WP WordPress Beginner

DataFirefly Cookie Consent — Complete Guide

Installation, banner configuration, Google Consent Mode v2, tracker audit and CNIL/Garante log of the DataFirefly Cookie Consent WordPress plugin.

Updated Module version 1.0.0

Overview

DataFirefly Cookie Consent is a WordPress and WooCommerce cookie consent management plugin. It combines three building blocks: a GDPR/CNIL/Garante compliant consent banner, native emission of the Google Consent Mode v2 signals before any Google tag, and an audit that detects the trackers actually loaded on your site with an exportable proof log.

Requirements

  • WordPress 6.2 or higher
  • PHP 8.0 or higher
  • WooCommerce 8.0+ (optional — the plugin also works on plain WordPress, HPOS compatibility declared)
  • GTM or GA4 already installed if you want to benefit from Consent Mode v2 (the plugin does not install Google tags for you)

Installation

  1. Download the df-cookie-consent.zip file from your DataFirefly account.
  2. In the WordPress admin, go to Plugins → Add New → Upload Plugin, select the ZIP and click Install Now.
  3. Click Activate. On activation, the plugin creates the wp_dfcc_consent_log log table, generates a random salt for IP hashing and schedules two cron tasks (daily log purge and tracker scan).
  4. A new Cookie Consent menu appears in the admin sidebar with four pages: Dashboard, Settings, Audit and Log.

The banner displays immediately on the frontend with the default settings (bar layout at the bottom of the page, light theme, opt-in mode, all 4 categories enabled).

All settings live in Cookie Consent → Settings.

General behavior

  • Enable banner: global plugin switch.
  • Mode: opt-in (mandatory in the EU — no non-essential cookie before consent) or opt-out.
  • Reject all button at first level: enabled by default, in line with the CNIL recommendation of 17 September 2020. Do not disable it if your audience is European.
  • Consent cookie lifetime: 180 days by default. The user’s choice is stored in the dfcc_consent cookie (encoded, first-party).
  • Policy version: increment this number when your cookie policy changes substantially — the banner will automatically be shown again to all visitors and the log will record the new version.

Appearance

  • Layout: full-width bar, corner card or centered modal.
  • Position: top or bottom of the page (for the bar and card layouts).
  • Theme: light, dark or auto (follows the visitor’s system preference via prefers-color-scheme).
  • Accent color: customizes the main button color.

On mobile (under 640 px), the banner automatically switches to full screen to remain readable. Animations respect prefers-reduced-motion.

Four categories are preconfigured, each with an editable label and description:

  • Necessary (necessary) — always active, not deactivatable by the visitor: cart, session, security.
  • Functional (functional) — preferences, language, chat.
  • Analytics (analytics) — Google Analytics, Matomo, etc.
  • Marketing (marketing) — Google Ads, Meta Pixel, remarketing.

The banner title, introduction text and the labels of the four buttons (Accept all, Reject all, Customize, Save my choices) are editable in the settings. Also fill in the URLs of your privacy policy and cookie policy — they display as discreet links under the buttons. All texts go through the WordPress translation functions: the plugin ships with 5 catalogs (FR, EN, ES, DE, IT) and remains overridable via Loco Translate.

This is the technical heart of the plugin. Since March 2024, Google requires European sites to emit the 7 Consent Mode v2 signals to keep measuring Google Ads conversions and building GA4 audiences.

How it works

The plugin prints a gtag('consent', 'default', ...) block in the HTML head with wp_head priority 1 — that is, before any GTM container or GA4 tag loaded the standard way. The 7 emitted signals:

  • ad_storage, ad_user_data, ad_personalization — driven by the Marketing category
  • analytics_storage — driven by the Analytics category
  • functionality_storage, personalization_storage — driven by the Functional category
  • security_storage — always granted (Google recommendation)

The categories → signals mapping is automatic: no manual configuration needed. When the visitor makes their choice, a gtag('consent', 'update', ...) is emitted immediately and the choice is reapplied as the default state on every subsequent page.

  • EEA region: by default, the strict deny only applies to the 31 EEA countries (plus United Kingdom and Switzerland) via the gtag region parameter — the rest of the world stays granted. Native Cloudflare detection via the CF-IPCountry header.
  • url_passthrough: enabled by default. Preserves the gclid and dclid click identifiers in URLs even on rejection, enabling cookieless conversion measurement.
  • ads_data_redaction: enabled by default. Redacts user data sent to Google when ad_storage is denied.
  • wait_for_update: 500 ms by default. Delay given to Google tags to wait for the consent update.

Verifying everything works

  1. Open your site in a private window, open the browser console and type dataLayer: you should see the consent default entry before the gtm.js entry.
  2. In Google Tag Assistant or GTM Preview mode, the Consent tab should show the 7 signals with their state.
  3. Accept the banner then type dataLayer again: a consent update entry should appear with the new states.

Compliance audit

The Cookie Consent → Audit page runs a scan that fetches your homepage and analyzes the HTML actually served.

What the scan detects

  • 23 known trackers: Google Analytics 4, GTM, Meta Pixel, TikTok, LinkedIn, Pinterest, Snapchat, Twitter/X, Bing UET, Matomo, Microsoft Clarity, Hotjar, Mixpanel, Plausible, HubSpot, Intercom, Crisp, Tawk, YouTube, Vimeo, Stripe and others — each classified in its expected consent category.
  • 11 at-risk WordPress plugins: MonsterInsights, Site Kit, PixelYourSite, Facebook/Pinterest/TikTok for WooCommerce, HubSpot, MC4WP and other plugins that inject trackers on their own.
  • Server-side cookies: snapshot with automatic vendor identification (_ga, _fbp, _gcl, etc.).

Score and recommendations

The scan produces a compliance score from 0 to 100 based on the gap between your declared categories and the trackers actually detected. Issues are classified into three levels — critical, warning, info — each with an actionable recommendation (for example: a marketing tracker detected while the category is disabled in the banner). An automatic scan also runs in the background via the dfcc_cron_scan_trackers cron.

The Cookie Consent → Log page lists every consent event recorded in the dedicated wp_dfcc_consent_log table.

Recorded data

  • UTC timestamp, persistent anonymous UID (multi-event traceability of the same visitor)
  • Event type: accept_all, reject_all, custom, withdraw
  • Complete per-category state, policy and banner version
  • Double-protected IP: SHA-256 hash with the random salt generated at activation (irreversible), plus IP truncated to /24 (IPv4) or /64 (IPv6) for anonymous analysis
  • User agent, page URL, referer, region, language, WordPress user_id if logged in

Filters and export

Filter by period, event type or UID, then export as CSV (UTF-8 BOM, semicolon separator — opens directly in French Excel) or pretty JSON. These exports constitute your proof of consent in the event of a CNIL or Garante inspection.

Retention

By default, the log is kept 1825 days (5 years, the duration recommended by the CNIL). The automatic purge runs nightly via the dfcc_cron_purge_logs cron. Retention is adjustable in the settings. Note: deactivating the plugin preserves the logs (proof of consent); only a complete uninstall via Plugins → Delete purges the table, options and crons.

Regulations require that visitors can change their choice at any time. Two options:

  • Shortcode: place Manage my cookies in a footer widget or menu — it renders a link that reopens the customization modal.
  • JavaScript API: call window.dfcc.open() from any element of your theme.

Developer API

JavaScript API

The global window.dfcc object exposes:

  • dfcc.open() — opens the customization modal
  • dfcc.accept() — accepts all categories
  • dfcc.reject() — rejects all optional categories
  • dfcc.withdraw() — withdraws consent (a withdraw event is logged)
  • dfcc.getConsent() — returns the complete consent state
  • dfcc.hasConsent('analytics') — checks a given category (useful to gate your own scripts)

REST endpoint

A POST endpoint is available at wp-json/dfcc/v1/consent to record a consent event from your own code (nonce-protected).

WordPress hooks

  • dfcc_before_banner_render — action fired before the banner renders (to hide it on certain pages for example)
  • dfcc_after_consent_logged — action fired after every log write (to sync a CRM for example)
  • dfcc_consent_mode_defaults — filter on the default states of the 7 Consent Mode signals
  • dfcc_scan_trackers_patterns — filter to add your own detection patterns to the scanner

Troubleshooting

  • Consent Mode signals do not appear before GTM: check that no performance plugin moves or defers head scripts. The dfcc-consent-mode-default block must remain inline and not deferred.
  • The banner reappears on every visit: check that a caching system is not serving a frozen page with an old cookie, and that the cookie lifetime is not set to 0.
  • The audit scan fails: the server must be able to make an HTTP request to its own homepage. On some hosts with blocked loopback, allow local requests or check the firewall.
  • Logged IPs are Cloudflare’s: the plugin reads CF-Connecting-IP in priority — if the problem persists, check that your server configuration forwards the Cloudflare headers.
Was this page helpful?

Still stuck? Contact support