Title: Plain Cookie Consent
Author: Ontario
Published: June 16, 2026
Last modified: June 16, 2026
---
Search plugins
# Plain Cookie Consent
By [Ontario](https://profiles.wordpress.org/ontario777/)
[Download](https://downloads.wordpress.org/plugin/plain-cookie-consent.0.6.3.zip)
* [Details](https://wordpress.org/plugins/plain-cookie-consent/#description)
* [Reviews](https://wordpress.org/plugins/plain-cookie-consent/#reviews)
* [Installation](https://wordpress.org/plugins/plain-cookie-consent/#installation)
* [Development](https://wordpress.org/plugins/plain-cookie-consent/#developers)
[Support](https://wordpress.org/support/plugin/plain-cookie-consent/)
## Description
Plain Cookie Consent is a no-frills GDPR + ePrivacy consent banner for WordPress.
It ships a single banner, Google Consent Mode v2 defaults, a server-side audit log
with pseudonymised subject hashing, a DSAR lookup helper, and constant-gated Meta
Pixel / Microsoft Clarity / LinkedIn Insight Tag helpers — all under GPL v2, with
no upsells and no external telemetry.
The plugin is designed to support a GDPR/ePrivacy-compliant consent setup. Final
compliance depends on the site owner’s configuration and linked privacy policy.
#### Core compliance features
* Google Consent Mode v2 defaults injected at `wp_head` priority 1, before any
tag manager or gtag snippet.
* Early inline consent replay with a revision gate — consent recorded before a
policy revision bump is not replayed; the banner re-prompts instead.
* Server-side audit log (`wp_plain_consent_log`) with a privacy-preserving SHA-
256 subject hash over a daily-rotating salt, and a 730-day default retention
purge (filterable via constant).
* Consent revision system with a “Force re-consent for all users now” admin action
and strict rollback if the audit insert fails.
* Two-step choice pattern: the first layer offers Accept All and Show Options;
the preferences screen (one click away) offers equal-weight Accept All, Reject
All, and Save Preferences buttons.
* Server-mirror consent cookie via a cache-safe `GET /mirror-nonce` endpoint (`
Cache-Control: no-store`), so full-page caching does not break nonce validation.
* Geo targeting: the consent-required region set is the EEA (EU-27 plus Iceland,
Liechtenstein, Norway) plus the United Kingdom. Detection uses the Cloudflare`
CF-IPCountry` header when present, with a fail-safe default: if the country cannot
be determined, the visitor is treated as in-scope.
* CSV/JSON streamed export of the consent log, plus a pre-uninstall evidence warning
with one-click export.
* DSAR lookup admin tool: recompute a visitor’s subject hash from IP + User-Agent
and list matching consent-log entries (GDPR Art. 15 support).
#### Integrations
* Meta Pixel: define `PLAIN_COOKIE_CONSENT_FACEBOOK_PIXEL_ID` in `wp-config.php`.
* Microsoft Clarity: define `PLAIN_COOKIE_CONSENT_CLARITY_PROJECT_ID` in `wp-config.
php`.
* LinkedIn Insight Tag: define `PLAIN_COOKIE_CONSENT_LINKEDIN_PARTNER_ID` in `wp-
config.php`.
* Public `window.plainCookieConsent` JavaScript API (`getCategories`, `hasConsent`,`
onChange`, `onGrant`, `onRevoke`) for site-specific vendors.
* Cookie cleanup on revoke with curated defaults for LinkedIn, TikTok, Hotjar,
Clarity, Yandex Metrica, and Snapchat (`plain_cookie_consent_autoclear_cookies`
filter).
* `localStorage` / `sessionStorage` cleanup on a real granted-to-revoked transition(`
plain_cookie_consent_clear_storage_keys` filter).
#### Accessibility
* The banner and preferences modal are attested against WCAG 2.1 AA.
* axe-core smoke tests (`wcag2a`, `wcag2aa`, `wcag21aa` tags) run on every push
and pull request via GitHub Actions.
* Site-level accessibility remains the operator’s responsibility.
#### Languages
Translation catalogs ship for nine languages: English, German, Russian, Spanish,
French, Italian, Dutch, Polish, and Portuguese. Banner language auto-resolution
covers all nine shipped languages, including regional variants (for example de-AT
or pt-BR), with any other locale falling back to English. Any shipped catalog can
also be selected explicitly, and translators can override strings the standard WordPress
gettext way.
#### Not included
* TCF v2.2 (programmatic publishers).
* Consent analytics dashboards beyond the read-only Consent Health widget.
* Multi-domain consent sync.
* Banner A/B testing.
* Script auto-blocking beyond Consent Mode and the documented vendor helpers.
### External services
This plugin has no telemetry and never sends data to its own or the author’s servers.
Consent records stay in your own WordPress database.
The plugin can optionally load three well-known third-party marketing/analytics
tags **on your behalf**. Each one is OFF by default and only ever loads when BOTH
of the following are true:
1. You explicitly enable it by defining the matching constant in `wp-config.php`,
and
2. The visitor grants the relevant consent category in the banner.
If you do not define these constants, the plugin makes no third-party requests at
all. Once enabled, the tag still loads only after the visitor grants the relevant
consent category in the banner.
#### Meta (Facebook) Pixel
Optional advertising measurement. Enabled by defining `PLAIN_COOKIE_CONSENT_FACEBOOK_PIXEL_ID`.
When a visitor grants **advertising** consent, the plugin loads `https://connect.
facebook.net/en_US/fbevents.js` and initialises the Pixel with your Pixel ID. From
then on, on each page view, Meta receives standard Pixel data: your Pixel ID, the
page URL and referrer, the visitor’s IP address and browser/user-agent, and a PageView
event. Nothing is sent before advertising consent.
Provider: Meta Platforms, Inc.
Privacy Policy: https://www.facebook.com/privacy/policy/ — Business Tools Terms:
https://www.facebook.com/legal/terms/businesstools
#### Microsoft Clarity
Optional session analytics (heatmaps and session insights). Enabled by defining `
PLAIN_COOKIE_CONSENT_CLARITY_PROJECT_ID`. When a visitor grants **analytics** consent,
the plugin loads `https://www.clarity.ms/tag/`. From then on, on
each page view, Microsoft receives Clarity analytics data: your project ID, the
page URL, the visitor’s IP address and browser/user-agent, and interaction events
such as clicks and scrolls. Nothing is sent before analytics consent.
Provider:
Microsoft Corporation. Privacy Statement: https://www.microsoft.com/privacy/privacystatement—
Clarity Terms of Service: https://clarity.microsoft.com/terms
#### LinkedIn Insight Tag
Optional advertising measurement on LinkedIn. Enabled by defining `PLAIN_COOKIE_CONSENT_LINKEDIN_PARTNER_ID`.
When a visitor grants **advertising** consent, the plugin loads `https://snap.licdn.
com/li.lms-analytics/insight.min.js` with your Partner ID. From then on, on each
page view, LinkedIn receives Insight Tag data: your Partner ID, the page URL, and
the visitor’s IP address and browser/user-agent. Nothing is sent before advertising
consent.
Provider: LinkedIn Corporation. Privacy Policy: https://www.linkedin.com/
legal/privacy-policy — LinkedIn Ads Agreement: https://www.linkedin.com/legal/ads-
agreement
### Disclaimer
This plugin is provided “as is”, free of charge, for evaluation and use at
the
site operator’s own discretion and risk.
* The site operator alone chooses which plugins to install and run on their
site,
and bears full responsibility for that choice and its consequences.
* The plugin is offered for informational and evaluation purposes. The
authors
make no guarantees and no promises of any kind — including correctness, completeness,
fitness for a particular purpose, or uninterrupted operation.
* Software may contain errors. Any errors, malfunctions, data loss, or
legal consequences
arising from the use of this plugin are the sole responsibility of the site operator.
* Nothing in this plugin or its documentation constitutes legal advice.
The plugin
is designed to support a GDPR/ePrivacy-oriented consent setup, but it does not
and cannot guarantee legal compliance of any specific site — final compliance
always depends on the operator’s configuration, vendors, and policies.
* The warranty disclaimer and limitation of liability are governed by
sections
11 and 12 of the GNU GPL v2 license that ships with this plugin.
## Screenshots
[⌊Consent banner — first layer.⌉⌊Consent banner — first layer.⌉[
Consent banner — first layer.
[⌊Cookie preferences modal — equal-weight Accept / Reject.⌉⌊Cookie preferences modal—
equal-weight Accept / Reject.⌉[
Cookie preferences modal — equal-weight Accept / Reject.
[⌊Settings page — Privacy Policy URL, consent revision, policy version, controller
name.⌉⌊Settings page — Privacy Policy URL, consent revision, policy version, controller
name.⌉[
Settings page — Privacy Policy URL, consent revision, policy version, controller
name.
[⌊Diagnostics panel — checks including policy-version drift, Google Fonts, and reCAPTCHA
presence.⌉⌊Diagnostics panel — checks including policy-version drift, Google Fonts,
and reCAPTCHA presence.⌉[
Diagnostics panel — checks including policy-version drift, Google Fonts, and reCAPTCHA
presence.
[⌊Consent Health dashboard widget.⌉⌊Consent Health dashboard widget.⌉[
Consent Health dashboard widget.
## Installation
1. Upload the `plain-cookie-consent` folder to `/wp-content/plugins/`.
2. Activate the plugin via the Plugins menu.
3. Visit Settings Plain Cookie Consent to configure the Privacy Policy URL, policy
version, and optional data-controller name.
4. For Meta Pixel / Microsoft Clarity / LinkedIn Insight: define the relevant constant
in `wp-config.php`.
## FAQ
### Is reCAPTCHA covered?
The plugin does not auto-gate reCAPTCHA, because its legal basis is context-dependent:
on contact forms it generally requires consent, while as payment anti-fraud it may
be consent-exempt. The Diagnostics “reCAPTCHA / security CAPTCHA” probe flags its
presence so you can decide. The bundled docs/INTEGRATION.md documents gating patterns.
### Is Switzerland covered?
No. Switzerland (CH) is deliberately excluded from the consent-required region set.
The Swiss revFADP has no prior-consent rule for cookies equivalent to ePrivacy Art.
5(3), so Swiss traffic falls under the rest-of-world (granted-by-default) branch.
The in-scope set is the EEA (EU-27 + Iceland, Liechtenstein, Norway) plus the United
Kingdom.
### Does the plugin collect any data itself?
No. There is no external telemetry. Consent records stay in your own WordPress database,
with the subject identifier stored only as a salted SHA-256 hash.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“Plain Cookie Consent” is open source software. The following people have contributed
to this plugin.
Contributors
* [ Ontario ](https://profiles.wordpress.org/ontario777/)
“Plain Cookie Consent” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/plain-cookie-consent/contributors)
for their contributions.
[Translate “Plain Cookie Consent” into your language.](https://translate.wordpress.org/projects/wp-plugins/plain-cookie-consent)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/plain-cookie-consent/),
check out the [SVN repository](https://plugins.svn.wordpress.org/plain-cookie-consent/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/plain-cookie-consent/)
by [RSS](https://plugins.trac.wordpress.org/log/plain-cookie-consent/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 0.6.3
* Fixed: DSAR lookups now reliably match visitors whose User-Agent contains escaped
characters or stray whitespace — the recording and lookup paths now canonicalise
the User-Agent identically. Hashes for ordinary User-Agents are unchanged.
* Performance: the Consent Health dashboard widget caches its 7-day counts for
a few minutes instead of querying the audit log on every admin page load.
* Internal hardening and cleanup (input unslashing, prefixed uninstall globals).
#### 0.6.2
* Banner language now auto-resolves across all nine shipped locales, including
regional variants (for example de-AT or pt-BR), with English fallback.
* Localized the optional data-controller banner label.
* Documented the optional Meta Pixel / Microsoft Clarity / LinkedIn Insight Tag
integrations under a new “External services” section.
* Housekeeping: admin notice/menu scripts and styles are now enqueued; the Consent
Mode defaults use the standard inline-script API; removed a redundant translation-
loading call.
#### 0.6.1
* Added an explicit Disclaimer section (no warranties, operator responsibility,
not legal advice).
#### 0.6.0
* localStorage / sessionStorage cleanup on consent revoke (transition-only, filterable
allowlist).
* DSAR lookup admin tool (GDPR Art. 15 support).
* Microsoft Clarity helper (constant-gated, analytics consent).
* LinkedIn Insight Tag helper (constant-gated, advertising consent).
* New Diagnostics probes: reCAPTCHA presence, Google Fonts remote loading, policy-
version drift.
* Optional data-controller identity line in the banner.
* gettext i18n migration with shipped catalogs for 9 languages (en, de, ru, es,
fr, it, nl, pl, pt).
* Optional floating “Cookie Settings” reopen icon (off by default).
* Consent Health dashboard widget (read-only, local data only).
* WCAG 2.1 AA attestation backed by axe-core CI smoke tests.
* Core namespace extraction (`ConsentLog`, `ConsentMirror`) with documented public
hooks and backwards-compatible class aliases.
* New INTEGRATION.md covering WooCommerce, Stripe, reCAPTCHA, AMP, and page-cache
rules.
#### 0.5.2
* Raised the minimum supported PHP to 8.0.
* Documentation clarifications (compliance posture, Switzerland geo stance).
#### 0.5.1
* Documentation hotfix after the 0.5.0 release audit.
#### 0.5.0
* Public `window.plainCookieConsent` JavaScript API.
* Expanded cookie auto-clear filter for LinkedIn / TikTok / Hotjar / Clarity /
Yandex Metrica / Snapchat.
* CSV/JSON audit-log export and pre-uninstall evidence warning.
* Optional YouTube `youtube-nocookie.com` oEmbed rewrite.
* Rate limit on the `/mirror` REST endpoint.
#### 0.4.0
* Server-mirror consent cookie, audit log, revision system, and policy version.
* Cache-safe `/mirror-nonce` endpoint.
* Versioned boot-time migrator and multisite-correct activation/deactivation.
* Early-replay revision gate.
## Meta
* Version **0.6.3**
* Last updated **9 hours ago**
* Active installations **Fewer than 10**
* WordPress version ** 6.0 or higher **
* Tested up to **7.0**
* PHP version ** 8.0 or higher **
* Languages
* [English (US)](https://wordpress.org/plugins/plain-cookie-consent/) and [Russian](https://ru.wordpress.org/plugins/plain-cookie-consent/).
* [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/plain-cookie-consent)
* Tags
* [consent mode](https://wordpress.org/plugins/tags/consent-mode/)[cookie consent](https://wordpress.org/plugins/tags/cookie-consent/)
[ePrivacy](https://wordpress.org/plugins/tags/eprivacy/)[GDPR](https://wordpress.org/plugins/tags/gdpr/)
[privacy](https://wordpress.org/plugins/tags/privacy/)
* [Advanced View](https://wordpress.org/plugins/plain-cookie-consent/advanced/)
## Ratings
No reviews have been submitted yet.
[Your review](https://wordpress.org/support/plugin/plain-cookie-consent/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/plain-cookie-consent/reviews/)
## Contributors
* [ Ontario ](https://profiles.wordpress.org/ontario777/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/plain-cookie-consent/)