Why WooCommerce stores need cookie compliance

GDPR applies to any business that processes personal data of EU residents — regardless of where your WooCommerce store is hosted or where your business is incorporated. A shopper in France buying from a US-based WooCommerce store triggers GDPR obligations the moment tracking cookies are set.

The ePrivacy Directive (often called the "cookie law") reinforces this: non-essential cookies cannot fire until the user has actively opted in. Pre-ticked checkboxes don't count. Continued browsing doesn't count. Consent must be freely given, specific, informed, and unambiguous.

🚫 Enforcement against e-commerce is accelerating

In 2024 and 2025, Data Protection Authorities across Germany, France, Italy, and the Netherlands issued fines against WooCommerce merchants for loading Google Analytics, Meta Pixel, and Hotjar before consent. Fines ranged from €3,000 to €250,000. The "I'm a small store" argument did not hold — DPAs have explicitly stated that scale is not a mitigating factor for systematic violations.

WooCommerce is particularly exposed because it's built on WordPress — a platform with thousands of plugins, most of which set cookies without any built-in consent management. Every plugin you install is a potential compliance gap that your cookie consent banner may not cover.

Default WooCommerce cookies — categorised by type

Before configuring consent, you need to know exactly what your store sets. WooCommerce and WordPress core set several cookies by default, before any plugins are considered.

| Cookie | Set by | Purpose | Category | Consent needed? |
|---|---|---|---|---|
| woocommerce_cart_hash | WooCommerce | Stores a hash of cart contents to detect when the cart changes | Essential | No (strictly necessary) |
| woocommerce_items_in_cart | WooCommerce | Indicates whether the cart has items, for UI purposes | Essential | No (strictly necessary) |
| wp_woocommerce_session_* | WooCommerce | Session cookie linking the browser to the WooCommerce session in the database | Essential | No (strictly necessary) |
| woocommerce_recently_viewed | WooCommerce | Stores recently viewed products for the "Recently Viewed" widget | Functional | Debated; best practice is yes |
| wordpress_logged_in_* | WordPress | Authentication cookie for logged-in users | Essential | No (strictly necessary) |
| wordpress_test_cookie | WordPress | Tests whether cookies are enabled in the browser | Essential | No (strictly necessary) |
| _ga, _gid | Google Analytics | Visitor identification and session tracking | Analytics | Yes |
| _fbp, _fbc | Meta Pixel | Facebook/Instagram ad targeting and retargeting | Marketing | Yes |
| _hjid, _hjSession_* | Hotjar | Session recording and heatmap analytics | Analytics | Yes |
| _gcl_au | Google Ads | Conversion measurement for Google Ads campaigns | Marketing | Yes |

⚠️ This is just the baseline; plugins multiply the count

The table above covers WooCommerce and WordPress core cookies only. A typical WooCommerce store with 10–15 plugins active sets 30–60 additional cookies from analytics tools, marketing platforms, live chat, loyalty programs, and reviews widgets. The only accurate view of what your store actually sets is a live scan.

Common WooCommerce plugins that set cookies requiring consent

These are the most common sources of consent-requiring cookies across WooCommerce stores. If you use any of these, your cookie banner must cover them — and they must not fire before consent is granted.

WooCommerce Analytics & MonsterInsights (GA4)

WooCommerce's built-in analytics sets _wc_session_ variants, but if you connect Google Analytics 4 via MonsterInsights or a manual GTM implementation, the _ga, _gid, and _ga_* cookies are set immediately on page load unless you implement Consent Mode v2. MonsterInsights has a consent mode integration, but it requires explicit configuration — it is not on by default.

Jetpack

Jetpack sets its own analytics cookies (jetpackState, Jetpack site stats pixel) for WordPress.com stats. These are analytics cookies that require consent. Jetpack also integrates with several third-party services (Akismet, VideoPress, social sharing) that each introduce their own cookies. Check Jetpack's active modules — each active module is a potential cookie source.

Mailchimp for WooCommerce

The official Mailchimp plugin sets tracking cookies for e-commerce purchase attribution and email campaign tracking. These cookies (typically _mc_id variants) are marketing cookies that require consent. The plugin fires its tracking scripts on page load regardless of consent state unless you explicitly configure otherwise.

Google Analytics via Google Site Kit

Google Site Kit is the official Google plugin for WordPress and handles GA4, Google Ads, and Search Console integration. By default it loads GA4 immediately on every page view. Since Google Consent Mode v2 became mandatory for Google Ads remarketing in March 2024, Site Kit requires explicit Consent Mode v2 configuration — not just a cookie banner.

ℹ️ Caching plugins create a specific compliance risk

WooCommerce stores commonly use caching plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache). If a page is cached after a consent-requiring cookie has been set, the cached version may serve that cookie to new visitors before consent is granted. This is a common source of violations that manual audits miss entirely.

How to audit cookies on a WooCommerce site

A cookie audit tells you every cookie your store sets, which plugins set them, and whether you're disclosing them correctly. Do this before configuring your consent banner — consent for cookies you don't know about is meaningless.

Option 1: Manual audit with Chrome DevTools

1. Open your store in a fresh incognito window

Incognito ensures no existing cookies influence what you see. Open Chrome DevTools (F12), go to Application → Storage → Cookies, select your domain. This is your zero state — the cookies set before any consent interaction.

2. Navigate through key page types

Visit your homepage, a category page, a product page, and the cart/checkout flow. Different page templates load different plugin scripts. Watch which cookies appear as you navigate — some will only appear on product pages, others only in checkout.

3. Cross-reference Network requests with active plugins

Open the Network tab, filter by "3rd-party" requests. Every external domain loading on your store is a potential cookie setter. Cross-reference with your active WordPress plugins — the list in your browser and the list in wp-admin should correlate. Anything loading from a domain you don't recognise is a flag.

4. Categorise and document each cookie

Sort every discovered cookie into: Essential (session, cart, authentication), Analytics (GA4, Jetpack stats, Hotjar), Marketing (Meta Pixel, Google Ads, Mailchimp). Essential cookies are exempt from consent. Everything else must be blocked until consent is granted.
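As an added example for step 4 (not CookieGuard's or WooCommerce's code), a small classifier that applies the name patterns from the cookie table above to a document.cookie-style string and returns the cookies that should not exist in the zero state. The rule list and the sample cookie jar are constructed here; in DevTools you would pass `document.cookie` instead of the sample.

```javascript
// Name patterns taken from the cookie table above plus the Mailchimp _mc_id variants.
// Each rule: [regex on cookie name, category, consent required]
const COOKIE_RULES = [
  [/^woocommerce_cart_hash$/, 'essential', false],
  [/^woocommerce_items_in_cart$/, 'essential', false],
  [/^wp_woocommerce_session_/, 'essential', false],
  [/^wordpress_logged_in_/, 'essential', false],
  [/^wordpress_test_cookie$/, 'essential', false],
  [/^woocommerce_recently_viewed$/, 'functional', true],
  [/^_ga(_|$)|^_gid$/, 'analytics', true],   // GA4: _ga, _ga_<stream>, _gid
  [/^_hj/, 'analytics', true],               // Hotjar: _hjid, _hjSession_*
  [/^_fb[pc]$/, 'marketing', true],          // Meta Pixel
  [/^_gcl_au$/, 'marketing', true],          // Google Ads
  [/^_mc_id/, 'marketing', true],            // Mailchimp for WooCommerce
];

// Parse a "name=value; name2=value2" cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(part => part.trim().split('=')[0])
    .filter(Boolean);
}

function classifyCookie(name) {
  for (const [re, category, needsConsent] of COOKIE_RULES) {
    if (re.test(name)) return { name, category, needsConsent, known: true };
  }
  // Unknown cookies are treated as consent-requiring until attributed to a plugin.
  return { name, category: 'unknown', needsConsent: true, known: false };
}

// Zero-state audit: any consent-requiring cookie present before the banner was
// touched is a pre-consent violation; unknown names need manual attribution.
function auditZeroState(cookieString) {
  const cookies = cookieNames(cookieString).map(classifyCookie);
  return {
    cookies,
    violations: cookies.filter(c => c.needsConsent).map(c => c.name),
    unknown: cookies.filter(c => !c.known).map(c => c.name),
  };
}

// Constructed sample: a store that loads GA4, Meta Pixel and Mailchimp before consent.
const SAMPLE_ZERO_STATE =
  'woocommerce_cart_hash=abc; wp_woocommerce_session_1a2b=tok; _ga=GA1.1.1; ' +
  '_ga_XYZ=GS1; _fbp=fb.1; wordpress_test_cookie=WP; _mc_id=m1';
```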

ℹ️ Manual audits have a fundamental coverage gap

Some cookies only appear after specific interactions — adding a product to cart, triggering an exit-intent pop-up, reaching the order confirmation page. A manual scan of the homepage alone will miss 40–60% of the cookies your store actually sets. You also have to re-audit every time you update or install a plugin.

Option 2: Automated scanning with CookieGuard

CookieGuard crawls your WooCommerce store across all key page types, discovers every cookie set by WooCommerce core, plugins, and custom scripts, and classifies them by category. It catches cookies that manual audits miss — including those triggered by user interactions — and re-scans automatically when your store changes.


Consent Mode v2 for WooCommerce + Google Tag Manager

If you use GA4 or Google Ads, Consent Mode v2 is now mandatory — Google stopped modelling conversion data for advertisers without it in March 2024. For WooCommerce stores, the most common setup is Google Tag Manager (GTM) deployed via a plugin like Google Site Kit, MonsterInsights, or a manual <script> tag in your theme.

The core requirement: four consent signals must default to denied before GTM fires any tags. Those signals update to granted when the user accepts the relevant cookie category.

✅ GTM Consent Initialisation tag (add via the Consent Initialization trigger)

```javascript
// This tag fires BEFORE all other GTM tags via the Consent Initialization trigger
// Set all four signals to 'denied' by default
window.dataLayer = window.dataLayer || [];
function gtag(){ dataLayer.push(arguments); }

gtag('consent', 'default', {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  wait_for_update: 2000 // milliseconds to wait for the banner's update before tags fire
});
```

✅ Consent Update tag (fires when your cookie banner receives a consent decision)

```javascript
// Fire this tag when your CMP updates consent state. gtag() is the function defined
// in the initialisation tag above; window.cookieConsent stands in for your banner's
// consent-state object, so replace it with your CMP's own API.
// Map your banner's consent categories to Google's four signals
gtag('consent', 'update', {
  ad_storage: window.cookieConsent.marketing ? 'granted' : 'denied',
  analytics_storage: window.cookieConsent.analytics ? 'granted' : 'denied',
  ad_user_data: window.cookieConsent.marketing ? 'granted' : 'denied',
  ad_personalization: window.cookieConsent.marketing ? 'granted' : 'denied'
});
```
⚠️ Caching breaks Consent Mode v2 on WooCommerce

If your caching plugin (WP Rocket, LiteSpeed, W3 Total Cache) serves a cached page that already has GTM loaded, the consent default call may fire after GA4 has already initialised. Ensure your cache exclusion rules bypass pages served to first-time visitors, or use a plugin with native CMP integration that injects consent defaults before the cached page renders.
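As an added example (not from the page, CookieGuard or Google), the two GTM tags above folded into one bridge for a WooCommerce banner with 'analytics' and 'marketing' categories, plus a check for the caching failure mode just described: it inspects the dataLayer and fails if anything that sends data was queued before the 'default' call. The banner decision object shape and the demo dataLayer are assumptions.

```javascript
function createConsentBridge(dataLayer) {
  // Same shape as the GTM snippet above: gtag() only queues its arguments object.
  function gtag() { dataLayer.push(arguments); }

  // Fire from the Consent Initialization trigger, before any other tag.
  function installDefaults(waitMs = 2000) {
    gtag('consent', 'default', {
      ad_storage: 'denied', analytics_storage: 'denied',
      ad_user_data: 'denied', ad_personalization: 'denied',
      wait_for_update: waitMs, // time for the banner to restore a stored decision
    });
  }

  // Map the banner's two non-essential categories onto Google's four signals.
  function signalsFor(decision) {
    const ads = decision.marketing ? 'granted' : 'denied';
    return {
      ad_storage: ads,
      analytics_storage: decision.analytics ? 'granted' : 'denied',
      ad_user_data: ads,
      ad_personalization: ads,
    };
  }

  // Fire on every banner decision, and on load when a stored decision is restored.
  function updateFromBanner(decision) { gtag('consent', 'update', signalsFor(decision)); }

  return { gtag, installDefaults, signalsFor, updateFromBanner };
}

// True only if a 'consent default' entry exists and nothing that sends data ('config',
// 'event') or a 'consent update' was queued ahead of it. A cached page that already had
// GA4 configured is exactly the case where this returns false.
function consentOrderIsSafe(dataLayer) {
  for (const e of dataLayer) {
    if (e[0] === 'consent' && e[1] === 'default') return true;
    if (e[0] === 'config' || e[0] === 'event' || e[0] === 'consent') return false;
  }
  return false; // no default was ever queued
}

// Constructed run: the correct order on a fresh, uncached page load.
const demoLayer = [];
const demo = createConsentBridge(demoLayer);
demo.installDefaults();
demo.updateFromBanner({ analytics: true, marketing: false });
```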

CookieGuard vs manual compliance for WooCommerce

| Task | Manual approach | CookieGuard |
|---|---|---|
| Initial cookie audit | 2–4 hours in DevTools, incomplete coverage | 30 seconds, full coverage including dynamic cookies |
| Plugin cookie identification | Manual cross-referencing with plugin docs | Automatic attribution: each cookie mapped to its source plugin |
| After plugin install or update | Manual re-audit (rarely happens in practice) | Automatic re-scan plus alert on new cookie detected |
| Caching compliance gap detection | Extremely difficult to detect manually | Detected via server-side scan that bypasses cache |
| Consent Mode v2 verification | Chrome DevTools Tag Assistant (time-intensive) | Automated signal state verification |
| Ongoing monitoring | Not sustainable without dedicated resource | Continuous background monitoring |
| Compliance documentation | Manual documentation, often stale | Audit-ready reports generated on demand |


WooCommerce GDPR Cookie Compliance Checklist (2026)

Use this checklist to verify your store's compliance status. Every Critical item is a potential fine.

📋 WooCommerce GDPR Cookie Compliance Checklist

1. Cookie consent banner is active and blocks non-essential cookies (Critical)
Your banner must appear before any analytics or marketing cookies fire. Test in incognito: open your store, don't interact with the banner, and check DevTools → Application → Cookies. You should only see essential WooCommerce session cookies.

2. Google Analytics (GA4) is blocked until analytics consent (Critical)
GA4 via MonsterInsights, Site Kit, or manual GTM must not fire until the user grants analytics consent. The _ga and _gid cookies must not appear before consent in the DevTools Cookies tab.

3. Meta Pixel and ad pixels blocked until marketing consent (Critical)
Meta Pixel (_fbp), Google Ads (_gcl_au), TikTok Pixel (_ttp), and any other retargeting scripts must not load until the user explicitly consents to marketing cookies.

4. Reject option is as accessible as Accept (Critical)
Dark patterns (small grey "Reject" button, multi-step rejection flow, prominent green "Accept" CTA with "Manage preferences" buried) are being actively fined by EU regulators. Both options must be accessible in one click.

5. Google Consent Mode v2 is configured for GA4 and Google Ads (High)
All four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) must default to denied and update on user consent. Without this, Google Ads remarketing and conversion modelling will stop working for EU traffic.

6. Jetpack modules with analytics are consent-gated (High)
If Jetpack is active, verify that site stats and social sharing modules are not firing tracking pixels or setting analytics cookies before consent. Jetpack's stats module sets cookies on every page view by default.

7. Caching plugin does not serve pre-consent cookies (High)
Test with WP Rocket / LiteSpeed Cache active: clear the cache, open the store fresh in incognito, confirm no analytics cookies appear before banner interaction. Cached pages must not bypass consent blocking.

8. Cookie policy is accurate and lists all active cookies (High)
Your cookie policy must name every non-essential cookie your store sets, who sets it, the purpose, and the retention period. A generic WordPress privacy policy that doesn't mention plugin-specific cookies is non-compliant.

9. Checkout pages are covered by consent controls (Medium)
WooCommerce checkout pages can set additional cookies (payment processor scripts, order confirmation pixels). Verify your consent banner's blocking logic covers the checkout flow, not just the marketing pages.

10. New plugin installs are audited for cookie compliance (Ongoing)
Every WordPress plugin you install can introduce new cookies. Before installing plugins with analytics, personalisation, or marketing features, check what cookies they set and whether your consent banner's category mapping covers them.

Common WooCommerce cookie compliance mistakes

These are the issues we see most frequently when scanning WooCommerce stores:

1. Plugin conflicts bypassing the consent banner

Many WooCommerce compliance setups break at the plugin interaction layer. A typical failure mode: your cookie consent plugin blocks GTM by adding a type="text/plain" attribute to the GTM script tag, but a separate plugin (Google Site Kit, MonsterInsights) also injects GTM — independently, without the blocking attribute. Result: two GTM instances, one blocked, one not. All tracking fires pre-consent through the unblocked instance.

Fix: Use exactly one method to load GTM. If you use a consent plugin that manages GTM, remove all other GTM injection points in wp-admin, plugins, and theme code. Verify with the Network tab in DevTools that GTM loads exactly once.
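As an added example (not CookieGuard's code), a check for the double-injection failure mode described above: it scans a page's HTML for every GTM injection point, whether the external gtm.js loader or an inline bootstrap, and reports which of them the consent plugin has not neutralised with type="text/plain". The sample HTML, the data-category attribute and the GTM-EXAMPLE container id are constructed placeholders.

```javascript
function findGtmInjections(html) {
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const found = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    const src = srcMatch ? srcMatch[1] : '';
    // Either the external loader (gtm.js?id=...) or the inline bootstrap that injects it.
    if (!/googletagmanager\.com\/gtm\.js/i.test(src + body)) continue;
    const idMatch = (src + body).match(/(?:id=|['"])(GTM-[A-Z0-9]+)/);
    found.push({
      id: idMatch ? idMatch[1] : null,
      inline: src === '',
      blocked: /\btype\s*=\s*["']text\/plain["']/i.test(attrs), // consent plugin gate
    });
  }
  return found;
}

function gtmLoadReport(html) {
  const all = findGtmInjections(html);
  const unblocked = all.filter(s => !s.blocked).length;
  return {
    injectionPoints: all.length,
    unblocked,
    containers: [...new Set(all.map(s => s.id))],
    singleLoader: all.length === 1,   // the fix in the text: exactly one way to load GTM
    firesPreConsent: unblocked > 0,   // an ungated loader runs before any banner decision
  };
}

// Constructed HTML reproducing the failure mode: the consent plugin's gated bootstrap
// plus a second, ungated loader for the same container injected by another plugin.
const SAMPLE_HTML = `<html><head>
<script type="text/plain" data-category="analytics">
(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-EXAMPLE');
</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/wp-content/plugins/example-plugin/app.js"></script>
</head><body></body></html>`;
```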

2. Caching plugins serving cookies before consent

WP Rocket, W3 Total Cache, and LiteSpeed Cache can serve cached page HTML that already contains inline scripts with pre-existing cookie values. Even if your consent plugin correctly blocks fresh page loads, a cached version may bypass this. This creates an intermittent compliance gap that's hard to catch because it only affects users who hit the cache.

Fix: Configure your caching plugin to exclude pages from cache for first-time visitors (no consent cookie present), or use a consent plugin with native caching integration that modifies cached HTML at serve time. Test after every cache flush by clearing cookies and loading from a cold cache.

3. Mailchimp and email plugins firing at checkout

Email marketing plugins (Mailchimp for WooCommerce, Klaviyo, ActiveCampaign) often fire their tracking scripts on the order confirmation (thank you) page to capture purchase data and trigger post-purchase flows. If a customer rejected marketing cookies at the banner, these scripts should not fire — but many default plugin configurations don't check consent state before firing on checkout completion.

Fix: Check whether your email plugin offers a Consent Mode integration or supports conditional script loading. If not, wrap the plugin's tracking call in a check against your CMP's consent state API before the script fires on the thank you page.

4. Checkout cookie gaps from payment processors

Payment processor integrations (Stripe, PayPal, Klarna) often inject their own JavaScript and set cookies on checkout pages for fraud detection and session continuity. Some of these are technically essential (required for the payment to function). Others are analytics or marketing cookies for the payment processor's own tracking. Distinguish between the two: essential payment cookies don't need consent; processor analytics cookies do.

Scan first, configure second

The most common mistake is installing a cookie consent plugin and assuming it's done. It's not. The plugin gives you a mechanism for consent — you still need to know what cookies exist and verify the blocking is working correctly. Scan your store first, see what's actually firing, then verify your banner is blocking everything non-essential before the user interacts. CookieGuard's free scan gives you that ground truth in 30 seconds.