In July, Termly announced its acquisition of the GDPR/CCPA Cookie Consent Banner plugin. The new direction was an overhaul of the WordPress extension, turning what was once a free offering into, essentially, a commercial SaaS product. Users could run the service for up to 100 visitors. After that, the cheapest tier would cost $180 per year.
Despite multiple notices that changes were coming and making sure auto-updates were disable so that users would find no surprises, the move has not sat well with many people. Since the plugin update, users have taken to the WordPress.org review system. Across the board, they have left nothing but one-star ratings in the past month and a half.
The free tier limit of 100 monthly visitors did not feel free at all to many. By the middle of August, the Termly team had responded after listening to this feedback and making some changes.
The company bumped the limit to 10,000 unique visitors, making it a free solution for far more users. Termly is also dedicating more team members to responding to questions on the WordPress forums.
“Termly has offered a consent management solution for years, and our pricing structure has been this way for 1,000s of existing customers,” said Raffaele Riconosciuto, Director of Marketing at Termly, when asked whether the 100-visitor limit came up in discussions before launch. “In all honesty, we simply did not consider it since our new customers view our pricing structure favorably. In hindsight, the structure is less favorable for people who are currently getting something for free, and thus why we made the changes as quickly as we could.”
A 10,000 visitor limit on the free tier is likely to be a much more reasonable limit for the average website. Beyond that, site owners will need to account for a monthly or yearly fee.
Some users may still have issues with the plugin being rolled into a SaaS offering, needing to sign up for a third-party service. However, Riconosciuto said Termly needed to go in this direction.
“The SaaS structure we’ve adopted is ubiquitous for most consent management platforms (CMPs) today,” he said. “Given that data privacy laws are constantly evolving, as are mechanisms for tracking users on the web, CMPs require a high degree of maintenance and upkeep just to keep their users meeting base legal requirements. We are also continuing to develop new functionality to make the process more painless and robust. Hence why we charge a recurring subscription cost to our more advanced users, who subsidize the always-free tier.”
Termly already had a robust platform in place that serves customers inside and outside of the WordPress ecosystem. It did not make sense to rebuild the entire platform within the plugin and maintain them separately. It would have created duplicate development work without a need to do so.
Users can still install the cookie consent banner without leaving the WordPress admin panel, but further customizations happen via the Termly dashboard. Riconosciuto said the team may extend the UI integration between the plugin and service in the future if that is where user feedback leads them, pulling more functionality into WordPress.
The other side of this is that previous plugin versions were not compliant with several data privacy laws, including the GDPR and ePrivacy Directive.
“The GDPR and ePrivacy Directive are the main EU legislation governing the use of cookies and similar tracking technologies,” said Riconosciuto. “In the context of cookie consent management and cookie banners, the most important takeaway is that a business must obtain consent from an end-user before they serve them non-essential cookies. Consent must be free, specific, informed, and unambiguous. The old banner does not block cookies or contain the information required to ensure when an individual interacts with the banner, they have provided consent to the satisfaction of these legal requirements.”
Of the legal mazes businesses must navigate, Riconosciuto said that each EU member state had “transposed the ePrivacy Directive into local cookie laws.” Termly looks at the guidance issued from each of these member state regulators when determining how to implement the cookie banner.
“Why does following the law and related guidance matter?” asked Riconosciuto. “Recently, we have seen regulators in these regions taking enforcement action against entities that fail to comply with the guidance they have provided for how to comply with the cookie laws. Unlike the GDPR, ePrivacy directive, and France’s cookie law, guidance, and recommendations from an EU regulator is considered ‘soft law’ and not binding. However, the guidance typically explains how a regulator will determine if a business is violating a local cookie law (i.e., how they will enforce the cookie law). That means if your business’s cookie practices fail to satisfy the requirements laid out in regulator guidance, you are likely violating cookie law and may be subject to enforcement action. Even more, organizations in the EU like NYOB are relying on these laws and soft guidance to determine whether they will file draft complaints with regulators against businesses in violation of these laws.”
Riconosciuto mentioned several areas where the older versions of the plugin did not comply with the laws. However, the updated plugin and service take care of these issues. The following is a non-exhaustive list:
- The solution must actually block cookies and tracking. Cookie consent banners must honor user choices.
- The language must adequately notify users of what they are agreeing to before consenting.
- Consent banners must allow the granular selection of cookies by category (e.g., performance and functionality, advertising, analytics, social networking, etc.).
- Provide clean and easily accessible information and options for accepting or rejecting at the first level without being deceptive (e.g., all buttons should be the same size and format).
- The banner must generate and save an audit log of consent interactions. These may need to be presented to regulators.
While users may continue using an older version of the plugin, Termly does not recommend it because it is non-compliant. The company has no plans to restore any parts from the previous version.
“We are committed to making sure businesses are educated and compliant the right way,” said Riconosciuto. “Termly is built on quality, trust, and collaboration, and we can promise that we will continue to listen to feedback and adjust our platform to accommodate all of our customers — including the WordPress community — without sacrificing compliance to all laws and regulations.”
Just for anybody experiencing this problem in the future, think ahead, and ask the plugins team for advice. We’re happy to help out with this sort of thing.
We can tell you what is allowed, sure, but we’ve also been doing this a long time, and we can tell you what the, honestly, very easily predictable, response will be to any move of this type. We’ve seen it all at this point.
Happy to answer questions. Just email the plugins team. 🙂