Title: FAZ Cookie Manager
Author: fabiodalez
Published: April 30, 2026
Last modified: May 15, 2026
---
Search plugins
# FAZ Cookie Manager
By [fabiodalez](https://profiles.wordpress.org/fabiodalez/)
[Download](https://downloads.wordpress.org/plugin/faz-cookie-manager.1.13.17.zip)
[Live Preview](https://test.wordpress.org/plugins/faz-cookie-manager/?preview=1)
* [Details](https://test.wordpress.org/plugins/faz-cookie-manager/#description)
* [Reviews](https://test.wordpress.org/plugins/faz-cookie-manager/#reviews)
* [Installation](https://test.wordpress.org/plugins/faz-cookie-manager/#installation)
* [Development](https://test.wordpress.org/plugins/faz-cookie-manager/#developers)
[Support](https://wordpress.org/support/plugin/faz-cookie-manager/)
## Description
**Tired of cookie consent plugins that lock essential features behind paywalls,
require cloud accounts, or send your visitors’ data to third-party servers?**
FAZ Cookie Manager is a WordPress plugin that helps you implement cookie consent
and privacy workflows for international regulations — completely free, with no strings
attached.
No account to create. The plugin requires no cloud service connection. Basic features
like consent logging and geo-targeting are included — no premium plan needed. Core
consent features run on your own server, and you own all your data.
#### Why FAZ Cookie Manager?
Most cookie consent plugins follow the same pattern: a free version with crippled
features, and a paid tier starting at $10-50/month that unlocks what you actually
need (cookie scanning, consent logs, Google Consent Mode, IAB TCF). FAZ Cookie Manager
breaks that model:
* **Cookie scanner** — Scans your site directly from your browser. No external
service, no API limits, no waiting.
* **Consent logging with CSV export** — Every consent is recorded locally in your
database. Export anytime for audits.
* **Google Consent Mode v2** — Sends all 7 consent signals to Google tags. No premium
required.
* **IAB TCF v2.3** — Full Transparency and Consent Framework support, built in.
* **Geo-targeting** — Show banners only to visitors from regulated regions (EU,
California, etc.).
* **180+ languages** — Translate every string in the banner, or use one of the
built-in translations.
* **Script blocking** — Tag any script with `data-faz-tag` to block it until the
right category is accepted.
* **Microsoft UET/Clarity** — Consent integration for Microsoft advertising and
analytics tools.
* **Revisit consent widget** — Floating button lets visitors change their preferences
anytime.
* **Accessibility-focused** — Keyboard navigation (Tab, Enter, Escape), screen-
reader support, mobile responsive.
#### Helps with these frameworks
This plugin assists consent and privacy workflows. It does not itself create, provide,
or guarantee legal compliance, and you remain responsible for the final configuration
for your site and jurisdiction.
* **GDPR** (EU General Data Protection Regulation) — Opt-in consent, granular categories,
right to withdraw
* **CCPA / CPRA** (California Consumer Privacy Act) — “Do Not Sell or Share” opt-
out link
* **ePrivacy Directive** (EU Cookie Law) — Consent-based script blocking support
* **Italian Garante Privacy** — 6-month consent expiry setting and consent logging
controls
* **EDPB Guidelines** — No scroll-as-consent, no pre-checked categories, equal
button prominence options
* **LGPD** (Brazil General Data Protection Law) — Consent-based model
* **POPIA** (South Africa Protection of Personal Information Act) — Opt-in consent
#### Try it Live
**[Try FAZ Cookie Manager in WordPress Playground](https://playground.wordpress.net/?plugin=faz-cookie-manager)**—
no account, no install, runs entirely in your browser.
#### How it works
1. Install and activate — the cookie banner appears immediately with sensible defaults
2. Scan your site to detect cookies automatically
3. Customize the banner design, text, and colors to match your brand
4. Enable Google Consent Mode or IAB TCF if you use advertising tools
5. Monitor consent analytics on the dashboard
Core banner functionality runs on your WordPress site. Optional update/download
features may contact GitHub, IAB Europe, MaxMind, or the AMP CDN depending on which
features you enable and use.
### External Services
#### GitHub / Raw GitHubusercontent (Open Cookie Database)
Used to refresh the built-in cookie definitions snapshot for the optional auto-categorize
feature.
Triggered when: you click the definitions update action in the Cookies screen.
Data sent: your server IP address and standard HTTP request headers.
Service URLs:
* https://raw.githubusercontent.com/fabiodalez-dev/Open-Cookie-Database/
master/open-cookie-database.json
Terms of Service / Privacy Policy:
* https://docs.github.com/en/site-policy/github-
terms/github-terms-of-service * https://docs.github.com/en/site-policy/privacy-policies/
github-privacy-statement
#### IAB Europe / vendor-list.consensu.org
Used to download the Global Vendor List and purpose translations for the optional
IAB TCF feature.
Triggered when: you manually update the vendor list, and weekly while IAB TCF is
enabled.
Data sent: your server IP address and standard HTTP request headers.
Service URLs:
* https://vendor-list.consensu.org/v3/vendor-list.json * https://
vendor-list.consensu.org/v3/purposes-en.json
Privacy Policy:
* https://iabeurope.eu/privacy-policy/
#### MaxMind
Used to download the GeoLite2 Country database for optional geo-targeting.
Triggered when: you enter a MaxMind license key in Settings and start the database
download.
Data sent: your server IP address, the license key you provide, and standard HTTP
request headers.
Service URL:
* https://download.maxmind.com/app/geoip_download
Terms of Service / Privacy Policy:
* https://www.maxmind.com/en/terms-of-use *
https://www.maxmind.com/en/privacy-policy
#### AMP Project CDN
Used only on AMP pages when the AMP consent integration is active, to load the official`
amp-consent` component required by AMP.
Triggered when: an AMP page renders the AMP consent banner.
Data sent: the visitor IP address and standard browser request data to the AMP CDN.
Service URL:
* https://cdn.ampproject.org/v0/amp-consent-0.1.js
Documentation / Privacy:
* https://amp.dev/documentation/components/amp-consent*
https://policies.google.com/privacy
#### Note on third-party domain strings inside the plugin codebase
The plugin source includes several third-party domain names (e.g. `js.stripe.com`,`
connect.facebook.net`, `cdn.jsdelivr.net`, `unpkg.com`, `googletagmanager.com`,
etc.) as **string patterns** for two purposes:
1. **Script-blocking detection patterns** — used to identify analytics, advertising,
and tracking scripts that the _site administrator’s other plugins_ may inject,
so we can block them until the visitor has given consent. The plugin itself does**
not** load any of these scripts.
2. **Whitelist defaults** — domains such as `unpkg.com/`, `cdn.jsdelivr.net/`, `fonts.
googleapis.com/`, `www.google.com/recaptcha/api`, etc. are seeded as default _whitelist_
entries so the script blocker leaves them alone unless the admin explicitly removes
them. They are configuration data, not outbound HTTP calls.
The only outbound HTTP requests this plugin makes are the four documented above (
Open Cookie Database, IAB GVL, MaxMind, AMP CDN). All four are gated behind explicit
administrator action or an enabled feature.
## Screenshots
* [[
* **Cookie consent banner on the frontend** — GDPR-ready banner in the bottom-left
corner with “Customize”, “Reject All” and equal-weight “Accept All” buttons.
Shown only on the first visit until the visitor makes a choice.
* [[
* **Preference center** — Category-level opt-in modal. Necessary cookies are always
active; every other category (Functional, Analytics, Uncategorized, Marketing)
is opt-in by default, with a clear description for each.
* [[
* **Admin dashboard** — Overview of pageviews, banner impressions, accept rate
and reject rate, with a 7/30/365-day pageviews chart and consent distribution.
* [[
* **Banner editor** — Configure layout, position, colours, copy and behaviour with
a live in-iframe preview. Ships with GDPR Strict, High Contrast and Light Minimal
design presets.
* [[
* **Cookies management** — Review and edit cookie categories, run the built-in
scanner, and browse the bundled Open Cookie Database with 1,000+ definitions.
* [[
* **IAB TCF v2.3 Global Vendor List** — Browse the bundled GVL, filter by purpose,
and select which vendors your site works with. Full Transparency and Consent
Framework v2.3 support, no cloud required.
* [[
* **Consent logs** — Local, tamper-resistant audit trail of every visitor consent:
status, categories, hashed IP, URL and timestamp. Filter, search and export to
CSV for DPIA / audits.
* [[
* **Google Consent Mode v2** — Default vs. granted state for `ad_storage`, `analytics_storage`,`
ad_user_data`, `ad_personalization`, `functionality_storage`, `personalization_storage`
and `security_storage`. Works with GTM and gtag.
* [[
* **Languages** — Manage active languages and the default banner language. Works
alongside WPML / Polylang; Italian, Dutch, German, French and Czech translations
ship out of the box.
* [[
* **Settings** — Global controls: enable/disable the banner, exclude specific pages,
cross-domain consent forwarding, hide from bots, GTM dataLayer events, consent
log retention and scanner limits.
## Blocks
This plugin provides 3 blocks.
* Cookie Table
* Cookie Policy
* Manage Cookies Button
## Installation
#### From the WordPress.org plugin directory (recommended)
1. In your WordPress dashboard go to **Plugins > Add New Plugin**
2. Search for **FAZ Cookie Manager**
3. Click **Install Now**, then **Activate**
4. Go to **FAZ Cookie** in the admin sidebar to configure your banner
#### Manual installation
1. Download the ZIP from [wordpress.org/plugins/faz-cookie-manager](https://wordpress.org/plugins/faz-cookie-manager/)
2. In your WordPress dashboard go to **Plugins > Add New Plugin > Upload Plugin**
3. Upload the ZIP and click **Install Now**, then **Activate**
4. Go to **FAZ Cookie** in the admin sidebar to configure your banner
## FAQ
### Does this plugin require a cloud account or subscription?
No required cloud account or subscription is needed. Core consent features run locally,
while some optional refresh/download features can contact documented third-party
services such as GitHub, IAB Europe, MaxMind, or AMP infrastructure.
### Is it really free? What’s the catch?
It’s free and open source (GPL-3.0). There are no premium upgrades, no feature gates,
and no upsells. The plugin is based on the GPL-licensed CookieYes v3.4.0 codebase,
with cloud dependencies removed and all included features running locally.
### Is it compatible with Google Consent Mode v2?
Yes. The plugin sends all 7 consent signals (`ad_storage`, `analytics_storage`, `
ad_user_data`, `ad_personalization`, `functionality_storage`, `personalization_storage`,`
security_storage`) and supports Google Additional Consent Mode (GACM) for ad technology
providers.
### Does the banner block cookies before consent?
Yes. Any script tagged with `data-faz-tag="category-name"` is blocked until the
visitor grants consent for that category. This helps you implement consent-based
blocking for ePrivacy/GDPR workflows.
### How does the cookie scanner work?
Go to **FAZ Cookie > Cookies** and click **Scan Site**. The scanner runs in your
browser using iframes, crawling your site’s pages to detect all cookies. Choose
from quick scan (10 pages), standard (100), deep (1000), or full scan. No external
service involved.
### Can I log consent for GDPR accountability?
Yes. Every consent action (accept, reject, customize) is recorded in a local database
table with timestamp, consent ID, categories chosen, anonymized IP, and page URL.
Export to CSV anytime from the Consent Logs page.
### Does it support multiple languages?
Yes. The Languages page lets you select from 180+ available languages. The banner
text is automatically translated based on the visitor’s browser language, and you
can customize every string.
### Can users change their consent after accepting?
Yes. A floating revisit widget appears on every page, letting visitors reopen the
preference center and change their choices at any time.
### Is the banner accessible?
Yes. The banner supports full keyboard navigation (Tab, Enter, Escape), proper ARIA
labels, and is responsive down to 375px viewports. Buttons have equal visual prominence
to avoid dark patterns.
### Does it work with caching plugins?
Yes. The consent banner is rendered via JavaScript from a cached template, so it
works with all major caching plugins (WP Super Cache, W3 Total Cache, LiteSpeed
Cache, etc.).
### Does the plugin send any data home or collect telemetry?
No. The plugin contains no telemetry, no analytics beacon, and no “phone home”.
Dashboard numbers are computed locally from your own `wp_faz_pageviews` and `wp_faz_consent_logs`
tables. Every outbound request that _can_ happen is documented in the “External
services” section and is gated behind an explicit admin action.
### Where is the source of the bundled minified JavaScript?
The only minified files we ship are `frontend/js/gcm.min.js` and `frontend/js/tcf-
cmp.min.js`. The full, unminified sources live next to them as `gcm.js` and `tcf-
cmp.js`, and the build command `npm run build:min` rebuilds them with `terser`.
No obfuscation is used.
### Does uninstalling the plugin remove my data?
By default, no — your consent logs, banner configuration and categories stay in
the database so you can reinstall without losing work. To wipe everything on uninstall,
enable **Settings General Remove all data on uninstall** or define `FAZ_REMOVE_ALL_DATA`
as `true` in `wp-config.php` before deleting the plugin.
### Does the plugin include a CCPA “Do Not Sell” opt-out form?
Yes. Place `[faz_do_not_sell]` on any page (e.g. your Privacy Policy) to show a
California Consumer Privacy Act opt-out form. When a visitor submits the form, the
opt-out is logged in the local consent table with a hashed IP address, a long-lived
cookie is set so the visitor sees a confirmation on subsequent visits, and the site
admin receives a notification email. Optional attributes: `title` (heading text)
and `button` (submit label). No external service is involved.
### Does the plugin include a GDPR Data Subject Access Request (DSAR) form?
Yes. Place `[faz_dsar_form]` on any page to show a GDPR-compliant request form covering
six rights: Access (Art. 15), Erasure (Art. 17), Data Portability (Art. 20), Rectification(
Art. 16), Restriction (Art. 18), and the Right to Object (Art. 21). On submission,
the request is stored as a private post in the WordPress database (so it survives
email failures), a notification is sent to the admin with a direct link to the record,
and a confirmation is sent to the requester. The form includes a honeypot field
and nonce verification to block spam bots. Optional attributes: `button` (submit
label).
## Reviews
### [Best free cookies plugin](https://wordpress.org/support/topic/best-free-cookies-plugin/)
[pascalminator](https://profiles.wordpress.org/pascalminator/) May 12, 2026
Well made plugin by a proactive developer, replacing cookiebot for several websites
now. Entirely free and no account needed.
### [Great plugin and quick support](https://wordpress.org/support/topic/great-plugin-and-quick-support-41/)
[Dieter J – Webtica Support](https://profiles.wordpress.org/dieterj/) May 8, 2026
Thanks for this plugin! Great support too. Quick and extensive debugging.
### [This is amazing!](https://wordpress.org/support/topic/this-is-amazing-45/)
[kejserjorn](https://profiles.wordpress.org/kejserjorn/) May 7, 2026
Found this plugin by chance on Reddit a couple of days ago, and now it runs on 2
of my sites, replacing heavy (and expensive) solutions. It is really well done.
Easy to use and with a lot of options to customize and tinker. Cookie scanner, Consent
Mode and everything else just works flawlessly. Thank You so much for this. I am
sure it will be a huge success for the dev.
### [Incredible Plugin](https://wordpress.org/support/topic/incredible-plugin-172/)
[alimaggs](https://profiles.wordpress.org/alimaggs/) May 6, 2026
I’ve been using several other plugins in the past to manage cookies and consent,
and they’re so faffy, usually require setting up accounts with a third-party service,
and are horrendous to manage. This plugin is so straightforward to set up; it is
incredible. We’ve rolled this plugin out on a couple of the websites we manage,
and we’ll look to add this to all our sites in the future. Fantastic. Would highly
recommend, and would happily pay for this plugin (it’s a huge bonus that this is
completely free).
### [Absolutely in love](https://wordpress.org/support/topic/absolutely-in-love-2/)
[Nico](https://profiles.wordpress.org/gooloode/) May 5, 2026
Stumbled on the Plugin on Reddit and have installed it right away. Have been contributing
some bug reports and issues and all of them have been resolved, sometimes in a matter
of less than an hour. Haven’t looked back at all and switched all my sites from
Complianz to FAZ Cookie Manager. It’s extremely easy to set-up, does 99% of tasks
by it’s own and the rest is usually just a one-time set-up & done. AdSense Integration
and Google Consent Mode are absolutely amazing, the Cookie-check is extremely well
done. I will absolutely never look back and can’t recommend this plugin enough.
The developer is incredibly helpful and that it is completely free and open source
is still astonishing to me.
### [Best cookie plugin](https://wordpress.org/support/topic/best-cookie-plugin-16/)
[8vasa8](https://profiles.wordpress.org/8vasa8/) May 1, 2026 1 reply
Everything is free and works really great.
[ Read all 7 reviews ](https://wordpress.org/support/plugin/faz-cookie-manager/reviews/)
## Contributors & Developers
“FAZ Cookie Manager” is open source software. The following people have contributed
to this plugin.
Contributors
* [ fabiodalez ](https://profiles.wordpress.org/fabiodalez/)
[Translate “FAZ Cookie Manager” into your language.](https://translate.wordpress.org/projects/wp-plugins/faz-cookie-manager)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/faz-cookie-manager/),
check out the [SVN repository](https://plugins.svn.wordpress.org/faz-cookie-manager/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/faz-cookie-manager/)
by [RSS](https://plugins.trac.wordpress.org/log/faz-cookie-manager/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
The full changelog (every release back to 1.0.0) lives at:
https://github.com/fabiodalez-
dev/FAZ-Cookie-Manager/blob/main/CHANGELOG.md and on the GitHub Releases page: https://
github.com/fabiodalez-dev/FAZ-Cookie-Manager/releases
#### 1.13.17
* Fix: `dataLayer is not defined` when third-party trackers emit a bare `dataLayer.
push()` before GTM bootstraps. Pre-init via `wp_add_inline_script('before')`.
Closes wp.org thread “bug-report-datalayer-is-not-defined”.
* Fix: cookie category counts stay stale after scan + auto-categorise — every cookie
create/update/delete now invalidates Category controller cache, banner template,
IAB unmatched-vendors transient, and 10 page-cache adapters. Closes wp.org thread“
bug-report-cookie-categories-not-populated”.
* Fix: REST `bulk_update` was silently dropping `opt_in_script` / `opt_out_script`.
Now iterates schema editable fields through the same `sanitize_script_field`
capability gate as single-cookie updates.
* Fix: `_cookieScripts` no longer truncates at 500 cookies (paged query, JSON-key-
anchored LIKE, 10000-row ceiling).
* Fix: `sanitize_meta_for_current_user` intercepts every write path into `wp_faz_cookies.
meta`. Closes a stored-XSS surface for multisite Site Administrators without `
unfiltered_html`.
* Fix: own `wp_localize_script` payloads (`{handle}-js-extra`) can no longer be
classified as analytics by the output-buffer blocker. Closes #99 and #101 (reported
independently by @Myblueroom).
* Fix: WP Rocket “Load JavaScript deferred” no longer wraps our `_fazConfig` bootstrap
payload in a `DOMContentLoaded` callback (which would scope `var _fazConfig`
to the callback and break `script.js` with `Cannot set properties of undefined`).
New `rocket_defer_inline_exclusions` filter excludes `_fazConfig`, `_fazCfg`,`
_fazGcm`, `_fazTcfConfig` from DeferJS wrapping. Closes #95 (thanks @dominikkucharski
for the diagnosis and reference patch).
* Fix: `