=== SKT Cookie Consent ===
Contributors: sonalsinha21
Plugin URI:  https://www.sktthemes.org/shop/skt-cookie-consent/
Tags: cookie consent, gdpr, cookie banner, cookie notice, ccpa
Requires at least: 5.5
Tested up to: 6.9
Requires PHP: 7.2
Stable tag: 1.0.2
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight, self-hosted GDPR / CCPA / LGPD cookie consent plugin with banner designer, script blocker, geo-targeting and consent log.

== Description ==

**<a href="https://www.sktthemes.org/shop/skt-cookie-consent/">SKT Cookie Consent</a>** is a lightweight, 100% self-hosted WordPress cookie consent plugin built to help your website comply with global privacy laws including **GDPR (EU)**, **CCPA / CPRA (California)**, **LGPD (Brazil)**, and the **ePrivacy Directive**. No third-party SaaS account, no monthly fees, and no consent caps - all data stays on your own server.

Whether you run a blog, business site, WooCommerce store, or multilingual website, the plugin lets you display a customizable cookie banner, block third-party scripts before consent, log proof of consent, and manage cookie declarations from one clean admin dashboard.

**Documentation:** [SKT Cookie Consent – Documentation](https://sktthemesdemo.net/documentation/skt-cookie-consent-doc/)

= Key features =

* **Banner designer** - Banner, Popup, or Widget mode with multiple positions, full color, typography, and button controls. Mobile-responsive.
* **Privacy law presets** - GDPR, CCPA / CPRA, LGPD, or combined GDPR + CCPA mode with automatic banner text adjustments.
* **Geo-targeting** - Show the banner only in regions where it is required (Worldwide, EU + UK, US only, or custom country list) with cached IP lookups.
* **Real script blocker** - Blocks 22+ tracking scripts (GA4, GTM, Meta Pixel, Hotjar, YouTube, Vimeo, Google Maps, X, LinkedIn, Instagram, Pinterest, HubSpot, reCAPTCHA, AdSense, Matomo, Tawk.to, SlideShare, SoundCloud, ShareThis, AddToAny, and more) BEFORE consent is given.
* **Cookie categories** - Necessary, Marketing, Analytics, Preferences, Unclassified. Fully editable.
* **Cookie declaration list** - Document each cookie's name, provider, duration, category, storage type, and purpose. Displayed in the "Manage Preferences" view.
* **Consent log** - Searchable record of every consent decision with anonymized IP (last octet removed), country, date, status, and proof-of-consent string. Indexed for performance.
* **Dashboard insights** - Total consents, acceptance rate, rejection rate, and activity charts.
* **Developer friendly** - Translation-ready (.pot included), WPML / Polylang / TranslatePress / Loco compatible, no jQuery on the frontend, works with WP Rocket / W3 Total Cache / LiteSpeed, and major page builders (Elementor, Divi, Gutenberg).

**Compliance disclaimer:** This plugin provides the technical tools to help you meet GDPR, CCPA / CPRA, LGPD, and ePrivacy requirements. Installing it alone does NOT make your website automatically compliant - you are responsible for configuring it correctly, classifying your cookies accurately, and reviewing legal language with your own counsel.

== Installation ==

= Automatic Installation =

1. Log in to your WordPress dashboard.
2. Navigate to **Plugins → Add New**.
3. Search for **SKT Cookie Consent**.
4. Click **Install Now**, then click **Activate**.
5. Go to **SKT Cookie** in the admin sidebar to configure.

= Manual Installation =

1. Download the plugin ZIP file from WordPress.org.
2. Go to **Plugins → Add New → Upload Plugin** in your WordPress dashboard.
3. Choose the downloaded ZIP and click **Install Now**.
4. Activate the plugin through the **Plugins** screen.
5. Visit **SKT Cookie** in the admin sidebar to configure your banner, script blocker, and geo-targeting.

= Quick Start =

1. Go to **SKT Cookie → Banner Templates** and choose Banner, Popup, or Widget.
2. Visit **SKT Cookie → Banner Design** to set colors, typography, and button styles.
3. Open **SKT Cookie → Geo Location** to choose your privacy law (GDPR, CCPA, LGPD, or both).
4. In **SKT Cookie → Script Blocker**, enable blocking for the third-party services you use.
5. Add your tracking IDs (GA4, GTM, etc.) under **SKT Cookie → Cookies Settings**.
6. Done! Visit your site to see the banner in action.

= Assets =

Custom self-designed images used in this plugin:

/assets/images/
- skt-banner-right.png
- skt-branding.png
- skt-cookie-logo.png

These custom self-designed images are licensed under the GPL v2 or later.
License URL: http://www.gnu.org/licenses/gpl-2.0.html

== Frequently Asked Questions ==

= Does SKT Cookie Consent make my site GDPR / CCPA / LGPD compliant? =

The plugin provides the technical features required by these laws (consent capture, prior blocking of cookies, granular categories, easy withdrawal, audit trail). However, true compliance also requires accurate cookie classification, a privacy policy, and lawful data handling practices. We strongly recommend reviewing your setup with a qualified data-protection professional.

= Is the plugin really free? =

Yes. All core features - banner designer, script blocker, geo-targeting, consent logs, cookie list, and dashboard - are included for free with no consent caps and no visitor limits.

= Does it require a third-party account or SaaS service? =

No. SKT Cookie Consent is fully self-hosted. All consent records, settings, and configurations live in your own WordPress database. The only external service used is an optional IP geolocation lookup (ipapi.co) for visitor country detection - results are cached to minimize requests. See the "External services" section below for full details on every third-party endpoint the plugin can call.

= Will this slow down my website? =

No. The plugin is lightweight - the frontend banner uses vanilla JavaScript with minimal dependencies and only loads when needed. Geo-lookups and consent writes are cached and indexed.

= Does it work with caching plugins? =

Yes. SKT Cookie Consent works with WP Rocket, W3 Total Cache, LiteSpeed Cache, WP Super Cache, and others. Consent state is stored client-side and the banner appears regardless of whether the page is served from cache.

= Can I show different banners in different countries? =

Yes. Use the geo-targeting feature to show the banner only in EU + UK, only in the United States, worldwide, or only in countries you select manually. You can apply different rules for GDPR and CCPA when running both frameworks together.

= Will the script blocker really stop Google Analytics, Facebook Pixel, etc., before consent? =

Yes. When script blocking is enabled for a service, the plugin prevents the relevant tracking script from loading until the visitor explicitly accepts the matching cookie category. This is critical for GDPR compliance under the "prior consent" requirement.

= Does it support multilingual sites? =

Yes. The plugin is fully translation-ready and includes a .pot file. It works with WPML, Polylang, TranslatePress, and Loco Translate.

= How are visitor IP addresses handled? =

IP addresses are anonymized before being stored in the consent log (the final octet is removed), in line with GDPR best practices. The full IP is never written to the database.

= Can I export my consent logs? =

The consent log is searchable and filterable inside the WordPress admin. Each individual consent record can be inspected to view the exact proof-of-consent string. CSV / JSON export is on our roadmap.

= Is the plugin compatible with WooCommerce? =

Yes. SKT Cookie Consent works on any WordPress site, including WooCommerce stores, WordPress Multisite, BuddyPress / BuddyBoss, LearnDash, and membership plugins.

= Can I customize the banner text and buttons? =

Absolutely. Every label - title, message, "Accept All", "Reject All", "Manage Preferences", category names, and policy links - can be customized through the admin. Designs (colors, fonts, borders, buttons) are fully configurable from the visual editor.

= How is this plugin different from CookieYes, Complianz, Real Cookie Banner, or Cookie Notice? =

Unlike SaaS-based plugins (CookieYes, iubenda, Cookiebot) which require a paid account for advanced features, SKT Cookie Consent is fully self-hosted with no consent caps. Compared with other free options, it includes a real script blocker, geo-targeting, GDPR / CCPA / LGPD presets, full design customization, and built-in consent logging - all in the free version.

== Screenshots ==

1. Cookie banner displayed at the bottom of a website with Accept, Reject, and Manage Preferences buttons.
2. Admin dashboard showing total consents, acceptance rate, and consent activity chart.
3. Banner Templates page - choose between Banner, Popup, or Widget mode with positioning options.
4. Banner Design editor with full color, typography, and button customization.
5. Script Blocker page listing 22+ supported third-party services that can be blocked before consent.
6. Geo-Targeting page for selecting GDPR, CCPA, LGPD, or GDPR + CCPA presets and country rules.
7. Cookies List page where you can declare each cookie with name, domain, duration, and purpose.
8. Consent Log page showing anonymized IP, country, date, status, and proof-of-consent.
9. Cookie Types / Categories management page (Necessary, Marketing, Analytics, Preferences, Unclassified).

== External services ==

This plugin may connect to the following third-party services. These services are only loaded if explicitly enabled by the site administrator and/or after the visitor provides consent via the cookie banner.

No data is sent to these services without user consent, except where strictly required for functionality (for example, IP-based geolocation used to determine whether the cookie banner should be displayed).

= ipapi.co (IP geolocation) =

This plugin connects to an external API to determine the visitor's country based on their IP address. This is required to support geo-targeting rules (for example, displaying the cookie banner only in specific regions such as the EU or UK).

It sends the visitor's IP address to the ipapi.co service only when geo-targeting is enabled and the visitor's country has not already been resolved. This request is performed server-side. The result is cached locally on the site (as a WordPress transient) for up to 24 hours per IP address to minimize repeated external requests.

This service is provided by "ipapi.co": [terms of use](https://ipapi.co/terms/), [privacy policy](https://ipapi.co/privacy/).

= Instagram embeds =

This plugin connects to Instagram to load post embeds, it is needed to display Instagram posts that the admin has embedded on the site.

It sends data as transmitted by the Instagram embed script itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "Meta Platforms, Inc.": [terms of use](https://help.instagram.com/581066165581870), [privacy policy](https://privacycenter.instagram.com/policy).

= Pinterest widget =

This plugin connects to Pinterest to load share / save widgets, it is needed to display Pinterest save and share buttons on the site.

It sends data as transmitted by the Pinterest widget itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "Pinterest, Inc.": [terms of use](https://policy.pinterest.com/terms-of-service), [privacy policy](https://policy.pinterest.com/privacy-policy).

= Tawk.to live chat =

This plugin connects to Tawk.to to load the live-chat widget, it is needed to display the live-chat box so visitors can chat with the site operators.

It sends data as transmitted by the Tawk.to widget itself (typically including IP address, user agent, page URL, and any chat messages the visitor sends) only after consent to the matching category AND the admin has entered a Tawk.to ID.

This service is provided by "tawk.to ltd.": [terms of use](https://www.tawk.to/terms-of-service/), [privacy policy](https://www.tawk.to/privacy-policy/).

= HubSpot tracking =

This plugin connects to HubSpot to load the analytics / tracking script, it is needed to power HubSpot analytics and CRM tracking for the site administrator.

It sends data as transmitted by the HubSpot tracking script itself (such as page URL, referrer, IP address, device/browser information, and visitor interaction events) only after consent to the matching category AND the admin has entered a HubSpot account ID.

This service is provided by "HubSpot, Inc.": [terms of use](https://legal.hubspot.com/terms-of-service), [privacy policy](https://legal.hubspot.com/privacy-policy).

= Google reCAPTCHA =

This plugin connects to Google's bot-detection service, it is needed to protect forms on the site from spam and abuse.

It sends standard reCAPTCHA telemetry (such as IP address, user agent, mouse and keyboard interaction signals, and a hardware/software identifier) only after consent to the matching category AND the admin has enabled reCAPTCHA blocking.

This service is provided by "Google LLC": [terms of use](https://policies.google.com/terms), [privacy policy](https://policies.google.com/privacy).

= Google AdSense =

This plugin connects to Google's ad-serving service, it is needed to display AdSense ads on the site.

It sends standard AdSense telemetry (such as page URL, referrer, IP address, user agent, and ad interaction events) only after the visitor consents to the "Marketing" category AND the admin has enabled the corresponding script blocker.

This service is provided by "Google LLC": [terms of use](https://policies.google.com/terms), [privacy policy](https://policies.google.com/privacy).

= Google Publisher Tag (GPT) =

This plugin connects to Google's ad-management service, it is needed to deliver ads through Google Ad Manager on the site.

It sends standard GPT telemetry (such as page URL, referrer, IP address, user agent, and ad interaction events) only after the visitor consents to the "Marketing" category AND the admin has enabled the corresponding script blocker.

This service is provided by "Google LLC": [terms of use](https://policies.google.com/terms), [privacy policy](https://policies.google.com/privacy).

= Matomo analytics (self-hosted or cloud) =

This plugin connects to a Matomo analytics endpoint, it is needed to collect website analytics through the open-source Matomo platform configured by the site administrator.

It sends standard Matomo telemetry (such as page URL, referrer, IP address, user agent, screen resolution, and visitor interaction events) only after consent to the "Analytics" category AND the admin has entered a Matomo URL and Site ID.

This service is provided by "InnoCraft Ltd. (Matomo)": [terms of use](https://matomo.org/matomo-cloud-terms-of-service/), [privacy policy](https://matomo.org/privacy-policy/).

= SlideShare embeds =

This plugin connects to SlideShare to load presentation embeds, it is needed to display SlideShare presentations that the admin has embedded on the site.

It sends data as transmitted by the embedded SlideShare player itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "Scribd, Inc.": [terms of use](https://www.scribd.com/terms), [privacy policy](https://support.scribd.com/hc/en-us/articles/210129366-Privacy-policy).

= SoundCloud embeds =

This plugin connects to SoundCloud to load audio player embeds, it is needed to display SoundCloud tracks and playlists that the admin has embedded on the site.

It sends data as transmitted by the embedded SoundCloud player itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "SoundCloud Global Limited & Co. KG": [terms of use](https://soundcloud.com/terms-of-use), [privacy policy](https://soundcloud.com/pages/privacy).

= ShareThis widget =

This plugin connects to ShareThis to load the social sharing widget, it is needed to display ShareThis share buttons on the site.

It sends data as transmitted by the ShareThis widget itself (typically including IP address, user agent, referring URL, and share interaction events) only after consent to the matching category AND the admin has entered a ShareThis Property ID.

This service is provided by "ShareThis, Inc.": [terms of use](https://sharethis.com/publisher-terms-of-use/), [privacy policy](https://sharethis.com/privacy/).

= AddToAny =

This plugin connects to AddToAny to load the social sharing widget, it is needed to display AddToAny share buttons on the site.

It sends data as transmitted by the AddToAny widget itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "AddToAny LLC": [terms of use](https://www.addtoany.com/terms), [privacy policy](https://www.addtoany.com/privacy).

= Google Maps =

This plugin connects to Google Maps to load embedded maps, it is needed to display maps that the admin has embedded on the site.

It sends data as transmitted by the embedded Google Maps iframe itself (typically including IP address, user agent, and referring URL) only after consent to the matching category.

This service is provided by "Google LLC": [terms of use](https://policies.google.com/terms), [privacy policy](https://policies.google.com/privacy).

= Bundled third-party library (no network calls) =

This plugin also bundles the open-source library "Chart.js" (version 4.5.1, MIT License, https://www.chartjs.org/) inside 'assets/js/chart.umd.js'. It is loaded only on the plugin's admin dashboard screen to render local charts of your own consent log. It does not call out to any external server. The library's full license text is included in 'THIRD-PARTY-LICENSES.txt' shipped with the plugin.

== Changelog ==

= 1.0.2 =
* Added a nonce check to the consent logging AJAX request to make sure consent entries can only be saved through valid requests from the site.
* Fixed escaping issues in display/popup-show.php by removing the custom Header, Body, and Footer script fields.
* Added missing "External services" entries for ShareThis and AddToAny in the readme, including what data is sent, when it is sent, and links to their terms of service and privacy policy.
* Added a link to the plugin documentation (https://sktthemesdemo.net/documentation/skt-cookie-consent-doc/) in the Description.
* Reviewed all form inputs ($_POST, $_GET, $_REQUEST) once more to make sure they are properly sanitized and protected with nonce and capability checks where needed.
* Tested the plugin with Plugin Check and PHPCS with WordPress Coding Standards (WPCS) to confirm there are no remaining warnings or errors.
* No changes to the database or settings — all existing options and consent logs remain intact after the update.

= 1.0.1 =
* Updated bundled Chart.js library from 4.4.1 to 4.5.1 (latest stable, MIT).
* Added a complete "External services" section to the readme documenting every third-party endpoint the plugin can call, what data is sent, when, and links to each service's terms of service and privacy policy.
* Added a chart.js-LICENSE.txt file.
* Added a 'THIRD-PARTY-LICENSES.txt' file documenting the MIT license of the bundled Chart.js library and its included '@kurkle/color' dependency.
* Code hardening for WordPress.org plugin guidelines:
  - Refactored inline '<script>' and '<style>' blocks in admin and front-end templates to use 'wp_enqueue_script', 'wp_enqueue_style', 'wp_add_inline_script', and 'wp_add_inline_style' instead of being printed directly into the page output.
  - Renamed the "show" prefix used in 'register_setting()' calls to the plugin-specific prefix 'sktcoco_' to avoid collisions with other plugins or themes.
  - Reviewed and prefixed all globals, options, transients, action hooks, AJAX actions, and class names with the 'sktcoco_' / 'SKTCOCO_' prefix.
* Updated the readme display name to match the plugin header ("SKT Cookie Consent") and removed keyword-stuffed feature terms from the title line.
* Added the plugin author's WordPress.org username (sonalsinha21) to the "Contributors" list.
* No functional changes for end-users — existing settings and consent logs are preserved on upgrade.

= 1.0.0 =
Initial release of SKT Cookie Consent.