Title: CookieKita — GDPR Consent & Cookie Banner
Author: gdimitrov
Published: July 4, 2026
Last modified: July 4, 2026

---


# CookieKita — GDPR Consent & Cookie Banner

 By [gdimitrov](https://profiles.wordpress.org/gdimitrov/)

[Download](https://downloads.wordpress.org/plugin/cookiekita-gdpr-consent-cookie-banner.1.0.8.zip)


## Description

**CookieKita** is the WordPress companion plugin to [cookiekita.com](https://cookiekita.com),
a GDPR/ePrivacy consent management platform. It does the on-site work — blocking
trackers before consent, installing your tags consent-aware, and executing data 
requests — while the dashboard handles the consent log, cookie scanner and compliance
reporting.

#### What it does

 * 🍪 **Cookie consent banner** — auto-injects the CookieKita banner, localized 
   to the WordPress site language.
 * 🛡 **Real tracker blocking** — holds back Google Analytics, Google Tag Manager,
   Meta Pixel, Hotjar, Clarity, LinkedIn, TikTok and 30+ other services until the
   visitor consents. A banner that only _shows_ without blocking is not compliant —
   CookieKita actually blocks.
 * 🔌 **Integrations directory** — a catalogue of 37 recognised services, each
   auto-blocked and mapped to the right consent category.
 * ⚡ **Consent-aware tag installer** — paste your GA4 / Meta Pixel / GTM (and many
   more) ID and CookieKita installs the official tag for you as a _blocked_ script
   that only fires after the matching consent. You become the bridge, not just the
   blocker.
 * 🛒 **WooCommerce eCommerce tracking** — automatically sends `view_item`, `add_to_cart`,
   `begin_checkout` and `purchase` to GA4 / Google Tag Manager and your ad pixels
   (Meta, TikTok, Pinterest, Snap, Reddit). Analytics events fire on analytics consent;
   ad events on marketing consent — fully consent-gated.
 * 🟢 **Google Consent Mode v2 & Microsoft UET Consent Mode** — consent signals 
   are forwarded automatically.
 * 🌐 **GPC / DNT signals** — honours Global Privacy Control and Do Not Track.
 * 📊 **Cookie declaration shortcode** — `[cookiekita_cookies]` renders a live table
   of the cookies discovered by the CookieKita scanner.
 * 📨 **DSAR form shortcode** — `[cookiekita_dsar]` adds a GDPR data-subject-request
   form to any page.
 * 🤖 **Auto-execute DSAR** (opt-in) — verified deletion/export requests are executed
   via the WordPress Personal Data API and WooCommerce privacy hooks, with an audit
   log.

#### Requirements

 * A free or paid account at [cookiekita.com](https://cookiekita.com).
 * Your Site Key (32 hex characters) from the CookieKita dashboard. If you download
   the plugin from your dashboard, the key is pre-configured for you.

### External services

This plugin connects to the **CookieKita** service ([cookiekita.com](https://cookiekita.com)) —
it is a companion plugin for that platform and requires a CookieKita account to
function. The connection is used for the features below.

**1. Banner script & configuration** — On every front-end page the plugin loads 
the consent banner script from `https://cookiekita.com/banner.js` and fetches your
banner configuration and cookie list from `https://cookiekita.com/functions/v1/`.
Your public Site Key is sent so the correct configuration is returned. No personal
data is sent for this.

**2. Connection / heartbeat** — When you save your Site Key (and roughly once a 
day afterwards) the plugin sends your site URL, plugin version, WordPress version
and PHP version to `https://cookiekita.com/functions/v1/verify-wp-site` so the dashboard
can show connection status and register the DSAR webhook. It also checks whether
the site was disconnected from the dashboard.

**3. DSAR webhook** — When auto-execute DSAR is enabled, CookieKita sends signed
data-subject requests (containing the requester’s email) to the plugin so they can
be fulfilled on your site.

By using this plugin you agree to the CookieKita Terms of Service (https://cookiekita.com/terms)
and Privacy Policy (https://cookiekita.com/privacy).

#### Optional third-party tags (only loaded if you enable them)

CookieKita does not load any of the third-party services below by default. The
consent-aware tag installer loads a provider’s official script **only when you, the site
administrator, enter that provider’s ID / enable it**, and even then the script
is held back until the visitor gives the matching consent (analytics or marketing).
When a tag fires, the visitor’s browser loads the provider’s script directly and
that provider receives standard analytics/advertising data (e.g. page views, events,
IP address, cookie/device identifiers) — what is sent and when is determined by 
that provider. Review each provider’s terms and privacy policy before enabling it:

 * Google (Tag Manager, gtag, GA4) — googletagmanager.com — terms: https://policies.google.com/terms — privacy: https://policies.google.com/privacy
 * Meta Pixel (Facebook) — connect.facebook.net — terms: https://www.facebook.com/legal/terms/ — privacy: https://www.facebook.com/privacy/policy/
 * Microsoft Clarity / UET — clarity.ms — terms: https://www.microsoft.com/legal/terms-of-use — privacy: https://privacy.microsoft.com/privacystatement
 * TikTok — analytics.tiktok.com — terms: https://www.tiktok.com/legal/terms-of-service — privacy: https://www.tiktok.com/legal/privacy-policy
 * LinkedIn Insight — snap.licdn.com — terms: https://www.linkedin.com/legal/user-agreement — privacy: https://www.linkedin.com/legal/privacy-policy
 * X (Twitter) Ads — static.ads-twitter.com — terms: https://legal.twitter.com/ads-terms.html — privacy: https://twitter.com/en/privacy
 * Pinterest Tag — s.pinimg.com — terms: https://policy.pinterest.com/terms-of-service — privacy: https://policy.pinterest.com/privacy-policy
 * Snap Pixel — sc-static.net — terms: https://snap.com/terms — privacy: https://snap.com/privacy/privacy-policy
 * Reddit Pixel — redditstatic.com — terms: https://www.redditinc.com/policies/user-agreement — privacy: https://www.reddit.com/policies/privacy-policy
 * Amazon Ads — c.amazon-adsystem.com — terms: https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 — privacy: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
 * Criteo — static.criteo.net — terms: https://www.criteo.com/terms-and-conditions/ — privacy: https://www.criteo.com/privacy/
 * Outbrain — amplify.outbrain.com — terms: https://www.outbrain.com/onyx/term-of-use/ — privacy: https://www.outbrain.com/privacy/
 * Taboola — cdn.taboola.com — terms: https://policies.taboola.com/terms-of-service/ — privacy: https://policies.taboola.com/privacy-policy/
 * Hotjar — static.hotjar.com — terms: https://www.hotjar.com/legal/policies/terms-of-service/ — privacy: https://www.hotjar.com/legal/policies/privacy/
 * Segment (Twilio) — cdn.segment.com — terms: https://www.twilio.com/en-us/legal/tos — privacy: https://www.twilio.com/en-us/legal/privacy
 * Heap — cdn.heapanalytics.com — terms: https://www.heap.io/terms — privacy: https://www.heap.io/privacy
 * Amplitude — cdn.amplitude.com — terms: https://amplitude.com/terms — privacy: https://amplitude.com/privacy
 * Mixpanel — cdn.mxpnl.com — terms: https://mixpanel.com/legal/terms-of-use/ — privacy: https://mixpanel.com/legal/privacy-policy/
 * FullStory — fullstory.com — terms: https://www.fullstory.com/legal/terms-and-conditions/ — privacy: https://www.fullstory.com/legal/privacy-policy/
 * Crazy Egg — script.crazyegg.com — terms: https://www.crazyegg.com/terms — privacy: https://www.crazyegg.com/privacy
 * Mouseflow — cdn.mouseflow.com — terms: https://mouseflow.com/legal/terms/ — privacy: https://mouseflow.com/legal/privacy-policy/
 * Inspectlet — cdn.inspectlet.com — terms: https://www.inspectlet.com/terms-of-service — privacy: https://www.inspectlet.com/terms-of-service
 * Plausible Analytics — plausible.io — terms: https://plausible.io/terms — privacy: https://plausible.io/privacy
 * PostHog — posthog.com — terms: https://posthog.com/terms — privacy: https://posthog.com/privacy
 * Simple Analytics — simpleanalyticscdn.com — terms: https://www.simpleanalytics.com/terms — privacy: https://www.simpleanalytics.com/privacy-policy
 * HubSpot — js.hs-scripts.com — terms: https://legal.hubspot.com/terms-of-service — privacy: https://legal.hubspot.com/privacy-policy
 * Intercom — widget.intercom.io — terms: https://www.intercom.com/legal/terms-and-policies — privacy: https://www.intercom.com/legal/privacy
 * Drift — js.driftt.com — terms: https://www.drift.com/terms-of-service/ — privacy: https://www.drift.com/privacy-policy/
 * Crisp — client.crisp.chat — terms: https://crisp.chat/en/terms/ — privacy: https://crisp.chat/en/privacy/
 * Tawk.to — embed.tawk.to — terms: https://www.tawk.to/terms-of-service/ — privacy: https://www.tawk.to/privacy-policy/
 * LiveChat — cdn.livechatinc.com — terms: https://www.livechat.com/legal/terms/ — privacy: https://www.livechat.com/legal/privacy-policy/
 * Zendesk — static.zdassets.com — terms: https://www.zendesk.com/company/agreements-and-terms/master-subscription-agreement/ — privacy: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/

## Installation

 1. Install through **Plugins → Add New**, or upload the `cookiekita` folder to
    `/wp-content/plugins/`.
 2. Activate the plugin through the **Plugins** menu.
 3. Open the **CookieKita** menu and paste your Site Key (skipped automatically if 
    you downloaded a pre-configured copy from your dashboard).
 4. (Optional) Activate integrations and paste your tag IDs under **CookieKita → Integrations**.
 5. (Optional) Add `[cookiekita_cookies]` to your Privacy Policy page and `[cookiekita_dsar]`
    to your Data Requests page.

## FAQ

### Does this require a CookieKita account?

Yes. CookieKita is a companion plugin for the cookiekita.com platform and needs 
a Site Key from your account. Core banner, blocking, scanner and DSAR form work 
on the free plan.

### Will it slow down my site?

The banner script is small, async-loaded and CDN-served. The tracker blocker runs
a single fast pass per page render.

### Does it actually block trackers, or just show a banner?

It blocks. Recognised tracking scripts and embeds are held back (rendered as inert,
consent-gated scripts) and only execute after the visitor consents to the matching
category.

### How does the consent-aware tag installer work?

You paste a service ID (e.g. a GA4 Measurement ID or Meta Pixel ID). The plugin 
emits the vendor’s official loader as a blocked inline script tied to a consent 
category, so it fires only after the visitor accepts that category.
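
The two answers above describe recognised scripts being rendered inert and released per consent category. The sketch below is an added example, not CookieKita's code: the `text/plain` plus `data-consent-category` markup, the function names and the category assigned to each host are assumptions for illustration (the hosts come from this page's service list), and the sample page is constructed.

```javascript
// Added example; not CookieKita's code. Attribute names, function names and the
// host -> category mapping are assumptions; hosts are from this page's list.
const TRACKER_CATEGORIES = {
  'www.googletagmanager.com': 'analytics',
  'connect.facebook.net': 'marketing',
  'analytics.tiktok.com': 'marketing',
};
const SCRIPT_RE = /<script(\s[^>]*)?>/gi;
const GATE_ATTR_RE = /\sdata-consent-category\s*=/i;
const GATED_RE = /<script type="text\/plain" data-consent-category="([a-z]+)"([^>]*)>/g;

// Consent category for a script tag's attributes, or null for inline/unknown.
function categoryFor(attrs) {
  const m = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
  if (!m) return null;
  try { // the base URL resolves relative and protocol-relative (//host/...) sources
    const host = new URL(m[1], 'https://site.example/').hostname.toLowerCase();
    return TRACKER_CATEGORIES[host] || null;
  } catch { return null; } // unparseable src: not a recognised tracker
}

// Single pass over rendered HTML: recognised trackers become inert text/plain
// scripts tagged with their category. Already-gated tags are left alone.
function blockTrackers(html) {
  return html.replace(SCRIPT_RE, (tag, attrs = '') => {
    const category = categoryFor(attrs);
    if (!category || GATE_ATTR_RE.test(attrs)) return tag;
    const rest = attrs.replace(/\stype\s*=\s*(["'])[^"']*\1/i, '');
    return `<script type="text/plain" data-consent-category="${category}"${rest}>`;
  });
}

// Re-enable only the categories the visitor accepted; the rest stay inert.
function releaseConsented(html, consented) {
  return html.replace(GATED_RE, (tag, category, rest) =>
    consented.has(category) ? `<script${rest}>` : tag);
}

// Audit helper: categories of known trackers that would still execute.
function ungatedTrackers(html) {
  const found = [];
  for (const [, attrs = ''] of html.matchAll(SCRIPT_RE)) {
    const category = categoryFor(attrs);
    if (category && !GATE_ATTR_RE.test(attrs)) found.push(category);
  }
  return found;
}

// Constructed sample page: two trackers and one first-party script.
const SAMPLE_PAGE = [
  '<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" async></script>',
  "<SCRIPT type='text/javascript' src='//connect.facebook.net/en_US/fbevents.js'></SCRIPT>",
  '<script src="/wp-includes/js/jquery/jquery.min.js"></script>',
].join('\n');
```

`ungatedTrackers` doubles as a check on a rendered page: any category it returns before consent is a tracker that would fire anyway. In a browser, release is usually done by replacing each gated element with a fresh script element rather than by editing a string.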

### Is DSAR auto-execution safe?

It is opt-in (off by default), refuses to delete administrator accounts, and records
every action to an audit log. Take a backup before enabling.

### Does it work with WooCommerce?

Yes. It adds consent-gated eCommerce event tracking (view_item, add_to_cart, begin_checkout,
purchase) and uses WooCommerce’s privacy hooks for DSAR.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“CookieKita — GDPR Consent & Cookie Banner” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ gdimitrov ](https://profiles.wordpress.org/gdimitrov/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/cookiekita-gdpr-consent-cookie-banner/),
check out the [SVN repository](https://plugins.svn.wordpress.org/cookiekita-gdpr-consent-cookie-banner/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/cookiekita-gdpr-consent-cookie-banner/)
by [RSS](https://plugins.trac.wordpress.org/log/cookiekita-gdpr-consent-cookie-banner/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.8

 * Admin UI no longer gates any panel behind the account connection. The Settings,
   Integrations and Shortcodes tabs are now always fully accessible and every option
   is editable and saved locally at all times — nothing is hidden or disabled while
   unconnected. A small, non-blocking hint simply notes that the consent banner 
   goes live on the front-end once the site is connected (the banner script needs
   the Site Key to load its configuration). This addresses the review concern that
   locally-implemented features (tracker blocking, tag installer, shortcodes) appeared
   to be locked behind the service connection.
 * Removed the last padlock icon from the Integrations activation modal (replaced
   with a shield), so no “lock” iconography remains anywhere in the admin.
 * Full audit of every third-party terms/privacy URL in the External services section;
   refreshed the ones that had moved or now return an error: Criteo (privacy → /privacy/,
   terms → /terms-and-conditions/), Meta/Facebook (added trailing slashes so the
   pages return 200), Taboola (→ policies.taboola.com), Outbrain terms (→ /onyx/term-of-use/),
   Mouseflow (→ /legal/…), Inspectlet (→ /terms-of-service) and Segment (→ Twilio
   legal, since Segment’s terms/privacy are now governed by Twilio). All
   remaining links were verified reachable.

#### 1.0.7

 * Removed the custom update checker (`update_check_enabled` / `ajax_check_update` /
   `fetch_latest_version`) — updates are handled exclusively through the standard
   WordPress.org update flow.
 * Renamed `render_lock_gate()` to `render_service_connection_notice()` and replaced
   lock-icon UI with a neutral “connect your account” prompt. The tabs show a connection
   prompt because they are managed through the CookieKita external service (Guideline
   6), not because features are locked behind a payment or licence.
 * Removed lock-icon decorations from Integrations / Settings / Shortcodes tab buttons.
 * Fixed dead readme URLs: Criteo terms updated; Mouseflow terms/privacy updated.

#### 1.0.6

 * No functional changes. Submitted in response to review R-29Jun26: confirmed that
   HubSpot (js.hs-scripts.com) and LiveChat (cdn.livechatinc.com) are fully documented
   in the External services section, including terms and privacy links. The privacy
   link for HubSpot (legal.hubspot.com/privacy-policy) is their official URL; the
   timeout reported by the automated checker is caused by HubSpot’s CDN anti-bot
   protection on their legal subdomain, not an invalid URL.

#### 1.0.5

 * Branded the “Connect to CookieKita” button to match the CookieKita visual style.

#### 1.0.4

 * Fixed “Connection could not be completed” — the connect state token is now shared
   across all Connect buttons on the page instead of being regenerated per button.

#### 1.0.3

 * The admin now lands on the Connection tab first when the site is not yet connected
   (all tabs remain accessible).
 * Updated the brand logo in the admin header.

#### 1.0.2

 * Text domain now matches the plugin slug (`cookiekita-gdpr-consent-cookie-banner`)
   so the plugin is translatable via the directory.
 * Admin notice-hiding CSS is enqueued via `wp_add_inline_style` instead of an inline
   `<style>` echo.
 * Public `/ping` endpoint no longer exposes configuration state, feature flags 
   or secret status — it returns only a minimal reachability response.
 * The tracker-blocking output buffer is now explicitly closed (paired `ob_start` /
   `ob_end_flush`).
 * Removed an unnecessary `require` of a WordPress core admin file in the DSAR exporter
   path.
 * Documented all optional third-party tag services (with terms/privacy links) in
   the External services section.

#### 1.0.1

 * Security hardening: proof-of-possession required to disconnect, stronger DSAR
   deletion guard (super-admins), reduced anonymous info in the health endpoint,
   and a hardcoded update link.

#### 1.0.0

 * Initial public release.
 * Cookie consent banner with real tracker blocking (37+ services) until consent.
 * Integrations directory + consent-aware tag installer (GA4, GTM, Meta Pixel, and
   more).
 * WooCommerce eCommerce events (view_item, add_to_cart, begin_checkout, purchase),
   fully consent-gated.
 * Google Consent Mode v2 + Microsoft UET Consent Mode, GPC/DNT signals.
 * Cookie declaration and DSAR shortcodes, with optional auto-execution of verified
   requests.
 * One-click “Connect to CookieKita” onboarding, with manual Site Key entry as a
   fallback.

## Meta

 * Version **1.0.8**
 * Last updated **23 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [consent mode](https://wordpress.org/plugins/tags/consent-mode/), [cookie banner](https://wordpress.org/plugins/tags/cookie-banner/),
   [cookie consent](https://wordpress.org/plugins/tags/cookie-consent/), [DSAR](https://wordpress.org/plugins/tags/dsar/),
   [GDPR](https://wordpress.org/plugins/tags/gdpr/)
 *  [Advanced View](https://wordpress.org/plugins/cookiekita-gdpr-consent-cookie-banner/advanced/)
