Plain Cookie Consent

Description

Plain Cookie Consent is a no-frills GDPR + ePrivacy consent banner for WordPress. It ships a single banner, Google Consent Mode v2 defaults, a server-side audit log with pseudonymised subject hashing, a DSAR lookup helper, and constant-gated Meta Pixel / Microsoft Clarity / LinkedIn Insight Tag helpers — all under GPL v2, with no upsells and no external telemetry.

The plugin is designed to support a GDPR/ePrivacy-compliant consent setup. Final compliance depends on the site owner’s configuration and linked privacy policy.

Core compliance features

• Google Consent Mode v2 defaults injected at wp_head priority 1, before any tag manager or gtag snippet.
• Early inline consent replay with a revision gate — consent recorded before a policy revision bump is not replayed; the banner re-prompts instead.
• Server-side audit log (wp_plain_consent_log) with a privacy-preserving SHA-256 subject hash over a daily-rotating salt, and a 730-day default retention purge (filterable via constant).
• Consent revision system with a “Force re-consent for all users now” admin action and strict rollback if the audit insert fails.
• Two-step choice pattern: the first layer offers Accept All and Show Options; the preferences screen (one click away) offers equal-weight Accept All, Reject All, and Save Preferences buttons.
• Server-mirror consent cookie via a cache-safe GET /mirror-nonce endpoint (Cache-Control: no-store), so full-page caching does not break nonce validation.
• Geo targeting: the consent-required region set is the EEA (EU-27 plus Iceland, Liechtenstein, Norway) plus the United Kingdom. Detection uses the Cloudflare CF-IPCountry header when present, with a fail-safe default: if the country cannot be determined, the visitor is treated as in-scope.
• CSV/JSON streamed export of the consent log, plus a pre-uninstall evidence warning with one-click export.
• DSAR lookup admin tool: recompute a visitor’s subject hash from IP + User-Agent and list matching consent-log entries (GDPR Art. 15 support).

Integrations

• Meta Pixel: define PLAIN_COOKIE_CONSENT_FACEBOOK_PIXEL_ID in wp-config.php.
• Microsoft Clarity: define PLAIN_COOKIE_CONSENT_CLARITY_PROJECT_ID in wp-config.php.
• LinkedIn Insight Tag: define PLAIN_COOKIE_CONSENT_LINKEDIN_PARTNER_ID in wp-config.php.
• Public window.plainCookieConsent JavaScript API (getCategories, hasConsent, onChange, onGrant, onRevoke) for site-specific vendors.
• Cookie cleanup on revoke with curated defaults for LinkedIn, TikTok, Hotjar, Clarity, Yandex Metrica, and Snapchat (plain_cookie_consent_autoclear_cookies filter).
• localStorage / sessionStorage cleanup on a real granted-to-revoked transition (plain_cookie_consent_clear_storage_keys filter).

Accessibility

• The banner and preferences modal are attested against WCAG 2.1 AA.
• axe-core smoke tests (wcag2a, wcag2aa, wcag21aa tags) run on every push and pull request via GitHub Actions.
• Site-level accessibility remains the operator’s responsibility.

Languages

Translation catalogs ship for nine languages: English, German, Russian, Spanish, French, Italian, Dutch, Polish, and Portuguese. Banner language auto-resolution covers all nine shipped languages, including regional variants (for example de-AT or pt-BR), with any other locale falling back to English. Any shipped catalog can also be selected explicitly, and translators can override strings the standard WordPress gettext way.

Not included

• TCF v2.2 (programmatic publishers).
• Consent analytics dashboards beyond the read-only Consent Health widget.
• Multi-domain consent sync.
• Banner A/B testing.
• Script auto-blocking beyond Consent Mode and the documented vendor helpers.

External services

This plugin has no telemetry and never sends data to its own or the author’s servers. Consent records stay in your own WordPress database.

The plugin can optionally load three well-known third-party marketing/analytics tags on your behalf. Each one is OFF by default and only ever loads when BOTH of the following are true:

1. You explicitly enable it by defining the matching constant in wp-config.php, and
2. The visitor grants the relevant consent category in the banner.

If you do not define these constants, the plugin makes no third-party requests at all. Once enabled, the tag still loads only after the visitor grants the relevant consent category in the banner.

Meta (Facebook) Pixel

Optional advertising measurement. Enabled by defining PLAIN_COOKIE_CONSENT_FACEBOOK_PIXEL_ID. When a visitor grants advertising consent, the plugin loads https://connect.facebook.net/en_US/fbevents.js and initialises the Pixel with your Pixel ID. From then on, on each page view, Meta receives standard Pixel data: your Pixel ID, the page URL and referrer, the visitor’s IP address and browser/user-agent, and a PageView event. Nothing is sent before advertising consent.
Provider: Meta Platforms, Inc. Privacy Policy: https://www.facebook.com/privacy/policy/ — Business Tools Terms: https://www.facebook.com/legal/terms/businesstools

Microsoft Clarity

Optional session analytics (heatmaps and session insights). Enabled by defining PLAIN_COOKIE_CONSENT_CLARITY_PROJECT_ID. When a visitor grants analytics consent, the plugin loads https://www.clarity.ms/tag/<your-project-id>. From then on, on each page view, Microsoft receives Clarity analytics data: your project ID, the page URL, the visitor’s IP address and browser/user-agent, and interaction events such as clicks and scrolls. Nothing is sent before analytics consent.
Provider: Microsoft Corporation. Privacy Statement: https://www.microsoft.com/privacy/privacystatement — Clarity Terms of Service: https://clarity.microsoft.com/terms

LinkedIn Insight Tag

Optional advertising measurement on LinkedIn. Enabled by defining PLAIN_COOKIE_CONSENT_LINKEDIN_PARTNER_ID. When a visitor grants advertising consent, the plugin loads https://snap.licdn.com/li.lms-analytics/insight.min.js with your Partner ID. From then on, on each page view, LinkedIn receives Insight Tag data: your Partner ID, the page URL, and the visitor’s IP address and browser/user-agent. Nothing is sent before advertising consent.
Provider: LinkedIn Corporation. Privacy Policy: https://www.linkedin.com/legal/privacy-policy — LinkedIn Ads Agreement: https://www.linkedin.com/legal/ads-agreement

Disclaimer

This plugin is provided “as is”, free of charge, for evaluation and use at
the site operator’s own discretion and risk.

• The site operator alone chooses which plugins to install and run on their
  site, and bears full responsibility for that choice and its consequences.
• The plugin is offered for informational and evaluation purposes. The
  authors make no guarantees and no promises of any kind — including
  correctness, completeness, fitness for a particular purpose, or
  uninterrupted operation.
• Software may contain errors. Any errors, malfunctions, data loss, or
  legal consequences arising from the use of this plugin are the sole
  responsibility of the site operator.
• Nothing in this plugin or its documentation constitutes legal advice.
  The plugin is designed to support a GDPR/ePrivacy-oriented consent setup,
  but it does not and cannot guarantee legal compliance of any specific
  site — final compliance always depends on the operator’s configuration,
  vendors, and policies.
• The warranty disclaimer and limitation of liability are governed by
  sections 11 and 12 of the GNU GPL v2 license that ships with this plugin.