
CookieKita — GDPR Consent & Cookie Banner

GDPR cookie consent banner with real tracker blocking, Google Consent Mode v2, consent-aware tag installer, DSAR handling and WooCommerce tracking.
Version: 1.0.8
Last updated: Jul 4, 2026

CookieKita is the WordPress companion plugin to cookiekita.com, a GDPR/ePrivacy consent management platform. It does the on-site work — blocking trackers before consent, installing your tags consent-aware, and executing data requests — while the dashboard handles the consent log, cookie scanner and compliance reporting.

What it does

  • 🍪 Cookie consent banner — auto-injects the CookieKita banner, localized to the WordPress site language.
  • 🛡 Real tracker blocking — holds back Google Analytics, Google Tag Manager, Meta Pixel, Hotjar, Clarity, LinkedIn, TikTok and 30+ other services until the visitor consents. A banner that only shows without blocking is not compliant — CookieKita actually blocks.
  • 🔌 Integrations directory — a catalogue of 37 recognised services, each auto-blocked and mapped to the right consent category.
  • Consent-aware tag installer — paste your GA4 / Meta Pixel / GTM (and many more) ID and CookieKita installs the official tag for you as a blocked script that only fires after the matching consent. You become the bridge, not just the blocker.
  • 🛒 WooCommerce eCommerce tracking — automatically sends view_item, add_to_cart, begin_checkout and purchase to GA4 / Google Tag Manager and your ad pixels (Meta, TikTok, Pinterest, Snap, Reddit). Analytics events fire on analytics consent; ad events on marketing consent — fully consent-gated.
  • 🟢 Google Consent Mode v2 & Microsoft UET Consent Mode — consent signals are forwarded automatically.
  • 🌐 GPC / DNT signals — honours Global Privacy Control and Do Not Track.
  • 📊 Cookie declaration shortcode: [cookiekita_cookies] renders a live table of the cookies discovered by the CookieKita scanner.
  • 📨 DSAR form shortcode: [cookiekita_dsar] adds a GDPR data-subject-request form to any page.
  • 🤖 Auto-execute DSAR (opt-in) — verified deletion/export requests are executed via the WordPress Personal Data API and WooCommerce privacy hooks, with an audit log.
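
As an added illustration of the consent gating described in the WooCommerce and GPC items above (this is not CookieKita's code; the gate API, the destination map and the treatment of a GPC signal as a marketing refusal are assumptions made for the example), events are held per consent category, released only after an opt-in, and dropped on refusal so they are never replayed later:

```javascript
// Hypothetical map: which consent category each destination requires.
const DESTINATION_CATEGORY = { ga4: "analytics", meta: "marketing", tiktok: "marketing" };

function createConsentGate({ gpc = false, send }) {
  const consent = { analytics: null, marketing: null }; // null = no choice yet
  if (gpc) consent.marketing = false; // assumption: GPC counts as a marketing refusal
  let held = [];

  function flush() {
    const keep = [];
    for (const ev of held) {
      if (consent[ev.category] === true) send(ev.destination, ev.name, ev.params);
      else if (consent[ev.category] === null) keep.push(ev);
      // explicit refusal: the event is dropped and never replayed
    }
    held = keep;
  }

  return {
    track(name, params, destinations) {
      for (const destination of destinations) {
        const category = DESTINATION_CATEGORY[destination];
        // Unmapped destinations fail closed: nothing is queued or sent.
        if (category) held.push({ destination, category, name, params });
      }
      flush();
    },
    update(choices) {
      for (const category of Object.keys(consent)) {
        if (gpc && category === "marketing") continue; // GPC wins over a banner click
        if (typeof choices[category] === "boolean") consent[category] = choices[category];
      }
      flush();
    },
    pending: () => held.length,
  };
}

// Constructed shop session: two events before the banner choice, one after.
function demo(gpc) {
  const sent = [];
  const gate = createConsentGate({ gpc, send: (d, n) => sent.push(`${d}:${n}`) });
  gate.track("view_item", { item_id: "SKU-1" }, ["ga4", "meta"]);
  gate.track("add_to_cart", { item_id: "SKU-1" }, ["ga4", "tiktok"]);
  const beforeConsent = sent.length;
  gate.update({ analytics: true, marketing: true });
  gate.track("purchase", { value: 19.9 }, ["ga4", "meta", "unknown_pixel"]);
  return { beforeConsent, sent, pending: gate.pending() };
}
console.log(demo(false).sent, demo(true).sent);
```
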

Requirements

  • A free or paid account at cookiekita.com.
  • Your Site Key (32 hex characters) from the CookieKita dashboard. If you download the plugin from your dashboard, the key is pre-configured for you.

External services

This plugin connects to the CookieKita service (cookiekita.com) — it is a companion plugin for that platform and requires a CookieKita account to function. The connection is used for the features below.

1. Banner script & configuration — On every front-end page the plugin loads the consent banner script from https://cookiekita.com/banner.js and fetches your banner configuration and cookie list from https://cookiekita.com/functions/v1/. Your public Site Key is sent so the correct configuration is returned. No personal data is sent for this.

2. Connection / heartbeat — When you save your Site Key (and roughly once a day afterwards) the plugin sends your site URL, plugin version, WordPress version and PHP version to https://cookiekita.com/functions/v1/verify-wp-site so the dashboard can show connection status and register the DSAR webhook. It also checks whether the site was disconnected from the dashboard.

3. DSAR webhook — When auto-execute DSAR is enabled, CookieKita sends signed data-subject requests (containing the requester’s email) to the plugin so they can be fulfilled on your site.

By using this plugin you agree to the CookieKita Terms of Service (https://cookiekita.com/terms) and Privacy Policy (https://cookiekita.com/privacy).

Optional third-party tags (only loaded if you enable them)

CookieKita does not load any of the third-party services below by default. The consent-aware tag installer loads a provider’s official script only when you, the site administrator, enter that provider’s ID / enable it, and even then the script is held back until the visitor gives the matching consent (analytics or marketing). When a tag fires, the visitor’s browser loads the provider’s script directly and that provider receives standard analytics/advertising data (e.g. page views, events, IP address, cookie/device identifiers) — what is sent and when is determined by that provider. Review each provider’s terms and privacy policy before enabling it:

  • Google (Tag Manager, gtag, GA4) — googletagmanager.com — terms: https://policies.google.com/terms — privacy: https://policies.google.com/privacy
  • Meta Pixel (Facebook) — connect.facebook.net — terms: https://www.facebook.com/legal/terms/ — privacy: https://www.facebook.com/privacy/policy/
  • Microsoft Clarity / UET — clarity.ms — terms: https://www.microsoft.com/legal/terms-of-use — privacy: https://privacy.microsoft.com/privacystatement
  • TikTok — analytics.tiktok.com — terms: https://www.tiktok.com/legal/terms-of-service — privacy: https://www.tiktok.com/legal/privacy-policy
  • LinkedIn Insight — snap.licdn.com — terms: https://www.linkedin.com/legal/user-agreement — privacy: https://www.linkedin.com/legal/privacy-policy
  • X (Twitter) Ads — static.ads-twitter.com — terms: https://legal.twitter.com/ads-terms.html — privacy: https://twitter.com/en/privacy
  • Pinterest Tag — s.pinimg.com — terms: https://policy.pinterest.com/terms-of-service — privacy: https://policy.pinterest.com/privacy-policy
  • Snap Pixel — sc-static.net — terms: https://snap.com/terms — privacy: https://snap.com/privacy/privacy-policy
  • Reddit Pixel — redditstatic.com — terms: https://www.redditinc.com/policies/user-agreement — privacy: https://www.reddit.com/policies/privacy-policy
  • Amazon Ads — c.amazon-adsystem.com — terms: https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 — privacy: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
  • Criteo — static.criteo.net — terms: https://www.criteo.com/terms-and-conditions/ — privacy: https://www.criteo.com/privacy/
  • Outbrain — amplify.outbrain.com — terms: https://www.outbrain.com/onyx/term-of-use/ — privacy: https://www.outbrain.com/privacy/
  • Taboola — cdn.taboola.com — terms: https://policies.taboola.com/terms-of-service/ — privacy: https://policies.taboola.com/privacy-policy/
  • Hotjar — static.hotjar.com — terms: https://www.hotjar.com/legal/policies/terms-of-service/ — privacy: https://www.hotjar.com/legal/policies/privacy/
  • Segment (Twilio) — cdn.segment.com — terms: https://www.twilio.com/en-us/legal/tos — privacy: https://www.twilio.com/en-us/legal/privacy
  • Heap — cdn.heapanalytics.com — terms: https://www.heap.io/terms — privacy: https://www.heap.io/privacy
  • Amplitude — cdn.amplitude.com — terms: https://amplitude.com/terms — privacy: https://amplitude.com/privacy
  • Mixpanel — cdn.mxpnl.com — terms: https://mixpanel.com/legal/terms-of-use/ — privacy: https://mixpanel.com/legal/privacy-policy/
  • FullStory — fullstory.com — terms: https://www.fullstory.com/legal/terms-and-conditions/ — privacy: https://www.fullstory.com/legal/privacy-policy/
  • Crazy Egg — script.crazyegg.com — terms: https://www.crazyegg.com/terms — privacy: https://www.crazyegg.com/privacy
  • Mouseflow — cdn.mouseflow.com — terms: https://mouseflow.com/legal/terms/ — privacy: https://mouseflow.com/legal/privacy-policy/
  • Inspectlet — cdn.inspectlet.com — terms: https://www.inspectlet.com/terms-of-service — privacy: https://www.inspectlet.com/terms-of-service
  • Plausible Analytics — plausible.io — terms: https://plausible.io/terms — privacy: https://plausible.io/privacy
  • PostHog — posthog.com — terms: https://posthog.com/terms — privacy: https://posthog.com/privacy
  • Simple Analytics — simpleanalyticscdn.com — terms: https://www.simpleanalytics.com/terms — privacy: https://www.simpleanalytics.com/privacy-policy
  • HubSpot — js.hs-scripts.com — terms: https://legal.hubspot.com/terms-of-service — privacy: https://legal.hubspot.com/privacy-policy
  • Intercom — widget.intercom.io — terms: https://www.intercom.com/legal/terms-and-policies — privacy: https://www.intercom.com/legal/privacy
  • Drift — js.driftt.com — terms: https://www.drift.com/terms-of-service/ — privacy: https://www.drift.com/privacy-policy/
  • Crisp — client.crisp.chat — terms: https://crisp.chat/en/terms/ — privacy: https://crisp.chat/en/privacy/
  • Tawk.to — embed.tawk.to — terms: https://www.tawk.to/terms-of-service/ — privacy: https://www.tawk.to/privacy-policy/
  • LiveChat — cdn.livechatinc.com — terms: https://www.livechat.com/legal/terms/ — privacy: https://www.livechat.com/legal/privacy-policy/
  • Zendesk — static.zdassets.com — terms: https://www.zendesk.com/company/agreements-and-terms/master-subscription-agreement/ — privacy: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/
Free on paid plans
Tested up to: WordPress 7.0