What cookies does CoreConsent set?
CoreConsent’s job is managing other services’ cookies — but like every consent tool, it needs a small amount of first-party storage of its own to remember each visitor’s choice. This article lists exactly what CoreConsent stores, when, and what to include in your site’s cookie policy.
CoreConsent sets at most two first-party cookies, and never sends any of this data off your site.
The consent cookie: clearconsent
| Name | clearconsent by default — configurable under Settings → Developer options → Cookie / storage key name |
| Purpose | Stores the visitor’s consent choices so the banner isn’t shown again and scripts obey the saved decision |
| Set when | The visitor makes a choice on the consent banner (accept, decline, or per-category) |
| Expires | Follows Cookie expiration (days) in Developer options — 365 days by default |
| Contents | The consent state only (which categories/services were allowed). No identifiers, no personal data |
| Category | Strictly necessary |
Because it contains only the consent record itself, this cookie is generally treated as strictly necessary under GDPR/ePrivacy — storing a visitor’s consent decision doesn’t itself require consent. It should still be listed in your cookie policy (see below).
If Storage method is set to localStorage instead of Cookie, no consent cookie is set at all — the choice is kept in the browser’s localStorage under the same key.
The geo cache: cc_geo
| Name | cc_geo |
| Purpose | Caches the resolved region behavior so the geo lookup doesn’t repeat on every page view |
| Set when | Only if Geo-targeting is enabled, and only until the visitor makes a consent choice |
| Expires | 24 hours |
| Contents | A region behavior string (e.g. opt-in vs. opt-out) and a timestamp. No location coordinates, no IP address, no personal data |
| Category | Strictly necessary / functional |
If Geo-targeting is disabled, this cookie is never set — and CoreConsent automatically removes any leftover cc_geo cookie from returning visitors’ browsers.
What to put in your cookie policy
You’re welcome to copy this into your site’s cookie policy table:
clearconsent — First-party, strictly necessary. Stores your cookie-consent choices for this website so we can respect them on future visits. Expires after 365 days. Set by the CoreConsent plugin; contains no personal data.
cc_geo (only if you use Geo-targeting) — First-party, strictly necessary. Temporarily remembers which regional consent rules apply to your visit. Expires after 24 hours. Contains no personal data.
Adjust the expiry if you’ve changed the defaults.
“Another cookie scanner flagged these — is CoreConsent tracking my visitors?”
No. Third-party cookie scanners flag every cookie they find, including the one that stores consent itself — every consent plugin on the market triggers this. Neither cookie contains identifiers or personal data, and CoreConsent never transmits their contents anywhere. CoreConsent’s own site scanner excludes these cookies from results for the same reason.
This article describes how the plugin works and common regulatory treatment of consent-storage cookies; it isn’t legal advice. If you’re unsure how to classify cookies in your policy, check with your privacy counsel.