Under European privacy law, you cannot set tracking cookies, analytics cookies, or marketing cookies on a visitor's browser without their explicit, informed consent. This is not optional, and violations carry serious fines. The good news is that setting up a proper cookie consent solution in WordPress takes about 30 minutes once you understand the requirements. This guide covers the legal basis, the technical implementation, and common mistakes that can get you in trouble.
What the GDPR and ePrivacy Directive Actually Require
Two pieces of EU legislation govern how websites handle cookies. The GDPR (General Data Protection Regulation) establishes the rules for processing personal data, while the ePrivacy Directive (often called the "Cookie Directive") specifically addresses the storage of information on a user's device. Together, they create a clear framework:
- Article 6 GDPR (Lawful Basis): You need a lawful basis to process personal data. For cookies that track users, the relevant basis is consent under Article 6(1)(a). Legitimate interest (Article 6(1)(f)) does not apply to non-essential cookies according to most European data protection authorities.
- Article 7 GDPR (Conditions for Consent): Consent must be freely given, specific, informed, and unambiguous. It must be an active opt-in (no pre-checked boxes). Withdrawing consent must be as easy as giving it.
- ePrivacy Directive (Article 5(3)): Storing or accessing information on a user's device (including cookies, localStorage, and similar technologies) requires prior consent, unless the cookie is strictly necessary for the service the user explicitly requested.
In practice, this means: no analytics, no marketing pixels, no social media embeds, no embedded videos from third parties, and no advertising cookies until the user clicks "Accept." Strictly necessary cookies (like session cookies for a shopping cart or authentication cookies) do not require consent.
Understanding Cookie Categories
A proper consent implementation categorizes cookies into groups so users can make granular choices. Here are the standard categories:
- Strictly Necessary (Essential): Cookies required for basic site functionality. Examples include session cookies (e.g., the WordPress login cookie wordpress_logged_in_*), WooCommerce cart cookies, CSRF tokens, and the cookie consent preference cookie itself. These do not require consent and cannot be rejected by the user.
- Functional (Preferences): Cookies that remember user preferences like language selection, theme preference, or region. These are not strictly necessary but enhance the user experience. They require consent.
- Analytics (Statistics): Cookies set by tools like Google Analytics, Matomo, or Plausible that measure how visitors use your site. Even "anonymous" analytics cookies typically require consent in the EU, unless you use a privacy-focused tool that does not set cookies at all (like Plausible or Fathom in cookieless mode).
- Marketing (Advertising): Cookies from advertising networks, retargeting platforms, and social media pixels (Facebook Pixel, Google Ads, LinkedIn Insight Tag). These always require consent.
Setting Up Complianz (Recommended for Most Sites)
- Install Complianz - GDPR/CCPA Cookie Consent from the WordPress plugin directory.
- Run the setup wizard. Complianz asks about your business location, the regions you serve, and which third-party services you use. Answer honestly, as the wizard generates your cookie policy and consent configuration based on these answers.
- The plugin automatically scans your site to detect cookies. Review the scan results and categorize any cookies it could not identify automatically.
- Configure the consent banner design under Complianz > Consent Banner. Choose between a banner at the top or bottom, a centered popup, or a side panel. Make sure the "Reject All" button is equally prominent as the "Accept All" button (this is a legal requirement).
- Enable script blocking. Complianz can automatically block known scripts (Google Analytics, Facebook Pixel, YouTube embeds) until the user gives consent. Go to Integrations and verify that your third-party services are listed.
- For custom scripts that Complianz does not recognize, wrap them with the Complianz placeholder. Change the script type from text/javascript to text/plain and add a data-category attribute.
- Test by opening your site in an incognito window. Before accepting cookies, verify that no analytics or marketing scripts are loaded (check the Network tab in browser DevTools). After accepting, verify that the scripts load correctly.
Setting Up Real Cookie Banner (Best for DACH Region)
Real Cookie Banner is a German-developed plugin that takes a service-based approach rather than a cookie-based approach. Instead of categorizing individual cookies, you configure each service (Google Analytics, YouTube, Google Maps, etc.) and the plugin handles the rest. This approach aligns well with the German interpretation of the GDPR.
- Install Real Cookie Banner from the WordPress plugin directory.
- Run the setup wizard. The plugin includes a large database of pre-configured service templates, so you do not need to manually enter cookie names or retention periods for common services.
- For each detected service, the plugin provides legally vetted descriptions, data processing details, and cookie information. Review these and adjust if needed.
- Configure the consent banner layout. Real Cookie Banner offers extensive customization options for colors, button styles, and text.
- The plugin generates a content blocker for embedded content (YouTube videos, Google Maps, social media embeds). Visitors see a placeholder with a consent prompt instead of the embedded content.
Setting Up CookieYes
- Install CookieYes | GDPR Cookie Consent from the WordPress plugin directory or sign up at cookieyes.com.
- Run the automatic cookie scan. CookieYes identifies cookies on your site and categorizes them.
- Customize the banner appearance, button colors, and text in the CookieYes dashboard.
- Configure script blocking for each cookie category. CookieYes supports both automatic and manual script blocking.
- CookieYes also provides a cookie policy generator that you can embed on your privacy policy page.
Google Consent Mode v2 Integration
If you use Google services (Analytics, Ads, Tag Manager), you need to implement Google Consent Mode v2. Since March 2024, Google requires Consent Mode for sites that serve ads to EEA users. Without it, Google Ads will not collect data from users in the European Economic Area.
Consent Mode v2 adds two new parameters, ad_user_data and ad_personalization, to the original analytics_storage and ad_storage:
- ad_user_data: Controls whether user data can be sent to Google for advertising purposes.
- ad_personalization: Controls whether personalized advertising (remarketing) is allowed.
- analytics_storage: Controls whether analytics cookies can be set.
- ad_storage: Controls whether advertising cookies can be set.
All three recommended plugins (Complianz, Real Cookie Banner, CookieYes) support Google Consent Mode v2 out of the box. Make sure you enable it in the plugin settings. When a user has not given consent, Consent Mode sends "cookieless pings" to Google that provide aggregate, modeled data without identifying individual users.
TCF 2.2 and the IAB Framework
The Transparency and Consent Framework (TCF) version 2.2, managed by the Interactive Advertising Bureau (IAB), is a standardized protocol for communicating user consent to advertising vendors. If you run programmatic advertising on your site (Google AdSense, header bidding, ad networks), your consent solution should support TCF 2.2. This ensures that ad networks receive consent signals in a standardized format they can process.
Not all free consent plugins support TCF 2.2. Complianz includes TCF support in its premium version. CookieYes also offers TCF 2.2 in its paid plans. If you rely on ad revenue, this is worth the investment.
Handling Google Analytics and Tag Manager with Consent
The most common setup involves loading Google Tag Manager (GTM) with Consent Mode v2 as the default state, then updating consent when the user interacts with your banner. Here is the pattern:
<!-- Load GTM with default consent state (denied) -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'wait_for_update': 500
});
</script>

Your consent plugin then calls gtag('consent', 'update', {...}) when the user accepts. If you use one of the recommended WordPress plugins, this is handled automatically. You do not need to write this code manually.
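As an added example (not code from this guide or from any of the plugins it describes), here is the whole pattern in one place: the banner's category choices mapped to the Consent Mode v2 signals pushed to the dataLayer, plus the decision of which text/plain-blocked scripts (the Complianz-style wrapping described under Setting Up Complianz) may be activated once consent arrives. The dataLayer is a plain array so it runs outside a browser; the category names statistics and marketing, and the sample script list, are assumptions.

```javascript
const dataLayer = [];                       // stands in for window.dataLayer
function gtag() { dataLayer.push(Array.from(arguments)); }

// Banner categories -> Consent Mode v2 signals. ad_user_data and
// ad_personalization are the two parameters added in v2; both follow the
// marketing choice, analytics_storage follows the statistics choice.
function consentFromChoices(choices) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: g(choices.statistics === true),
    ad_storage: g(choices.marketing === true),
    ad_user_data: g(choices.marketing === true),
    ad_personalization: g(choices.marketing === true),
  };
}

// Default state pushed before the banner is answered: everything denied,
// with a short grace period for the banner to deliver an update.
function setDefaultConsent() {
  gtag('consent', 'default', { ...consentFromChoices({}), wait_for_update: 500 });
}

// Called when the user submits the banner ("Accept All", "Reject All" or a
// granular selection). Returns the signal that was pushed to the dataLayer.
function updateConsent(choices) {
  const signal = consentFromChoices(choices);
  gtag('consent', 'update', signal);
  return signal;
}

// Decide which blocked scripts (type="text/plain" plus a data-category) may be
// switched back to text/javascript. A script with no category stays blocked
// rather than running by default; the category names are an assumption here.
function scriptsToActivate(blockedScripts, choices) {
  return blockedScripts.filter(
    (s) => s.type === 'text/plain' && s.category !== null && choices[s.category] === true
  );
}

// Constructed sample of <script> elements as a banner would find them in the DOM.
const sampleScripts = [
  { src: 'https://www.googletagmanager.com/gtag/js', type: 'text/plain', category: 'statistics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', type: 'text/plain', category: 'marketing' },
  { src: '/wp-includes/js/jquery/jquery.min.js', type: 'text/javascript', category: null },
];
```

Accepting only analytics leaves all three ad_* signals denied and activates only the statistics script, which is exactly what the "Manage Preferences" test under Testing Your Cookie Consent Implementation checks for.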
Auditing Your Site's Cookies Manually
Before setting up a consent solution, it helps to know exactly what cookies your site sets. Here is how to audit them:
- Open your site in an incognito browser window.
- Open DevTools (F12) and go to the Application tab (Chrome) or Storage tab (Firefox).
- Under Cookies, click your domain. Note every cookie name, its domain, expiry, and whether it is HttpOnly or Secure.
- Browse through several pages, including pages with embedded content (YouTube videos, Google Maps, social media feeds). Each interaction may set additional cookies.
- Check localStorage and sessionStorage as well, since these are also covered by the ePrivacy Directive.
- Use your browser's Network tab to identify which requests set cookies (look for Set-Cookie response headers).
InspectWP can help with this audit. Run a scan and check the cookies section, which lists all cookies detected during the crawl.
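The manual audit above can be turned into a repeatable check. The following is an added example (not part of this guide and not InspectWP's code): it parses Set-Cookie headers captured before any consent was given, records the fields the audit asks you to note, and reports every cookie that is not strictly necessary. The name-to-category table and the sample headers are constructed for illustration.

```javascript
// Name-to-category table, an assumption for illustration: the WordPress login prefix is
// from the guide; _ga (Google Analytics) and _fbp (Facebook Pixel) are well-known names.
const COOKIE_CATEGORIES = [
  { pattern: /^wordpress_logged_in_/, category: 'necessary' },
  { pattern: /^_ga/, category: 'analytics' },   // matches _ga and _ga_<id>
  { pattern: /^_fbp$/, category: 'marketing' },
];

// Parse one Set-Cookie header value into the fields the manual audit records:
// name, Domain, expiry (Expires or Max-Age), HttpOnly and Secure.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = { name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
                   domain: null, expires: null, maxAge: null, httpOnly: false, secure: false };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const value = rest.join('=');
    switch (key.toLowerCase()) {
      case 'domain': cookie.domain = value; break;
      case 'expires': cookie.expires = value; break;
      case 'max-age': cookie.maxAge = Number(value); break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
    }
  }
  return cookie;
}

// Unrecognised cookies are reported as 'unknown': they need manual review, not a free pass.
function categorize(name) {
  const hit = COOKIE_CATEGORIES.find((c) => c.pattern.test(name));
  return hit ? hit.category : 'unknown';
}

// Audit Set-Cookie headers captured before any consent was given; anything
// that is not strictly necessary is a finding.
function auditPreConsentCookies(headers) {
  return headers.map(parseSetCookie)
    .map((c) => ({ ...c, category: categorize(c.name) }))
    .filter((c) => c.category !== 'necessary');
}
// Constructed sample: headers as copied from the Network tab of a fresh incognito session.
const SAMPLE_HEADERS = [
  'wordpress_logged_in_abc123=user%7C1700000000; Path=/; HttpOnly; Secure',
  '_ga=GA1.1.123456789.1700000000; Domain=.example.com; Max-Age=63072000; Path=/',
  '_fbp=fb.1.1700000000000.123456789; Domain=.example.com; Expires=Wed, 01 May 2024 00:00:00 GMT; Path=/',
  'theme_pref=dark; Path=/; Max-Age=2592000',
];
```

On the sample, the login cookie passes while the analytics, marketing and unclassified preference cookies are all reported; any of them appearing before the banner is answered is the "setting cookies before consent" mistake described below.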
Common Cookie Consent Mistakes That Lead to Fines
European data protection authorities have issued significant fines for cookie violations. Here are the most common mistakes to avoid:
- Pre-checked consent boxes: The CJEU (Court of Justice of the European Union) ruled in the Planet49 case (2019) that pre-checked boxes do not constitute valid consent. Every non-essential category must be opt-in.
- Cookie walls: Blocking access to your site unless users accept all cookies is considered coercion and invalidates consent. Users must be able to access your content even if they reject all non-essential cookies.
- Confusing reject buttons: Making the "Reject" button small, gray, or hidden behind a "Manage Preferences" link while the "Accept All" button is large and colorful is a dark pattern. The French CNIL fined Google 150 million euros partly for this. Both buttons should be equally visible.
- No way to withdraw consent: Users must be able to change their cookie preferences at any time. Include a persistent link or icon (often a small shield or cookie icon in the corner) that reopens the consent dialog.
- Setting cookies before consent: If your analytics script fires before the consent banner is even displayed, you are violating the law regardless of how nice your banner looks. Use your browser's DevTools to verify timing.
- Ignoring consent for embedded content: YouTube embeds, Google Maps iframes, and social media widgets all set cookies. You need to block these until consent is given, typically by replacing the embed with a placeholder.
Testing Your Cookie Consent Implementation
After setting up your consent solution, test it thoroughly:
- Open your site in incognito mode. The consent banner should appear immediately.
- Before interacting with the banner, check DevTools for cookies. You should only see strictly necessary cookies.
- Click "Reject All." No analytics or marketing cookies should be set. Navigate through several pages to confirm.
- Clear cookies and reload. Click "Accept All." Verify that analytics and marketing scripts now load correctly.
- Clear cookies again. Click "Manage Preferences" and accept only analytics. Verify that marketing cookies are not set but analytics cookies are.
- After accepting, look for the option to withdraw consent. Click it and verify that non-essential cookies are removed.
Verify Your Cookie Setup with InspectWP
Run an InspectWP scan to see a complete list of cookies your site sets during a page load. The GDPR section flags third-party cookies and external resources that may require consent. If you see Google Analytics cookies, Facebook cookies, or other tracking cookies in the InspectWP report, verify that your consent solution is properly blocking them before consent is given. Remember that InspectWP crawls your site without giving cookie consent, so any tracking cookies that appear in the report indicate a potential compliance issue.