Integrations

WordPress Consent API Integration

How to use the WordPress Consent API together with Concord, setup steps, testing and best practices for blocking strategies.

Overview

The WordPress Consent API standardizes consent communication between Consent Management Platforms (CMPs) like Concord and WordPress plugins. When used together with Concord, the API allows consent choices made in Concord's Consent Banner or Privacy Center to be propagated to compatible WordPress plugins (Google Site Kit, WooCommerce, etc.) with no extra configuration.

This document explains how to set up the WordPress Consent API with Concord, how Concord maps consent categories and dispatches events, and recommended blocking strategies (including a note about potential plugin issues).


Quick Summary

  • Concord supports the WP Consent API and will sync consent choices to WordPress when the plugin is present.
  • Concord sets the wp_consent_type (e.g., optin / optout) and dispatches consent updates (e.g., via calls equivalent to wp_set_consent()).
  • Recommended approach for most WordPress sites: Install and enable Concord and let the WP Consent API handle WordPress plugin consent where possible.
  • Concord's automatic detection and blocking can typically be used in tandem but may break some plugins that rely on server-side cookies or certain scripts that have issues with detection or blocking (payment processing, checkout, etc.).

Prerequisites

  • A Concord project configured and embedded on your site (Concord plugin or direct embed) — see: Deployment → Integrations → Embed Concord
  • The WP Consent API plugin installed on your WordPress site: WordPress Consent API

  • Concord will detect the presence of the WP Consent API and sync consent changes across the site.
  • Concord will set window.wp_consent_type (when configured, depending on your consent mode) and dispatch the appropriate events so WP plugins can react.
  • Concord maps its internal categories to WordPress categories (e.g., Concord marketing → WP marketing, Concord analytics → WP statistics/statistics-anonymous) and then dispatches consent updates (e.g., wp_set_consent('marketing', 'allow')).

This means that any plugin that implements the WP Consent API should automatically respect consent decisions made via Concord.


Step-by-Step Setup

  1. Sign up for Concord.
  2. Install and activate the WP Consent API plugin on the WordPress site.
  3. Install and connect the Concord WordPress plugin (or embed the Concord script directly).
  4. Verify Concord shows connected in your Concord project (Deployment → Integrations → Embed Concord).
  5. Verify the integration is active and test consent flows (see Testing section below).

Testing & Verification

Open your site in a browser, open the devtools console, and:

  • Check wp_consent_type:
// should be defined when wp consent API is active
console.log(window.wp_consent_type);
  • Inspect WP consent cookies: wp_consent_marketing, wp_consent_statistics, etc.
  • Confirm Concord dispatches consent events: try changing consent from the Concord banner and verify the WP cookies / wp_has_consent() reflect the change.

You can also test programmatically in the console:

// Example (from WP Consent API docs)
window.wp_consent_type = 'optin';
document.dispatchEvent(new CustomEvent('wp_consent_type_defined'));
wp_set_consent('marketing', 'allow');
// or check
if (wp_has_consent('marketing')) {
  console.log('marketing consent is allowed');
}

Category & Service Mappings

  • Default Concord categories: marketing, analytics, functional, strictly_necessary, unclassified, ignored.
  • WP Consent API categories commonly used: marketing, statistics (and statistics-anonymous), preferences, functional.

Standard mappings:

  • Concord marketing → WP marketing
  • Concord analytics → WP statistics or statistics-anonymous
  • Concord functional → WP preferences or functional (depends on CMP)
  • Concord strictly_necessary → treat as always allowed
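
The check described under Testing & Verification can be automated against the standard mappings above. This is an added example, not code from Concord or the WP Consent API; the shape of concordChoices and the sample values are assumptions, and in a browser you would pass document.cookie as the second argument.

```javascript
// Added example, not Concord code. Standard mappings as listed on this page.
const CONCORD_TO_WP = {
  marketing: ['marketing'],
  analytics: ['statistics', 'statistics-anonymous'],
  functional: ['preferences', 'functional'],
};

// Parse a document.cookie-style string into { name: value }.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// concordChoices is an assumed shape: { marketing: true, analytics: false, ... }.
// Returns one finding per category whose WP cookie is missing or disagrees.
function findConsentMismatches(concordChoices, cookieString) {
  const jar = parseCookies(cookieString);
  const findings = [];
  for (const [category, granted] of Object.entries(concordChoices)) {
    const targets = CONCORD_TO_WP[category];
    if (!targets) continue; // strictly_necessary etc.: no WP cookie to compare
    const expected = granted ? 'allow' : 'deny';
    const present = targets.filter((t) => `wp_consent_${t}` in jar);
    if (present.length === 0) {
      // Neither candidate WP category has a cookie: the choice was not synced.
      findings.push({ category, cookie: null, expected, actual: null });
      continue;
    }
    for (const t of present) {
      const actual = jar[`wp_consent_${t}`];
      if (actual !== expected) {
        findings.push({ category, cookie: `wp_consent_${t}`, expected, actual });
      }
    }
  }
  return findings;
}

// Constructed sample: visitor allowed marketing and functional, denied analytics.
const SAMPLE_COOKIES = 'wp_consent_marketing=allow; wp_consent_statistics=allow; session=abc';
const SAMPLE_CHOICES = { marketing: true, analytics: false, functional: true, strictly_necessary: true };
console.log(findConsentMismatches(SAMPLE_CHOICES, SAMPLE_COOKIES));
```

An empty result means every mapped category has a WP consent cookie that matches the choice made in Concord.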

Concord's tracker discovery and auto-blocking is enabled by default and will run on most sites to detect and block trackers immediately and transparently. In most cases this automatic detection and blocking works well and doesn't require additional configuration, but certain scripts or plugins may require special handling.

How Concord's Automatic Detection & Blocking Works (Default)

  • Auto-Enabled: Concord's detection and blocking engine runs by default and will perform actions like removing src/href attributes or converting <script> to type="text/plain", hiding iframes/images, and restoring elements once consent is granted.
  • Broad Coverage: The blocker handles many dynamically-inserted scripts and cookies, providing the main line of defense when it comes to compliance.
  • Server-Side Cookies & Service-Level Consent: For WordPress plugins that set PHP cookies or need service-level consent (e.g., Google Site Kit, WooCommerce), the WP Consent API provides additional functionality that isn't available with Concord's auto-blocking alone.
  • WP Consent API First: The WP Consent API is the source of truth for plugin-level consent; Concord's auto-blocking can typically remain enabled as a supplemental layer.
  • If an element must not be auto-blocked (for example, certain checkout scripts or other scripts that break when processed in any form), add data-concord-ignore to the tag to opt that element out of Concord blocking:
<script src="https://example.com/payment.js" data-concord-ignore></script>

Recommendation

Keep Concord auto-blocking enabled (default) because it works in most cases. For WordPress, use the WP Consent API for plugin-level consent and only opt out specific elements with data-concord-ignore if Concord's detection or blocking causes functional problems. Always test critical flows (checkout, login, analytics) after changes.


Practical Tips & Examples

  • To exclude a script or element from Concord blocking, add data-concord-ignore to the tag (Concord will not process it):
<script src="https://example.com/payment.js" data-concord-ignore></script>
  • For advanced pre-blocking or managed re-insertion, the detection and blocking engine also supports pre-tagging nodes by setting attributes: data-concord-modified="blocked" with data-concord-src/data-concord-href and data-concord-type for scripts. Concord will restore these attributes once consent allows them.

  • If a WordPress plugin needs service-level consent (e.g., Google Analytics, WooCommerce, etc.), use the WP Consent API if available.
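
Because every data-concord-ignore attribute removes an element from Concord's blocking, it helps to list the exemptions on a page and to confirm that pre-tagged nodes carry no live src/href. The following is an added example, not Concord code; the function names and report shape are assumptions, and only the attribute names come from this page.

```javascript
// Added example, not Concord code. Pass `document` in a browser console.
function isThirdParty(url, pageOrigin) {
  if (!url) return false; // inline element, nothing is fetched
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch {
    return true; // unparseable URL: flag for manual review
  }
}

function auditConcordExemptions(root, pageOrigin) {
  const report = { ignored: [], preBlocked: [], stillLive: [] };

  // Elements opted out with data-concord-ignore: Concord will not process them.
  for (const el of root.querySelectorAll('[data-concord-ignore]')) {
    const url = el.getAttribute('src') || el.getAttribute('href');
    report.ignored.push({
      tag: el.tagName.toLowerCase(),
      url: url || '(inline)',
      thirdParty: isThirdParty(url, pageOrigin),
    });
  }

  // Pre-tagged nodes: the real URL should live only in data-concord-src/href.
  for (const el of root.querySelectorAll('[data-concord-modified="blocked"]')) {
    const stored = el.getAttribute('data-concord-src') || el.getAttribute('data-concord-href');
    const live = el.getAttribute('src') || el.getAttribute('href');
    const entry = { tag: el.tagName.toLowerCase(), stored, live };
    // A live src/href means the browser fetches it before consent is given.
    (live || !stored ? report.stillLive : report.preBlocked).push(entry);
  }
  return report;
}

// In a browser, print the exemption list and any mis-tagged nodes for review.
if (typeof document !== 'undefined') {
  const r = auditConcordExemptions(document, location.origin);
  console.table(r.ignored);
  console.table(r.stillLive);
}
```

Third-party entries in the ignored list are the ones to justify individually, and anything in stillLive is a pre-tagged node that loads before consent.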


Troubleshooting & Potential Issues

  • Payment or checkout flows break: Can be caused by Concord detecting or blocking dynamic scripts. Solution: add data-concord-ignore to the script element so that the WP Consent API manages consent for the plugin, then test.

  • Server-side cookies still set after consent denied: WP Consent API exposes PHP hooks and wp_add_cookie_info() — ensure plugins register cookies correctly with the WP Consent API (plugin authors should do this).

  • Dynamic/minified plugin scripts not detected by blocking rules: prefer WP Consent API which works via API rather than URL matching.


  • Concord + WP Consent API plugin installed and configured
  • Category mappings verified (Concord → WP CMP)
  • Main flows tested (checkout, login, analytics) with consent toggled
  • Add data-concord-ignore or plugin exceptions where necessary