=== VideoWhisper Light Cookie Consent ===
Contributors: videowhisper
Tags: cookie consent, privacy, consent mode, cookie banner, woocommerce
Requires at least: 6.5
Tested up to: 7.0
Stable tag: 0.6.9
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Local, accessible privacy choices with optional WP Consent API interoperability and Google Consent Mode v2 signals.

== Description ==

VideoWhisper Light Cookie Consent provides a local-first consent banner and privacy choices dialog for WordPress.

The plugin stores visitor choices in a first-party functional cookie. It does not require an account, send telemetry, or load remote assets.

Features:

* Strict opt-in, opt-out, notice-only, and disabled modes.
* Accept, reject, customize, revisit, and withdraw controls.
* Configurable bottom-left or bottom-right privacy choices button.
* Optional eight-second auto-hide for the privacy choices button, paused and reset during interaction.
* Configurable idle transparency for the banner and privacy choices button.
* WordPress-native Additional CSS link for theme-level visual customization.
* Necessary, preferences, anonymous statistics, statistics, and marketing purposes.
* Global Privacy Control recognition in opt-out mode.
* Optional WP Consent API interoperability.
* Optional Google Consent Mode v2 signals, disabled by default and suppressed when Site Kit Consent Mode is detected.
* Site Kit Consent Mode, AdSense module, and limited public-homepage publisher-ad detection.
* Certified-CMP compatibility mode that suppresses this plugin's frontend consent controls.
* Dynamic Privacy Choices and Cookie Declaration blocks.
* Cookie Policy, cookie declaration, and privacy choices shortcodes for classic content.
* On-demand editable draft Cookie Policy page with optional banner and dialog links.
* Persistent service and cookie registry with reviewed-only public output.
* Cached public cookie declarations with automatic settings and registry invalidation.
* Opt-in, browser-local cookie-name observation report for administrators.
* Administrator inventory and tracker-gating review checklist.
* Optional privacy-preserving consent event records with retention, CSV export, and erasure controls.
* Administrator Reference tab with official Google, WordPress, and regulator guidance.
* Automatic, opt-out integration presets for WooCommerce, Site Kit by Google, BuddyPress, WPForms, Wordfence, Jetpack, FansPaysite, and verified VideoWhisper plugins.
* Source-verified Broadcast Live Video, PPV Live Webcams, Live Support Tickets, 2Way VideoCalls, and Webcam Recorder presets.
* Sanitized JSON settings and registry import/export.
* Complete reset to out-of-box settings and registry state.
* Extensible service and cookie definitions with administrator overrides.
* WordPress privacy-policy suggested text.
* Site Health configuration diagnostics.
* FansPaysite theme palette, light/dark mode, and Fomantic UI integration when detected.
* Clean, unbranded frontend controls with no intrusive branding or powered-by notice.
* No jQuery or frontend framework.

This plugin helps collect and communicate privacy choices. It cannot guarantee legal compliance, discover every cookie, or block every script. Site owners must inventory and configure their services.

= Automatic integrations =

When a reviewed plugin is detected, its available service and cookie definitions are included automatically. Administrators can opt out of an integration, ignore a service, ignore a cookie, or override a cookie purpose from Settings > Cookie Consent.

Some integrations are feature-dependent. A detected plugin may not create every listed cookie on every site. Plugins without a verified plugin-created cookie are not shown as integrations.

= Developer integration =

Plugins and themes can add definitions with `vwcc_service_definitions` and `vwcc_cookie_definitions` filters. Supported purposes are `functional`, `preferences`, `statistics-anonymous`, `statistics`, and `marketing`; match types are `exact`, `prefix`, and `glob`. The `vwcc_register_services` and `vwcc_register_cookies` actions plus `vwcc_register_service()` and `vwcc_register_cookie()` remain available.

Integrations can defer scripts and iframes until a purpose is allowed:

`echo vwcc_gated_script( 'statistics', 'https://example.com/analytics.js', array( 'defer' => true ) );`

`echo vwcc_gated_iframe( 'marketing', 'https://example.com/embed', array( 'title' => 'Example video' ) );`

Equivalent markup can use `type="text/plain"` and `data-vwcc-purpose` / `data-vwcc-src`. Dynamic integrations can call `window.vwcc.registerGate( element, purpose )` or `window.vwcc.refreshGates( root )`. The browser dispatches `vwcc:gate-activated` after activation.

Gate activation is intentionally one-way for the current page. Withdrawing consent prevents activation on later page loads, but JavaScript that already executed cannot be unloaded reliably.

= Google publisher limitation =

This plugin is not a Google-certified TCF CMP. It is not sufficient for publishers serving personalized AdSense, Ad Manager, or AdMob ads in the EEA, UK, or Switzerland where Google requires a certified CMP integrated with IAB TCF.

The plugin can detect Site Kit AdSense settings, perform a limited browser-side check for common AdSense or Ad Manager markers on the public homepage, and let administrators declare publisher-ad use. These checks are not a complete site scan. When a separate certified CMP is used, compatibility mode can suppress this plugin's banner and consent synchronization.

= Privacy =

The plugin sets `vwcc_consent`, a functional first-party cookie containing selected purposes, policy version, update time, operating mode, GPC state, and a random browser consent identifier. Its lifetime is configurable from 1 to 365 days.

Optional consent event records are disabled by default. When enabled, the site stores UTC time, policy version, mode, choices, event source, GPC state, and a salted hash of the random consent identifier. Raw IP addresses and user-agent strings are not stored by this feature. Retention is configurable from 30 to 730 days.

The plugin itself sends no telemetry or site data to VideoWhisper. Google Consent Mode signals are emitted only when explicitly enabled and when the site uses compatible Google tags. Other services configured by the site may process data independently.

== Installation ==

1. Upload and activate the plugin.
2. Open Settings > Cookie Consent. Conservative defaults and detected integrations are already active.
3. Review the operating mode, text, detected services, and cookie purposes.
4. Inventory scripts, embeds, analytics, advertising, and storage not covered by detected integrations.
5. Test behavior before publishing.
6. Add the Privacy Choices block or `[vwcc_preferences]` to a privacy page.
7. Add the Cookie Declaration block or `[vwcc_cookie_declaration]` to show confirmed declarations.

Clear or change the policy version after a material purpose or service change to request new choices.

== Frequently Asked Questions ==

= Does activation make a site legally compliant? =

No. The plugin provides technical controls. Requirements depend on jurisdiction, audience, business, wording, and the services used by the site.

= Does it automatically block every tracker? =

No. It emits consent state and provides explicit script and iframe gating APIs for cooperating integrations. Scripts hard-coded by a theme, plugin, or tag manager may need separate configuration.

= Is WP Consent API required? =

No. Interoperability is feature-detected and optional.

= How should this be configured with Site Kit? =

Enable Consent Mode in Site Kit, keep WP Consent API interoperability enabled in this plugin, and leave this plugin's own Google Consent Mode signals disabled. When Site Kit Consent Mode is detected, this plugin suppresses its duplicate Google output automatically.

= What does advanced Google Consent Mode mean? =

Advanced mode loads Google consent defaults and can permit cookieless requests while storage is denied. Basic mode expects cooperating tags to wait until consent is granted.

= Does the cookie declaration scan the whole site? =

No. The declaration contains the plugin cookie plus preset or manually confirmed registry entries. Presets and manual inventory are not a complete scan.

= How can visitors withdraw consent? =

Enable the persistent privacy choices button or place `[vwcc_preferences]` on a privacy page.

== Changelog ==

= 0.6.9 =

* Removed plugin-owned arbitrary CSS storage and frontend injection following WordPress.org review.
* Added a capability-gated link from the Banner settings to WordPress Additional CSS.
* Removes previously stored plugin CSS during the settings-schema upgrade.

= 0.6.8 =

* Hardened administrator actions, imports, consent records, and database queries following Plugin Check review.
* Escaped core page-dropdown markup with an explicit allowlist and removed template-scope variable warnings.
* Create the optional consent evidence table only after its disabled-by-default feature is enabled.
* Removed the generic plugin homepage header so WordPress.org can provide the canonical plugin URL.

= 0.6.7 =

* Added cookie counts and involved purposes to a table of detected integrations.
* Added purpose details to observed cookies that match registry definitions.
* Added FansPaysite Fomantic UI classes to cookie-policy tables and privacy-choice buttons.

== Upgrade Notice ==

= 0.6.9 =

Removes the custom CSS insertion feature and delegates CSS editing to WordPress core.

= 0.6.8 =

Security and repository-readiness maintenance following Plugin Check review.

= 0.6.7 =

Improves integration summaries, observation details, and FansPaysite shortcode styling.
