WooCommerce Sets Cookies Before You Add a Single Plugin

Every WooCommerce installation places cookies on visitor devices the moment someone interacts with the shop. These cookies handle cart contents, login sessions, and currency preferences. Most fall under the "strictly necessary" classification, meaning they keep the store functional and do not require prior consent under Article 5(3) of the ePrivacy Directive.

The trouble starts when you install analytics, remarketing, or advertising plugins. A default WooCommerce store with Google Analytics 4 and Meta Pixel enabled will set upwards of 15 cookies and fire multiple tracking requests before any visitor clicks "Accept." That is a compliance problem under the GDPR, the UK GDPR, and increasingly under US state laws such as the CCPA.

Which WooCommerce Cookies Are Strictly Necessary?

WooCommerce core sets a handful of cookies that qualify as essential. These do not require consent because the store cannot function without them.

| Cookie Name | Purpose | Duration | Consent Needed? |
| --- | --- | --- | --- |
| woocommerce_cart_hash | Stores a hash of cart contents to detect changes | Session | No |
| woocommerce_items_in_cart | Flags whether the cart contains items | Session | No |
| wp_woocommerce_session_* | Links each visitor to their server-side session and cart data | 2 days | No |
| woocommerce_recently_viewed | Stores recently viewed product IDs | Session | No (functional) |
| wordpress_logged_in_* | Authenticates logged-in customers | Session/14 days | No |
| PHPSESSID | PHP server session identifier | Session | No |

These cookies are tied directly to cart functionality or authentication. A cookie banner should list them for transparency, but it does not need to block them pending consent.

Tracking Pixels and the Cookies They Drop

The compliance risk for WooCommerce stores sits almost entirely with third-party tracking scripts. Each pixel or tag you add brings its own set of cookies, and none of them qualify as strictly necessary.

Google Analytics 4 sets _ga (expires after 2 years), _ga_* (also 2 years), and _gid (24 hours). These are analytics cookies that track visitor behaviour, session counts, and traffic sources. Under GDPR consent requirements, they must not fire until the visitor opts in.

Meta Pixel sets _fbp (90 days) and can set _fbc when a visitor arrives from a Facebook ad. These are marketing cookies used for conversion tracking and audience building. The Meta Pixel requires explicit consent before activation in all EU and UK jurisdictions.

Other common WooCommerce tracking integrations - TikTok Pixel, Pinterest Tag, Google Ads remarketing - follow the same pattern. Each sets its own cookies and requires consent before loading.

Google Tag Manager and Consent-Based Firing

Many WooCommerce stores use Google Tag Manager (GTM) as a central hub for all tracking scripts. GTM itself does not set cookies, but the tags it fires do. The critical step is configuring GTM to respect consent signals before any tag executes.

Google Consent Mode v2 provides a framework for this. When integrated with a consent management platform, Consent Mode instructs Google tags to behave differently based on consent status. Denied consent means no _ga or _gcl_* cookies, though Google may still use cookieless pings for basic measurement modelling.

For non-Google tags within GTM, you need consent-aware triggers. The standard approach is to block GTM containers before consent or use a consent initialisation trigger that only fires tags after a visitor grants permission for the relevant cookie category.
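
The default-then-update flow of Consent Mode v2 described above, as an added example (not code from Google, WooCommerce, or any consent platform). The banner category names "analytics" and "marketing" and the helper function names are assumptions of this example; the four consent signals are the Consent Mode v2 parameters.

```javascript
// Added example: Consent Mode v2 defaults plus an update driven by banner categories.
// The category names ("analytics", "marketing") are this example's assumption.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Consent Mode v2 signals grouped by the banner category that controls them.
const SIGNALS_BY_CATEGORY = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Build the consent state: every signal is denied unless its category was granted.
function consentState(grantedCategories) {
  const granted = new Set(grantedCategories);
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    for (const signal of signals) {
      state[signal] = granted.has(category) ? "granted" : "denied";
    }
  }
  return state;
}

// Has to run before the GTM container snippet so no tag sees an unset state.
function setDefaultConsent() {
  gtag("consent", "default", consentState([]));
}

// Call from the banner's callback with the categories the visitor opted into.
function applyVisitorChoice(grantedCategories) {
  const state = consentState(grantedCategories);
  gtag("consent", "update", state);
  return state;
}

setDefaultConsent();
applyVisitorChoice(["analytics"]); // constructed choice: analytics only
```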

How to Set Up Compliant Cookie Consent on WooCommerce

Step 1: Scan Your Store for All Cookies

Before configuring consent, you need a complete inventory of every cookie your store sets. A cookie scanner will crawl your pages - including product pages, checkout, and account areas - and identify all first-party and third-party cookies.

WooCommerce stores often have more cookies than expected. Plugins for reviews, wishlists, currency switching, and live chat each add their own. Without a scan, you risk missing cookies that should be blocked until consent.

Step 2: Categorise Each Cookie

Group cookies into standard categories recognised by regulators and CMP platforms:

  • Strictly necessary - cart, session, authentication, CSRF tokens
  • Functional - language preferences, currency selection, recently viewed products
  • Analytics - _ga, _gid, Hotjar, Microsoft Clarity
  • Marketing - _fbp, _fbc, TikTok _ttp, Google Ads _gcl_au

Only strictly necessary cookies may load without consent. Everything else must be blocked until the visitor actively opts in.

Step 3: Block Scripts Before Consent

The most common compliance failure on WooCommerce stores is loading tracking scripts on page load regardless of consent. A consent management platform should automatically block non-essential scripts until permission is granted, using either script rewriting (changing type="text/javascript" to type="text/plain") or tag manager integration.
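
A quick way to verify Steps 1 to 3 on your own store is to capture the cookies present on a fresh visit, before touching the banner, and classify them. The following is an added example, not code from WooCommerce or any consent platform; the cookie names and categories are the ones listed in this article, the sample cookie string is constructed, and example_wishlist_items is a hypothetical plugin cookie.

```javascript
// Added example: flag cookies present before the visitor has made a consent choice.
// Names and categories come from the article; the sample jar is constructed.
const RULES = [
  [/^woocommerce_(cart_hash|items_in_cart)$/, "necessary"],
  [/^wp_woocommerce_session_/, "necessary"],
  [/^wordpress_logged_in_/, "necessary"],
  [/^PHPSESSID$/, "necessary"],
  [/^woocommerce_recently_viewed$/, "functional"], // grouped as in Step 2
  [/^(_ga|_ga_.+|_gid)$/, "analytics"],
  [/^(_fbp|_fbc|_ttp)$/, "marketing"],
  [/^_gcl_/, "marketing"],
];

// Split a Cookie-header / document.cookie style string into cookie names.
function cookieNames(jar) {
  return jar
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Unknown names are "unclassified": typically plugin cookies nobody documented.
function classify(name) {
  const hit = RULES.find(([pattern]) => pattern.test(name));
  return hit ? hit[1] : "unclassified";
}

// Everything that is not strictly necessary is a finding when seen pre-consent.
function auditPreConsent(jar) {
  return cookieNames(jar)
    .map((name) => ({ name, category: classify(name) }))
    .filter((cookie) => cookie.category !== "necessary");
}

// Constructed jar from a first visit with the banner untouched.
const SAMPLE_JAR =
  "wp_woocommerce_session_0f3a=constructed; woocommerce_cart_hash=constructed; " +
  "_ga=GA1.1.constructed; _ga_EXAMPLE=constructed; _fbp=fb.1.constructed; " +
  "example_wishlist_items=constructed";

for (const finding of auditPreConsent(SAMPLE_JAR)) {
  console.log(`${finding.category.padEnd(12)} ${finding.name}`);
}
```

Cookies flagged as unclassified need a manual decision; HttpOnly cookies do not appear in document.cookie, so take the string from the request Cookie header if you need them included.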

WooCommerce Plugin Considerations

WooCommerce's plugin ecosystem complicates compliance. Each plugin can introduce cookies and external requests that your consent banner may not catch automatically.

Review plugins set cookies for visitor identification and aggregate ratings. Wishlist plugins store product selections in cookies that may persist for months. Live chat widgets from services like Intercom or Tidio set their own tracking cookies alongside the chat functionality.

The WP Consent API offers a standardised way for WordPress plugins to register their cookies and respect consent status. Plugins that support this API will automatically defer cookie placement until consent is given. Those that do not support it require manual script blocking configuration.

When evaluating WooCommerce extensions, check whether each plugin documents its cookies and supports consent integration. Undocumented cookies from third-party plugins are a frequent source of compliance gaps found during cookie audits.

What Regulators Expect from Online Stores

Enforcement actions in 2025 and 2026 show that ecommerce sites face real scrutiny. The French data protection authority CNIL fined SHEIN 150 million euros in September 2025 for cookie consent violations, including loading tracking scripts without prior consent. The UK's ICO launched a review of the top 1,000 UK websites in January 2025 and issued warnings to more than 130 sites from the first 200 reviewed.

Regulators check for specific failures: cookies set before consent, missing reject option, pre-ticked category boxes, and dark patterns that steer visitors toward accepting. For an ecommerce store, they also look at whether checkout and payment cookies are correctly classified and whether remarketing pixels fire only after opt-in.

Legitimate interest is not a valid basis for analytics or marketing cookies. The ePrivacy Directive requires consent for any non-essential storage on a user's device, and this applies regardless of the GDPR legal basis you rely on for the underlying data processing.

Server-Side Tracking and the Conversions API

Server-side tracking has become popular among WooCommerce store owners looking to recover data lost to ad blockers and browser restrictions like Safari's Intelligent Tracking Prevention. Meta's Conversions API and Google's server-side tagging send event data directly from your server rather than relying on browser-based pixels.

Server-side tracking does not remove consent obligations. Sending purchase or add-to-cart events to Meta from your server still constitutes personal data processing under the GDPR. You still need consent before transmitting that data. The difference is operational, not legal.

Frequently Asked Questions

Does WooCommerce set cookies without any plugins installed?

Yes. A default WooCommerce installation sets cart cookies (woocommerce_cart_hash, woocommerce_items_in_cart) and session cookies (wp_woocommerce_session_*) when a visitor interacts with the store. These are strictly necessary and do not require consent.

Do I need cookie consent for WooCommerce cart cookies?

No. Cart and session cookies are strictly necessary for the store to function. Article 5(3) of the ePrivacy Directive exempts cookies that are essential for a service explicitly requested by the user. Adding items to a cart qualifies.

Can I use Google Analytics on WooCommerce without consent?

Not under the GDPR or ePrivacy Directive. Google Analytics sets cookies like _ga that track visitor behaviour, and these require explicit opt-in consent in the EU and UK. Cookieless measurement via Consent Mode still sends data to Google but avoids setting cookies.

How do I block Meta Pixel on WooCommerce until consent is given?

Use a consent management platform that supports automatic script blocking, or load Meta Pixel through Google Tag Manager with consent-aware triggers. The pixel and its cookies (_fbp, _fbc) must not fire until the visitor has opted into the marketing category.

Does server-side tracking with the Conversions API remove the need for consent?

No. Server-side tracking sends personal data (such as purchase events, email hashes, or IP addresses) to advertising platforms from your server. This still counts as personal data processing under GDPR and requires prior consent.

What happens if my WooCommerce plugins set cookies I did not know about?

Undocumented cookies from plugins can put your store in breach of the ePrivacy Directive. Run regular cookie scans to detect all cookies, and check whether each plugin supports the WP Consent API for automatic consent integration.

Take Control of Your Cookie Compliance

If you are not sure which cookies your WooCommerce store sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie across your store - so your visitors get a clear choice, and you stay on the right side of the law.
