ConsentPixel – Privacy · Verified

WooCommerce ⚡ No Plugin Conflicts

Cookie Consent for WooCommerce Stores Done Right.

Your WooCommerce store fires Google Analytics, Meta Pixel, Klaviyo, and session-replay tools on every page — including your checkout. WooCommerce has no built-in consent banner. Consent plugins conflict with your caching, break on updates, and let trackers fire anyway. ConsentPixel — Privacy · Verified is one script tag. No plugin. No conflicts. Full compliance.

Zero WooCommerce plugin conflicts
GDPR · CCPA · CIPA · 19 US state laws
Google Consent Mode v2 built in
Checkout page CIPA protection
28% of all online stores worldwide run on WooCommerce
$5,000 CIPA exposure per California visitor from checkout session-replay
€20M max GDPR fine, or 4% of global annual revenue
5 min to install ConsentPixel on any WooCommerce store

Why WooCommerce Stores Face Elevated Privacy Risk

WooCommerce stores sit at the intersection of two privacy risk profiles at once. On one side, they carry all the general WordPress compliance exposures — plugin-injected trackers, Google Analytics without consent, session-replay tools running before any banner has been shown. On the other, they carry a heightened eCommerce risk layer: purchase data, billing and shipping addresses, email addresses, and payment flow interactions being shared with advertising and analytics platforms in real time.

The compliance picture is made more complex by WooCommerce's plugin ecosystem. A typical mid-size WooCommerce store has 20–40 active plugins — and a significant number of them silently introduce tracking. A payment gateway plugin adds its own fraud-detection script. A loyalty programme app drops a pixel. A reviews extension calls a third-party API. None of these came with a note saying "this shares your customers' data."

⚠️
WooCommerce has no built-in consent banner. WooCommerce ships with a privacy policy page generator and a checkout privacy notice checkbox — neither of which constitutes a cookie consent mechanism. There is no script blocking, no GPC signal handling, no Google Consent Mode v2 support, and no consent audit log. Every WooCommerce store needs a third-party consent solution.

What makes WooCommerce distinct from a pure WordPress content site is the checkout flow. The checkout page is where the highest-risk data collection happens — and it is precisely where most consent solutions fail. Trackers that should have been blocked continue to fire. Session-replay tools record billing form interactions. Google Ads conversion tags transmit purchase data without a Consent Mode v2 framework in place. These are not edge cases — they are the default configuration on most WooCommerce stores.

Trackers Commonly Running on WooCommerce Stores

These are the tools most frequently found on WooCommerce stores and the specific privacy law exposure each creates when running without proper consent.

📊
Google Analytics 4
GDPR · CCPA · GCM v2
Usually added via Site Kit or MonsterInsights. Must not fire before GDPR consent. Requires all four GCM v2 parameters.
📘
Meta Pixel
GDPR · CCPA · CIPA
Captures add-to-cart, checkout, and purchase events. Fires on checkout by default. Shares purchase data with Meta's ad network.
🔥
Hotjar / Microsoft Clarity
GDPR · CIPA
Session-replay on checkout pages. Highest CIPA risk — $5,000 per California visitor. Frequently missed in consent configurations.
📧
Klaviyo / Mailchimp
GDPR · CCPA
Onsite tracking scripts identify visitors and build behavioural profiles. Fire on all pages including checkout by default.
🎯
Google Ads Conversion
GDPR · GCM v2 Required
Purchase conversion tags on order confirmation pages. All four GCM v2 parameters required for EEA/UK — without them conversion data disappears.
💳
Payment Gateway Scripts
GDPR · CCPA
Stripe, Klarna, Afterpay, and PayPal inject third-party scripts that set persistent cookies and transmit session data.
Reviews Apps (Yotpo, Trustpilot)
GDPR · CCPA
Review widgets inject tracking scripts alongside their UI. Often overlooked in consent configurations because they appear harmless.
💬
Live Chat (Intercom, Tidio)
GDPR · CCPA
Chat widgets set persistent cross-session identifiers and transmit interaction data to third-party support platforms.
🔁
Retargeting (Criteo, AdRoll)
GDPR · CCPA
Retargeting pixels on product and cart pages build audience lists from browsing and purchase intent data.

The WooCommerce Checkout Page CIPA Problem

For WooCommerce stores, the checkout page deserves its own discussion. It is the highest-value page in your funnel — and the highest-risk page from a CIPA and GDPR perspective. It is where visitors enter their most sensitive personal information: name, address, email, phone number, and payment details. It is also where most stores have the most trackers running.

🚨 Checkout Page — Highest Risk Area for WooCommerce

Session-replay on checkout = CIPA exposure

Any session-replay tool running on your checkout page records keystrokes and form inputs. Plaintiff firms specifically target eCommerce checkout flows. $5,000 per California visitor, no proof of harm required.

Meta Pixel purchase events = data sharing without consent

WooCommerce's Meta Pixel integration fires purchase and checkout events by default. Under CCPA this is a "sale" of personal information. Under GDPR it requires prior opt-in consent.

Google Ads conversion tags = no data without GCM v2

Without GCM v2 correctly configured, EU and UK visitors who decline consent simply disappear from your conversion reports. No modelling, no smart bidding signals — direct ad revenue impact.

WooCommerce order attribution tracking

WooCommerce's built-in order attribution feature (added in v8.5) fires pixel-style events to track the channel that drove each sale. This feature requires disclosure and may require consent for EU visitors.

🚫
Best practice: no session-replay tool should ever run on checkout pages. Even with consent in place, running Hotjar, Microsoft Clarity, or Lucky Orange on your WooCommerce checkout page is a risk that the potential UX insight does not justify. Use URL exclusions in your replay tool's settings to permanently exclude /checkout/, /my-account/, and /order-received/ from any recording scope.

Is your WooCommerce checkout leaking customer data?

ConsentPixel scans your store — including the checkout flow — and shows you exactly which scripts fire before consent on your most sensitive pages.

Scan My Store Free →

WooCommerce Consent Plugins vs. ConsentPixel

The instinctive solution on WooCommerce is another plugin. But consent plugins and WooCommerce are notoriously difficult to combine reliably — the same WordPress hooks, caching systems, and session management that power WooCommerce are exactly what consent plugins interfere with.

| Capability | Typical Consent Plugin | ConsentPixel |
| --- | --- | --- |
| Technically blocks scripts before consent | ✗ Most don't | ✓ Always |
| Zero WooCommerce plugin conflicts | ✗ Common issue | ✓ Not a plugin |
| Checkout page CIPA protection | ✗ Rarely enforced | ✓ Script-blocked |
| Google Consent Mode v2 (all 4 parameters) | ⚠ Paid tiers only | ✓ All plans |
| Works with WP Rocket / caching plugins | ⚠ Requires manual config | ✓ No cache interaction |
| GPC browser signal honouring | ✗ Rarely | ✓ Auto-detected |
| Consent audit log (timestamped) | ⚠ Paid tiers only | ✓ All plans |
| US state law opt-out (CCPA, VCDPA, 19 states) | ✗ Usually EU-only | ✓ All plans |
| Survives WooCommerce updates | ✗ Breaks frequently | ✓ No WP dependency |
| Page speed impact on checkout | 300–800ms added | ✓ <50ms edge-served |

How to Install ConsentPixel on WooCommerce

ConsentPixel installs as a single script tag in your WordPress child theme — before WooCommerce, before Google Analytics, before any other script on the page. There is no plugin to install, no WooCommerce compatibility mode to enable, and no interaction with WooCommerce hooks or session management.

1. Create your account and scan your WooCommerce store

Sign up at consentpixel.com, add your store domain, and run the auto-scanner. ConsentPixel identifies every tracker on your store — including those injected by WooCommerce extensions — and pre-fills your cookie declaration. Copy your unique pixel snippet from the dashboard.

2. Add the pixel to your child theme's functions.php — priority 1

In your child theme's functions.php, add the snippet using wp_head with priority 1. This ensures ConsentPixel loads before every other wp_head hook — including those from WooCommerce, payment gateways, and any other plugin.

child-theme/functions.php
add_action( 'wp_head', function() { ?>
  <!-- ConsentPixel — must be first in head -->
  <script src="https://pixel.consentpixel.com/YOUR-SITE-ID.js"
          async></script>
<?php }, 1 ); // Priority 1 loads before all other hooks

3. Alternative: WPCode (no code option)

If you prefer not to edit theme files, install the WPCode plugin (formerly Insert Headers and Footers). Paste the ConsentPixel snippet into the Header section set to load on all pages. This method is fully compatible with WooCommerce and requires no PHP editing.

4. Register your WooCommerce tracking scripts by category

In the ConsentPixel dashboard, add each tracker to your controlled scripts list with its category: Analytics (GA4, Hotjar), Marketing (Meta Pixel, Klaviyo, TikTok, Google Ads), Functional (live chat, loyalty scripts). ConsentPixel will fire each script only when the visitor has consented to that category — or block it entirely if they decline or have GPC enabled.

Strictly necessary scripts — WooCommerce cart cookies, checkout session management, payment gateway security scripts — are never blocked and require no consent category.

5. Configure Google Consent Mode v2 for your conversion tags

In your ConsentPixel dashboard, enable Google Consent Mode v2. This automatically passes all four parameters (analytics_storage, ad_storage, ad_user_data, ad_personalization) to your Google tags before they load — whether you use Google Tag Manager or direct GA4/Google Ads snippets. EU and UK visitors who decline will be modelled by Google rather than disappearing from your conversion reports.

GCM v2 — auto-injected by ConsentPixel before any Google tag
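// gtag() must exist before the consent default is queued;
// this is the standard stub from Google's tag snippet.
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Default all four GCM v2 signals to 'denied' until the visitor chooses
gtag('consent', 'default', {
  'analytics_storage':  'denied',
  'ad_storage':         'denied',
  'ad_user_data':       'denied',
  'ad_personalization': 'denied',
  'wait_for_update':     500  // ms to wait for the consent 'update' call
});
// ConsentPixel fires 'update' on visitor consent choice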

6. Verify with the compliance checker

Use the ConsentPixel compliance checker to confirm: no scripts fire on a fresh checkout page load before consent, GCM v2 parameters are passing correctly, session-replay tools are excluded from the checkout URL, and consent events are being logged with timestamps.

⚠️
Using WP Rocket, LiteSpeed Cache, or W3 Total Cache? Ensure your caching plugin does not cache consent state between user sessions — a visitor who accepted cookies last week should not have their acceptance applied to a new visitor's session. Exclude ConsentPixel's script from minification and file combining. ConsentPixel's documentation covers specific exclusion settings for all major WordPress caching plugins.
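
The gating rules from steps 4 and 5, combined with the checkout session-replay exclusion described earlier, sketched as an added example that is not ConsentPixel's own code. The script registry, the category names, the opt-in default, and the choice to treat a GPC signal as a marketing opt-out are all assumptions made for illustration.

```javascript
'use strict';
// Added illustration, not ConsentPixel's implementation.
// Constructed registry: one category per tracker, as in step 4.
const SCRIPTS = [
  { name: 'GA4', category: 'analytics' },
  { name: 'Hotjar', category: 'analytics', sessionReplay: true },
  { name: 'Meta Pixel', category: 'marketing' },
  { name: 'Klaviyo', category: 'marketing' },
  { name: 'Live chat', category: 'functional' },
  { name: 'WooCommerce cart', category: 'necessary' },
];

// Paths the page says to keep out of any recording scope.
const NO_REPLAY_PATHS = ['/checkout/', '/my-account/', '/order-received/'];

// Opt-in model: every category is denied until chosen.
// Assumption: a GPC signal overrides an accepted marketing category.
function effectiveConsent(choices, gpc) {
  const consent = { analytics: false, marketing: false, functional: false, ...choices };
  if (gpc) consent.marketing = false;
  return consent;
}

function shouldLoad(script, consent, path) {
  if (script.category === 'necessary') return true; // never gated
  const sensitive = NO_REPLAY_PATHS.some((p) => path.includes(p));
  if (script.sessionReplay && sensitive) return false; // even with consent
  return consent[script.category] === true;
}

// Map categories onto the four Consent Mode v2 parameters.
function gcmUpdate(consent) {
  const flag = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.marketing),
    ad_user_data: flag(consent.marketing),
    ad_personalization: flag(consent.marketing),
  };
}

// Decide what may load on `path` and which consent 'update' to send.
function plan(choices, gpc, path) {
  const consent = effectiveConsent(choices, gpc);
  return {
    load: SCRIPTS.filter((s) => shouldLoad(s, consent, path)).map((s) => s.name),
    gcm: gcmUpdate(consent),
  };
}

// Browser use: gtag('consent', 'update', plan(choices, navigator.globalPrivacyControl, location.pathname).gcm);
console.log(plan({ analytics: true, marketing: true }, true, '/checkout/'));
```
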

What ConsentPixel Does for Your WooCommerce Store

🛡️

Script blocking before consent — including on checkout

Every registered tracker — Meta Pixel, GA4, Klaviyo, session-replay tools — is held at page load across every page including checkout. Nothing fires until the visitor's consent state is established, eliminating both GDPR violations and CIPA exposure from checkout recording.

📡

Google Consent Mode v2 for conversion tracking

All four GCM v2 parameters fire before your Google tags load. EU and UK visitors who decline are modelled by Google — your purchase conversion data and smart bidding signals survive even with a compliant consent setup. No more black-hole reporting for European markets.

🌎

Geo-targeted rules for international stores

Selling globally? ConsentPixel automatically applies GDPR opt-in for EU and UK visitors, CCPA opt-out for California, GPC honouring for Virginia and Colorado, and a neutral disclosure banner for all other regions — all from a single installation on your WooCommerce store.

📋

Consent audit log for GDPR accountability

Every consent decision is logged with a timestamp, the exact banner version shown, the visitor's category choices, and whether the signal came from the banner or a GPC browser setting. Produceable on demand for Data Protection Authority investigations or legal proceedings.

🔍

Continuous plugin-tracker scanning

ConsentPixel scans your WooCommerce store on a schedule and alerts you when new trackers appear — including those silently introduced by WooCommerce extension updates. Your consent configuration stays current without manual quarterly audits.

📬

DSAR portal for customer rights requests

An embeddable data subject request form handles GDPR access, deletion, and portability requests from your EU customers, and CCPA rights requests from US customers. Each request is tracked with a deadline so you never miss your 30-day GDPR or 45-day CCPA response windows.

WooCommerce Privacy Compliance Checklist (2026)

Run through this checklist for your WooCommerce store.

📋 WooCommerce Store Compliance Checklist — 2026 (12 items)
- Audit every tracker running on your store — especially checkout pages: Use browser DevTools Network tab in incognito on /checkout/ and /my-account/ pages
- Confirm no scripts fire before consent on a fresh session: If GA4 or Meta Pixel appear in Network tab before banner interaction, you have a compliance gap
- Deploy a consent solution that technically blocks scripts — not just a notice: A banner that does not block script execution is a disclosure, not a consent mechanism
- Configure Google Consent Mode v2 with all four parameters: Required for EEA/UK ad features — without it, declined sessions disappear from conversion reports
- Exclude checkout, order-received, and my-account pages from session-replay: Never run Hotjar, Clarity, or Lucky Orange on pages where customers enter personal or payment data
- Consent-gate Meta Pixel purchase and checkout events: WooCommerce's Meta Pixel integration fires by default — must be controlled by your consent platform
- Review WooCommerce Order Attribution tracking (v8.5+): Built-in attribution feature fires pixel-style events — check if it needs consent disclosure for EU visitors
- Add "Do Not Sell or Share" opt-out for US visitors: Required under CCPA for California — and effectively for all 19 US state privacy laws in 2026
- Implement GPC browser signal recognition: Mandatory in California and Virginia — must auto-honour without requiring any visitor click
- Update privacy policy to name all WooCommerce trackers and extensions: Name Klaviyo, Meta, Google, payment gateways, review apps, and live chat as third-party recipients
- Review DPAs with all data-processing vendors: Klaviyo, Meta, Google, Stripe, Klarna, Yotpo — each must have a GDPR-compliant Data Processing Agreement
- Enable consent logging for your audit trail: Timestamped record of every customer consent decision — required under GDPR's accountability principle
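
The first two checklist items can be checked mechanically against a HAR file exported from the DevTools Network tab. The following is an added example, not ConsentPixel's compliance checker: the host list is a short illustrative sample rather than a complete tracker inventory, and the HAR entries and the shop.example domain are constructed.

```javascript
'use strict';
// Added illustration. Host suffixes are a small, non-exhaustive sample.
const TRACKER_HOSTS = {
  'google-analytics.com': 'Google Analytics 4',
  'connect.facebook.net': 'Meta Pixel',
  'facebook.com': 'Meta Pixel',
  'hotjar.com': 'Hotjar',
  'clarity.ms': 'Microsoft Clarity',
  'klaviyo.com': 'Klaviyo',
  'doubleclick.net': 'Google Ads',
};

// Match on a dot boundary so lookalike hosts are not reported.
function trackerFor(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  for (const [suffix, name] of Object.entries(TRACKER_HOSTS)) {
    if (host === suffix || host.endsWith('.' + suffix)) return name;
  }
  return null;
}

// consentAt: ISO time of the banner click, or null when the banner was
// never touched (then every tracker request in the capture is a finding).
function preConsentHits(har, consentAt = null) {
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const entry of (har.log && har.log.entries) || []) {
    const tracker = trackerFor(entry.request.url);
    if (tracker && Date.parse(entry.startedDateTime) < cutoff) {
      hits.push({ tracker, url: entry.request.url, at: entry.startedDateTime });
    }
  }
  return hits;
}

// Constructed capture of a fresh /checkout/ load.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-01-10T09:00:00.100Z', request: { url: 'https://shop.example/checkout/' } },
  { startedDateTime: '2026-01-10T09:00:00.450Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2026-01-10T09:00:00.600Z', request: { url: 'https://static.hotjar.com/c/hotjar-0.js' } },
  { startedDateTime: '2026-01-10T09:00:00.700Z', request: { url: 'https://nothotjar.com/widget.js' } },
  { startedDateTime: '2026-01-10T09:00:05.000Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
] } };

console.table(preConsentHits(SAMPLE_HAR, '2026-01-10T09:00:02.000Z'));
```

An empty result on a capture taken without touching the banner is the passing condition; any row names a script that ran before the visitor made a choice.
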

Frequently Asked Questions

WooCommerce includes a privacy policy page generator and a checkout privacy notice checkbox — but no cookie consent banner, no script blocking, no Google Consent Mode v2 support, and no GPC signal handling. For any WooCommerce store running analytics, advertising pixels, or session-replay tools, a separate consent management solution is required.
Yes — if your WooCommerce checkout page runs session-replay tools or tracking pixels without prior consent, you face CIPA exposure. Checkout pages are the highest-risk area because they capture billing addresses, email addresses, and payment interaction data. CIPA plaintiff firms specifically target eCommerce checkout flows, with $5,000 in statutory damages per affected California visitor available without proof of harm. ConsentPixel blocks all such scripts until explicit consent is given.
Consent plugins frequently conflict with WooCommerce because both interact with WordPress hooks, checkout form handling, and caching configurations. Common issues include banners breaking cart persistence, caching plugins serving stale consent states to new visitors, and WooCommerce updates breaking script blocking logic. ConsentPixel is not a plugin — it is a JavaScript pixel with no interaction with WordPress's plugin system, WooCommerce hooks, or server-side caching.
Without GCM v2, any EU or UK visitor who declines consent simply disappears from your Google Ads conversion reports and GA4 — no modelling, no smart bidding signals. In markets like Germany and France where opt-out rates are high, this can mean 40–60% of your traffic is invisible to your campaigns. With ConsentPixel implementing GCM v2 correctly, Google models the missing conversions using aggregated signals, keeping your campaign optimisation and ROAS reporting accurate.
WooCommerce's core functional cookies (woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session) are strictly necessary for store operation and do not require consent under GDPR or CCPA. However, WooCommerce's optional order attribution tracking (v8.5+) and any tracking introduced by WooCommerce extensions — Klarna, Stripe, Mailchimp, Yotpo, and others — may require consent and must be disclosed in your privacy policy.
No. ConsentPixel is a single lightweight script served from Cloudflare's global edge network with sub-50ms load times. For visitors who decline consent, it actually speeds up page load by blocking multiple heavy third-party scripts that would otherwise fire. There are no database queries, no WordPress plugin overhead, and no interaction with WooCommerce's session or checkout system.
WooCommerce Compliance — No Plugin Required

Your checkout. Your customers.
Actually protected.

One script tag in your functions.php. No plugin conflicts. No caching headaches. Full GDPR, CCPA, CIPA, and 19-state US compliance — with Google Consent Mode v2 and checkout page protection built in from day one.
