Open WooCommerce → Settings → Advanced → Features. Look at the “Order Attribution” toggle. If it’s on, your store is writing tracking cookies on every visit — and your cookie banner doesn’t know about it. Since WooCommerce 8.5 shipped in December 2023, Order Attribution Tracking has been enabled by default on every new store, capturing IP, device, referrer, UTM parameters, and session pages. It integrates with exactly one consent system: WordPress’s own WP Consent API. Not Complianz. Not CookieYes. Not Real Cookie Banner. If you haven’t installed the bridge plugin, your CMP says “blocked” while WooCommerce keeps writing.

Why Complianz, CookieYes and Real Cookie Banner Can’t See It

The mechanism is architectural, not accidental. When the WooCommerce team added Order Attribution Tracking in 8.5, they wired consent handling to the WordPress Consent API — a generic consent specification that any CMP can implement, but most don’t by default. The feature checks one signal: whether the WP Consent API reports consent for the statistics category. If yes, cookies write. If no, they don’t.

The problem is on the CMP side. Complianz, CookieYes, Real Cookie Banner, Iubenda, and most other consumer-facing CMPs do not natively report into the WP Consent API. Each requires two plugins to bridge the gap: the WP Consent API plugin itself, plus a CMP-specific adapter that translates banner state into the signal WooCommerce is actually listening for. The Complianz developer confirmed this gap directly in a public WordPress.org forum response.

Your CMP isn’t broken. WooCommerce isn’t broken. They’re listening for different signals — and nobody told you to install the translator.

How to Check if Your Store Is Affected

Three checks, two minutes total.

Check 1 — The feature toggle. Open WooCommerce → Settings → Advanced → Features. Find Order Attribution. If the toggle is on (the default since 8.5), the feature is active.

Check 2 — The cookies themselves. Open a fresh incognito window, land on your store from any referrer, then open DevTools → Application → Cookies. Look for entries prefixed wc_order_attribution_. You’ll see source_type, referrer, utm_campaign, session_pages, and several more — written on page load, before any consent banner has a chance to register a click.

Check 3 — The bridge. Go to Plugins → Installed Plugins. Search for “WP Consent API”. If it’s not installed and active, your CMP and WooCommerce are speaking different languages, and your default answer is the WooCommerce default: cookies on.

WordPress runs 43.5% of websites on the open web, and WooCommerce powers roughly 30% of online stores globally. The affected installation count is in the millions.

The ICO April 29 Bar — Why Default-On Is Now a Liability

On April 29, 2026, the UK’s Information Commissioner’s Office finalised its Storage and Access Technologies guidance, tightening the definition of “strictly necessary” cookies and explicitly requiring that any tracking-purpose cookie integrate with the site’s consent management platform. Order Attribution falls squarely into the tracking-purpose bucket under that bar — and the gap between WooCommerce’s default-on behaviour and the ICO’s new line is now a regulatory exposure, not just a configuration oversight. For the full breakdown of what changed and which WooCommerce cookie banners went stale overnight, see The ICO Just Finalised Its Storage and Access Technologies Guidance on April 29.

EU rejection rates make the gap material. Industry data puts cookie consent rejection on properly-configured CMPs at 40-70% — meaning the default-on Order Attribution cookie writes for nearly half of EU visitors who actively said no to tracking.

That’s the compliance exposure on paper. The DUAA’s five new cookie exceptions activated February 5, 2026 — and Order Attribution isn’t one of them. GDPR Article 6 needs a lawful basis a store can’t claim when the user has declined consent. The UK ICO and the German supervisory authorities have both signalled tighter enforcement on default-on tracking through 2026.

The Native Fix: Install the WP Consent API Bridge

If you want to keep Order Attribution enabled, the native fix is two plugins:

1. WP Consent API — the WordPress.org consent specification plugin (free, maintained by the official WP Consent Level Compliance Working Group)
2. A CMP adapter — Complianz ships its own integration, CookieYes has an adapter, Real Cookie Banner has a Pro-tier integration, Iubenda’s varies by configuration

Once both are active, your CMP banner state gets translated into WP Consent API signals, and WooCommerce checks those signals before writing cookies. The architecture works. It just doesn’t ship that way out of the box, and the WooCommerce documentation’s claim that the feature is “GDPR compliant by default” silently assumes a bridge most stores have never installed.

A complementary read on this: Reading Complianz, CookieYes and Real Cookie Banner From Server-Side. Worth pairing because most stores fragment consent across browser and server in ways that drift over time — the WP Consent API bridge solves the browser side; the server side needs its own pattern.

The Architectural Fix: Don’t Use a Browser Cookie at All

The deeper question is whether the browser cookie is even necessary. Most of the data Order Attribution captures — UTM parameters, referrer, traffic source — arrives at the same moment as the page request and can be read directly from the request URL and HTTP headers. WooCommerce’s own order lifecycle exposes attribution context through server-side hooks (woocommerce_checkout_create_order, woocommerce_payment_complete) that fire after consent has been resolved. No cookie write. No CMP bridge dependency. No default-on liability.

The question isn’t “how do I make my browser cookies compliant.” The question is “why is my server reading attribution from the browser when WordPress already has it server-side.”

Here’s how you actually do this. Transmute Engine™ is a first-party Node.js server that runs on your subdomain and reads attribution from WooCommerce order hooks rather than from browser cookies, while pulling CMP state from your existing Complianz, CookieYes, or Real Cookie Banner installation before any data routes outbound. No WP Consent API dependency, no second bridge plugin, no default-on cookie writing for visitors who declined.

Key Takeaways

• Default-on since WooCommerce 8.5 (December 2023): Order Attribution Tracking writes cookies on every new store unless explicitly disabled
• Only one consent integration: WP Consent API — not Complianz, CookieYes, Real Cookie Banner, or Iubenda directly
• The native fix needs two plugins: WP Consent API + your CMP’s adapter, both installed and active
• The ICO April 29, 2026 guidance and DUAA both treat tracking cookies as requiring CMP integration — default-on is now active exposure, not just configuration drift
• The architectural alternative reads attribution server-side from WooCommerce hooks, eliminating the cookie write entirely

Frequently Asked Questions

Audit your WooCommerce Order Attribution toggle today, install the WP Consent API bridge if you keep it enabled, or move attribution server-side at seresa.io.