Set Up Cookie Consent

Install a cookie consent banner that actually blocks tracking until visitors opt in.

If you use cookies for analytics, advertising, or personalization, you need a cookie consent banner. This isn’t optional for EU visitors, and it’s increasingly expected everywhere.

The good news: A free plugin handles this in 30 minutes.

What this covers: When cookie consent is legally required, how to set up a compliant consent banner using free plugins or third-party tools, and how to verify that tracking scripts are properly blocked until users opt in.

Who it’s for: Site owners using analytics, advertising pixels, or any form of visitor tracking.

Key outcome: You’ll have a working cookie consent banner that blocks marketing and analytics cookies until visitors explicitly accept, with proper category controls and compliance documentation.

Time to read: 5 minutes

Part of: Privacy & Compliance series

Do You Need Cookie Consent?

You need a cookie consent banner if:

  • You have EU/UK visitors (GDPR requires it)
  • You have California visitors (CCPA/CPRA recommends it)
  • You use Google Analytics, Meta Pixel, or any tracking
  • You use personalization or advertising cookies

You don’t need consent for:

  • Necessary cookies (login sessions, shopping cart)
  • Security cookies (CSRF protection)

The practical answer: If you have a website with any analytics or marketing tools, add a consent banner. It takes 30 minutes and protects you from liability.

The 30-Minute Setup

For WordPress:

  • Complianz (free) – Full-featured, auto-detects cookies, blocks scripts until consent
  • CookieYes (free tier) – Simple setup, good for basic compliance
  • Cookie Notice (free) – Lightweight option for simple sites

  1. Install your chosen plugin
  2. Run the setup wizard
  3. Let it scan your site for cookies
  4. Categorize: Necessary (always on) vs. Marketing (needs consent)
  5. Customize banner appearance if desired
  6. Test in incognito: decline cookies, verify GA doesn’t load

For Shopify:

For any platform:

Cost: Free to $20/month for most sites. Enterprise solutions (OneTrust, TrustArc) run $300+/month.

What Consent Actually Means

Compliant consent requires:

  • Prior consent: Marketing/analytics cookies must NOT load until user clicks Accept
  • Real choice: “Reject All” must be as prominent as “Accept All”
  • Granular control: Users should be able to accept some categories, reject others
  • Easy withdrawal: Users can change their mind later
  • Record keeping: You should log when consent was given

Common mistake: Banners that say “We use cookies” with only an “OK” button. That’s not consent—that’s notification. GDPR requires actual choice.

Cookie Categories

Standard categories for your banner:

  • Necessary: Login, cart, security. Always on, no consent needed.
  • Analytics: Google Analytics, Hotjar. Needs consent.
  • Marketing: Facebook Pixel, Google Ads, retargeting. Needs consent.
  • Functional: Preferences, language settings. Usually needs consent.
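
How the consent requirements and the four categories above fit together, as an added example (not code from any of the plugins named in this guide). The store, function and tag names are hypothetical; the sample tag inventory is constructed.

```javascript
// Added example: category keys follow the banner list above; all names are hypothetical.
const CATEGORIES = ["necessary", "analytics", "marketing", "functional"];

function createConsentStore(now = () => new Date().toISOString()) {
  // Prior consent: every non-necessary category starts denied.
  const state = { necessary: true, analytics: false, marketing: false, functional: false };
  const records = []; // append-only log for audit documentation

  function record(action) {
    records.push({ at: now(), action, state: { ...state } });
  }

  return {
    // Granular control: the visitor may accept some categories and reject others.
    decide(choices) {
      for (const cat of CATEGORIES) {
        if (cat === "necessary") continue;    // always on, not a user choice
        state[cat] = choices[cat] === true;   // anything but an explicit true is a reject
      }
      record("decide");
    },
    // Easy withdrawal: revoke every optional category at any later time.
    withdraw() {
      for (const cat of CATEGORIES) if (cat !== "necessary") state[cat] = false;
      record("withdraw");
    },
    // Unknown categories are denied, so an uncategorized tag never loads.
    allows(category) {
      return state[category] === true;
    },
    // Copies of the timestamped records, so callers cannot alter the log.
    records: () => records.map((r) => ({ ...r, state: { ...r.state } })),
  };
}

// Returns the names of the tags whose category is currently consented.
function tagsAllowedToLoad(tags, store) {
  return tags.filter((tag) => store.allows(tag.category)).map((tag) => tag.name);
}

// Constructed tag inventory, using the tools named in the category list.
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "google-analytics", category: "analytics" },
  { name: "hotjar", category: "analytics" },
  { name: "facebook-pixel", category: "marketing" },
  { name: "language-preference", category: "functional" },
];
```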

Testing

  1. Open your site in incognito/private browsing
  2. Check that the banner appears
  3. Click “Reject All”
  4. Open DevTools → Network tab
  5. Verify no GA or marketing scripts loaded
  6. Clear cookies, reload, click “Accept All”
  7. Verify scripts now load

If scripts load before consent: Your implementation is broken. The banner is just cosmetic. Fix the actual blocking.
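
The "Reject All" check in step 5 can be repeated without reading the request list by eye: export the Network tab as a HAR file and scan it. This is an added example, not part of the original guide; the host list is a constructed, non-exhaustive set for the tools this guide names, and `shop.example` and the two sample HAR fragments are constructed.

```javascript
// Added example: non-exhaustive host list for the tools this guide names (an assumption).
const TRACKER_HOSTS = [
  "google-analytics.com",  // Google Analytics
  "googletagmanager.com",  // Google tag loader
  "doubleclick.net",       // Google Ads
  "googleadservices.com",  // Google Ads conversions
  "connect.facebook.net",  // Meta Pixel script
  "facebook.com",          // Meta Pixel beacon
  "hotjar.com",            // Hotjar
];

// True when host equals the tracker domain or is a subdomain of it.
function matchesHost(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns one finding per HAR request that went to a listed tracker host.
function findTrackerRequests(har, trackerHosts = TRACKER_HOSTS) {
  const entries = (har && har.log && har.log.entries) || [];
  const findings = [];
  for (const entry of entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed entry or unparsable URL: nothing to classify
    }
    const hit = trackerHosts.find((d) => matchesHost(host, d));
    if (hit) findings.push({ tracker: hit, url: entry.request.url });
  }
  return findings;
}

// Constructed HAR fragments for a session where the visitor clicked "Reject All".
const REJECT_OK = { log: { entries: [
  { request: { url: "https://shop.example/" } },
  { request: { url: "https://shop.example/assets/app.js" } },
  { request: { url: "https://google-analytics.com.cdn.example/lib.js" } }, // lookalike host
] } };
const REJECT_BROKEN = { log: { entries: [
  { request: { url: "https://shop.example/" } },
  { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
] } };
```

An empty result for the reject session and a non-empty one for the accept session (step 7) is the pass condition; any finding after "Reject All" means the banner is not blocking.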

Testing Your Cookie Banner

  • Banner appears on first visit (not after page load—on page load)
  • “Reject All” is visible without scrolling
  • Declining actually blocks tracking (verified in DevTools)
  • Preference persists across sessions
  • Users can change preference later (usually via footer link)

Cookie Consent Questions Answered

Do I need a cookie consent banner?

If your site uses any non-essential cookies (analytics, advertising, social media embeds) and has visitors from the EU, UK, or several US states with privacy laws, yes. Even Google Analytics requires consent in GDPR jurisdictions before firing.

What is the difference between opt-in and opt-out cookie consent?

Opt-in (GDPR standard): no non-essential cookies fire until the user clicks Accept. Opt-out (some US states): cookies fire by default but users can reject them. GDPR opt-in is the stricter standard and the safer default if you have international traffic.

Can I just use a “This site uses cookies” banner?

No. A notice-only banner does not meet GDPR or CCPA requirements. Users must have a genuine choice to accept or reject non-essential cookies, and that choice must actually control whether cookies are set. A “dismiss” button is not valid consent.

Which cookie consent plugin should I use for WordPress?

CookieYes and Complianz are the most popular GDPR-compliant options. Both auto-scan for cookies, block scripts before consent, and generate cookie policies. CookieYes has a free tier for small sites. Complianz integrates well with caching plugins.

✓ Your Cookie Consent System Is Functioning Correctly

  • Cookie consent banner appears on first visit before any non-essential cookies are set
  • Declining cookies actually prevents analytics, marketing, and third-party cookies from loading
  • Consent preferences can be changed after initial choice via an accessible settings link
  • Consent records are logged with timestamps for audit and compliance documentation
  • The banner does not reappear on every page load — consent state persists correctly

Test it: In a private browser window, decline all cookies, then open DevTools → Application → Cookies and confirm only strictly necessary cookies are present — no Google Analytics, no Facebook Pixel, no marketing tags.