of the page, with a subtle ‘Close’. It’s probably not obvious enough, and another button at the top would be more helpful.

Users Understand When They Are Being Tricked

So far, the entire experience should be quite straightforward, right? Well, if a business model heavily relies on collecting and tracking data, you might be forced into shady areas where selecting anything but the easiest option is confusing and generates a lot of work. In our interviews, users could easily see through the companies’ agendas, even saying something along the lines of “Ah, I see what you did there.” Some things were less obvious than others, though.

Whenever the cookie consent suggested an option to review cookies or adjust cookie settings, users expected to see an overview of all cookies and be able to adjust which cookies should be allowed to be set and which not. In terms of interface design, usually it’s done with tabbed sections within a cookie consent widget, with some groups selected by default. It’s common to see functional cookies, analytics cookies, advertising cookies, and website settings cookies. This level of granular control isn’t often expected but it’s considered to be helpful and friendly, and as such preferred — however, only if the entire category of cookies could be unselected at once, with a single tap on a single checkbox.

Oddly enough, some implementations go to extremes, providing users with an overwhelming overview of every single cookie set by third parties. It’s not uncommon for all of them to be opted in by default, and opting out requires a tap on every single one of them, one by one. It might not seem like a big deal with five cookies, but it’s a monstrosity with over 250 cookies generously provided by dozens of trackers on the site. In such cases, many users gave up after a few opt-outs, providing full access to their data and moving on.

What would you expect to happen when clicking on the ‘close’ icon? How is a click on a button different from a click on the cross? Is there a difference? On Kayak, users were confused during the test.

Unfortunately, that’s just scratching the surface. Imagine a cookie settings prompt with a “Close ×” button. What behavior would you expect from clicking “Close”? Would you expect the prompt to be dismissed and then eventually reappear? Or would you expect all tracking scripts to be opted out by default? Opted in? Unsurprisingly, most users weren’t even thinking that far — they just wanted the pop-up to disappear. Nobody expected the trackers to be opted out by default, yet many users felt that it was a “temporary thing” that would show up again “at some point.” In practice, almost all of the time, closing the prompt was perceived by website owners as user consent and, in fact, all cookies were stored to their full extent. That’s not necessarily what the user was expecting.
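To make the consent semantics discussed above concrete, here is an added example (not code from this article or from any consent-management vendor) of a small browser-side consent model: optional categories are off until the visitor decides, closing the prompt grants nothing, rejecting everything is a single action, and a stored decision is re-asked when the policy version changes or the record expires. The category names, the record format and the one-year lifetime are assumptions.

```javascript
// Added example, not the article's or any vendor's code. Category names, the
// stored record format and the 365-day lifetime are assumptions.
const CATEGORIES = ["necessary", "performance", "analytics", "advertising"];
const OPTIONAL = CATEGORIES.filter((c) => c !== "necessary");
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Privacy by Design starting point: before the visitor decides anything, only
// strictly necessary cookies are allowed. "decided" records whether an
// unambiguous choice has been made yet.
function defaultConsent() {
  return { necessary: true, performance: false, analytics: false, advertising: false, decided: false };
}

// Turn one interaction with the banner into a consent record.
//   action:     "accept_all" | "reject_all" | "save" | "close"
//   selections: for "save", { category: boolean } read from checkboxes that are
//               rendered unticked, so a missing key means "not consented".
function resolveConsent(action, selections = {}) {
  const consent = defaultConsent();
  switch (action) {
    case "accept_all":
      for (const c of OPTIONAL) consent[c] = true;
      consent.decided = true;
      break;
    case "reject_all":
      // One click refuses every optional category; necessary stays on.
      consent.decided = true;
      break;
    case "save":
      for (const c of OPTIONAL) consent[c] = selections[c] === true;
      consent.decided = true;
      break;
    case "close":
    default:
      // Dismissing the prompt is not an active indication of the visitor's
      // wishes, so nothing is granted and the decision remains open.
      break;
  }
  return consent;
}

// Gate a tracker on the category it belongs to. Unknown categories are an
// error rather than being silently allowed.
function mayLoad(category, consent) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  return consent[category] === true;
}

// Persist a decided record together with the policy version and a timestamp
// (the record itself would live in a first-party cookie or localStorage).
function serializeConsent(consent, policyVersion, now = Date.now()) {
  const choices = {};
  for (const c of OPTIONAL) choices[c] = consent[c] === true;
  return JSON.stringify({ v: policyVersion, ts: now, choices });
}

// Read a stored record back. Anything malformed, written under a different
// policy version, or older than maxAgeMs yields the undecided default, so the
// visitor is asked again instead of being silently opted in.
function parseStoredConsent(raw, policyVersion, now = Date.now(), maxAgeMs = ONE_YEAR_MS) {
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return defaultConsent();
  }
  if (!record || typeof record !== "object" || record.v !== policyVersion) return defaultConsent();
  if (typeof record.ts !== "number" || now - record.ts > maxAgeMs) return defaultConsent();
  if (!record.choices || typeof record.choices !== "object") return defaultConsent();
  const consent = defaultConsent();
  for (const c of OPTIONAL) consent[c] = record.choices[c] === true;
  consent.decided = true;
  return consent;
}
```

In a page, each third-party script tag would be injected only after `mayLoad()` returns true for its category, and the banner would be shown whenever the parsed record is still undecided.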

A slightly confusing experience on Speisekarte.de, with an option to accept or ‘deselect all’ options in the top-left corner, in the same color, with a delimiter > in between. Also, the wording ‘Agree and Proceed’ or ‘Learn more’ isn’t obvious.

The wording on buttons and links caused major confusion for users. On Speisekarte.de, you can either “Agree and Proceed” (primary, large green button) or “Learn more” (subtle grey link, not even underlined). What would you expect to appear after clicking “Learn More”? While many users expect a privacy policy to appear, the action actually prompts the management of cookies, with 405 ad selection, delivery, and reporting partners, 446 information storage and access partners, 274 content selection, delivery, and reporting partners, 372 measurement partners and 355 personalization partners. “Agree and Proceed” grants access to the storage and evaluation of customers’ personal data for 1,852 partners. That’s not too shabby, is it?

It’s not obvious that the listing area for all those partners is scrollable at all, and there is no obvious way to unselect all of them. Would you find it enjoyable to manually opt out 1,852 toggles, one by one? Probably not. As it turns out, you can “deselect all” partners in the top-left corner of the window — however, this option is conveniently presented in a way that resembles breadcrumb navigation rather than a button. And, of course, all partners are opted in by default. That’s deceptive, dishonest, and disrespectful.

Once you get into the habit of rejecting cookies by default, you can find a number of shady and questionable practices that seem to be widespread. Sometimes companies place Facebook and Twitter tracking cookies in the “Necessary” category. Sometimes the option to reject cookies is conveniently hidden behind an extra “Manage” option. And sometimes there is an option to opt out from analytics, but a user is automatically opted in for “Anonymous analytics.”

Some companies go beyond that, inventing new ways of doing business should the user wish to avoid tracking. Sometimes this takes the form of a “Premium EU Subscription” without on-site advertising and tracking scripts, sometimes the website is simply unavailable, and sometimes there is a separate “EU experience” (which, frankly, is much faster and more lightweight than its non-EU counterpart). Not a single person accessing the site appreciated either of these options. That shouldn’t be a big revelation, but there is a significant number of users who, confronted with such treatment, have nothing left to do but leave the site in search of alternatives.

USA Today provides an EU experience which happens to be much cleaner and faster than the original one. For EU visitors, the 'site does not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union.'

The Washington Post has introduced a 'Premium EU Subscription' that doesn’t contain any on-site advertising or third-party ad tracking.

For a while, Los Angeles Times displayed a message stating that the website was unavailable in most European countries.

Guidelines And Strategies For Better Design

According to the EU regulation, each cookie, its provider, purpose, expiry date, and type should be explained and elaborated in detail in a privacy policy, and many services such as TrustArc, IAB Consent Framework, Cookiebot, OneTrust, Cookie Consent, and many others provide this feature out of the box. They also provide an option to customize which groups of cookies should be presented as choices to the user, and while the default experience is decent, often it can be used to make it unnecessarily difficult for the customer to adjust their settings.

Sourceforge privacy settings: clear options, honest experience, transparent interface. A great example on Sourceforge.

At the end of the day, we need to provide good experiences while also achieving our business goals. We can do that with a series of steps:

  1. We need to audit and group all cookies required on the site;
  2. We need to decide how each of these groups would be labelled, which ones would be required, and which would be optional;
  3. We need to understand what impact disabling a group of cookies would have on the functionality of the site, and communicate each choice to the user;
  4. Last but not least, we need to decide what settings should be selected by default, and what customization options we want to present to the user.

The simplest design pattern seems to be obvious. If you need user consent, display a narrow notification notice in the header or at the bottom of the viewport. No need to blur out or darken the content to make the notification noticeable; just make sure it doesn’t blend in with the rest of the site. If possible, allow users to accept or reject cookies with two obvious buttons: “Okay” and “No, thanks.” Otherwise, provide an option to adjust settings, following an overview of cookie categories. There, you have to make the consequences of each choice for the website’s functionality obvious, and enable users to “Approve all” or “Reject all” cookies at once — for the entire site, and for each category.
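The four steps and the “Okay” / “No, thanks” pattern above, as an added example that is not code from the article: a small consent model in which nothing but the “necessary” category runs until the visitor actually decides, closing the prompt counts as no decision, and a stored decision is honoured only while the cookie audit it was made under is still current. The category names, the script catalog, the storage key and the policy version are constructed for illustration.

```javascript
// Added example (not from the article). Category names, catalog, storage key
// and policy version are constructed assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing", "personalization"];
const POLICY_VERSION = "2024-01"; // bump whenever the cookie audit changes
const STORAGE_KEY = "cookie-consent";

// Steps 1 and 2: the audit assigns every script exactly one category.
// Constructed catalog; the URLs are placeholders.
const SCRIPT_CATALOG = [
  { id: "session", category: "necessary", src: "/js/session.js" },
  { id: "stats", category: "analytics", src: "https://stats.example/s.js" },
  { id: "ads", category: "marketing", src: "https://ads.example/a.js" },
  { id: "recs", category: "personalization", src: "/js/recs.js" },
];

// Step 4: before any decision only "necessary" may run. Closing or ignoring
// the prompt leaves this state untouched, so it never counts as consent.
function defaultState() {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === "necessary";
  return { decided: false, policyVersion: POLICY_VERSION, timestamp: null, categories };
}

// Record a decision: "necessary" is always on, everything else only if chosen.
function withDecision(choices) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === "necessary" || Boolean(choices[c]);
  return { decided: true, policyVersion: POLICY_VERSION, timestamp: Date.now(), categories };
}

// The two obvious buttons: "Okay" and "No, thanks".
function acceptAll() {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return withDecision(all);
}
function rejectAll() {
  return withDecision({});
}

// Per-category toggle on the settings screen.
function setCategory(state, category, allowed) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "necessary") return state; // cannot be switched off
  return withDecision({ ...state.categories, [category]: Boolean(allowed) });
}

// Persistence through a tiny get/set adapter (a Map in tests, localStorage in
// the browser). A stored record is honoured only if it was made under the
// current policy version; otherwise the visitor is asked again.
function saveState(storage, state) {
  storage.set(STORAGE_KEY, JSON.stringify(state));
}
function loadState(storage) {
  const raw = storage.get(STORAGE_KEY);
  if (!raw) return defaultState();
  try {
    const rec = JSON.parse(raw);
    if (!rec || rec.decided !== true || rec.policyVersion !== POLICY_VERSION) return defaultState();
    const restored = withDecision(rec.categories || {});
    restored.timestamp = rec.timestamp; // keep the original consent time for the audit trail
    return restored;
  } catch (e) {
    return defaultState();
  }
}

// Step 3: only scripts whose category is switched on are loaded at all.
function scriptsToLoad(state, catalog = SCRIPT_CATALOG) {
  return catalog.filter((s) => state.categories[s.category] === true).map((s) => s.id);
}

function shouldShowPrompt(state) {
  return !state.decided;
}

// Browser wiring (skipped under Node): inject only the allowed <script> tags.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const storage = { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) };
  const allowed = scriptsToLoad(loadState(storage));
  for (const s of SCRIPT_CATALOG.filter((s) => allowed.includes(s.id))) {
    const el = document.createElement("script");
    el.src = s.src;
    document.head.appendChild(el);
  }
}
```

The settings screen would call `setCategory` per toggle and `saveState` on confirmation; the banner’s “Okay” and “No, thanks” buttons map to `acceptAll` and `rejectAll`.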

Where to place the notification notice? The position doesn’t seem to really matter — it didn’t make any difference in decision-making. The overlay covering half of the page, however, was perceived as the most annoying option — and it shouldn’t be too surprising as it literally blocks a large portion of the content on the page. Most users almost instinctively know what they are presented with, and they also know what action they’d prefer to take to get on with the site, so lengthy explanations are ignored or dismissed as swiftly as push notifications or permission requests.

In the next article of the series, we’ll look into notifications UX and permission requests, and how we can design the experience around them better — and with user’s privacy in mind.

A kind thank you to Heather Burns for reviewing this article before publication.

Smashing Editorial (yk, il)

GDPR Compliance: How Continuous Vulnerability Scanning Is Key

Even months after the interest in GDPR compliance peaked, some companies are struggling to make sure they comply with this new set of regulations aimed at protecting the privacy and security of European citizens. The regulation applies to businesses anywhere as long as their users are in the EU, and with the highest penalties potentially reaching the millions of euros, they’re right to worry.

Take the case of British Airways, for example. On September 6th, 2018, the airline announced that it had suffered a breach that affected around 380,000 users, and that part of the stolen data included personal and payment information.

The DPO: Not Just for GDPR Anymore

They’re the “hottest tech ticket in town,” according to Reuters. Now, with GDPR — after two years of scrambling (and yes, some denial) within affected organizations, it finally went into effect in May — data protection officers are now officially part of the C-Suite.

After years of the DPO already being the norm in countries like Germany, France, and Sweden, Article 37 of GDPR specifically calls on all organizations involved in the handling of EU resident data to appoint a data protection officer, who shall among other things train and empower organizations and relevant employees on GDPR requirements, monitor for compliance, and conduct audits.

Top eCommerce Payment Gateways for WordPress

Okay, so you’ve created a kickass design, your site’s running in tip-top shape, and your visitors are more than ready to convert. What more could you ask for?

But then your soon-to-be-customers get to the payment gateway and don’t see their preferred provider listed. Or there’s a security warning that’s thrown them off-guard. Or, even worse, they change their minds, want to go back to the site to add another item to their cart, but they realize they’re no longer on your site and don’t know how to get back.

So, what can you do to ensure that UX issues like the ones mentioned above don’t keep your visitors from converting? There’s really only one thing you can do: choose a payment gateway provider (or providers) that will provide a reliable and secure experience.

In this post I’m going to:

  • Explain what payment gateways are and how they work
  • Show you some popular payment gateways, how much they cost and how to use them
  • Talk about how you can integrate these payment gateways with WordPress

If you already know what a payment gateway is, feel free to skip ahead to the section on popular gateways and WordPress integration. :)

What Is a Payment Gateway?

To briefly describe what a payment gateway is, it’s a third-party tool that evaluates and processes payments from your customers. So, rather than set up a basic contact form that requires customers to fill in their information to place an order—which you would then need to manually process on your end—the payment gateway handles it on your behalf.

There are a number of benefits to using a payment gateway. The time savings is obviously one of them. There’s also the matter of PCI compliance. And there’s the flexibility in payment types you can accept by using a payment processing tool.

Of course, like with any other third-party system you bring into your WordPress site, there are a number of things that must be taken into consideration. Here is what you will need to think about:

Cost

With most third-party integrations, there’s almost always an upfront cost associated with it. However, when it comes to payment processors, you also need to take a closer look at the fine print as there are fees you’ll need to pay for each transaction processed. There are some that also charge your customers a fee in order to use the payment gateway—and nothing screams “depart this transaction immediately” more than an unexpected cost.

Payment Location

Some payment gateways enable users to add the payment gateway directly onto their site through an API. This can be a good thing as it prevents that feeling of disruption as visitors are shuttled to a different website to enter their payment information. However, there are some payment gateway providers that are so well-known and trusted (think of PayPal) where the disruption might not matter that much if customers feel more confident submitting payment information through that site instead of your own.

That’s ultimately what you need to keep in mind here: what will your customers be more comfortable with. Do they want one seamless process that occurs entirely on your site or would they be more comfortable paying through a well-known provider? You can use A/B testing to see which option leads to higher conversions or you can solicit feedback from your customers and ask them directly what they prefer.

Merchant Account

You may run into a number of payment processors who require you to have a separate merchant account into which funds are deposited, which means yet another step you have to take care of in order to get your online payment system up and running. However inconvenient that may seem right now, though, it’s important to note that payment gateways that don’t require merchant accounts and are willing to deposit funds directly into your account are more likely to charge you a higher processing fee.

Security

Obviously, this point can’t be stressed enough, as security shouldn’t stop even if the purchase experience is handed over to another party. Your payment gateway should be just as secure to use as your own website, if not more so. This means they need an SSL certificate, additional encryption, and must be PCI compliant.
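One practical consequence of handing payments to a PCI-compliant gateway is that card numbers should never reach your own server: the browser exchanges them for a gateway token (the client-side tokenization the Stripe entry below mentions) and your site only ever sees that token. As an added example that is not code from the article or from any gateway, here is a server-side intake check that rejects an order submission if any field carries something that looks like a card number and insists on a token instead; the field names, the `tok_`/`pm_` token prefixes and the sample payloads are assumptions made for illustration.

```javascript
// Added example (not from the article). Token prefixes and field names are
// assumptions; the sample card number is Stripe's public test card.

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like" a card number if, once spaces and dashes are removed,
// it is 13 to 19 digits that pass Luhn. Ordinary order ids rarely do.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk every field of the submitted order. Reject the request if any field
// carries a PAN (reporting only the field path, never the value, so nothing
// sensitive ends up in logs) and require a gateway token otherwise.
function validateOrderPayload(payload) {
  const tainted = [];
  const walk = (obj, path) => {
    for (const [k, v] of Object.entries(obj || {})) {
      const here = path ? `${path}.${k}` : k;
      if (v && typeof v === "object") walk(v, here);
      else if (looksLikePan(v)) tainted.push(here);
    }
  };
  walk(payload, "");
  if (tainted.length > 0) {
    return { ok: false, reason: `raw card data in field(s): ${tainted.join(", ")}` };
  }
  const token = payload && payload.paymentToken;
  if (typeof token !== "string" || !/^(tok|pm)_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, reason: "missing gateway payment token" };
  }
  return { ok: true, token };
}
```

A route handler would run `validateOrderPayload` on the parsed form body before doing anything else with the order; a rejection is also worth alerting on, because it usually means a checkout form is posting card fields to the wrong place.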

Countries Accepted

The first thing to do before signing with any payment processor is to check your site’s analytics. This will tell you which countries your visitors are located in, so you can include country-compatible payment methods, currencies, and translations in your payment gateway.

Taxes

If you’re collecting revenue through your site, you need an easy way to collect the appropriate amount of taxes. While there will, of course, be local taxes, you’ll also have to be aware of country or region-specific taxes, like the value-added tax (VAT) in the EU. So, if you know you’re going to sell goods out of state or country, your payment gateway should be equipped to calculate those taxes for you.

Automated Payments

For product sales, this might not be something you need to worry about. However, for those of you offering a recurring service or something that customers will purchase frequently enough, automated payments are definitely worth thinking about. One way to do this is to create an option for recurring payments. You may also want to create an auto-pay method whereby payment information from previous transactions can be saved so customers don’t have to re-enter it every time.

Plugin Compatibility

If your site is making sales, then you most definitely have an eCommerce or shopping cart plugin at your disposal. Not every payment gateway will work with your plugin of choice, so confirm compatibility before signing up.

Design

And, of course, you’ve got to think about the design of the payment gateway. Will it allow for branding personalization so that it matches your site? Is it mobile responsive? How intuitive is it in terms of layout, numbers of steps or pages, etc.? Again, this is still part of your customers’ experience and you don’t want bad design to ruin that.

Best Payment Gateways for WordPress

Alright, so now that you know what you’re looking for, let’s narrow down that search and compare the best payment gateway providers for WordPress.

  • PayPal Payments Pro

    If you need a little extra out of PayPal, their Pro option is worth consideration:

    • Cost: There’s a $30 monthly fee to use this service, in addition to the per-transaction fee assessed.
    • Payment Location: You won’t have to send customers to PayPal. They’ll see the recognizable and trusted logo on your site, but they can stay right where they are to make a payment.
    • Merchant Account: There’s no need for one with PayPal, but you do have the option if you want a quick and easy way to deposit funds into your bank account.
    • Security: PayPal provides you with options to keep transactions on your site PCI compliant.
    • Global Friendliness: PayPal accepts only six currencies from credit card providers. If customers make PayPal payments, though, they’ll take over 25 currencies from 200+ markets.
    • Payment Methods Accepted: Because this is PayPal, a good portion of the payment types available come from them, including: PayPal standard payments, PayPal credit, as well as PayPal special financing. You can also accept credit cards, bank transfers, and even phone-based credit card payments.
    • Automated Payments: I don’t believe this is an option.
    • Plugin Compatibility: PayPal Pro supports most major shopping carts.
    • Design: The UI is fully customizable. It also works across all devices, so you won’t have to worry about the mobile payment experience.

    Interested in PayPal Payments Pro?

  • Stripe

    Stripe is definitely not lacking in features:

    • Cost: There are no setup or monthly fees. Aside from the usual per-transaction charges, the only costs you have to worry about are from customer chargebacks.
    • Payment Location: You can create a totally custom checkout for your site or you can use their pre-built Checkout.
    • Merchant Account: No need for a merchant account.
    • Security: If you’re keeping customers on your site to process payments, Stripe offers developers the option to use client-side tokenization to ensure PCI compliance.
    • Global Friendliness: Stripe works in over 100 countries (for your and your customers’ base of operations) and accepts over 135 currencies. There’s no charge for currency conversion either.
    • Payment Methods Accepted: Stripe accepts all major credit cards, bank and debit payments, Bitcoin, and digital payments from Apple Pay and Android Pay. Their API tools also enable developers to set up alternative payment processing options like selling products from a tweet.
    • Automated Payments: Stripe is set up to help all e-commerce business types: basic stores, on-demand marketplaces, subscription services, and even crowdfunding.
    • Design: This tool was built with the developer in mind, so its capabilities can be extended with simple APIs.
  • 2CheckOut

    Here are just a few of 2CheckOut’s features:

    • Cost: In addition to the standard fees per transaction, they also charge for international transactions and currency conversion.
    • Payment Location: You can either use the API to put the checkout on your site or you can use “inline” checkout which moves the process to their site while making it still look like it’s on yours.
    • Merchant Account: You need a merchant account in order to accept payments.
    • Security: They are Level 1 PCI compliant.
    • Global Friendliness: Their payment gateway is offered in 15 languages, includes 87 currency options, and they’ll process payments in over 200 markets.
    • Payment Methods Accepted: They accept credit card, debit card, and PayPal payments, among others.
    • Automated Payments: You can create pricing plans, flexible billing schedules, automated payments, and more.
    • Plugin Compatibility: Works with WooCommerce, WP e-commerce, Zoho, Shopify, osCommerce, and more.
    • Design: You can brand the gateway to match your site. The checkout page is also mobile-friendly.
  • Authorize.net

    Authorize.net is another widely accepted gateway that might offer precisely what you need:

    • Cost: There’s an initial $49 setup fee, a $25 monthly fee, as well as per-transaction fee.
    • Payment Location: It’s up to you: this can go on your site or on Authorize.net’s.
    • Merchant Account: You’ll need a merchant bank account to collect your payments.
    • Security: You’ll have free access to Authorize.net’s fraud protection tools if you integrate the gateway on your site. Otherwise, Authorize.net is PCI DSS certified.
    • Global Friendliness: While you’re free to accept payments from around the world, you must reside in the U.S., Canada, UK, Europe, or Australia in order to use this service.
    • Payment Methods Accepted: Payment types include credit card, Authorize.net e-checks, as well as digital payments like Apple Pay, PayPal, and VisaCheckout.
    • Automated Payments: There are a number of options available. You can store customer information for future transactions, set up subscriptions, or create dynamic recurring billing schedules.
    • Plugin Compatibility: Works with e-commerce and banking plugins like BigCommerce, Shopify, Magento, Moolah, QuickBooks, and Wells Fargo.
    • Design: You’re free to personalize the look of your checkout page to match your brand.

    Interested in Authorize.net?

  • Braintree

    Braintree offers another way to accept payments on your WordPress site. Check out some of its features:

    • Cost: There are no monthly fees to use Braintree, just the standard per-transaction fee. Note that the fee depends on which country you’re processing payments from.
    • Payment Location: You can use Braintree’s hosted service or you can use their Drop-in UI to put it directly on your site.
    • Merchant Account: Since this is a PayPal service, you don’t need a merchant account.
    • Security: Advanced fraud protection is included with this service.
    • Global Friendliness: Braintree’s service will process payments in over 130 currencies and for customers in 44 countries.
    • Payment Methods Accepted: You can accept payments from PayPal, credit cards, Apple Pay, Venmo, Masterpass, and more. In addition, you can split payments with other partners or providers.
    • Automated Payments: There are recurring billing options for repeat customers, subscription-based services, as well as donations.
    • Plugin Compatibility: This tool will integrate with a huge range of e-commerce and sales tools like Salesforce, Magento, Freshbooks, BigCommerce, and 3dcart.
    • Design: You can customize the design of the checkout or use their ready-made interface.
  • Square

    Square also lets you accept payments online easily. Check out Square’s features:

    • Cost: No monthly fee and 2.2% per transaction.
    • Payment Location: Although Square provides its own online store building platform, you can use Square’s APIs to accept payments directly on a WordPress website that you build yourself, or use plugins like a WooCommerce extension to integrate Square’s payment processing and other tools with your online store.
    • Merchant Account: You need a transactional bank account in case of refunds or disputed payments.
    • Security: They are Level 1 PCI compliant and offer layered security with fraud prevention methods.
    • Global Friendliness: At this time, WooCommerce Square is only available for the U.S., Canada, Australia, Japan and the UK.
    • Payment Methods Accepted: All major credit and debit cards are accepted. Payments are deposited into your linked bank account next business day with their standard schedule, or you can create a custom payment schedule to suit odd business hours.
    • Automated Payments: You can receive automated payments for single and recurring transactions.
    • Plugin Compatibility: Works with WooCommerce, WP EasyCart, Ecwid.
    • Design: You can customize the gateway to match your site. The checkout page is also mobile-friendly.

Integrating Payment Gateways with WordPress

Here’s the thing about payment gateways: you might not be responsible for designing them or developing the code that processes payments in the first place, but that doesn’t mean you can wipe your hands clean of what happens once your visitors land on them. If you’re including a payment gateway on your site, then it’s a part of your visitors’ experience and needs to be accounted for as you shape that experience for them, so it’s important to integrate your payment gateway correctly not just with WordPress, but also any plugins used to enhance or extend your site’s functionality.

For example, our Forminator plugin not only lets you add forms, quizzes, polls, and calculators to your site, but also take payments, donations, down payments, and sell merchandise with built-in Stripe and PayPal integrations. The video below shows you how to build order forms with payments for free in WordPress using the plugin’s payment integration features:

Different types of applications like Learning Management Systems (LMS), membership sites, and listing directories have built-in payment integrations with WordPress.

Below are some plugins that help to make integrating payment gateways and WordPress easier:

  • WooCommerce Square

    WooCommerce Square is a free plugin that lets you integrate the Square payment gateway on WordPress to sync inventory and product data between WooCommerce and Square POS.

    Some of the benefits and features of using this plugin for payment integration with WordPress include:

    • PCI compliant payment processing option that meets SAQ A levels of compliance.
    • Support for WooCommerce Subscriptions
    • Support for WooCommerce Pre-Orders
    • Allow customers to save payment methods and use them at checkout
    • Use an enhanced payment form with automatic formatting, mobile-friendly inputs, and retina card icons
    • Sync product data automatically between WooCommerce and Square.

    See the plugin documentation for setup instructions.

  • WP Easy Pay – Square for WordPress

    WP Easy Pay – Square for WordPress is another free plugin you can use to integrate WordPress with the Square payment gateway and accept simple payments and donations if you are not using WooCommerce or don’t need to add a shopping cart to your store.

    Some of the highlights of using this plugin for payment integration with WordPress include:

    • SCA (Strong Customer Authentication) support.
    • Sandbox support allows you to see test transactions in Square Dashboard.
    • Use a single button to collect donations and simple payments.
    • Users can enter custom amounts to make payments for donations.

    The plugin also has a premium version with additional features like support for digital wallets, email notifications, and reports.

  • WooCommerce Stripe Payment Gateway

    WooCommerce Stripe Payment Gateway is a free plugin that lets you accept Stripe payments through WooCommerce and add payment request buttons like Apple Pay and Google Pay and other payment methods on your website. It also supports recurring payments like subscriptions.

  • Stripe Payments

    The Stripe Payments plugin lets you integrate your WordPress site with the Stripe payment gateway to accept credit card payments.

    Once installed and configured, you can add ‘Buy Now’ buttons anywhere on your site using a simple shortcode and accept donations. After users purchase online with one-click payments, they are redirected to a “Checkout Result” page showing details of the transaction. Payment and order information can then be accessed from your WordPress dashboard.

  • Stripe Payments for WordPress – WP Simple Pay

    WP Simple Pay is a free standalone Stripe Checkout plugin that lets you accept credit card payments with Stripe Checkout on your WordPress site with no complex shopping cart, form builder or membership site plugin required.

    The free version comes with many built-in features, including unlimited payment forms, mobile responsive Stripe Checkout pages, product images display in Stripe Checkout page, optional verification and capture of user details, and the ability to specify payment success & failure pages. The paid version offers additional features including support for subscription payments and options.

  • WooCommerce PayPal Checkout Payment Gateway

    If you’re using WooCommerce, you can add this free plugin to integrate your site with a PayPal in-context checkout payment gateway, which remains hosted on PayPal’s servers, allowing your site to meet security requirements without affecting your theme.

    Refer to the documentation to learn how to integrate this plugin using PayPal’s easy setup method.

  • WordPress Simple PayPal Shopping Cart

    WordPress Simple PayPal Shopping Cart is a free plugin that lets you insert an ‘Add to Cart’ button on any post or page using shortcodes and display the shopping cart on your pages or sidebar. The plugin also has an option to use smart PayPal payment buttons and various additional features.

    See the plugin’s documentation section and video tutorials for setup and integration information.

  • 2Checkout Payment Gateway for WooCommerce

    If you want to process payments online using 2Checkout (2CO), this plugin integrates with your WooCommerce store to provide itemized checkout and pass all billing and shipping data to the 2CO purchase page.

Getting Paid Is The Easy Part

By this point, you should have a pretty good idea of what you want your payment gateway to do and have a few providers you’re thinking of using:

  • Square offers relatively low processing fees and lets small businesses and independent sellers accept most consumer credit cards and facilitate cashless transactions.
  • Stripe is the most developer-friendly platform, so if you really want to get into personalizing your checkout page, this is a good option to have.
  • PayPal is a great choice if you want to leverage the trusted name of a payment processor that over 184 million people already use.
  • 2Checkout seems to be the most global-friendly of the options, so if you’re hoping to cast a wider net, that may be the one you want to turn to.

Probably the easiest way to integrate payment processing gateways with WordPress is to use an eCommerce plugin that already has an extensive list of payment options built in. Many eCommerce plugins not only give you this option but will even provide links, wizards, and helpful tooltips to facilitate the process, so all you have to do is sign up for an account with the merchant, enter a registration code or special key into a settings field, and boom diggity… you’ve saved a whole lot of time!

One last thing to think about when researching payment gateways is how you’re going to deliver customers their goods after collecting their money, especially if you plan to sell physical goods. That’s why we’ve written a companion piece on the top eCommerce plugins for shipping products.

If you haven’t built your eCommerce site yet, make sure to read our comprehensive guide to planning an eCommerce store with WordPress before getting started.