Plain Cookie Consent

Plain Cookie Consent is a no-frills GDPR + ePrivacy consent banner for WordPress. It ships a single banner, Google Consent Mode v2 defaults, a server-side audit log with pseudonymised subject hashing, a DSAR lookup helper, and constant-gated Meta Pixel / Microsoft Clarity / LinkedIn Insight Tag helpers — all under GPL v2, with no upsells and no external telemetry. The plugin is designed to support a GDPR/ePrivacy-compliant consent setup. Final compliance depends on the site owner's configuration and linked privacy policy. Core compliance features

• Google Consent Mode v2 defaults injected at wp_head priority 1, before any tag manager or gtag snippet.
• Early inline consent replay with a revision gate — consent recorded before a policy revision bump is not replayed; the banner re-prompts instead.
• Server-side audit log (wp_plain_consent_log) with a privacy-preserving SHA-256 subject hash over a daily-rotating salt, and a 730-day default retention purge (filterable via constant).
• Consent revision system with a "Force re-consent for all users now" admin action and strict rollback if the audit insert fails.
• Two-step choice pattern: the first layer offers Accept All and Show Options; the preferences screen (one click away) offers equal-weight Accept All, Reject All, and Save Preferences buttons.
• Server-mirror consent cookie via a cache-safe GET /mirror-nonce endpoint (Cache-Control: no-store), so full-page caching does not break nonce validation.
• Geo targeting: the consent-required region set is the EEA (EU-27 plus Iceland, Liechtenstein, Norway) plus the United Kingdom. Detection uses the Cloudflare CF-IPCountry header when present, with a fail-safe default: if the country cannot be determined, the visitor is treated as in-scope.
• CSV/JSON streamed export of the consent log, plus a pre-uninstall evidence warning with one-click export.
• DSAR lookup admin tool: recompute a visitor's subject hash from IP + User-Agent and list matching consent-log entries (GDPR Art. 15 support).

Integrations

• Meta Pixel: define PLAIN_COOKIE_CONSENT_FACEBOOK_PIXEL_ID in wp-config.php.
• Microsoft Clarity: define PLAIN_COOKIE_CONSENT_CLARITY_PROJECT_ID in wp-config.php.
• LinkedIn Insight Tag: define PLAIN_COOKIE_CONSENT_LINKEDIN_PARTNER_ID in wp-config.php.
• Public window.plainCookieConsent JavaScript API (getCategories, hasConsent, onChange, onGrant, onRevoke) for site-specific vendors.
• Cookie cleanup on revoke with curated defaults for LinkedIn, TikTok, Hotjar, Clarity, Yandex Metrica, and Snapchat (plain_cookie_consent_autoclear_cookies filter).
• localStorage / sessionStorage cleanup on a real granted-to-revoked transition (plain_cookie_consent_clear_storage_keys filter).

Accessibility

• The banner and preferences modal are attested against WCAG 2.1 AA.
• axe-core smoke tests (wcag2a, wcag2aa, wcag21aa tags) run on every push and pull request via GitHub Actions.
• Site-level accessibility remains the operator's responsibility.

Languages Translation catalogs ship for nine languages: English, German, Russian, Spanish, French, Italian, Dutch, Polish, and Portuguese. Banner language auto-resolution covers all nine shipped languages, including regional variants (for example de-AT or pt-BR), with any other locale falling back to English. Any shipped catalog can also be selected explicitly, and translators can override strings the standard WordPress gettext way. Not included

• TCF v2.2 (programmatic publishers).
• Consent analytics dashboards beyond the read-only Consent Health widget.
• Multi-domain consent sync.
• Banner A/B testing.
• Script auto-blocking beyond Consent Mode and the documented vendor helpers.

0.6.3

• Fixed: DSAR lookups now reliably match visitors whose User-Agent contains escaped characters or stray whitespace — the recording and lookup paths now canonicalise the User-Agent identically. Hashes for ordinary User-Agents are unchanged.
• Performance: the Consent Health dashboard widget caches its 7-day counts for a few minutes instead of querying the audit log on every admin page load.
• Internal hardening and cleanup (input unslashing, prefixed uninstall globals).

0.6.2

• Banner language now auto-resolves across all nine shipped locales, including regional variants (for example de-AT or pt-BR), with English fallback.
• Localized the optional data-controller banner label.
• Documented the optional Meta Pixel / Microsoft Clarity / LinkedIn Insight Tag integrations under a new "External services" section.
• Housekeeping: admin notice/menu scripts and styles are now enqueued; the Consent Mode defaults use the standard inline-script API; removed a redundant translation-loading call.

0.6.1

• Added an explicit Disclaimer section (no warranties, operator responsibility, not legal advice).

0.6.0

• localStorage / sessionStorage cleanup on consent revoke (transition-only, filterable allowlist).
• DSAR lookup admin tool (GDPR Art. 15 support).
• Microsoft Clarity helper (constant-gated, analytics consent).
• LinkedIn Insight Tag helper (constant-gated, advertising consent).
• New Diagnostics probes: reCAPTCHA presence, Google Fonts remote loading, policy-version drift.
• Optional data-controller identity line in the banner.
• gettext i18n migration with shipped catalogs for 9 languages (en, de, ru, es, fr, it, nl, pl, pt).
• Optional floating "Cookie Settings" reopen icon (off by default).
• Consent Health dashboard widget (read-only, local data only).
• WCAG 2.1 AA attestation backed by axe-core CI smoke tests.
• Core namespace extraction (ConsentLog, ConsentMirror) with documented public hooks and backwards-compatible class aliases.
• New INTEGRATION.md covering WooCommerce, Stripe, reCAPTCHA, AMP, and page-cache rules.

0.5.2

• Raised the minimum supported PHP to 8.0.
• Documentation clarifications (compliance posture, Switzerland geo stance).

0.5.1

• Documentation hotfix after the 0.5.0 release audit.

0.5.0

• Public window.plainCookieConsent JavaScript API.
• Expanded cookie auto-clear filter for LinkedIn / TikTok / Hotjar / Clarity / Yandex Metrica / Snapchat.
• CSV/JSON audit-log export and pre-uninstall evidence warning.
• Optional YouTube youtube-nocookie.com oEmbed rewrite.
• Rate limit on the /mirror REST endpoint.

0.4.0

• Server-mirror consent cookie, audit log, revision system, and policy version.
• Cache-safe /mirror-nonce endpoint.
• Versioned boot-time migrator and multisite-correct activation/deactivation.
• Early-replay revision gate.