Complianz audit guide for agencies (2026)

Audit your Complianz setup: WordPress-native consent management, what self-scans can miss, and when multi-CMS portfolios need independent verification.

Lukas Kontur · 14 min read

TL;DR - Complianz is a strong WordPress-native consent management plugin, license-based and sold with both yearly and monthly billing, with deep integration into the WordPress request lifecycle. For WordPress-only operators, it's a clean choice. The catch arrives when an agency's portfolio includes Shopify, custom Next.js, headless commerce, or other non-WordPress sites: Complianz's WordPress-deep approach doesn't extend to those surfaces uniformly. This guide explains how to audit a Complianz installation and where independent verification fits for multi-CMS portfolios.

What Complianz does well

Complianz is a WordPress-native plugin in a way that SaaS-first CMPs are not. The plugin hooks into the WordPress request lifecycle at multiple points: it manages the consent banner UI, generates legal documents, runs a hybrid cookie scan (server-side detection plus client-side rendering), wires up Google Consent Mode v2, and keeps consent records in the WordPress database. Multi-region compliance (GDPR, ePrivacy, CCPA, others) is built in. IAB/TCF advertising frameworks and A/B testing are included across the premium license tiers.

Pricing is license-based and the public page may be displayed as yearly or monthly depending on the toggle and currency. At yearly USD display, Personal is $59/year (1 site), Professional is $179/year (5 sites, marked as Popular), and Agency is $399/year (25 sites). The EUR pricing page also exposes monthly billing for the same tiers. The Agency tier adds a multisite plugin with cross-domain cookie consent and automatic subsites configuration. A free WordPress plugin version exists with reduced features. For a WordPress shop running multiple sites under one license, Complianz is a cost-efficient option for WordPress-only portfolios.

The vendor is explicit about scope: "The Complianz plugin is currently available exclusively for WordPress." A separate Shopify App offering is sold as a different product with a different feature surface.

For an operator whose primary need is "consent management on a WordPress site or fleet of WordPress sites," Complianz is a strong single choice, and that is a real strength of the product. Where it gets harder is the multi-CMS case.

Common Complianz implementation issues that self-scans may miss

Complianz's WordPress-native integration is genuinely deep, and that depth is also the source of its blind spots: the protections are exactly as good as the WordPress-native script-loading model is. Four patterns we see repeatedly:

1. Tag manager and Consent Mode race conditions. This one is universal across CMPs. In the typical case, the Google Tag Manager snippet is hardcoded inline in header.php above the Complianz output, so GTM initializes before the plugin's script-blocking can intervene. Alternatively, Consent Mode v2 defaults to 'granted' for one or more of the four parameters. If GTM snippets, theme scripts, or plugin-injected tags run before the consent state is applied, the live first-load network can still differ from the plugin configuration. Verify with a clean browser trace, not only the WordPress admin state.

2. Theme and page-builder script injections. Complianz's auto-blocking integrates with the standard WordPress enqueue lifecycle and the WordPress Consent API. Marketing widgets pasted into theme files, custom HTML blocks in page builders (Elementor, Divi, Gutenberg, etc.), or third-party plugins that don't participate in that consent path may still need manual handling. The WordPress admin state can look correct while the live network capture still shows a tracker firing early.

3. Multi-CMS portfolio mismatch. This is the sharpest issue and the one most relevant to agencies. Complianz's WordPress integration is deep; its Shopify app is a separate product with a different feature surface; and the WordPress plugin does not directly cover custom Next.js, headless commerce, or arbitrary non-WordPress stacks. An agency portfolio that's "Complianz on WordPress + something else on the rest" has uneven coverage by definition. A uniform audit layer that doesn't care about the underlying CMS is a clean way to verify whether consent behavior works consistently across the portfolio.

4. Conditional and behavior-triggered marketing scripts. A scroll-triggered recorder, a delayed chat widget, an A/B-test branch, or a dynamically injected tag may not be exercised by a fixed crawler path. Manual verification: reproduce the user action, reject consent, reload, check whether the tag still fires.
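The trace comparison these four patterns call for can be scripted over two browser exports: one HAR from a clean first load with no banner interaction, and one from the reload after reject with the triggering action repeated. The following is an added example, not code from Complianz or from the scanner this guide describes; the host names and both captures are constructed, and the first-party test is a simple suffix match.

```javascript
// Added example: both captures are constructed and HAR 1.2-shaped
// (log.entries[].request.url), not real traffic.

// Collect third-party hosts in one capture. First-party means the site host or
// a subdomain of it; a production tool would compare registrable domains.
function thirdPartyHosts(har, siteHost, allow = []) {
  const hosts = new Set();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    const firstParty = host === siteHost || host.endsWith('.' + siteHost);
    if (!firstParty && !allow.includes(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// firstLoad: clean profile, banner untouched. afterReject: reload after
// clicking reject and repeating the user action (scroll, wait, open chat).
function compareCaptures(firstLoad, afterReject, siteHost, allow = []) {
  const preConsent = thirdPartyHosts(firstLoad, siteHost, allow);
  const survivesReject = thirdPartyHosts(afterReject, siteHost, allow);
  return {
    preConsent,      // candidates: fired before any consent choice
    survivesReject,  // still firing although consent was rejected
    both: preConsent.filter((h) => survivesReject.includes(h)),
  };
}

// Constructed sample data.
const har = (urls) => ({ log: { entries: urls.map((url) => ({ request: { url } })) } });
const FIRST_LOAD = har([
  'https://shop.example/',
  'https://static.shop.example/theme.css',
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX',
  'https://fonts.cdn.example/inter.woff2',
  'https://recorder.vendor.example/r.js',
]);
const AFTER_REJECT = har([
  'https://shop.example/',
  'https://recorder.vendor.example/r.js',
  'https://chat.vendor.example/widget.js',
]);
// fonts.cdn.example is allowlisted here as a non-tracking dependency (assumption).
const REPORT = compareCaptures(FIRST_LOAD, AFTER_REJECT, 'shop.example', ['fonts.cdn.example']);
console.log(REPORT);
```

Hosts listed under `both` are the strongest findings: they fire before any choice is made and keep firing after reject.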

Step-by-step audit checklist

Each step is something you can do in a browser; an external scanner shortcuts the manual work.

  1. Open the site in a clean browser profile, dev tools open, network filter on "third-party." Reload. Anything that fires before you click a banner button is a candidate.
  2. Check the GTM snippet position. If the GTM loader is above the Complianz output in the page source, the plugin's auto-blocking is racing the tag manager. Move the GTM snippet into Complianz's consent-gated injection or use the plugin's recommended GTM integration.
  3. Verify Consent Mode v2 default state. Search the rendered page for gtag('consent', 'default'. The argument should set all four parameters to 'denied'.
  4. Click reject. Reload. Check the same network capture. No third-party trackers should appear in the post-reject network.
  5. Test consent persistence across pages. Click reject, navigate to a second page. The banner should not reappear.
  6. Audit theme and page-builder injections. Search header.php, footer.php, and any "custom HTML" page-builder blocks for hardcoded script tags. These bypass the plugin's auto-blocking.
  7. For multisite installs (Agency tier), audit each subsite separately. Cross-domain consent sharing is an Agency feature; per-subsite drift is real.
  8. Switch the page to each of your live languages. Check that the cookie declaration translates and that the listed trackers match.
  9. Test from a non-EU IP. If your Complianz setup uses geo-targeting, verify the banner renders as expected for non-EU visitors.
  10. For multi-CMS portfolios, audit each non-WordPress site with the same checklist applied to its native stack. Complianz's WordPress-deep integration does not extend to Shopify, Next.js, or custom-stack sites uniformly.
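Steps 2 and 3 can be checked mechanically against the rendered page source. The following is an added example, not code from Complianz or from the scanner this guide describes; the two sample pages are constructed, and the `cmplz` marker used to locate the Complianz output is an assumption to confirm against your own page source.

```javascript
// Added example. Sample pages are constructed; the 'cmplz' marker for the
// Complianz output is an assumption, so pass your own marker if it differs.
const CONSENT_V2_PARAMS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Parse the object literal passed to gtag('consent', 'default', {...}).
function consentDefault(html) {
  const call = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]\s*,\s*\{([^}]*)\}/.exec(html);
  if (!call) return null;
  const state = {};
  for (const [, key, value] of call[1].matchAll(/['"]?(\w+)['"]?\s*:\s*['"](\w+)['"]/g)) {
    state[key] = value;
  }
  return state;
}

function auditSource(html, cmpMarker = 'cmplz') {
  const findings = [];
  const gtm = html.indexOf('googletagmanager.com/gtm.js');
  const cmp = html.indexOf(cmpMarker);
  // Step 2: a GTM loader above (or without) the CMP output races the blocker.
  if (gtm !== -1 && (cmp === -1 || gtm < cmp)) findings.push('gtm-before-cmp');
  // Step 3: every Consent Mode v2 parameter must default to 'denied'.
  const state = consentDefault(html);
  if (!state) findings.push('consent-default-missing');
  else for (const p of CONSENT_V2_PARAMS) {
    if (state[p] !== 'denied') findings.push(`consent-default-not-denied:${p}`);
  }
  return findings;
}

// Constructed fragments: an inline GTM loader and a stand-in for the plugin output.
const gtmLoader = "<script>(function(w,d,s,l,i){/* ... */ j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>";
const cmpOutput = '<script id="cmplz-constructed" src="/constructed/banner.js"></script>';
const RACY_PAGE = `<head>${gtmLoader}
<script>gtag('consent','default',{ad_storage:'denied',ad_user_data:'denied',ad_personalization:'denied',analytics_storage:'granted'});</script>
${cmpOutput}</head>`;
const CLEAN_PAGE = `<head><script>gtag("consent", "default", {"ad_storage":"denied","ad_user_data":"denied","ad_personalization":"denied","analytics_storage":"denied","wait_for_update":500});</script>
${cmpOutput}${gtmLoader}</head>`;

console.log(auditSource(RACY_PAGE), auditSource(CLEAN_PAGE));
```

A clean result here covers source order and the default state only; tags injected at runtime still need the network capture from steps 1 and 4.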

When Complianz alone is enough

For the following profile, Complianz's built-in scanner is sufficient and a second tool is overhead:

For this profile, the Complianz license does the job and any additional tooling is a tax. The Agency tier in particular is a cost-efficient way to manage consent across a fleet of WordPress sites.

When to add independent auditing

The case for external verification scales with three factors, and one of them is much sharper for Complianz users than for SaaS-CMP users:

Multi-CMS portfolio. This is the sharpest wedge. Complianz's WordPress integration is excellent; its Shopify app is separate; and the WordPress plugin does not directly cover custom Next.js, headless commerce, or arbitrary non-WordPress stacks. Agencies maintaining a portfolio that includes any of those need a uniform audit layer that produces the same evidence pack regardless of CMS.

Marketing tag complexity. GTM, Meta Pixel, Google Ads conversion, LinkedIn Insight, TikTok Pixel, server-side tagging - every additional tag multiplies the surface area where a default-granted slip can fire trackers before consent.

Higher-scrutiny profile. For operators that would attract regulator attention if a complaint landed, a non-vendor evidence trail is useful because cookie-consent implementation is a recurring subject of DPA scrutiny.

Evidence packs for procurement. Enterprise clients in regulated industries often request independent technical evidence as part of vendor onboarding. An external scan report addresses that ask in a way a screenshot of the Complianz dashboard does not.

Complianz vs. independent auditing

Feature
Complianz
Personal $59/yr · Professional $179/yr · Agency $399/yr (yearly USD; monthly billing also available)
GDPR Privacy Monitor
Free + paid plans
Cookie scanner (self-scan)
WordPress-native plugin
Multi-region compliance (GDPR/CCPA/ePrivacy)
Google Consent Mode v2
IAB/TCF advertising frameworks
A/B testing
Multi-site cross-domain (Agency tier)
Agency tier
License-based (yearly or monthly)
Free + paid plans
Independent technical verification
Multi-CMP / multi-CMS portfolio reports

Eight rows favor Complianz because Complianz does deep CMP work that an audit tool does not replicate. Complianz manages consent on WordPress; GDPR Privacy Monitor verifies the result behaves correctly in the wild and produces a uniform evidence pack across WordPress, Shopify, custom-stack, and headless sites.

Risk score: 46 / 100

A clean Complianz install on a single WordPress site should usually land in the low-risk band. A score in the 40s typically means one practical issue is present - for example, a theme-file script bypassing the plugin scope, a tag firing before consent, or a tracker not honored after reject.

Sample scan

45 / 100

Medium Risk · 8 trackers · pre-consent tracking: yes

Run an independent scan on the site you're auditing

Start a free scan or view a sample report to see what an external capture looks like alongside the Complianz dashboard.

Frequently asked questions

Is Complianz only for WordPress?

The plugin is. Complianz's vendor is explicit that "The Complianz plugin is currently available exclusively for WordPress." A separate Shopify App is sold as a different product with a different feature surface; the WordPress plugin does not directly cover custom Next.js, headless commerce, or arbitrary non-WordPress stacks. For multi-CMS portfolios, you'll either pair Complianz on the WordPress sites with a different CMP elsewhere, or use a uniform audit layer that doesn't care about the CMS.

How does Complianz compare to Cookiebot or CookieYes on WordPress?

Complianz is more WordPress-native: it integrates into the request lifecycle at multiple points, generates legal documents from inside WordPress, and stores consent records in the WordPress database. Cookiebot and CookieYes are SaaS-first products that ship a WordPress plugin alongside their main offering. For a WordPress-only operator, Complianz's license-based model can be cheaper than the recurring SaaS subscriptions of competitors at yearly billing; on monthly billing the gap narrows. For multi-CMS portfolios, the SaaS-first products travel better.

How accurate is the Complianz scanner?

Complianz combines server-side detection with browser-based checks, which is useful for WordPress sites. Runtime verification is still useful to confirm what actually fires before consent and after reject. Its limits are structural rather than technical: like any automated scan it follows a bounded scan path and observation window, so tags or embeds gated on real-user behavior may not be exercised by every crawler path. Self-scans are useful inventory; they are not independent technical evidence.

What's the difference between Complianz Free, Personal, Professional, and Agency?

The free WordPress plugin version covers basics. Personal ($59/year at yearly USD display, 1 site) adds the full feature set. Professional ($179/year, 5 sites, marked Popular) is the typical mid-market tier. Agency ($399/year, 25 sites) adds a multisite plugin with cross-domain cookie consent and automatic subsites configuration - the right tier for a WordPress shop maintaining many sites under one license. The pricing page also offers monthly billing for the same tiers when EUR is selected. All paid tiers include 1 year of support.

Usually one of two things: a script in header.php or a page-builder custom HTML block bypasses the plugin's auto-blocking, or GTM tags are not consent-aware. Complianz integrates deeply with the WordPress request lifecycle and the WordPress Consent API; scripts loaded by plugins, themes, or tag managers that don't participate in that consent path may still need manual handling or independent verification. A real-user network trace surfaces these where a self-scan dashboard does not.

Run a free Complianz verification scan

Before you write a remediation plan, see what an independent capture shows on the site you're auditing. GDPR Privacy Monitor's free scan returns a network-level breakdown of what fires before consent, what survives reject, and what the cookie declaration says vs. what the network does. No account required for the first scan.

Start a free scan or view a sample report to see the format before you commit.


Other audit guides: Cookiebot · CookieYes · OneTrust · Iubenda
Background: Pre-consent tracking explained


Pricing and feature claims verified 2026-05-06 against complianz.io/pricing. Complianz's pricing page is canonical when figures change. Set a quarterly reminder to re-verify.
