FAZ Cookie Manager
Tired of cookie consent plugins that lock essential features behind paywalls, require cloud accounts, or send your visitors’ data to third-party servers? FAZ Cookie Manager is a WordPress plugin that helps you implement cookie consent and privacy workflows for international regulations — completely free, with no strings attached. No account to create. The plugin requires no cloud service connection. Basic features like consent logging and geo-targeting are included — no premium plan needed. Core consent features run on your own server, and you own all your data. Why FAZ Cookie Manager? Most cookie consent plugins follow the same pattern: a free version with crippled features, and a paid tier starting at $10-50/month that unlocks what you actually need (cookie scanning, consent logs, Google Consent Mode, IAB TCF). FAZ Cookie Manager breaks that model: Cookie scanner — Scans your site directly from your browser. No external service, no API limits, no waiting. Cookie Policy generator (NEW in 1.16.0) — Build a jurisdiction-aware Cookie Policy page directly from your admin. Pick GDPR / CCPA / LGPD, fill in your company details, and publish via the [faz_cookie_policy_complete] shortcode. Output is multilingual (en, it, fr, de, es, pt-BR, bg), pulls the live cookie inventory from the scanner, and ships with a non-removable disclaimer that the templates are starting points, not legal advice. The standalone [faz_cookie_table] shortcode (and the matching Gutenberg block) still works for embedding just the cookie list. Consent logging with CSV export — Every consent is recorded locally in your database. Export anytime for audits. Google Consent Mode v2 — Sends all 7 consent signals to Google tags. No premium required. IAB TCF v2.3 — Full Transparency and Consent Framework API and UI, built in. To operate as a recognised CMP in the IAB framework you must enter your own registered IAB Europe CMP ID; without one the TCF interface stays inactive (no TC string is produced) so invalid signals are never broadcast to vendors. Geo-targeting — Show banners only to visitors from regulated regions (EU, California, etc.). 180+ languages — Translate every string in the banner, or use one of the built-in translations. Script blocking — Tag any script with data-faz-tag to block it until the right category is accepted. Microsoft UET/Clarity — Consent integration for Microsoft advertising and analytics tools. Revisit consent widget — Floating button lets visitors change their preferences anytime. Accessibility-focused — Keyboard navigation (Tab, Enter, Escape), screen-reader support, mobile responsive. Helps with these frameworks This plugin assists consent and privacy workflows. It does not itself create, provide, or guarantee legal compliance, and you remain responsible for the final configuration for your site and jurisdiction. GDPR (EU General Data Protection Regulation) — Opt-in consent, granular categories, right to withdraw CCPA / CPRA (California Consumer Privacy Act) — “Do Not Sell or Share” opt-out link ePrivacy Directive (EU Cookie Law) — Consent-based script blocking support Italian Garante Privacy — 6-month consent expiry setting and consent logging controls EDPB Guidelines — No scroll-as-consent, no pre-checked categories, equal button prominence options LGPD (Brazil General Data Protection Law) — Consent-based model POPIA (South Africa Protection of Personal Information Act) — Opt-in consent Try it Live Try FAZ Cookie Manager in WordPress Playground — no account, no install, runs entirely in your browser. How it works Install and activate — the cookie banner appears immediately with sensible defaults Scan your site to detect cookies automatically Customize the banner design, text, and colors to match your brand Enable Google Consent Mode or IAB TCF if you use advertising tools Monitor consent analytics on the dashboard Core banner functionality runs on your WordPress site. Optional update/download features may contact GitHub, IAB Europe, MaxMind, ip-api.com, ipinfo.io (opt-in VPN detection), or the AMP CDN depending on which features you enable and use. Cookie Policy generator (1.16.0+) Need a Cookie Policy page that explains the cookies your site sets, the jurisdiction it operates under, and who the visitor should contact about their data? FAZ Cookie Manager 1.16.0 ships a dedicated Cookie Policy admin tab plus the [faz_cookie_policy_complete] shortcode. Jurisdiction-aware — pick GDPR (EU/EEA/UK), CCPA/CPRA (California), or LGPD (Brazil). Each jurisdiction ships its own template scaffold with the legal references and required sections for that framework. Multilingual (7 languages out of the box) — en, it, fr, de, es, pt-BR, bg. Override per render with [faz_cookie_policy_complete lang="it"] or let the visitor’s browser language pick. Auto-populated cookie inventory — the rendered policy pulls live from wp_faz_cookies, so any cookie discovered by the scanner shows up at the next render with its category, duration and description, in the active language. Filled with your company data — name, address, DPO email, third-party services, retention period: stored in faz_cookie_policy_data option, edited via the admin form, never seeded from admin_email or blogname (PII protection). Non-removable legal disclaimer — every generated policy ends with a footer making explicit that the templates are starting points, not legal advice. The disclaimer is hardcoded in the renderer (not in the template files) so section overrides cannot suppress it. Versioning hash — a data-faz-policy-version attribute on the rendered article tracks template + data drift over time. Display-only fields (the visible “Last updated” date) are excluded so the hash doesn’t change daily. Filter for site builders — faz_cookie_policy_data lets you inject custom placeholders before template substitution. Backwards compatible — the long-standing [faz_cookie_policy] shortcode (with site_name / contact / show_table attributes from 1.7.0) is unchanged. The standalone [faz_cookie_table] shortcode and matching faz/cookie-table Gutenberg block still work for embedding just the cookie inventory table. Multi-banner geo-routing vs multilingual content (1.14.0+) These are two orthogonal features that combine freely — multi-banner is per country, multilingual content is per language inside each banner. Multi-banner geo-routing picks WHICH banner profile to serve based on the visitor’s country. Typical setup: a strict GDPR banner for EU/EEA/UK and a CCPA opt-out banner for California (or any other per-region compliance profile). Country resolution chain: Cloudflare CF-IPCountry header (opt-in via the faz_trust_cf_ipcountry_header filter) → MaxMind GeoLite2 → ip-api.com fallback. Each banner row carries its own target_countries list and a priority integer for overlap resolution. Multilingual content lives INSIDE each banner. A single banner stores translations of its title, description and button labels for as many languages as you enable on the Languages page. The language displayed to the visitor is resolved CLIENT-SIDE from navigator.languages so a country-targeted banner can still be served from a full-page cache (LiteSpeed / WP Rocket / Cloudflare APO) and the right language renders on hydration. Practical example: an install needs only TWO banner rows, not eight. One EU-targeted GDPR banner with English + Italian + German + French + Polish translations inside, and one US-targeted CCPA banner with English + Spanish translations inside. The country selects the banner; the browser selects the translation inside the banner. Visitors hitting the right cache key get the right banner + the right language. External Services GitHub / Raw GitHubusercontent (Open Cookie Database) Used to refresh the built-in cookie definitions snapshot for the optional auto-categorize feature. Triggered when: you click the definitions update action in the Cookies screen. Data sent: your server IP address and standard HTTP request headers. Service URLs: * https://raw.githubusercontent.com/fabiodalez-dev/Open-Cookie-Database/master/open-cookie-database.json Terms of Service / Privacy Policy: * https://docs.github.com/en/site-policy/github-terms/github-terms-of-service * https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement IAB Europe / vendor-list.consensu.org Used to download the Global Vendor List and purpose translations for the optional IAB TCF feature. Triggered when: you manually update the vendor list, and weekly while IAB TCF is enabled. Data sent: your server IP address and standard HTTP request headers. Service URLs: * https://vendor-list.consensu.org/v3/vendor-list.json * https://vendor-list.consensu.org/v3/purposes-en.json Privacy Policy: * https://iabeurope.eu/privacy-policy/ MaxMind Used to download a GeoLite2 database for optional geo-targeting. You choose the edition in Settings → GeoIP Database: the smaller Country edition (default, country-level only) or the larger City edition (adds region/subdivision data for sub-national province/state routing such as Quebec Law 25). City is a much larger download; pick it only if you rely on region-level routing. Triggered when: you enter a MaxMind license key in Settings and start the database download. Data sent: your server IP address, the license key you provide, and standard HTTP request headers. Service URL: * https://download.maxmind.com/app/geoip_download Terms of Service / Privacy Policy: * https://www.maxmind.com/en/terms-of-use * https://www.maxmind.com/en/privacy-policy ip-api.com Used as a fallback geolocation lookup for the optional geo-targeting and multi-banner geo-routing features, only when MaxMind is unavailable. Triggered when: a frontend page renders the banner while geo-targeting / multi-banner geo-routing is enabled AND neither the Cloudflare CF-IPCountry header (opt-in) nor the MaxMind GeoLite2 database produces a result. The visitor’s IP is sent to ip-api.com for country resolution; the resolved country code is cached in a transient (hash-keyed by IP) for one hour to avoid repeating the lookup. Data sent: the visitor’s IP address and standard HTTP request headers. Service URL: * http://ip-api.com/json/{ip}?fields=countryCode Terms of Service / Privacy Policy: * https://ip-api.com/docs/legal ipinfo.io (geo-routing v2 only) Used for VPN/proxy/Tor detection when the admin opts in to enhanced geo detection via Settings → Geo-routing → ipinfo settings. The plugin sends the visitor IP to ipinfo.io to determine whether the visitor is masking their location; when VPN is detected, the most-protective rule-set is applied regardless of the visitor’s apparent country. Triggered when: a frontend page renders the banner AND the admin has configured an ipinfo API key AND has explicitly attested to having a DPF / SCC / DPA agreement with ipinfo.io for cross-border data transfer of EU/UK visitor IPs. Without the admin opt-in, ipinfo is NEVER called. Data sent: the visitor’s IP address (in cleartext, as required by ipinfo’s lookup contract), the configured API key, and standard HTTP request headers. The plugin caches the VPN classification locally for 24 hours hash-keyed by the IP (with monthly salt rotation) so repeat visitors do not trigger fresh calls. Service URL: * https://ipinfo.io/{ip}/privacy Terms of Service / Privacy Policy: * https://ipinfo.io/terms-of-service * https://ipinfo.io/privacy-policy * DPA (Data Processing Agreement) available on request: https://ipinfo.io/contact Plugin REST endpoint /faz/v1/banner (public) Used by the plugin’s own front-end JavaScript (script.js) to fetch the per-language / per-country banner payload after the page has loaded. This is an INTERNAL endpoint hosted by the plugin on the same WordPress install — no third-party network call leaves the visitor’s browser to a remote service. It is documented here only because the response carries bannerSlug and activeLaw, two strings that describe which banner profile and which legal regime (gdpr / ccpa) currently applies to the visitor. Triggered when: the front-end banner script bootstraps on a page that has multi-banner geo-routing active. Data sent: only what the visitor’s browser already sends with any page request to the same origin. The plugin does not forward the request to any remote service. Service URL: * https://{your-site}/wp-json/faz/v1/banner AMP Project CDN Used only on AMP pages when the AMP consent integration is active, to load the official amp-consent component required by AMP. Triggered when: an AMP page renders the AMP consent banner. Data sent: the visitor IP address and standard browser request data to the AMP CDN. Service URL: * https://cdn.ampproject.org/v0/amp-consent-0.1.js Documentation / Privacy: * https://amp.dev/documentation/components/amp-consent * https://policies.google.com/privacy Note on third-party domain strings inside the plugin codebase The plugin source includes several third-party domain names (e.g. js.stripe.com, connect.facebook.net, cdn.jsdelivr.net, unpkg.com, googletagmanager.com, etc.) as string patterns for two purposes: Script-blocking detection patterns — used to identify analytics, advertising, and tracking scripts that the site administrator’s other plugins may inject, so we can block them until the visitor has given consent. The plugin itself does not load any of these scripts. Whitelist defaults — domains such as unpkg.com/, cdn.jsdelivr.net/, fonts.googleapis.com/, www.google.com/recaptcha/api, etc. are seeded as default whitelist entries so the script blocker leaves them alone unless the admin explicitly removes them. They are configuration data, not outbound HTTP calls. The only outbound HTTP requests this plugin makes are the six documented above (Open Cookie Database, IAB GVL, MaxMind, ip-api.com fallback, ipinfo.io VPN detection (opt-in), AMP CDN). All six are gated behind explicit administrator action or an enabled feature. The internal /faz/v1/banner endpoint described above is hosted by this plugin on the same site — no third-party network call leaves the visitor’s browser to a remote service. Cache Plugin Compatibility When multi-banner geo-routing (1.14.0+) is active, the rendered HTML can legitimately vary by visitor country. This plugin asks the page-cache layer to bypass caching on those requests by emitting: Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache X-LiteSpeed-Cache-Control: no-cache Vary: CF-IPCountry (when the trust filter faz_trust_cf_ipcountry_header is enabled) DONOTCACHEPAGE, DONOTCACHEOBJECT, DONOTCACHEDB PHP constants (industry-standard bypass hints) do_action( 'litespeed_control_set_nocache', ... ) when LiteSpeed Cache is installed Verified compatible (no extra configuration needed) LiteSpeed Cache — uses the explicit litespeed_control_set_nocache action + X-LiteSpeed-Cache-Control header. WP Rocket — honors DONOTCACHEPAGE natively. W3 Total Cache — honors DONOTCACHEPAGE / DONOTCACHEOBJECT natively. WP Super Cache — honors DONOTCACHEPAGE natively. Hummingbird (WPMU DEV) — honors DONOTCACHEPAGE natively. Cloudflare APO — honors the Cache-Control: no-store header. With CF in front, also enable the trust filter so the Vary: CF-IPCountry header is emitted and CF caches per-country variants instead of bypassing entirely. Known limitations CDNs without origin Cache-Control honoring (e.g. some legacy CloudFront configurations) — verify the response Cache-Control header reaches the edge. If not, add a CF-IPCountry or country-based cache key rule at the CDN level. Minor / regional cache plugins (Comet Cache, Cachify, Swift Performance Lite) — not formally tested. Most still honor DONOTCACHEPAGE; verify by inspecting the response Cache-Control on a country-targeted page. Override the bypass logic per request via the faz_country_dependent_banner_output filter (return false to force the cache to ignore the country dimension on a specific URL).
Top keywords
- cookie33×1.40%
- banner28×1.19%
- consent24×1.02%
- data21×0.89%
- faz21×0.89%
- com20×0.85%
- https18×0.76%
- policy18×0.76%
- visitor18×0.76%
- service16×0.68%
- faz cookie13×0.55%
- ipinfo13×0.55%
SureCookie – Smarter Cookie Consent solution
Most cookie plugins either: Just show a banner Or make setup feel like preparing for a law exam SureCookie exists because there should be something better. Something accurate. Something simple. Something modern. Something built properly for WordPress. SureCookie automatically detects the cookies running on your website, categorizes them intelligently, blocks non-essential scripts before consent, and stores consent logs directly inside your WordPress database. No traffic limits. No SaaS visitor caps. No complicated configuration maze. Just clean, real enforcement. Try the live demo of SureCookie. How SureCookie Actually Works There are 4 things that matter when it comes to consent: Detection has to be accurate: If you do not know what cookies are actually running on your site, everything else falls apart. SureCookie scans with a real browser, not guesswork. Enforcement has to be technical: A banner asking for permission means nothing if scripts are already firing. SureCookie blocks non-essential scripts at the code level before consent is given. Data has to stay under your control: Consent logs belong on your server. Not locked inside a third-party SaaS dashboard you cannot fully control. Setup has to be simple: Compliance should not require a weekend of configuration. SureCookie gets you from install to enforcement in minutes. Everything in SureCookie revolves around that. Real Browser Cookie Detection This is important. Most tools try to guess cookies by scanning HTML. That is not accurate. SureCookie uses a Playwright-powered scanning engine at https://library.surecookie.com/. When you run a scan, it loads your website in a real browser environment. Not static source code. An actual browser session. That means it detects: Cookies injected dynamically Scripts loaded after interaction Conditional third-party trackers Tag manager injected scripts Things that only appear after page load It visits your website like a real user would. That is the difference. Once detected, cookies are categorized intelligently and automatically. Smart Categorization After detection, SureCookie categorizes cookies into: Essential Functional Analytics Marketing Most cookies are categorized automatically using a continuously improving detection database. Everything is editable. The goal is simple: Nobody should have to manually research every random cookie string just to get compliant. Script Blocking Before Consent This part is critical. Showing a banner is not compliance. Before consent: Analytics does not run Marketing pixels do not fire Tag managers do not execute Embedded videos do not load tracking Social widgets are paused Consent is enforced at execution level. Not just visually. Consent Logs Stored Locally All consent logs are stored inside your WordPress database in a dedicated custom table. View logs from the admin dashboard Export for compliance documentation Delete anytime Control retention periods Compliance data stays on your server. Not in an external SaaS dashboard. Performance by Design SureCookie is lightweight from the ground up. No jQuery dependency Minimal frontend footprint Dedicated database table for logs No heavy background processing Blocking non-essential scripts before consent also reduces unnecessary third-party requests, which improves page load performance as a side effect. Designed in 2026, Not 2019 Many WordPress plugins are outdated. Too many toggles. Too much legal jargon. Too much friction. SureCookie is designed to feel modern. The onboarding is structured: Scan your site Review detected cookies Confirm categories Activate enforcement That is it. Setup should feel good, not overwhelming. No Visitor-Based Limits Whether a site has 1,000 visitors or 1,000,000 visitors, SureCookie works the same way. No caps. No surprises. No usage-based pricing tiers. Built for the WordPress Ecosystem SureCookie works with: SureCart WooCommerce Easy Digital Downloads Page builders Analytics tools Marketing integrations Multisite setups Consent logic applies across your site. Who This Is For Site owners who want real enforcement, not just a banner eCommerce stores handling customer data Agencies managing multiple client sites Developers who care about clean implementation Businesses operating in regulated regions If the goal is just the simplest possible banner without caring about detection accuracy, SureCookie is probably not the right fit. If the goal is modern, accurate, performance-conscious consent management, it is. Important Note SureCookie provides the technical infrastructure for consent management. Legal compliance depends on your policies and jurisdiction. Always consult a qualified legal professional when needed. External Services Cookie Scanning: SureCookie connects to https://library.surecookie.com/ to provide real browser-based cookie scanning and smart categorization. When you run a cookie scan, SureCookie sends the URLs of your selected pages to the scanner. A real Playwright-powered browser visits those pages, just like an actual user would, and detects every cookie, tracking script, and third-party service running on your site. Detected cookies are then automatically categorized using a continuously improving detection database. Scanner Registration & Authentication: Before your first scan, SureCookie performs a one-time registration handshake with library.surecookie.com/api/register. The request includes your site URL, the WordPress administrator email, and the SureCookie plugin version so the SaaS can associate scan results with your site. The SaaS issues a per-site credential which is stored locally in your WordPress database (the surecookie_site_credentials option) and used to sign every subsequent scan request with HMAC-SHA256. To prove that the registration is initiated by an admin who actually controls the domain, the SaaS makes a single follow-up GET request to https://yoursite.example/wp-json/surecookie/v1/site-verify/{token} and confirms the token matches before issuing the credential. No user content or personal data is sent during this handshake — only the site URL, the administrator email, and the plugin version. Credentials are automatically invalidated and re-issued if the site moves to a new domain. Consent IP Logs: For region-aware consent, visitor IP addresses are processed through MaxMind integration to determine country-level location, so the correct Country gets into the consent log. PDF Export (PDFObject): SureCookie allows administrators to download consent logs as PDF files. This feature uses the PDFObject library, loaded from the cdnjs Cloudflare CDN: https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js. PDFObject is used solely to render the consent log data as a PDF in the browser. No user data is sent to the CDN — the library file itself is fetched and executed locally in the browser. PDFObject is MIT-licensed and GPL-compatible. Data Stored Locally All consent data is stored inside your WordPress database: User consent choices (categories accepted or rejected) Timestamps of consent actions Masked IP address, country and user session ID Cookie scan results Plugin configuration settings Privacy Policy SureCookie processes data through its API service at library.surecookie.com to empower cookie scanning and region-aware consent. Here is exactly what happens and why. What we send to surecookie.com: When your site is connected to the billing portal, the plugin sends only: An opaque account identifier (UUID) — never your email address. The site URL, plugin version, and the URLs you’re scanning. For Pro users: an HMAC signature derived from your license key (the license key itself never crosses the wire after activation). Your admin email is never transmitted on scan requests, scan polling, or any other recurring call after authentication completes. What Is Processed and Why: Cookie Scanning: When you run a scan, page URLs are sent to the scanning service where a real browser detects cookies and scripts. Detected cookie information (names, domains, durations) is used to categorize cookies and improve detection accuracy across all SureCookie installations. Region Detection: Visitor IP addresses are processed through MaxMind to determine country-level location for applying the correct Country into logs. IP addresses are masked before being stored in your database. Consent Records: Consent choices, timestamps, and user session ID details are logged locally in your WordPress database for compliance documentation. Where Data Lives: All consent logs, scan results, and settings are stored in your WordPress database Data sent to library.surecookie.com for scanning and geolocation may be temporarily stored for processing Nothing is sold, shared with third parties, or used for advertising Since visitor data is processed through SureCookie’s services, this should be mentioned in your site’s privacy policy. Full details: https://surecookie.com/privacy-policy/ Data Retention and Control: Consent logs and scan results can be viewed, exported, or deleted anytime from your WordPress admin Retention periods are configurable in plugin settings Security: All data transmission uses HTTPS encryption API communications are secured with authentication tokens For questions about data processing, visit https://surecookie.com/support/ About Brainstorm Force SureCookie is built by Brainstorm Force, the team behind Astra and other widely used WordPress products. Support Support Forum Documentation