FAQ — ShieldConsent

No questions match your search.

Getting started

What is ShieldConsent?

ShieldConsent is a self-hosted Consent Management Platform (CMP) for WordPress. It blocks tracking scripts before consent, presents a fully customizable banner and preferences modal, records every consent decision with a timestamp and policy version, and stores everything on your own server — no SaaS, no third-party cloud, no external dependencies.

How do I install ShieldConsent?

Upload the plugin ZIP file via Plugins → Add New → Upload Plugin in your WordPress dashboard, then click Activate. The Setup Wizard starts automatically. Navigate to ShieldConsent → Settings to configure your banner, run a cookie scan, and customize the appearance.

Is there a setup wizard?

Yes. On first activation, a guided wizard walks you through 9 steps: regulations, protection mode, banner appearance, analytics, cookie categories, compliance info, first scan, and a compliance score. Every setting can be changed later.

Does it work with page caching plugins?

Yes. ShieldConsent filters scripts at the server level before the page is sent to the browser. It works with WP Rocket, LiteSpeed Cache, W3 Total Cache, WP Super Cache, SG Optimizer, and others. If a cache was built before installing the plugin, purge it so the filtered HTML is cached. When geolocation is enabled, it signals caching plugins to bypass full-page caching automatically.

Does it work with WooCommerce?

Yes. ShieldConsent includes a smart whitelist that auto-detects WooCommerce checkout, cart, and account pages. Payment gateways (Stripe, PayPal, Klarna, Mollie, Braintree, Square, Razorpay, Google Pay, Apple Pay and more) are automatically unblocked on those pages so checkout is not disrupted by consent requirements.

Compliance & regulations

Is ShieldConsent GDPR compliant?

ShieldConsent is designed to support GDPR compliance, particularly Article 7 (proof of consent) and Article 5 (accountability). It provides technical enforcement and documented proof of consent. Full compliance depends on correct configuration and accurate legal texts — ShieldConsent is a technical tool, not legal advice.

Is it compliant with CNIL guidelines?

Yes. ShieldConsent follows the principles defined by the CNIL and similar European authorities: consent before non-essential cookies, refusal as easy as acceptance, clear information, and documented proof. Final compliance remains the website operator's responsibility.

Does it support Google Consent Mode v2?

Yes. ShieldConsent automatically sends all 7 consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage, security_storage) to GA4, Google Ads, and Tag Manager. Required since March 2024 for EU ad measurement. Zero configuration needed.

Does it support IAB TCF 2.3?

Yes. ShieldConsent implements the IAB Transparency & Consent Framework 2.3, including the CMP API (window.__tcfapi) and the TC string required by participating vendors.

How does GPC (Global Privacy Control) work?

When a browser sends the GPC signal (navigator.globalPrivacyControl = true), ShieldConsent automatically enforces an opt-out for marketing and analytics — as required by CCPA §999.315(d) and similar US state privacy laws.

Does it support CCPA / US state privacy laws?

Yes. With geolocation enabled, ShieldConsent detects visitors from US states with privacy laws (California, Virginia, Colorado, Connecticut, Montana…) and automatically switches to opt-out mode with GPC enforcement.

Banner & customization

Can I customize the banner to match my site?

Fully. Accent color, banner background, text color, 4 corner presets, 4 shadow depths, optional gradient, 5 icon choices (shield, cookie, fingerprint, lock, sliders), button icon, and pulse animation on the floating button. All configured through a visual interface with instant live preview — no CSS needed.

What positions are available?

Bottom bar (full-width), floating card (bottom-left or bottom-right), top bar, or centered modal. The floating re-open button is automatically mirrored for RTL languages.

Is the banner accessible?

Yes. WCAG 2.1 AA compliant: keyboard navigation, ARIA attributes, focus management (saved on open, restored on close), visible focus indicators, and screen-reader-only class. Validated with axe DevTools and WAVE.

How does the auto-fill feature work?

Click "Auto-fill" in Settings → Appearance and all text fields (banner title, description, category labels, button labels) are pre-filled in your site language. Also available per language in the Translations tab. 36 languages supported.

My banner shows old text despite changes in Settings

Check Settings → Translations. Translations take priority over the Appearance tab. If a translation has an older version of the text, it overrides the main text. Delete or update the relevant translation.

What is the Cookie Policy Page generator?

Generates a complete cookie policy page with customizable intro, a cookie table auto-populated from your scan results (grouped by category), and a customizable outro. Use the shortcode [shieldconsent_cookie_policy].

Can I use it with a dark-themed website?

Yes. Background and text color are independent. Set a dark background with light text, and buttons, links, and icons adapt automatically. The live preview shows exactly how it looks.

Languages & detection

How does language support work?

ShieldConsent detects each visitor's browser language and shows the matching translation automatically. You can add unlimited translations from Settings → Translations. 36 languages ship with one-click auto-fill packs, and 17 more are available for manual entry — 53 languages in total.

Do I need WPML or Polylang?

No. ShieldConsent handles translations internally with its own translation management. No third-party translation plugin needed.

How do I customize texts for a specific language?

Go to Settings → Translations, select the language, and edit any field. Use the "Auto-fill" button to pre-populate all fields for that language instantly, then fine-tune.

Do I have to fill in every field when adding a language?

No. Empty fields automatically fall back to your base language texts (Settings → Appearance). This means you can translate just the banner (title, text, button labels) for a new language while the modal and category descriptions remain in your default language. The plugin handles the mix seamlessly — no broken layout, no missing text.

My site is in French but the banner shows English. Why?

Your base texts (Settings → Appearance) should be written in the same language as your WordPress site language. If your site is set to fr_FR but you wrote the banner texts in English, French visitors see the English base texts. Fix: write your base texts in French, or change your site language to match.

Which languages are supported?

36 languages with one-click auto-fill: English (US + GB), Bulgarian, Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Norwegian, Polish, Portuguese (PT + BR), Romanian, Slovak, Slovenian, Spanish, Swedish, Welsh, Arabic, Chinese (Simplified & Traditional), Hebrew, Hindi, Japanese, Turkish, and Vietnamese — including full RTL support for Arabic and Hebrew.

17 additional languages available for manual entry: Albanian, Basque, Bosnian, Catalan, Filipino, Galician, Icelandic, Indonesian, Korean, Luxembourgish, Macedonian, Malay, Persian, Russian, Serbian, Thai, and Ukrainian. Select the language in Settings → Translations and fill in the banner and modal fields — the consent banner will display in that language for matching visitors.

You can also add any language not listed above using the custom locale field.

My banner shows in the wrong language (Chinese, Arabic, etc.) — why?

ShieldConsent automatically detects the visitor's language via the Accept-Language header sent by the browser. If your banner shows in an unexpected language, the issue is in your browser's language settings — not the plugin.

Chrome: go to Settings → Languages and remove any language you don't use.
macOS: also check System Settings → General → Language & Region → Preferred Languages.

Each browser manages its own language list, independently from the operating system. Note that extensions are disabled in private/incognito mode, which may explain different behavior between normal and private browsing. After correcting your settings, clear your browser cache and reload the page.

Cookie scanner

How does the cookie scanner work?

Select up to 20 pages to scan at a time (homepage is always included). For each page, the scanner runs a two-phase detection: server-side (reads Set-Cookie headers from the HTTP response) and client-side Deep Scan (opens the page in a hidden iframe to capture cookies set by JavaScript). Every detected cookie is matched against the Open Cookie Database (2,200+ entries from 350+ platforms) for automatic identification and categorization.

What is the Enhanced scan mode?

A checkbox you can enable before scanning. The scanner auto-scrolls to the bottom of each page to trigger lazy-loaded scripts, uses a MutationObserver to catch dynamically injected scripts, and waits longer for delayed cookies. Takes about 15 seconds more per page, but catches cookies that only appear after scroll or time-based triggers.

Can I schedule automatic scans?

Yes. From Settings → Scheduled Scan, choose daily, weekly, or monthly. The scheduled scanner covers the homepage plus your most recently modified pages and posts — configurable up to 200 pages (50 is recommended for most sites). You receive an email report when new or unknown cookies are detected.

What if a cookie is not recognized?

Unrecognized cookies are flagged in the scan results. You can manually add them to your Cookie Catalog with a name, description, vendor, duration, and category. They'll then appear in your cookie policy page and consent modal.

What is the Third-Party Tracker Report?

After each scan, a network analysis identifies every third-party domain contacted during the scan and matches them against a database of known trackers. This catches tracking scripts that may not set cookies but still collect data — tracking pixels, beacons, and fingerprinting scripts.

Cookie monitor

What is the Cookie Monitor and how is it different from the scanner?

The scanner visits selected pages once and captures cookies that appear within seconds. The Cookie Monitor is a passive system that observes cookies set by real visitors over 24 to 72 hours. Real visitors click, scroll, add to cart, submit forms, and watch videos — the monitor captures cookies that appear during those interactions, naturally. No simulation, no headless browser, no cloud dependency.

How does it work technically?

When you activate the monitor, a lightweight micro-script (~800 bytes gzipped, pure vanilla JS) is injected on every page via wp_footer. It periodically polls document.cookie and batches new cookie names to the server via sendBeacon. Only cookie names and page paths are collected — never values, never visitor identity. The script self-disables when the configured window expires.

Does the monitor affect site performance or visitor privacy?

Performance: minimal. The script is tiny, sends data only when it finds new cookies, includes built-in rate-limiting and an automatic safety valve to prevent any impact on high-traffic sites. Database writes are batched, not per-request.

Privacy: the monitor sets no cookies itself, performs no fingerprinting, stores no visitor identifiers, and filters out WordPress admin cookies server-side. It collects purely technical metadata about your site — GDPR-safe by design.

Do I need to stay on my site while the monitor runs?

No. Start monitoring, close your browser, come back in 48 hours. The monitor runs autonomously — it depends on your visitors' traffic, not your presence. It auto-expires after the configured duration (24, 48, or 72h). You only need to come back to review the report and merge detected cookies into your catalog.

Do I get an email when monitoring finishes?

Yes. When the monitoring window expires, ShieldConsent sends a summary email to the admin address. The email lists all detected cookies, highlights which ones are not yet in your catalog, and includes a direct link to review and merge results. The email is sent automatically — either at the exact expiration time via WP-Cron, or on the next admin page load as a fallback on low-traffic sites.

Why doesn't the monitor auto-add cookies to the catalog?

By design. The monitor captures everything — including transitional cookies, debug cookies, and browser extension artifacts. Auto-adding them would pollute your catalog with false positives and could mislead visitors about which cookies your site actually uses. The scanner auto-adds because it runs in a controlled environment; the monitor shows you what it found and lets you decide what to keep.

Script blocking & content blocker

How does server-side script blocking work?

ShieldConsent intercepts the page HTML in a PHP output buffer before it reaches the browser. Tracking scripts are matched against a registry of 290+ known endpoints and replaced with inert placeholders. When the visitor gives consent, scripts are activated client-side. This is more reliable than JavaScript-only blocking because scripts are removed from the HTML before it reaches the browser.

I pasted a Google Analytics or Google Ads tag in my theme header — is that a problem?

Yes. Hardcoded inline scripts like gtag('config', 'G-...') or gtag('config', 'AW-...') in your theme's header.php (or via an "Insert Headers" plugin) bypass ShieldConsent's blocking entirely. ShieldConsent blocks external scripts loaded with <script src="...">, but it cannot remove inline JavaScript that is already part of the HTML. These tags will set cookies (_ga, _gcl_aw, etc.) before consent, which violates GDPR. Remove them from your header and use one of the two compliant methods described in the next question.

How should I set up Google tags (GA4, Google Ads) with ShieldConsent?

Option 1 — Via GTM (recommended): Enter your GTM container ID (GTM-XXXXXX) in ShieldConsent → Protection. ShieldConsent injects GTM only when analytics consent is granted, and sends Consent Mode v2 signals so marketing tags inside GTM are gated automatically. Add your GA4 and Google Ads tags inside GTM with an "All Pages" trigger — GTM handles the consent logic for you.

Option 2 — Without GTM: Enter your GA4 Measurement ID (G-XXXXXXX) in ShieldConsent → Protection → GA4 Measurement ID. ShieldConsent will inject the gtag.js script conditionally and block it until consent. For Google Ads, add gtag/js?id=aw- to your Managed Endpoints so ShieldConsent blocks the Ads script until marketing consent is given.

In both cases, never paste Google tag code directly in your theme header or via an "Insert Headers" plugin — these bypass consent management entirely.

What about embedded content (YouTube, Maps, etc.)?

The Content Blocker detects and replaces third-party iframes with consent placeholders. Supported: YouTube, Vimeo, Dailymotion, TikTok, Twitch, Wistia, Loom, X (Twitter), Instagram, Facebook, Spotify, SoundCloud, Google Maps, OpenStreetMap, and more. YouTube embeds show a video thumbnail in the placeholder.

What is the Cookie Cleaner?

When a visitor refuses cookies, ShieldConsent actively deletes known tracking cookies (_ga, _gid, _gat, _fbp, etc.) that may have been set previously. Best-effort cleanup of first-party cookies visible to the domain.

What happens when a visitor doesn't give consent?

Tracking scripts remain blocked. Consent Mode v2 sends "denied" signals (GA4 can still use cookieless modeling). Iframes are replaced with placeholders. The visitor can reopen the modal any time via the floating button.

Can I whitelist specific scripts or pages?

Yes. You can configure managed endpoints (URL patterns always allowed), custom category overrides, and assign scripts to strictly_necessary so they're never blocked. The WooCommerce whitelist works automatically in Mode C.

What are the three protection modes?

Mode A (Signals only) — sends Consent Mode signals without blocking scripts. Mode B (Standard blocking) — blocks scripts by category until consent; recommended for most sites. Mode C (Advanced / e-commerce) — adds smart whitelisting for WooCommerce checkout, cart, account pages, and payment gateways.

Geolocation

How does geolocation work?

ShieldConsent detects the visitor's country using CDN/proxy headers (Cloudflare, Vercel, etc.), a configurable geolocation API, and server-level headers. Based on the detected country, it automatically applies the correct consent mode.

Which countries and regions are recognized?

All 27 EU + 3 EEA countries (opt-in), UK and Switzerland (opt-in), Brazil (LGPD, opt-in), and US states with privacy laws: California, Virginia, Colorado, Connecticut, Montana, and more as legislation evolves.

Does geolocation work with page caching?

Yes. ShieldConsent signals caching plugins to bypass full-page caching via DONOTCACHEPAGE, Cache-Control: no-store, and plugin-specific hooks (WP Rocket, LiteSpeed, Kinsta, Cloudflare APO). A runtime geo-fix script corrects the consent mode if a stale cached page is served.

What geolocation settings can I configure?

In Settings → Geolocation: region-based consent mode mapping, detection method priority, fallback behavior, and cache handling.

What if geolocation can't determine the country?

ShieldConsent falls back to your default consent mode (configured in Settings). For maximum protection, set the default to opt-in.

Consent data & storage

Where is consent data stored?

Two places: (1) cookies on the visitor's device — an HttpOnly server-side cookie as source of truth, and a JS-readable cookie for UI state; (2) a dedicated table in your WordPress database (wp_shieldconsent_logs). No data is sent to external servers.

How long are consent records retained?

Configurable in Settings → Legal. Old records are deleted automatically via WP-Cron. You can also delete records manually at any time.

Does ShieldConsent act as a data processor?

No. All data stays on your server. There are no third-party data transfers to justify under GDPR Article 28. The website operator is the sole data controller.

Can consent records be tampered with?

Records are stored as database rows and include SHA-256 integrity hashes for verification. They can technically be modified by a database administrator — this design prioritizes transparency and full site owner control.

Legal documents

What legal documents can ShieldConsent generate?

Individual consent proof (PDF/HTML), consent dossier, and legal ZIP bundle — all accessible from ShieldConsent → Legal Downloads. The consent proof shortcode also lets visitors view their own consent status on the frontend.

What is the individual consent proof?

A document for a specific consent ID containing the exact banner text shown (in the visitor's language), category selections, policy version, and SHA-256 hash. Designed to satisfy GDPR Article 7(1).

What is the Legal ZIP bundle?

An audit-ready package: consent dossier, settings snapshot, cookie catalog, and all consent logs in one ZIP. Supports GDPR Article 5 (accountability).

Why do documents download as HTML instead of PDF?

PDF requires the Dompdf library (composer require dompdf/dompdf). Without it, ShieldConsent falls back to HTML — same content, different format. You can also use Print → Save as PDF from any browser.

How often should I generate legal documents?

Generate a fresh Legal ZIP whenever you make significant configuration changes (new categories, updated policy version, new cookies). Individual consent proofs are generated on demand for regulatory inquiries.

Are the legal documents accepted by regulators?

ShieldConsent provides documented, auditable technical evidence of consent — which is what GDPR Article 7 requires. This level of proof is standard for CMP solutions and recognized by supervisory authorities as adequate evidence.

Dashboard & exports

What is the Audit Log?

A journal of consent activity with filters, exports (CSV/JSON), and formal audit generation (PDF/HTML) for documentation and review.

What shortcodes are available?

[shieldconsent_manage_consent] (reopen modal button), [shieldconsent_cookies_table] (cookie table), [shieldconsent_consent_proof] (current visitor's consent status), and [shieldconsent_cookie_policy] (full auto-generated cookie policy page).

What is the Diagnostics page?

Detects common issues: Google Site Kit injecting tracking independently, competing plugins (MonsterInsights, etc.), database schema status, and a front-end scan that checks your home page for scripts that might fire before consent.

Pricing & licensing

What's included in ShieldConsent?

ShieldConsent includes the full feature set: banner customizer with live preview, 6 cookie categories, cookie scanner with Open Cookie Database (2,200+ entries), scheduled scans, Cookie Monitor (passive real-traffic detection), Google Consent Mode v2, IAB TCF 2.3, all three protection modes, Content Blocker, Cookie Cleaner, geolocation, unlimited translations, legal exports (PDF + ZIP), Audit Log, Legal Proof Generator, cookie policy page generator, settings import/export, and priority support.

How does licensing work?

Licenses are annual. No per-pageview limits, no cloud subscriptions, no data leaving your server.

What happens when my license expires?

Your site continues to work — banner, consent collection, and all active features remain functional. Pro features are disabled and you no longer receive plugin updates or access to support. Renew to stay current with regulation changes and security patches.

Troubleshooting

The banner doesn't appear on my site

Check: (1) Is the plugin activated? (2) Is the consent mode set to "hidden" for your region? (3) Is there already a valid consent cookie? Clear cookies or use incognito. (4) Is a caching plugin serving a stale page? Purge your cache. (5) Run Settings → Diagnostics to detect competing plugins.

Scripts are still loading before consent

Possible causes: (1) a caching plugin cached the page before activation — purge the cache; (2) a competing plugin injects tracking independently — run Diagnostics; (3) the script isn't in the registry — add it in Settings → Managed Endpoints.

Google Analytics shows no data after installing

Expected if visitors haven't consented to analytics yet. GA4 data resumes once visitors accept. With Consent Mode v2, GA4 uses cookieless modeling to estimate data for non-consenting users.

Page reloads in a loop in Firefox private browsing

Firefox private browsing sends the GPC signal by default. If "Auto reload on consent" is enabled AND GPC enforcement is active, this can cause a loop. Fix: disable "Auto reload on consent" in Settings.

Banner appears in the wrong language

ShieldConsent detects each visitor's language from the browser's Accept-Language header. If the banner shows in an unexpected language, check your browser's language preferences (Chrome: Settings → Languages; macOS: System Settings → General → Language & Region). Clear your browser cache after making changes. See also: Languages & detection.

Known limitations

Can ShieldConsent delete third-party cookies (e.g. on .google.com or .facebook.com)?

No — this is a browser security restriction, not a ShieldConsent limitation. Cookies set on a third-party domain (like .google.com or .facebook.com) can only be deleted by that domain. ShieldConsent blocks the scripts that create these cookies, preventing them from being set in the first place. If a third-party cookie was set during a previous visit before the plugin was installed, it will persist until the browser clears it or it expires. This limitation applies to all consent management platforms.

Does it work with aggressive page caching (LiteSpeed, WP Rocket, Cloudflare APO)?

ShieldConsent filters scripts at the PHP level (output buffering), so it works well with most caching setups. However, if your cache serves a fully static HTML page and PHP doesn't execute at all, the Script Tag Filter cannot run. In that case, purge the cache after installing ShieldConsent so the filtered HTML is cached instead. For Cloudflare APO or similar edge caches, make sure ShieldConsent's JS file is not deferred or delayed by optimization plugins — it needs to run first.

Does ShieldConsent control what happens inside Google Tag Manager?

ShieldConsent blocks or unblocks the GTM container script based on consent. Once the container loads, ShieldConsent sends Consent Mode v2 signals that well-configured tags respect. However, tags added inside GTM by a marketing team that ignore Consent Mode will fire regardless. Make sure all tags in your GTM container are configured to check Consent Mode before firing — this is a GTM-side configuration, not a ShieldConsent setting.

Does the Cookie Cleaner handle localStorage and sessionStorage?

Currently, the Cookie Cleaner targets HTTP cookies only. Some modern trackers (Amplitude, Segment, Mixpanel) also store identifiers in localStorage or IndexedDB. These are not cleared when a visitor refuses consent. ShieldConsent prevents the scripts from running in the first place (which prevents localStorage writes), but data from a previous session may persist.

What if the consent AJAX request fails (502 or timeout)?

The visitor's consent choice is always saved in a client-side cookie — the visitor is protected regardless of server response. However, the server-side consent log (used for audit trail and legal proof) may not be written. This can happen on shared hosting with strict timeout limits or when too many cookies cause oversized request headers. The visitor can reload the page and the consent will be resent.