Description
CookieKita is the WordPress companion plugin to cookiekita.com, a GDPR/ePrivacy consent management platform. It does the on-site work — blocking trackers before consent, installing your tags consent-aware, and executing data requests — while the dashboard handles the consent log, cookie scanner and compliance reporting.
What it does
- 🍪 Cookie consent banner — auto-injects the CookieKita banner, localized to the WordPress site language.
- 🛡 Real tracker blocking — holds back Google Analytics, Google Tag Manager, Meta Pixel, Hotjar, Clarity, LinkedIn, TikTok and 30+ other services until the visitor consents. A banner that only shows without blocking is not compliant — CookieKita actually blocks.
- 🔌 Integrations directory — a catalogue of 37 recognised services, each auto-blocked and mapped to the right consent category.
- ⚡ Consent-aware tag installer — paste your GA4 / Meta Pixel / GTM (and many more) ID and CookieKita installs the official tag for you as a blocked script that only fires after the matching consent. You become the bridge, not just the blocker.
- 🛒 WooCommerce eCommerce tracking — automatically sends view_item, add_to_cart, begin_checkout and purchase to GA4 / Google Tag Manager and your ad pixels (Meta, TikTok, Pinterest, Snap, Reddit). Analytics events fire on analytics consent; ad events on marketing consent — fully consent-gated.
- 🟢 Google Consent Mode v2 & Microsoft UET Consent Mode — consent signals are forwarded automatically.
- 🌐 GPC / DNT signals — honours Global Privacy Control and Do Not Track.
- 📊 Cookie declaration shortcode — [cookiekita_cookies] renders a live table of the cookies discovered by the CookieKita scanner.
- 📨 DSAR form shortcode — [cookiekita_dsar] adds a GDPR data-subject-request form to any page.
- 🤖 Auto-execute DSAR (opt-in) — verified deletion/export requests are executed via the WordPress Personal Data API and WooCommerce privacy hooks, with an audit log.
Requirements
- A free or paid account at cookiekita.com.
- Your Site Key (32 hex characters) from the CookieKita dashboard. If you download the plugin from your dashboard, the key is pre-configured for you.
External services
This plugin connects to the CookieKita service (cookiekita.com) — it is a companion plugin for that platform and requires a CookieKita account to function. The connection is used for the features below.
1. Banner script & configuration — On every front-end page the plugin loads the consent banner script from https://cookiekita.com/banner.js and fetches your banner configuration and cookie list from https://cookiekita.com/functions/v1/. Your public Site Key is sent so the correct configuration is returned. No personal data is sent for this.
2. Connection / heartbeat — When you save your Site Key (and roughly once a day afterwards) the plugin sends your site URL, plugin version, WordPress version and PHP version to https://cookiekita.com/functions/v1/verify-wp-site so the dashboard can show connection status and register the DSAR webhook. It also checks whether the site was disconnected from the dashboard.
3. DSAR webhook — When auto-execute DSAR is enabled, CookieKita sends signed data-subject requests (containing the requester’s email) to the plugin so they can be fulfilled on your site.
By using this plugin you agree to the CookieKita Terms of Service (https://cookiekita.com/terms) and Privacy Policy (https://cookiekita.com/privacy).
Optional third-party tags (only loaded if you enable them)
CookieKita does not load any of the third-party services below by default. The consent-aware tag installer loads a provider’s official script only when you, the site administrator, enter that provider’s ID / enable it, and even then the script is held back until the visitor gives the matching consent (analytics or marketing). When a tag fires, the visitor’s browser loads the provider’s script directly and that provider receives standard analytics/advertising data (e.g. page views, events, IP address, cookie/device identifiers) — what is sent and when is determined by that provider. Review each provider’s terms and privacy policy before enabling it:
- Google (Tag Manager, gtag, GA4) — googletagmanager.com — terms: https://policies.google.com/terms — privacy: https://policies.google.com/privacy
- Meta Pixel (Facebook) — connect.facebook.net — terms: https://www.facebook.com/legal/terms/ — privacy: https://www.facebook.com/privacy/policy/
- Microsoft Clarity / UET — clarity.ms — terms: https://www.microsoft.com/legal/terms-of-use — privacy: https://privacy.microsoft.com/privacystatement
- TikTok — analytics.tiktok.com — terms: https://www.tiktok.com/legal/terms-of-service — privacy: https://www.tiktok.com/legal/privacy-policy
- LinkedIn Insight — snap.licdn.com — terms: https://www.linkedin.com/legal/user-agreement — privacy: https://www.linkedin.com/legal/privacy-policy
- X (Twitter) Ads — static.ads-twitter.com — terms: https://legal.twitter.com/ads-terms.html — privacy: https://twitter.com/en/privacy
- Pinterest Tag — s.pinimg.com — terms: https://policy.pinterest.com/terms-of-service — privacy: https://policy.pinterest.com/privacy-policy
- Snap Pixel — sc-static.net — terms: https://snap.com/terms — privacy: https://snap.com/privacy/privacy-policy
- Reddit Pixel — redditstatic.com — terms: https://www.redditinc.com/policies/user-agreement — privacy: https://www.reddit.com/policies/privacy-policy
- Amazon Ads — c.amazon-adsystem.com — terms: https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 — privacy: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
- Criteo — static.criteo.net — terms: https://www.criteo.com/terms-and-conditions/ — privacy: https://www.criteo.com/privacy/
- Outbrain — amplify.outbrain.com — terms: https://www.outbrain.com/onyx/term-of-use/ — privacy: https://www.outbrain.com/privacy/
- Taboola — cdn.taboola.com — terms: https://policies.taboola.com/terms-of-service/ — privacy: https://policies.taboola.com/privacy-policy/
- Hotjar — static.hotjar.com — terms: https://www.hotjar.com/legal/policies/terms-of-service/ — privacy: https://www.hotjar.com/legal/policies/privacy/
- Segment (Twilio) — cdn.segment.com — terms: https://www.twilio.com/en-us/legal/tos — privacy: https://www.twilio.com/en-us/legal/privacy
- Heap — cdn.heapanalytics.com — terms: https://www.heap.io/terms — privacy: https://www.heap.io/privacy
- Amplitude — cdn.amplitude.com — terms: https://amplitude.com/terms — privacy: https://amplitude.com/privacy
- Mixpanel — cdn.mxpnl.com — terms: https://mixpanel.com/legal/terms-of-use/ — privacy: https://mixpanel.com/legal/privacy-policy/
- FullStory — fullstory.com — terms: https://www.fullstory.com/legal/terms-and-conditions/ — privacy: https://www.fullstory.com/legal/privacy-policy/
- Crazy Egg — script.crazyegg.com — terms: https://www.crazyegg.com/terms — privacy: https://www.crazyegg.com/privacy
- Mouseflow — cdn.mouseflow.com — terms: https://mouseflow.com/legal/terms/ — privacy: https://mouseflow.com/legal/privacy-policy/
- Inspectlet — cdn.inspectlet.com — terms: https://www.inspectlet.com/terms-of-service — privacy: https://www.inspectlet.com/terms-of-service
- Plausible Analytics — plausible.io — terms: https://plausible.io/terms — privacy: https://plausible.io/privacy
- PostHog — posthog.com — terms: https://posthog.com/terms — privacy: https://posthog.com/privacy
- Simple Analytics — simpleanalyticscdn.com — terms: https://www.simpleanalytics.com/terms — privacy: https://www.simpleanalytics.com/privacy-policy
- HubSpot — js.hs-scripts.com — terms: https://legal.hubspot.com/terms-of-service — privacy: https://legal.hubspot.com/privacy-policy
- Intercom — widget.intercom.io — terms: https://www.intercom.com/legal/terms-and-policies — privacy: https://www.intercom.com/legal/privacy
- Drift — js.driftt.com — terms: https://www.drift.com/terms-of-service/ — privacy: https://www.drift.com/privacy-policy/
- Crisp — client.crisp.chat — terms: https://crisp.chat/en/terms/ — privacy: https://crisp.chat/en/privacy/
- Tawk.to — embed.tawk.to — terms: https://www.tawk.to/terms-of-service/ — privacy: https://www.tawk.to/privacy-policy/
- LiveChat — cdn.livechatinc.com — terms: https://www.livechat.com/legal/terms/ — privacy: https://www.livechat.com/legal/privacy-policy/
- Zendesk — static.zdassets.com — terms: https://www.zendesk.com/company/agreements-and-terms/master-subscription-agreement/ — privacy: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/
Installation
- Install through Plugins → Add New, or upload the cookiekita folder to /wp-content/plugins/.
- Activate the plugin through the Plugins menu.
- Open the CookieKita menu and paste your Site Key (skipped automatically if you downloaded a pre-configured copy from your dashboard).
- (Optional) Activate integrations and paste your tag IDs under CookieKita → Integrations.
- (Optional) Add [cookiekita_cookies] to your Privacy Policy page and [cookiekita_dsar] to your Data Requests page.
FAQ
Yes. CookieKita is a companion plugin for the cookiekita.com platform and needs a Site Key from your account. Core banner, blocking, scanner and DSAR form work on the free plan.

Will it slow down my site?
The banner script is small, async-loaded and CDN-served. The tracker blocker runs a single fast pass per page render.

It blocks. Recognised tracking scripts and embeds are held back (rendered as inert, consent-gated scripts) and only execute after the visitor consents to the matching category.

How does the consent-aware tag installer work?
You paste a service ID (e.g. a GA4 Measurement ID or Meta Pixel ID). The plugin emits the vendor’s official loader as a blocked inline script tied to a consent category, so it fires only after the visitor accepts that category.

Is DSAR auto-execution safe?
It is opt-in (off by default), refuses to delete administrator accounts, and records every action to an audit log. Take a backup before enabling.

Does it work with WooCommerce?
Yes. It adds consent-gated eCommerce event tracking (view_item, add_to_cart, begin_checkout, purchase) and uses WooCommerce’s privacy hooks for DSAR.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“CookieKita — GDPR Consent & Cookie Banner” is open source software. The following people have contributed to this plugin.
Changelog
1.0.8
- Admin UI no longer gates any panel behind the account connection. The Settings, Integrations and Shortcodes tabs are now always fully accessible and every option is editable and saved locally at all times — nothing is hidden or disabled while unconnected. A small, non-blocking hint simply notes that the consent banner goes live on the front-end once the site is connected (the banner script needs the Site Key to load its configuration). This addresses the review concern that locally-implemented features (tracker blocking, tag installer, shortcodes) appeared to be locked behind the service connection.
- Removed the last padlock icon from the Integrations activation modal (replaced with a shield), so no “lock” iconography remains anywhere in the admin.
- Full audit of every third-party terms/privacy URL in the External services section; refreshed the ones that had moved or now return an error: Criteo (privacy /privacy/, terms /terms-and-conditions/), Meta/Facebook (added trailing slashes so the pages return 200), Taboola (policies.taboola.com), Outbrain terms (/onyx/term-of-use/), Mouseflow (/legal/…), Inspectlet (/terms-of-service) and Segment (Twilio legal, since Segment’s terms/privacy are now governed by Twilio). All remaining links were verified reachable.
1.0.7
- Removed the custom update checker (update_check_enabled / ajax_check_update / fetch_latest_version) — updates are handled exclusively through the standard WordPress.org update flow.
- Renamed render_lock_gate() to render_service_connection_notice() and replaced lock-icon UI with a neutral “connect your account” prompt. The tabs show a connection prompt because they are managed through the CookieKita external service (Guideline 6), not because features are locked behind a payment or licence.
- Removed lock-icon decorations from Integrations / Settings / Shortcodes tab buttons.
- Fixed dead readme URLs: Criteo terms updated; Mouseflow terms/privacy updated.
1.0.6
- No functional changes. Submitted in response to review R-29Jun26: confirmed that HubSpot (js.hs-scripts.com) and LiveChat (cdn.livechatinc.com) are fully documented in the External services section, including terms and privacy links. The privacy link for HubSpot (legal.hubspot.com/privacy-policy) is their official URL; the timeout reported by the automated checker is caused by HubSpot’s CDN anti-bot protection on their legal subdomain, not an invalid URL.
1.0.5
- Branded the “Connect to CookieKita” button to match the CookieKita visual style.
1.0.4
- Fixed “Connection could not be completed” — the connect state token is now shared across all Connect buttons on the page instead of being regenerated per button.
1.0.3
- The admin now lands on the Connection tab first when the site is not yet connected (all tabs remain accessible).
- Updated the brand logo in the admin header.
1.0.2
- Text domain now matches the plugin slug (cookiekita-gdpr-consent-cookie-banner) so the plugin is translatable via the directory.
- Admin notice-hiding CSS is enqueued via wp_add_inline_style instead of an inline <style> echo.
- Public /ping endpoint no longer exposes configuration state, feature flags or secret status — it returns only a minimal reachability response.
- The tracker-blocking output buffer is now explicitly closed (paired ob_start / ob_end_flush).
- Removed an unnecessary require of a WordPress core admin file in the DSAR exporter path.
- Documented all optional third-party tag services (with terms/privacy links) in the External services section.
1.0.1
- Security hardening: proof-of-possession required to disconnect, stronger DSAR deletion guard (super-admins), reduced anonymous info in the health endpoint, and a hardcoded update link.
1.0.0
- Initial public release.
- Cookie consent banner with real tracker blocking (37+ services) until consent.
- Integrations directory + consent-aware tag installer (GA4, GTM, Meta Pixel, and more).
- WooCommerce eCommerce events (view_item, add_to_cart, begin_checkout, purchase), fully consent-gated.
- Google Consent Mode v2 + Microsoft UET Consent Mode, GPC/DNT signals.
- Cookie declaration and DSAR shortcodes, with optional auto-execution of verified requests.
- One-click “Connect to CookieKita” onboarding, with manual Site Key entry as a fallback.
