Sorry for the delay in responding.
The WordPress plugin is based on [ScrollDepth](https://scrolldepth.parsnip.io/) JavaScript.
I don’t see anyplace in the code that it creates a cookie.
It simply sends sends Events to Google Analytics.
If your audit system is flagging the Google Analytics cookie as not GDPR-compliant then you will want to review the GDPR information on consent for Google Analytics and decide how to manage Google Analytics.
A [reasonable article](https://brianclifton.com/blog/2018/04/16/google-analytics-gdpr-and-consent/).
If you plan to use Google Tag Manager to choose when to load the script, then you may want to switch to GTM’s built-in scroll tracking. (They have added basic scrolling as well as element visibility to GTM.)
If you’d like to see the plugin directly support a consent switch, please let me know how you’d like that work.
The user data tools in WordPress 4.9.6 don’t apply to this plugin: No data is associated with a user on the WordPress side of things. Google will probably associate those events with a persistent cookie.
Sounds like we’ll be getting more data-related features in 5.0.
Not sure I answered the question. Please let me know if there’s more we can do to help you with your GDPR plans.
