DataFirefly Cookie Consent — Complete Guide
Installation, banner configuration, Google Consent Mode v2, tracker audit and CNIL/Garante log of the DataFirefly Cookie Consent WordPress plugin.
Overview
DataFirefly Cookie Consent is a WordPress and WooCommerce cookie consent management plugin. It combines three building blocks: a GDPR/CNIL/Garante compliant consent banner, native emission of the Google Consent Mode v2 signals before any Google tag, and an audit that detects the trackers actually loaded on your site with an exportable proof log.
Requirements
- WordPress 6.2 or higher
- PHP 8.0 or higher
- WooCommerce 8.0+ (optional — the plugin also works on plain WordPress, HPOS compatibility declared)
- GTM or GA4 already installed if you want to benefit from Consent Mode v2 (the plugin does not install Google tags for you)
Installation
- Download the
df-cookie-consent.zipfile from your DataFirefly account. - In the WordPress admin, go to Plugins → Add New → Upload Plugin, select the ZIP and click Install Now.
- Click Activate. On activation, the plugin creates the
wp_dfcc_consent_loglog table, generates a random salt for IP hashing and schedules two cron tasks (daily log purge and tracker scan). - A new Cookie Consent menu appears in the admin sidebar with four pages: Dashboard, Settings, Audit and Log.
The banner displays immediately on the frontend with the default settings (bar layout at the bottom of the page, light theme, opt-in mode, all 4 categories enabled).
Banner configuration
All settings live in Cookie Consent → Settings.
General behavior
- Enable banner: global plugin switch.
- Mode: opt-in (mandatory in the EU — no non-essential cookie before consent) or opt-out.
- Reject all button at first level: enabled by default, in line with the CNIL recommendation of 17 September 2020. Do not disable it if your audience is European.
- Consent cookie lifetime: 180 days by default. The user’s choice is stored in the
dfcc_consentcookie (encoded, first-party). - Policy version: increment this number when your cookie policy changes substantially — the banner will automatically be shown again to all visitors and the log will record the new version.
Appearance
- Layout: full-width bar, corner card or centered modal.
- Position: top or bottom of the page (for the bar and card layouts).
- Theme: light, dark or auto (follows the visitor’s system preference via prefers-color-scheme).
- Accent color: customizes the main button color.
On mobile (under 640 px), the banner automatically switches to full screen to remain readable. Animations respect prefers-reduced-motion.
Cookie categories
Four categories are preconfigured, each with an editable label and description:
- Necessary (necessary) — always active, not deactivatable by the visitor: cart, session, security.
- Functional (functional) — preferences, language, chat.
- Analytics (analytics) — Google Analytics, Matomo, etc.
- Marketing (marketing) — Google Ads, Meta Pixel, remarketing.
Texts and links
The banner title, introduction text and the labels of the four buttons (Accept all, Reject all, Customize, Save my choices) are editable in the settings. Also fill in the URLs of your privacy policy and cookie policy — they display as discreet links under the buttons. All texts go through the WordPress translation functions: the plugin ships with 5 catalogs (FR, EN, ES, DE, IT) and remains overridable via Loco Translate.
Google Consent Mode v2
This is the technical heart of the plugin. Since March 2024, Google requires European sites to emit the 7 Consent Mode v2 signals to keep measuring Google Ads conversions and building GA4 audiences.
How it works
The plugin prints a gtag('consent', 'default', ...) block in the HTML head with wp_head priority 1 — that is, before any GTM container or GA4 tag loaded the standard way. The 7 emitted signals:
ad_storage,ad_user_data,ad_personalization— driven by the Marketing categoryanalytics_storage— driven by the Analytics categoryfunctionality_storage,personalization_storage— driven by the Functional categorysecurity_storage— always granted (Google recommendation)
The categories → signals mapping is automatic: no manual configuration needed. When the visitor makes their choice, a gtag('consent', 'update', ...) is emitted immediately and the choice is reapplied as the default state on every subsequent page.
Consent Mode settings
- EEA region: by default, the strict deny only applies to the 31 EEA countries (plus United Kingdom and Switzerland) via the gtag region parameter — the rest of the world stays granted. Native Cloudflare detection via the CF-IPCountry header.
- url_passthrough: enabled by default. Preserves the gclid and dclid click identifiers in URLs even on rejection, enabling cookieless conversion measurement.
- ads_data_redaction: enabled by default. Redacts user data sent to Google when ad_storage is denied.
- wait_for_update: 500 ms by default. Delay given to Google tags to wait for the consent update.
Verifying everything works
- Open your site in a private window, open the browser console and type
dataLayer: you should see the consent default entry before the gtm.js entry. - In Google Tag Assistant or GTM Preview mode, the Consent tab should show the 7 signals with their state.
- Accept the banner then type
dataLayeragain: a consent update entry should appear with the new states.
Compliance audit
The Cookie Consent → Audit page runs a scan that fetches your homepage and analyzes the HTML actually served.
What the scan detects
- 23 known trackers: Google Analytics 4, GTM, Meta Pixel, TikTok, LinkedIn, Pinterest, Snapchat, Twitter/X, Bing UET, Matomo, Microsoft Clarity, Hotjar, Mixpanel, Plausible, HubSpot, Intercom, Crisp, Tawk, YouTube, Vimeo, Stripe and others — each classified in its expected consent category.
- 11 at-risk WordPress plugins: MonsterInsights, Site Kit, PixelYourSite, Facebook/Pinterest/TikTok for WooCommerce, HubSpot, MC4WP and other plugins that inject trackers on their own.
- Server-side cookies: snapshot with automatic vendor identification (_ga, _fbp, _gcl, etc.).
Score and recommendations
The scan produces a compliance score from 0 to 100 based on the gap between your declared categories and the trackers actually detected. Issues are classified into three levels — critical, warning, info — each with an actionable recommendation (for example: a marketing tracker detected while the category is disabled in the banner). An automatic scan also runs in the background via the dfcc_cron_scan_trackers cron.
Consent log
The Cookie Consent → Log page lists every consent event recorded in the dedicated wp_dfcc_consent_log table.
Recorded data
- UTC timestamp, persistent anonymous UID (multi-event traceability of the same visitor)
- Event type: accept_all, reject_all, custom, withdraw
- Complete per-category state, policy and banner version
- Double-protected IP: SHA-256 hash with the random salt generated at activation (irreversible), plus IP truncated to /24 (IPv4) or /64 (IPv6) for anonymous analysis
- User agent, page URL, referer, region, language, WordPress user_id if logged in
Filters and export
Filter by period, event type or UID, then export as CSV (UTF-8 BOM, semicolon separator — opens directly in French Excel) or pretty JSON. These exports constitute your proof of consent in the event of a CNIL or Garante inspection.
Retention
By default, the log is kept 1825 days (5 years, the duration recommended by the CNIL). The automatic purge runs nightly via the dfcc_cron_purge_logs cron. Retention is adjustable in the settings. Note: deactivating the plugin preserves the logs (proof of consent); only a complete uninstall via Plugins → Delete purges the table, options and crons.
“Manage my cookies” link in the footer
Regulations require that visitors can change their choice at any time. Two options:
- Shortcode: place
Manage my cookiesin a footer widget or menu — it renders a link that reopens the customization modal. - JavaScript API: call
window.dfcc.open()from any element of your theme.
Developer API
JavaScript API
The global window.dfcc object exposes:
dfcc.open()— opens the customization modaldfcc.accept()— accepts all categoriesdfcc.reject()— rejects all optional categoriesdfcc.withdraw()— withdraws consent (a withdraw event is logged)dfcc.getConsent()— returns the complete consent statedfcc.hasConsent('analytics')— checks a given category (useful to gate your own scripts)
REST endpoint
A POST endpoint is available at wp-json/dfcc/v1/consent to record a consent event from your own code (nonce-protected).
WordPress hooks
dfcc_before_banner_render— action fired before the banner renders (to hide it on certain pages for example)dfcc_after_consent_logged— action fired after every log write (to sync a CRM for example)dfcc_consent_mode_defaults— filter on the default states of the 7 Consent Mode signalsdfcc_scan_trackers_patterns— filter to add your own detection patterns to the scanner
Troubleshooting
- Consent Mode signals do not appear before GTM: check that no performance plugin moves or defers head scripts. The dfcc-consent-mode-default block must remain inline and not deferred.
- The banner reappears on every visit: check that a caching system is not serving a frozen page with an old cookie, and that the cookie lifetime is not set to 0.
- The audit scan fails: the server must be able to make an HTTP request to its own homepage. On some hosts with blocked loopback, allow local requests or check the firewall.
- Logged IPs are Cloudflare’s: the plugin reads CF-Connecting-IP in priority — if the problem persists, check that your server configuration forwards the Cloudflare headers.