RoyalComply – Cookie Consent, GDPR & CCPA Compliance Banner

RoyalComply is a cookie consent and privacy compliance plugin for WordPress. It blocks analytics and marketing scripts until consent is given, supports Google Consent Mode v2, and adapts banner behavior based on the visitor’s jurisdiction (GDPR, CCPA, and 19 US state privacy laws).

The plugin runs entirely on your server. It does not connect to any external services.

Works With Your Stack

RoyalComply integrates with the analytics, advertising, and tag management tools you already use — no per-vendor configuration required:

• Analytics — Google Analytics 4 (GA4), Google Tag Manager, Hotjar, Microsoft Clarity, Matomo, Plausible, Fathom, Mixpanel, Amplitude, Heap.
• Advertising pixels — Meta Pixel (Facebook / Instagram), Google Ads, LinkedIn Insight Tag, TikTok Pixel, Pinterest Tag, Twitter (X) Pixel, Snapchat Pixel, Reddit Pixel.
• Themes and page builders — Elementor, Divi, Beaver Builder, Bricks, Gutenberg, Astra, GeneratePress, Kadence, Avada, OceanWP — works with any theme or builder.
• eCommerce and memberships — WooCommerce, Easy Digital Downloads, MemberPress, Restrict Content Pro, LearnDash, LifterLMS. Cart and session cookies are auto-categorized as “Necessary” and never blocked.
• Caching plugins — WP Rocket, W3 Total Cache, LiteSpeed Cache, WP Super Cache, FlyingPress, Cloudflare APO. Banner state is read client-side from localStorage so cached pages render correctly for every visitor.
• Multilingual — Polylang, WPML, qTranslate, TranslatePress. Banner text supports per-language translation; the language-selection cookie is auto-categorized as “Preferences”.
• CDN geo headers — Cloudflare (CF-IPCountry), Fastly, KeyCDN, Sucuri. Geo detection runs server-side from existing CDN headers with a browser-timezone fallback — no IP geolocation API is contacted.

RoyalComply is a free alternative to CookieYes, Complianz, Cookiebot, Iubenda, OneTrust, and Termly — without per-page-view billing, per-domain licensing, or external SaaS dependencies.

Features:

• Script blocking — Uses the WordPress script_loader_tag filter to change the type attribute of analytics and marketing scripts to text/plain until consent is given, preventing execution.
• Google Consent Mode v2 — Outputs the gtag('consent', 'default', {...}) call with a denied state before Google Tag Manager loads, and sends consent update events when the visitor makes a choice.
• Regional banner behavior — Detects the visitor’s region from CDN request headers (Cloudflare CF-IPCountry etc.) with a browser-timezone fallback. Banner behavior switches between opt-in (GDPR), opt-out (CCPA), and other jurisdictions as configured.
• Cookie scanner — Scans your site’s rendered HTML for known third-party script patterns (Google Analytics, Facebook Pixel, Hotjar, etc.) and matches them against a built-in database of 50+ cookie names. The scanner reads HTML your site already produces. No outbound HTTP requests are made.
• Consent logging — Stores each consent choice with a SHA-256 hashed visitor identifier, timestamp, and category selections. Exportable to CSV. No IP addresses or personally identifiable information are stored.
• Banner customization — 6 position options, bar or box layout, full color control. Combined CSS and JavaScript on the frontend is under 8KB.
• Geo detection — Reads the CF-IPCountry and similar headers already present in the incoming request. Falls back to the browser’s timezone via JavaScript. No IP lookup service is called.

Cookie Categories:

• Necessary — Always allowed. WordPress sessions, WooCommerce cart, PHP sessions.
• Analytics — Google Analytics, Hotjar, Clarity, Matomo, Plausible.
• Marketing — Facebook Pixel, Google Ads, LinkedIn, TikTok, Pinterest.
• Preferences — Language selection (Polylang, WPML, qTranslate).

Compliance Coverage:

• GDPR (EU/EEA) — Opt-in consent required
• CCPA (California) — Opt-out with “Do Not Sell” link
• VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TIPA (Tennessee), ICDPA (Indiana), MTCDPA (Montana), TDPSA (Texas), OCPA (Oregon), DPDPA (Delaware), FDBR (Florida), NJDPA (New Jersey), NHDPA (New Hampshire), KCDPA (Kentucky), NEBDPA (Nebraska), ICDPA (Iowa), MCDPA (Maryland), MNDPA (Minnesota)

External services

RoyalComply does not connect to any third-party services. The plugin runs entirely on your own WordPress install and does not send data to any external server, API, or CDN.

The built-in cookie scanner makes a single loopback HTTP request to your own site’s homepage (home_url( '/' )) using the WordPress wp_remote_get() function, with a 10-second timeout. This request goes to the same WordPress install; no third-party service is contacted. The scanner then reads the returned Set-Cookie response headers and the HTML response body, and searches the body for known third-party script hostnames (for example google-analytics.com, connect.facebook.net, js.stripe.com, widget.intercom.io, cdnjs.cloudflare.com). These hostnames are stored as pattern strings inside the plugin and are compared against the response body using PHP’s stripos() function. The plugin does not make any network requests to the services the pattern strings refer to; it only reads HTML that your own site already generates.

The scanner runs only when the site administrator clicks the “Scan Site” button in the RoyalComply admin screen. It is not run on a schedule and is not triggered by visitors.

Geo detection reads HTTP headers that are already present in the incoming page request (for example Cloudflare’s CF-IPCountry header) and, as a JavaScript fallback, reads the visitor’s timezone from the browser using Intl.DateTimeFormat().resolvedOptions().timeZone. No IP geolocation API is contacted.

Google Consent Mode v2 outputs a gtag('consent', 'default', {...}) JavaScript call in the page. This call runs in the visitor’s browser and is consumed by Google Tag Manager or gtag.js if those are already installed on the site. RoyalComply itself does not load Google’s scripts; the integration only configures the consent state that the site’s existing Google scripts read.