Title: GDPR
Last modified: May 20, 2026

---

# GDPR

 *  Resolved [Henrik Thue Nielsen](https://wordpress.org/support/users/webministeren/)
 * (@webministeren)
 * [2 weeks, 5 days ago](https://wordpress.org/support/topic/gdpr-256/)
 * Hi,
 * I am writing regarding a concern I discovered with your plugin ‘Website LLMs.
   txt’ (v8.4.0), installed on my WordPress site.
 * While investigating unknown cookies appearing on my website, I traced them back
   to your plugin. I found that the plugin automatically injects the following third-
   party tracking script into every page of my site:
 * [https://cdn.visibilitykit.ai/t/3c870d4c0489a25d/vk.js?ver=8.4.0](https://cdn.visibilitykit.ai/t/3c870d4c0489a25d/vk.js?ver=8.4.0)
 * This script sets the following analytics cookies on all visitors:
    - _vk_attr_first (first-touch attribution data)
    - _vk_landing (landing page URL)
    - _vk_referrer (traffic referrer)
    - _vk_session_id (session identifier)
    - _vk_vid (visitor identifier)
 * I have since found the ‘Disconnect from Visibility Kit’ option in the plugin 
   settings and have disabled the tracking. However, I would like to raise the following
   concerns:
    1. Opt-in vs. opt-out: The tracking is enabled by default upon installation, with
       no clear notification to the site owner. Under GDPR, this should be opt-in, 
       not opt-out. Site owners should be explicitly informed during setup that VisibilityKit
       tracking will be activated.
    2. No CMP integration guidance: There is no documentation explaining how to integrate
       the tracking script with a Consent Management Platform (CMP) such as Cookiebot,
       Complianz, or similar. Under GDPR, analytics cookies must not fire until the
       visitor has given explicit consent. Without CMP guidance, site owners are unknowingly
       violating GDPR.
    3. No cookie declaration guidance: There is no information provided on how to properly
       declare the VisibilityKit cookies (_vk_*) in a cookie policy. Site owners need
       documentation describing what each cookie does, its duration, and its purpose,
       so they can correctly declare them in their cookie consent setup.
 * I would kindly suggest the following improvements to the plugin:
    - Clearly inform site owners during installation/setup that VisibilityKit tracking
      will be enabled
    - Make tracking opt-in rather than opt-out by default
    - Provide documentation on how to integrate with common CMPs to ensure cookies
      only fire after consent is given
    - Provide a cookie declaration reference listing all _vk_* cookies, their purpose,
      and their lifetime
 * These changes would go a long way in helping site owners remain GDPR compliant
   when using your plugin.
 * All the best and THANK YOU for providing this plugin after all! NB. I would be
   happy to support a paid PRO version of the plugin.
 * Best regards
   Henrik

Viewing 1 replies (of 1 total)

 *  Plugin Author [Ryan Howard](https://wordpress.org/support/users/ryhowa/)
 * (@ryhowa)
 * [2 days ago](https://wordpress.org/support/topic/gdpr-256/#post-18930549)
 * Hi [@webministeren](https://wordpress.org/support/users/webministeren/) 
   Thanks
   for the detailed note, and for supporting the plugin. I want to clarify the most
   important point: the Visibility Kit tracking is not enabled by default. On a 
   fresh install the plugin sets no cookies and loads no third-party scripts. The`
   vk.js` script (and the `_vk_*` cookies) only load after an administrator enters
   an email address and clicks “Connect to Visibility Kit” in the settings. That
   connection step is what activated it on your site. You can switch it off completely
   at any time with “Disconnect from Visibility Kit,” which you found, and that 
   removes the script and stops the cookies. As of 8.4.1 we’ve added documentation
   listing every `_vk_*` cookie (`_vk_vid`, `_vk_session_id`, `_vk_attr_first`, `
   _vk_landing`, `_vk_referrer`) so you can declare them in your cookie policy, 
   plus guidance to connect only after wiring the script into your CMP (Cookiebot,
   Complianz, etc.) so the cookies fire post-consent. We’re also reviewing the wording
   at the connect step to make the cookie/script behavior clearer before you opt
   in. Appreciate you flagging it.

Viewing 1 replies (of 1 total)

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fgdpr-256%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/website-llms-txt/assets/icon-256x256.png?rev=3322182)
 * [Website LLMs.txt](https://wordpress.org/plugins/website-llms-txt/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/website-llms-txt/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/website-llms-txt/)
 * [Active Topics](https://wordpress.org/support/plugin/website-llms-txt/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/website-llms-txt/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/website-llms-txt/reviews/)

 * 1 reply
 * 2 participants
 * Last reply from: [Ryan Howard](https://wordpress.org/support/users/ryhowa/)
 * Last activity: [2 days ago](https://wordpress.org/support/topic/gdpr-256/#post-18930549)
 * Status: resolved