|
Applies to: WordPress Plugin v3.1.0+ Smash Balloon Instagram, Twitter/X, Facebook, and YouTube feed plugins |
Overview
Smash Balloon’s feed plugins embed third-party social media content that sets cookies and pixels on the visitor’s browser. Under GDPR, those cookies require consent before the feed can render. Compliance by Hu-manity.co covers the two most-deployed Smash Balloon plugins natively in v3.1.0+ and provides a documented bridge snippet for the other two.
Coverage at a Glance
| Plugin | Slug | How It Is Gated | Setup Required |
|---|---|---|---|
| Smash Balloon Instagram Feed | sbi |
Native bridge inside Compliance (sbicheckconsent) |
None — works out of the box |
| Custom Twitter/X Feeds | ctf |
Native bridge inside Compliance (ctfcheckconsent) |
None — works out of the box |
| Custom Facebook Feed | cff |
Legacy-cookie bridge snippet (see below) | Add snippet to functions.php or a code-snippets plugin |
| Feeds for YouTube | sby |
Legacy-cookie bridge snippet (see below) | Add snippet to functions.php or a code-snippets plugin |
Native Bridge: Instagram (sbi) and Twitter (ctf)
From v3.1.0 onward, Compliance includes a native consent bridge for the Instagram and Twitter feed plugins. The bridge listens for Smash Balloon’s built-in consent hooks (sbicheckconsent and ctfcheckconsent) and answers them based on the visitor’s banner choice for the marketing category.
How to verify it is working:
- Open a page with an Instagram or Twitter feed embedded.
- Visit in a fresh incognito window. Before consent, the feed should display a placeholder (Smash Balloon’s built-in “Click to load” or a custom message you configured in the plugin’s GDPR settings).
- Accept marketing in the Compliance banner.
- The feed should now render normally without a page reload (the bridge fires on the
save-consent.huevent).
Important: In the Smash Balloon plugin’s own settings, make sure GDPR mode is set to either Automatic (it will look for a CMP and find Compliance) or Manual: On. If GDPR mode is Off, the feed will fire regardless of consent and the bridge has nothing to gate.
Legacy-Cookie Bridge: Facebook (cff) and YouTube (sby)
Smash Balloon’s Custom Facebook Feed and Feeds for YouTube plugins read consent from a legacy cookie format that pre-dates the WP Consent API. Compliance does not write that cookie by default, but the bridge is a small snippet you can paste once.
Add this to your theme’s functions.php, a child theme, or a code-snippets plugin (Code Snippets, WPCode, etc.):
add_action('wp_footer', function () {
if (!function_exists('wp_has_consent')) {
return;
}
$allow = wp_has_consent('marketing') ? 1 : 0;
?>
<script>
(function () {
var allow = <?php echo (int) $allow; ?>;
document.cookie = 'cli_user_preference=' + (allow ? 'yes' : 'no') + '; path=/; max-age=' + (60*60*24*365) + '; SameSite=Lax';
document.cookie = 'sbi_consent_marketing=' + (allow ? 'true' : 'false') + '; path=/; max-age=' + (60*60*24*365) + '; SameSite=Lax';
})();
</script>
<?php
}, 99);This snippet does two things:
- Reads the current marketing-consent state from the WP Consent API (requires the WP Consent API plugin to be active and the integration to be on — see WP Consent API Integration).
- Writes the legacy cookies Smash Balloon’s Facebook and YouTube plugins are looking for.
After installing, in the Smash Balloon plugin’s GDPR settings, choose Automatic. The plugin will see the legacy cookie and gate the feed.
If You Do Not Have the WP Consent API Plugin
The native bridges (Instagram, Twitter) still work without the WP Consent API plugin — they listen to Compliance’s own consent events directly. However, the legacy-cookie snippet above relies on wp_has_consent() and will silently return without setting the cookies if the WP Consent API plugin is missing. To use the Facebook / YouTube bridge, install the WP Consent API plugin (free, from WordPress.org).
Troubleshooting
Feed renders before the visitor consents
- Confirm GDPR mode is not set to Off in the Smash Balloon plugin’s own settings.
- For Facebook / YouTube, confirm the bridge snippet is installed and running in
wp_footer. - Check the browser console for the
cli_user_preferenceandsbi_consent_marketingcookies after a fresh visit.
Feed stays as a placeholder after the visitor accepts marketing
- For Instagram / Twitter, confirm the visitor selected the level that grants marketing (typically “Personalized” or “Accept All”). At Balanced, marketing stays denied and the feed will remain a placeholder by design.
- Reload the page. The native bridge re-renders on the
save-consent.huDOM event, but some Smash Balloon themes only check at initial render — a reload forces a fresh check. - For Facebook / YouTube, the legacy-cookie bridge sets cookies on page load, so a reload after consent is always required for those two.
Visitor revoked consent but the feed is still loaded
The feed itself stops fetching new content the moment marketing is denied, but the already-rendered HTML stays on the page until reload. This is expected. For high-sensitivity sites, hide Smash Balloon feeds entirely with a CSS rule keyed to a body class set by the banner script.