CookieKita — GDPR Consent & Cookie Banner
CookieKita is the WordPress companion plugin to cookiekita.com, a GDPR/ePrivacy consent management platform. It does the on-site work — blocking trackers before consent, installing your tags consent-aware, and executing data requests — while the dashboard handles the consent log, cookie scanner and compliance reporting.
What it does
- 🍪 Cookie consent banner — auto-injects the CookieKita banner, localized to the WordPress site language.
- 🛡 Real tracker blocking — holds back Google Analytics, Google Tag Manager, Meta Pixel, Hotjar, Clarity, LinkedIn, TikTok and 30+ other services until the visitor consents. A banner that only shows without blocking is not compliant — CookieKita actually blocks.
- 🔌 Integrations directory — a catalogue of 37 recognised services, each auto-blocked and mapped to the right consent category.
- ⚡ Consent-aware tag installer — paste your GA4 / Meta Pixel / GTM (and many more) ID and CookieKita installs the official tag for you as a blocked script that only fires after the matching consent. You become the bridge, not just the blocker.
- 🛒 WooCommerce eCommerce tracking — automatically sends view_item, add_to_cart, begin_checkout and purchase to GA4 / Google Tag Manager and your ad pixels (Meta, TikTok, Pinterest, Snap, Reddit). Analytics events fire on analytics consent; ad events on marketing consent — fully consent-gated.
- 🟢 Google Consent Mode v2 & Microsoft UET Consent Mode — consent signals are forwarded automatically.
- 🌐 GPC / DNT signals — honours Global Privacy Control and Do Not Track.
- 📊 Cookie declaration shortcode — [cookiekita_cookies] renders a live table of the cookies discovered by the CookieKita scanner.
- 📨 DSAR form shortcode — [cookiekita_dsar] adds a GDPR data-subject-request form to any page.
- 🤖 Auto-execute DSAR (opt-in) — verified deletion/export requests are executed via the WordPress Personal Data API and WooCommerce privacy hooks, with an audit log.
Requirements
- A free or paid account at cookiekita.com.
- Your Site Key (32 hex characters) from the CookieKita dashboard. If you download the plugin from your dashboard, the key is pre-configured for you.
External services
This plugin connects to the CookieKita service (cookiekita.com) — it is a companion plugin for that platform and requires a CookieKita account to function. The connection is used for the features below.
1. Banner script & configuration — On every front-end page the plugin loads the consent banner script from https://cookiekita.com/banner.js and fetches your banner configuration and cookie list from https://cookiekita.com/functions/v1/. Your public Site Key is sent so the correct configuration is returned. No personal data is sent for this.
2. Connection / heartbeat — When you save your Site Key (and roughly once a day afterwards) the plugin sends your site URL, plugin version, WordPress version and PHP version to https://cookiekita.com/functions/v1/verify-wp-site so the dashboard can show connection status and register the DSAR webhook. It also checks whether the site was disconnected from the dashboard.
3. DSAR webhook — When auto-execute DSAR is enabled, CookieKita sends signed data-subject requests (containing the requester’s email) to the plugin so they can be fulfilled on your site.
By using this plugin you agree to the CookieKita Terms of Service (https://cookiekita.com/terms) and Privacy Policy (https://cookiekita.com/privacy).
Optional third-party tags (only loaded if you enable them)
CookieKita does not load any of the third-party services below by default. The consent-aware tag installer loads a provider’s official script only when you, the site administrator, enter that provider’s ID / enable it, and even then the script is held back until the visitor gives the matching consent (analytics or marketing). When a tag fires, the visitor’s browser loads the provider’s script directly and that provider receives standard analytics/advertising data (e.g. page views, events, IP address, cookie/device identifiers) — what is sent and when is determined by that provider. Review each provider’s terms and privacy policy before enabling it:
- Google (Tag Manager, gtag, GA4) — googletagmanager.com — terms: https://policies.google.com/terms — privacy: https://policies.google.com/privacy
- Meta Pixel (Facebook) — connect.facebook.net — terms: https://www.facebook.com/legal/terms/ — privacy: https://www.facebook.com/privacy/policy/
- Microsoft Clarity / UET — clarity.ms — terms: https://www.microsoft.com/legal/terms-of-use — privacy: https://privacy.microsoft.com/privacystatement
- TikTok — analytics.tiktok.com — terms: https://www.tiktok.com/legal/terms-of-service — privacy: https://www.tiktok.com/legal/privacy-policy
- LinkedIn Insight — snap.licdn.com — terms: https://www.linkedin.com/legal/user-agreement — privacy: https://www.linkedin.com/legal/privacy-policy
- X (Twitter) Ads — static.ads-twitter.com — terms: https://legal.twitter.com/ads-terms.html — privacy: https://twitter.com/en/privacy
- Pinterest Tag — s.pinimg.com — terms: https://policy.pinterest.com/terms-of-service — privacy: https://policy.pinterest.com/privacy-policy
- Snap Pixel — sc-static.net — terms: https://snap.com/terms — privacy: https://snap.com/privacy/privacy-policy
- Reddit Pixel — redditstatic.com — terms: https://www.redditinc.com/policies/user-agreement — privacy: https://www.reddit.com/policies/privacy-policy
- Amazon Ads — c.amazon-adsystem.com — terms: https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 — privacy: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
- Criteo — static.criteo.net — terms: https://www.criteo.com/terms-and-conditions/ — privacy: https://www.criteo.com/privacy/
- Outbrain — amplify.outbrain.com — terms: https://www.outbrain.com/onyx/term-of-use/ — privacy: https://www.outbrain.com/privacy/
- Taboola — cdn.taboola.com — terms: https://policies.taboola.com/terms-of-service/ — privacy: https://policies.taboola.com/privacy-policy/
- Hotjar — static.hotjar.com — terms: https://www.hotjar.com/legal/policies/terms-of-service/ — privacy: https://www.hotjar.com/legal/policies/privacy/
- Segment (Twilio) — cdn.segment.com — terms: https://www.twilio.com/en-us/legal/tos — privacy: https://www.twilio.com/en-us/legal/privacy
- Heap — cdn.heapanalytics.com — terms: https://www.heap.io/terms — privacy: https://www.heap.io/privacy
- Amplitude — cdn.amplitude.com — terms: https://amplitude.com/terms — privacy: https://amplitude.com/privacy
- Mixpanel — cdn.mxpnl.com — terms: https://mixpanel.com/legal/terms-of-use/ — privacy: https://mixpanel.com/legal/privacy-policy/
- FullStory — fullstory.com — terms: https://www.fullstory.com/legal/terms-and-conditions/ — privacy: https://www.fullstory.com/legal/privacy-policy/
- Crazy Egg — script.crazyegg.com — terms: https://www.crazyegg.com/terms — privacy: https://www.crazyegg.com/privacy
- Mouseflow — cdn.mouseflow.com — terms: https://mouseflow.com/legal/terms/ — privacy: https://mouseflow.com/legal/privacy-policy/
- Inspectlet — cdn.inspectlet.com — terms: https://www.inspectlet.com/terms-of-service — privacy: https://www.inspectlet.com/terms-of-service
- Plausible Analytics — plausible.io — terms: https://plausible.io/terms — privacy: https://plausible.io/privacy
- PostHog — posthog.com — terms: https://posthog.com/terms — privacy: https://posthog.com/privacy
- Simple Analytics — simpleanalyticscdn.com — terms: https://www.simpleanalytics.com/terms — privacy: https://www.simpleanalytics.com/privacy-policy
- HubSpot — js.hs-scripts.com — terms: https://legal.hubspot.com/terms-of-service — privacy: https://legal.hubspot.com/privacy-policy
- Intercom — widget.intercom.io — terms: https://www.intercom.com/legal/terms-and-policies — privacy: https://www.intercom.com/legal/privacy
- Drift — js.driftt.com — terms: https://www.drift.com/terms-of-service/ — privacy: https://www.drift.com/privacy-policy/
- Crisp — client.crisp.chat — terms: https://crisp.chat/en/terms/ — privacy: https://crisp.chat/en/privacy/
- Tawk.to — embed.tawk.to — terms: https://www.tawk.to/terms-of-service/ — privacy: https://www.tawk.to/privacy-policy/
- LiveChat — cdn.livechatinc.com — terms: https://www.livechat.com/legal/terms/ — privacy: https://www.livechat.com/legal/privacy-policy/
- Zendesk — static.zdassets.com — terms: https://www.zendesk.com/company/agreements-and-terms/master-subscription-agreement/ — privacy: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/
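A check a site owner can run against the blocking behaviour described above, as an added example that is not CookieKita's code: it scans the HTML served to a first-time visitor for scripts from the provider hosts listed here that the browser would execute without waiting for consent. It assumes held-back tags are served with a non-JavaScript type such as text/plain (a common consent-manager convention, not confirmed by this page); the sample markup and the data-category attribute are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subset of the provider script hosts listed on this page.
TRACKER_HOSTS = ("googletagmanager.com", "connect.facebook.net", "clarity.ms",
                 "analytics.tiktok.com", "snap.licdn.com", "static.hotjar.com")
# Common type values that make a browser execute the script; other values
# (for example text/plain) leave the tag inert.
EXECUTABLE_TYPES = {"", "module", "text/javascript", "application/javascript"}

# Constructed first-visit markup; data-category is a hypothetical attribute.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-category="marketing"
        src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script type="text/plain" data-category="analytics"
        src="https://static.hotjar.com/c/hotjar-0.js"></script>
</head></html>"""

def tracker_host(src):
    """Return the listed host that src belongs to, or None."""
    host = (urlparse(src).hostname or "").lower()
    for listed in TRACKER_HOSTS:
        # Exact host or a subdomain of it; a plain suffix match would also
        # accept look-alikes such as "evilgoogletagmanager.com".
        if host == listed or host.endswith("." + listed):
            return listed
    return None

class ScriptAudit(HTMLParser):
    """Collects tracker <script src> tags the browser would execute."""

    def __init__(self):
        super().__init__()
        self.unblocked = []  # (listed host, src)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        host = tracker_host(attr.get("src") or "") if tag == "script" else None
        script_type = (attr.get("type") or "").strip().lower()
        if host and script_type in EXECUTABLE_TYPES:
            self.unblocked.append((host, attr["src"]))

def unblocked_trackers(html):
    """Tracker scripts that load on first visit, before any consent choice."""
    audit = ScriptAudit()
    audit.feed(html)
    return audit.unblocked
```

This inspects static markup only: a tag injected by another script at runtime does not appear here, so pair it with a browser network log from a fresh session.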
