Marketers, designers, and developers need high quality data to deliver optimal online experiences and grow their businesses. A lot of that data comes from your audience and their activities on your website.

Collecting that data in a way that respects data privacy laws and users’ privacy means being transparent and providing consent options. Laws like the GDPR and CCPA require you to inform people about what data you collect, how you use it, and what their rights are.

Different laws in different regions also require you to obtain user consent before collecting data, or to provide granular options about which data uses users can accept or decline, or to enable them to opt out of various data uses.

In addition, important platforms like Google’s increasingly require companies to provide proof of consent if they use those platforms for advertising, analytics, and other key marketing functions.

Smart consent management strategy with Webflow and Usercentrics enables you to meet data privacy requirements, build trust with your audience, and protect your marketing efforts and growing business. 

Provide clear information and user-friendly consent options that match your brand and that are customized to where your users are located.

We look at why you need a Webflow cookie banner, how it benefits your data privacy compliance and marketing performance strategies, and how to set it up. Support customer-friendly Privacy-Led Marketing and Webflow cookie consent.

Let’s look at why having a Webflow cookie consent banner on your website is so important for your business. Then we’ll cover the setup process.

No disruption to your Google services campaigns

Google Ads campaigns are popular among Webflow website owners for generating traffic, especially with retargeting. Government regulations aren’t the only requirements business owners need to navigate today. Large tech platforms that many businesses rely on are also implementing and enforcing privacy-centric policies. 

Setting up Webflow cookie consent via Usercentrics CMP and displaying a user-friendly and privacy-compliant consent banner enables you to maintain access to Google services that your business relies on. This includes key features like Google Ads’ personalization and remarketing.

Usercentrics CMP is Gold Tier certified with Google’s CMP Partner Program, and comes with Google Consent Mode v2 built in. Start collecting and signalling compliant consent right from implementation.

Get the required consent information from your users, securely store it for regulatory requirements, and signal it via Consent Mode to Google Services. This controls the firing of tags for ads, analytics, and other services to comply with user consent requirements for users in the US, EU, and around the world.

With Google Tag Manager, it’s easy to get up and running with Usercentrics CMP on your Webflow website.

Embrace Privacy-Led Marketing

Marketing performance strategy and optimization is already a full-time job, but it grows more complex every day.

Marketers have to stay abreast of evolving privacy regulations, changes in tech platforms’ policies and functions, the expectations of customers and prospects, and more. 

The risks of data breaches and other privacy violations go far beyond just fines and legal penalties.

They can irreparably damage your brand reputation and customers’ trust. They can require time- and resource-consuming remediation activities, like ongoing audits. And they can discourage potential new customers, partners, investors, and advertisers.

Your Webflow cookie consent banner can be a powerful tool, especially combined with a clear Webflow cookie policy, to enable you to achieve and automate privacy compliance, and maintain access to the business platforms you rely on. 

Plus, you keep your customers happy that their privacy concerns are being addressed. Which means higher long-term engagement and more valuable data to boost your marketing efforts.

We will walk you through the steps to ensure you have the accounts and access you need, and that your tags are set up to respond to consent signals correctly.

Set up your Google Tag Manager account

The easiest and most streamlined way to set up and control services on your Webflow website is by using Google Tag Manager to conditionally load scripts.

If you have a Google Tag Manager account already, you’re all set to get started. If not, create one for free.

Once your account is active, you can use it to set up Usercentrics CMP and to configure the tags that require user consent. Next we’ll cover the Usercentrics CMP setup and customization, then later we’ll get back to Webflow and how to add the CMP to your account.

You can refer to our Usercentrics CMP setup guide as well.

Sign up for your Usercentrics account

Go to the Free Trial page, then click the Usercentrics Web CMP tab. Click START FREE to get started with your 14-day free trial by providing the required information to set up your Usercentrics account.

Configure your banner in the Usercentrics Admin Interface

Once your new account is set up (or you’re logged in if you already have an account), it’s time to set up your configuration. In the Admin Interface, click Configuration. This section is where you’ll add information about your domain (your Webflow site), where you’ll display the banner, your language preferences, and more. 

Configuration of Usercentrics CMP

Initial website scan

In the Admin Interface, click Service Settings, then click the Initial Website Scan button to start the first scan of your Webflow website. This will detect the cookies and trackers (Data Processing Services, or DPS) that are in use. 

Once the scan is completed, it will generate your scan report, which you can see under the DPS Overview.

Categorize the Data Processing Services

Usercentrics CMP will automatically categorize the DPS for you that were detected in the initial scan. Essential, Functional, and Marketing are included by default. You can edit the classifications, or manually categorize anything that comes up as unclassified. You’ll do that under Service Categories, which includes predefined categories or enables you to define your own. 

Service settings in Usercentrics CMP Admin interface

Add the Data Processing Services

Use the list of DPS from the initial scan report to add all the relevant cookies and other trackers in use on your website. Click Add Service to the right of each DPS listing in the Admin Interface.

This will add them to the CMP, enabling users to access and control their consent preferences by category. Your list of DPS can also be added to your Cookie Declaration. 

Note: Scripts for the DPS may need to be adjusted to enable blocking until consent is obtained. Get more information in our guide.

Click the Appearance tab to get started customizing how your consent banner will look. Under the Styling tab you can adjust the brand styling, fonts, logos, and more. 

Under the Layout tab you can customize the settings for the banner’s first and second layers and the Privacy Trigger. That’s a shortcut that visitors can use to update their consent preferences on future visits to your website.

Appearance settings in Usercentrics CMP Admin interface

Click the Content tab to start customizing the text, links, and other elements that users will see and read on your consent banner. Usercentrics CMP supports 60 languages, and you can customize the banner here for relevant legal frameworks, like the “Do Not Sell Or Share My Personal Information” link required by the CCPA. 

Content settings in Usercentrics CMP Admin interface

Implement the Usercentrics CMP on your Webflow website

Now you will add the Google Tag Manager snippet to your Webflow website. Please note that you will need a Basic, CMS, or Business Webflow account in order to be able to add scripts to your Webflow website.

Log in to your Webflow account and ensure that you are in Design mode. You can select this at the top left of the menu. Click the + button to open up the menu of options you can add, then scroll down to the Advanced section. Click on Code Embed.

Screenshot presenting the section of the Webflow website where the Google Tag Manager snippet should be added

Add your Google Tag Manager snippet. You must replace “GTM-XXXXXX” in the last line with your own Google Tag Manager Container ID.

If you exclusively use Google Tag Manager to load third-party scripts, remember to configure them to require “additional consent” so that cookies are not set without prior consent, if that regulatory requirement is relevant to your business and website.

<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<!-- End Google Tag Manager -->
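Whether tags can fire before consent depends on what reaches the dataLayer and in which order, and that can be checked on a snapshot of it. The following is an added example, not Usercentrics or Google code: it assumes the Consent Mode default is queued inline ahead of the container snippet, and the category-to-signal mapping, function names, and sample page loads are illustrative assumptions.

```javascript
// Added example: not Usercentrics or Google code. The Consent Mode signal
// names are Google's; the category-to-signal mapping is an assumption that
// a site would adapt to its own service categories.
const CATEGORY_SIGNALS = {
  Functional: ['functionality_storage', 'analytics_storage'],
  Marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};
const ALL_SIGNALS = Object.values(CATEGORY_SIGNALS).flat();

// Translate the categories a visitor accepted into a Consent Mode state.
// Anything not explicitly accepted stays 'denied' (opt-in model).
function consentState(acceptedCategories) {
  const state = {};
  for (const signal of ALL_SIGNALS) state[signal] = 'denied';
  for (const category of acceptedCategories) {
    if (category === 'Essential') continue; // essential services carry no signal here
    const signals = CATEGORY_SIGNALS[category];
    if (!signals) throw new Error('Unknown category: ' + category);
    for (const signal of signals) state[signal] = 'granted';
  }
  return state;
}

// Same shape as the documented gtag() helper, bound to a plain array so the
// example runs outside a browser.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Inspect a dataLayer snapshot and report anything that would let tags run
// before the visitor has made a choice.
function auditDataLayer(dataLayer) {
  const findings = [];
  const isConsent = (e, kind) => Boolean(e) && e[0] === 'consent' && e[1] === kind;
  const defaultIdx = dataLayer.findIndex((e) => isConsent(e, 'default'));
  const gtmIdx = dataLayer.findIndex((e) => Boolean(e) && e.event === 'gtm.js');
  const updateIdx = dataLayer.findIndex((e) => isConsent(e, 'update'));

  if (defaultIdx === -1) {
    findings.push('no consent default command');
    return findings;
  }
  if (gtmIdx !== -1 && gtmIdx < defaultIdx) {
    findings.push('gtm.js queued before consent default');
  }
  if (updateIdx !== -1 && updateIdx < defaultIdx) {
    findings.push('consent update queued before consent default');
  }
  const defaults = dataLayer[defaultIdx][2] || {};
  for (const signal of ALL_SIGNALS) {
    if (defaults[signal] !== 'denied') {
      findings.push('default for ' + signal + ' is ' + (defaults[signal] || 'missing'));
    }
  }
  return findings;
}

// Constructed page loads (not captured from a real site).
function simulateCompliantLoad() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  gtag('consent', 'default', consentState([]));                 // everything denied
  dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' }); // container snippet
  gtag('consent', 'update', consentState(['Essential', 'Functional'])); // banner choice
  return dataLayer;
}

function simulateBrokenLoad() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' }); // container first
  gtag('consent', 'default', { ad_storage: 'granted', analytics_storage: 'denied' });
  return dataLayer;
}

console.log(auditDataLayer(simulateCompliantLoad()));
console.log(auditDataLayer(simulateBrokenLoad()));
```

On a live page the same audit can be run against a copy of window.dataLayer taken from the browser console.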

The Usercentrics CMP runs a daily website scan and automatically sends the report to your inbox when it’s complete. We recommend regularly checking your scan report to make sure all the cookies and other tracking technologies in use on your site are correctly classified and have a purpose description. 

Marketing operations evolve quickly, so this is one way to stay ahead and make sure only the cookie categories that your users have consented to are activated. The scanner also automatically updates your Cookie Declaration to accurately reflect your Webflow website’s cookie usage.

Usercentrics CMP helps protect your business and grows with you

Usercentrics CMP makes it easy for you to meet regulatory requirements no matter where you do business. Keep your customers informed about your data processing and their privacy rights to build trust. 

Also stay on top of the cookies and other tracking technologies that you’re using to collect data, so you can provide accurate information and valid consent options, and compliantly control your data collection and use. Build a Privacy-Led Marketing strategy that scales.

In just a few steps, you can set up a cookie banner on your Webflow website that looks great, is user-friendly, and helps protect your business. Check out our opt-in optimization whitepaper for more information about optimizing user experience and consent rates. 

Show customers that you respect their privacy, get the high quality marketing data you need, and get automated peace of mind regarding your legal obligations.

When visitors land on your website, they make a split-second decision about whether to engage or leave. While factors like design, speed, and usability play a role, one of their first interactions with your brand is often your cookie consent banner. This seemingly small element has an outsized impact on how users perceive your website, affecting not only compliance but also trust, engagement, and overall user experience.

A poorly designed or intrusive banner can frustrate users, leading to immediate exits or a lack of engagement with your content. On the other hand, a well-crafted consent banner signals transparency, respect for privacy, and a commitment to user control, all of which contribute to a positive first impression. When users feel in control of their data, they are more likely to trust a brand, explore the website further, and take meaningful actions — whether that’s signing up for a newsletter, making a purchase, or engaging with content.

Businesses often think of consent banners as just a legal necessity, something to check off a compliance list. But in reality, they are a crucial touchpoint in the customer journey. The way a consent banner is presented—its design, language, and placement — can influence how users interact with the website and whether they feel confident in sharing their data. With privacy regulations like GDPR, CCPA, and other evolving frameworks, businesses need to approach consent management strategically, not just for legal reasons but to build relationships based on trust and transparency.

A/B testing offers a powerful way to refine this first interaction. By experimenting with different banner placements, CTA wording, and design elements, businesses can identify what resonates most with users and optimize for higher engagement, better opt-in rates, and stronger brand credibility. 

This guide explores how A/B testing can transform a simple consent banner into a trust-building tool, helping businesses align privacy compliance with a seamless user experience.

Watch our on-demand session to learn how to properly manage cookies and avoid legal risks.

This webinar, featuring Magdalena Aleksova (Usercentrics) and Adrian Nowakowski (Up Blue), provides practical insights into cookie compliance, legal risks, and best practices for managing cookies on your website.


On December 20, 2024, the Bundesrat (German Federal Council) approved an ordinance pursuant to Section 26 Paragraph 2 of the Telecommunications Digital Services Data Protection Act (TDDDG) and amending the Special Telecommunications Fee Ordinance (DE, PDF). Officially, the update is the “Verordnung über Dienste zur Einwilligungsverwaltung nach dem Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Einwilligungsverwaltungsverordnung – EinwV)”.

The goal of this ordinance is to reduce the “flood” of consent banners displayed on websites to German residents. We delve into what this new law says, when it comes into effect, and how your business can navigate the requirements.

What is the TDDDG?

The Telecommunications Digital Services Data Protection Act (TDDDG in German, TTDPA in English) covers similar territory to the General Data Protection Regulation (GDPR) regarding data handling, privacy, and user rights, but gets into more detail in certain areas. 

The TDDDG came into effect in Germany in December 2021. It shares the scope of the ePrivacy Directive for requirements regarding use of consent management solutions, and applies to any company offering goods or services in Germany if they access information (not just personal data) stored on a user’s device, or store information on users’ devices. 

The regulation requires informed and explicit user consent for the use of more digital technologies, and storage of and access to data stored on or collected from users’ devices, in line with the GDPR’s consent requirements. It is permissible to use bundled consent to cover both regulations when providing users with notification and consent choices, though in many cases there will be two legal bases required: one for the GDPR and one for the TDDDG. 

The new ordinance comes into effect April 1, 2025, giving affected organizations three months for preparation and implementation if they choose. It’s meant “to protect Internet users from disruptive and misleading consent requests” by reducing the number of cookie banners or comparable displays that users are faced with regularly. The Bundesrat has recommended that the ordinance undergo evaluation within two years.

The goal is for users to make one-time decisions about cookie consent using a consent management solution, with the information they provide centrally stored and used over time to signal the individual’s consent preferences to any digital services collecting data. As a result, users will not be presented with cookie banners over and over when they visit different websites. 

Additionally, the ordinance is meant to strengthen web users’ freedom of choice regarding access to their personal data online. Explicit and informed consent from users for data collection and use via cookies remains a requirement. The core strategy in achieving the ordinance’s goals while making use of existing consent management solutions is the introduction of “recognized consent management services”. To become a “recognized” service, there is an annual certification process. 

However, it is unclear whether this strategy supports the overarching goals of data privacy and specific regulatory requirements, particularly as it centers ID-based solutions.

The requirements of the ordinance are voluntary for both website operators, who can choose if they want to implement the new framework, and for users, who can choose if they want to engage with these services and save consent choices for reuse.

What is the certification approval process for the new ordinance?

To become a “recognized consent management service” under the new regulation, a company offering a consent management service must undergo an approval process that is overseen by the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — the Federal Data Protection Commissioner.

The process requires demonstrating compliance with current data protection laws, like the GDPR, and passing security audits. The estimated annual administrative costs to maintain certification are 79,000, which may be out of reach for smaller companies providing consent management solutions. However, as noted, the requirements of the ordinance are voluntary.

The regulation applies to website operators and digital service providers that collect consent under Section 25 TDDDG (DE).

Internet users can benefit from a more streamlined process for managing consent and cookie preferences online, and an improved user experience overall when browsing. Consent preferences set once and centrally stored with a recognized consent management service will automatically be signalled to subsequent websites users visit, so they will see fewer cookie banners pop up.

Website operators and digital service providers would continue to need to respect the user’s consent selection, so using a consent management platform (CMP) is important. Also, recognized consent management services would need to signal user consent to the CMP that a website operator has implemented, so a compatible CMP is necessary.

Consent management service providers will have to develop solutions that can pass the certification requirements and enable compliance with the ordinance and other relevant data privacy regulations and frameworks like the GDPR and ePrivacy Directive. Consent management services will need to work with CMPs to pass the user consent signal information. Providers can benefit from increased business from organizations that want to implement a recognized service.

Website operators and digital service providers in Germany and throughout the EU already need to respect users’ privacy and rights and obtain explicit and informed consent for collecting and processing data. So organizations already using a CMP will need to continue to do so. (Those who are still not using one are taking increasingly large risks with their revenue, legal standing, brand reputation, and customer retention.)

Because the ordinance’s requirements are voluntary, companies can continue to use their existing CMP, which likely displays consent banners to users infrequently but at specific intervals, e.g. first visit to the site, after the consent expires, if the user clears their browser cache, etc. 

If a website operator wants to comply with the ordinance, they will also need to ensure their CMP can seamlessly accept and process consent information signals from users who have set them using a recognized consent management service. Usercentrics specializes in smooth integrations that enable consent information to be obtained in a user-friendly manner and signaled throughout your tech and marketing ecosystem.

Some ambiguity remains regarding how the functionality will be required to work and whether there are standards that recognized consent management services and CMPs will need to meet. The ordinance also does not specify for how long a user’s consent information remains valid.

Of note is that the ordinance’s mechanism with recognized consent management services is a new proposal, as it uses an opt-in model. To date there have only been opt-out solutions, like Global Privacy Control (GPC) or other universal opt-out mechanisms (UOOMs). Recognition of such signals is not universal, but has been gaining traction in more of the newer data privacy regulations passed, e.g. at the state level in the United States.

There are tools to signal consent information that work with CMPs, like Google Consent Mode, but they are not relevant to the ordinance’s requirements. They don’t function on the user’s side, as they forward consent choices that users have made with the CMP through to services like Google Ads.

No consent management services have been certified yet, as the ordinance was only passed in late December 2024. However, it will be critical for any recognized consent management services to work well with CMPs to ensure legally compliant processing of users’ consent choices. Maintaining good user experience with seamless functionality is also important for happy website visitors, as well as for interaction and consent rates.

It will be important for companies to use a CMP like Usercentrics CMP that enables compliant and secure collection, storage, and signaling of consent information. It also enables a full range of integrations and is updated regularly for the latest regulatory and technology changes and requirements. We will continue to update on this ordinance and its requirements as more information becomes available.

This new ordinance does not mean CMPs are no longer needed for consent management. Quite the opposite; it points to the need for companies to implement a CMP backed by constantly evolving technology and legal expertise. This enables companies to maintain privacy compliance, marketing monetization, and positive user experiences no matter what changes the future brings from regulators, influential tech platforms, or elsewhere.

Understanding and implementing a cookie policy is crucial for any website that values transparency, user trust, and legal compliance.

As digital privacy concerns continue to grow, both users and regulatory bodies demand greater clarity on how personal data is collected and used. And a cookie policy serves as an essential document that informs visitors about the types of cookies a website uses, the data they collect, and how this information is managed.

So let’s take a look at what a cookie policy is, the benefits of adding one to your website, and what it must include.

What is a cookie and how do they work?

Cookies are small text files that websites send to a user’s device, like a web browser on a desktop or phone, on their first visit. They are then stored there for (usually) a specified amount of time. They help track user behavior, remember login details, and maintain session information, enabling a personalized browsing experience. For example, cookies can keep items in a shopping cart or save user preferences.

On subsequent visits, your browser sends the cookie data back to the server, enabling the site to recognize you. There are different types of cookies, like first-party and third-party, which are used for different types of data collection.

What is a cookie policy?

A cookie policy is a document containing a list of all the cookies present and used on a website, along with detailed information about each. It tells website visitors which cookies are present, how they will be used, what information they collect, who sets them and collects information from them (e.g. advertising vendors), and how users can control their cookie preferences.

What’s the difference between a cookie policy and a privacy policy?

The main differences between a cookie policy and a privacy policy lie in their scope, content, and legal requirements.

A privacy policy is broader, covering how a company collects, uses, and protects all types of personal data, while a cookie policy focuses specifically on cookies and similar tracking technologies used on a website.

Additionally, a privacy policy explains data collection methods, purposes, storage, sharing practices, and user rights for all personal information, whereas the cookie policy details the types of cookies used, their purposes, duration, and how users can manage cookie preferences.

The cookie policy can be its own document, e.g. on a company’s website, or it can be a section in the privacy policy. The important thing is the information contained, that it’s kept up to date, and that it’s clear and easy for website visitors to access.

Why is a cookie policy important?

Cookie policies are essential for several reasons, particularly in the context of data privacy and user experience.

Build trust through transparency

A well-crafted cookie policy reflects your commitment to transparency. By clearly explaining the cookies used on your website, how they function, and what data they collect, you empower users to make informed decisions about their privacy. This openness fosters trust with your audience, an invaluable asset in today’s privacy-conscious world.

Comply with data protection laws

Cookie policies are typically a legal requirement, especially in regions with strict data protection laws. For example, the GDPR in the European Union requires websites to obtain user consent before storing or accessing cookies on their devices. Similarly, the UK’s Privacy and Electronic Communications Regulations (PECR) outlines specific rules for cookie usage. Ensuring your cookie policy complies with these laws is crucial to avoid penalties.

Empower users through control and consent

An effective cookie policy provides users with clear information on how to manage their cookie preferences, though opt-in/opt-out rights will vary by jurisdiction. This includes instructions on opting out of certain types of cookies or adjusting their settings. By offering this level of control, you not only meet legal requirements but also show respect for user autonomy.

Reduce legal risks

Having a transparent cookie policy in place helps mitigate legal risks. It demonstrates your proactive approach to data protection and compliance with regulatory requirements to inform visitors. This is important if your practices are ever scrutinized by regulatory authorities.

Provide a better user experience

By explaining the purpose of different types of cookies, your policy can help users understand how these cookies contribute to their browsing experience. This understanding can lead to more informed decisions about cookie acceptance, and improve their overall experience on your site by giving users a feeling of control over their data and how it’s used.

Gain a competitive advantage

In an era where privacy concerns are at the forefront, having a clear and comprehensive cookie policy can differentiate you from competitors. It signals that you take user privacy seriously, which can be a deciding factor for privacy-conscious consumers.

Is a cookie policy on a website mandatory?

The implementation of cookie policies is not just a matter of best practice, it’s often a legal necessity.

Key regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Privacy Rights Act (CPRA) in the United States have set strict requirements for transparency in data collection practices. These laws mandate that websites inform users about the use of internet cookies and obtain consent before deploying them, especially for non-essential tracking purposes. Even when the consent requirements of privacy laws differ, all privacy laws have a clear set of requirements for information that has to be provided to customers about data use, privacy, and rights.

Requirements for a cookie policy for a website

Crafting a cookie policy isn’t just about listing the cookies your website uses. It’s about creating a document that’s clear, transparent, and user-friendly. A well-thought-out policy can help build trust with your visitors by clearly explaining how cookies are used and how they can manage their preferences.

Here are the key components to include to create a compliant cookie policy for a website.

Types of cookies used

Provide a clear description of the various categories of cookies on your website, such as strictly necessary, functional, analytical, and marketing cookies. Use a consent management platform like Cookiebot CMP by Usercentrics to help automate this process by regularly scanning and updating your site for new cookies.

The purpose of cookies

Explain the specific purpose of each type of cookie, detailing how they benefit the user experience or contribute to website functionality.

Mention all third-party cookies

Disclose any third-party services that may place cookies on users’ devices through your website, including their purpose and how they’re used. These can be tricky to detect and may change regularly, making a consent management platform that can detect them even more important.

Address the lifespan of placed cookies

Provide information on how long cookies remain on a user’s device, distinguishing between session cookies, which are temporary, and persistent cookies, which remain for a longer period. Most cookies have an expiry date, but not all. However, many privacy laws and guidelines also include requirements for how long cookies can be active, and when new consent has to be obtained, where relevant.

Provide user controls

Offer clear instructions on how users can manage their cookie preferences, including how to opt in or opt out, change existing preferences, or disable cookie use. It should also include clear information about the effects of opting out or disabling cookie use, particularly where doing so would affect the function or user experience on the website, or prevent the delivery of certain services.

Address policy updates

Include a statement on how users will be notified of changes to the cookie policy, ensuring they stay informed about any updates.

Website cookie policy example

Armed with the knowledge of what a cookie policy should include, let’s look at an example.

Cookiebot by Usercentrics has a cookie declaration in addition to a privacy policy. The page has a straightforward, user-friendly layout, making it easy for visitors to navigate and understand how cookies are used on the site.

The policy starts with a clear explanation of what cookies are and their purpose, which is helpful for users unfamiliar with the technology. It then categorizes cookies into four groups: necessary, preferences, statistics, and marketing. Each category is clearly defined, helping users quickly grasp the different types of cookies and their functions.

Cookiebot also provides specific details about each cookie, including its name, provider, and expiration period. This level of detail is important for users who want to understand how cookies affect their privacy.


This information is presented in a clear and accessible manner to enable website visitors to make informed choices about their cookie preferences.

Industry-specific nuances of cookie policies

Different industries face specific challenges when it comes to cookie policies, as the ways websites collect and use data vary widely across sectors. By understanding these nuances, businesses can create cookie policies that are not only compliant but also effectively tailored to their specific needs.

Ecommerce

Ecommerce websites rely heavily on cookies for functions like personalization, shopping cart functionality, and targeted advertising. Their cookie policies must strike a balance between enabling these features and being transparent about data collection. Many ecommerce sites now provide clear explanations of how cookies enhance the shopping experience, such as remembering items in a user’s cart or suggesting relevant products.

Healthcare

Healthcare websites face strict privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to various data privacy laws in the US or abroad. Therefore, a cookie policy for the healthcare sector often emphasizes the security measures used to protect sensitive health information, clearly distinguishing between necessary cookies for essential site functionality and optional cookies used for analytics or marketing purposes.

Health and wellness apps are also growing in popularity, and while they have different data collection mechanisms, there is increasing scrutiny. More focused regulations will likely follow, such as the Washington My Health My Data Act, governing how they can collect and use sensitive personal data from users.

Finance

Financial institutions must adhere to stringent data privacy and security requirements and build trust with their users. Like with healthcare, the financial sector has a whole industry-specific set of regulations they must abide by, which include additional data privacy requirements.

Financial companies’ cookie policies typically focus on the use of secure, encrypted cookies for essential functions like login sessions, while also providing detailed information on any tracking cookies used for marketing or analytics.

Media and entertainment

Websites in the media and entertainment industry often use a wide range of cookies for content personalization, advertising, and tracking user engagement. Their cookie policies usually include clear explanations of how these cookies improve the user experience, such as by remembering playback preferences or suggesting articles based on past reading behavior.

Build user trust and comply with privacy laws by implementing a cookie policy

A clear and well-structured cookie policy is essential for any website. It not only ensures compliance with data protection laws but also builds trust by being transparent about how user data is collected and used.

By empowering users with control over their privacy settings, you enhance their experience and reinforce your commitment to safeguarding their personal information. A thoughtful cookie policy is more than a legal requirement—it’s a step toward creating a trustworthy and user-friendly online presence.

If you operate an online business, whether via a website, mobile app, or both, your business needs a clear understanding of user consent for their data. As privacy protection laws become increasingly strict, failure to gain proper consent from visitors, customers, and users can lead to both hefty fines and brand distrust.

But there are many different types of consent, all with specific requirements levied by regulatory bodies. Understanding what consent you need and when and how you need to request it can help you build brand loyalty, make better decisions for your business, comply with regulations, and avoid penalties for noncompliance.

While there are two main consent models used in privacy regulations around the world, the conditions for valid consent under different data processing circumstances vary more widely. We break down what they are, where they’re relevant, and how to comply with them.

Opt-in vs. opt-out consent

Digital marketers need to obtain valid opt-in consent from users, for functions like subscribing to a newsletter or using their data to personalize ads shown to them. Similarly, users need the option to opt out of data-driven activities, such as unsubscribing from a newsletter or withdrawing from data collection for advertising or analytics.

Along with marketing functions, opt-in and opt-out consent also applies to cookie banners. A consent banner employed for CCPA/CPRA-compliant consent would include an opt-out option, and requires the phrase “Do Not Sell Or Share My Personal Information”. Users can click that link at any time, but companies don’t need to get consent before they start collecting users’ data in most cases. If the user has not explicitly opted out, consent is implied.

A cookie banner that follows an opt-in model would require users to manually click an “Accept” button or similar explicit action to agree to the data collection practices and purposes communicated. This style of banner is mandatory under GDPR law for consent to be valid.

In most cases it is not compliant to prevent users from accessing sites or their features if they decline consent, e.g. with a consent wall that can’t be bypassed, or to give them a lesser user experience if they don’t consent. Here are tips for creating cookie banners that meet legal requirements.

Informed consent

Informed consent was once predominantly applied in sectors like research, healthcare, and media studies. But it’s becoming increasingly applicable in online data protection and relevant to marketers, especially since the introduction of the General Data Protection Regulation (GDPR) in the European Union.

Informed consent requires users to be informed of the details of digital data collection. Regardless of the consent model, all data privacy laws require that data subjects are provided with information about data collection and use and their rights.

Informed consent is especially relevant for businesses that are required to comply with the GDPR. Organizations that fail to obtain proper informed consent in the EU can be heavily fined.

Since then, Google has introduced solutions for data privacy protection with tools like Google Consent Mode and updates to its EU user consent policy.

Explicit consent

Explicit consent is clear and unambiguous on the part of the data subject. With informed consent, the individual knows what their data will be used for and what their rights are. With explicit consent, the user must perform a clear, dedicated action to express their acceptance of the request for access to their data.

Examples of this include:

By using explicit consent, not only are you meeting regulatory requirements, but you’re demonstrating respect for data privacy and building stronger trust with your users.

Granular consent

Granular consent involves requesting separate consent for different data processing purposes.

For example, rather than a cookie banner that only gives users the option to “Accept All” for cookies and other trackers in use, website hosts need to offer specific cookie consent options to comply with GDPR, like enabling visitors to say yes to analytics cookies but no to advertising ones.

Users should be presented with clear and user-friendly options to accept or reject data processing, such as banners that allow users to opt in or opt out of specific cookies individually, like in the image below.

Implied consent

Unlike explicit consent, implied consent involves assuming consent based on a person’s actions or inactions. An example of this might be a user continuing to browse a website after a cookie banner pops up, and ignoring it. These are sometimes referred to as “browsewrap agreements”.

With a marked shift towards privacy-led marketing and regulatory authorities increasingly prohibiting assuming consent from a user not performing an explicit action, it’s recommended to err on the side of caution against implied consent.

Instead, follow informed and explicit consent best practices, following privacy-led and consent-based marketing principles.

General consent

Unlike granular consent, general consent offers limited control over what data users can agree to or reject.

An example of this could be a general online service agreement where users consent to the Terms of Service, without providing necessary details about the privacy policy and how data is being collected, stored, and processed.

General consent was once fairly commonplace, but it’s becoming increasingly discouraged in favor of granular consent. Consent “bundling” is also not allowed under a number of data privacy laws. Best practices involve separating out different kinds of required information, like in the Terms of Service and privacy policy, as well as having a cookie notice and consent banner for informed and explicit consent management.

Conditional consent

This typically follows a ‘this for that’ approach. Conditional consent can look like companies offering something in exchange for a user’s data. For example, a user accessing a whitepaper or webinar under the condition that the company can send them marketing messages. Or a discount code in exchange for a newsletter signup.

For businesses in the European Union, conditional consent can become convoluted as consent must be “freely given” under the GDPR. This blurs the lines with marketing strategies like gated content. It has generally not been frowned upon to make such offers, but what individuals are giving must be equivalent to what they’re getting, otherwise it looks like a bribe for consent, which is definitely frowned on by data protection authorities.

If you’re considering conditional consent-based marketing, using a consent management platform to follow proper protocol is recommended.

Ongoing and dynamic consent

Ongoing consent, otherwise known as dynamic consent, helps ensure that users have the opportunity to actively manage their data and adjust, update, or withdraw their consent at any point.

Unlike the traditional one-time model of consent, sometimes referred to as a “clickwrap agreement”, a dynamic consent approach is based on a few core factors.

Offering dynamic/ongoing consent is a crucial way to build trust with users by improving user experience, and adhering to data privacy laws.

Withdrawable consent

Whether using an opt-in or opt-out consent model, pretty much all data privacy laws require users to be able to withdraw consent at any time, even if their data has been collected and used for some time. Ideally individuals should be able to easily change consent preferences at any time as well, if they don’t want to entirely revoke them. Once the user opts out, data collection and processing must stop as soon as possible, ideally immediately, including processing by third parties working for the main controller.

Here are specific features of withdrawable consent:

The right to withdraw consent is, arguably, one of the most important aspects of data protection. Consider a consent management platform to help manage withdrawal functionality accordingly. Many data privacy laws require companies to maintain proof of consent, which includes user actions over time, like accepting, changing, or later withdrawing it.

Many of the world’s modern and comprehensive data privacy laws require opt-in consent, among other requirements. While all EU member states are covered by the GDPR, each country has additional consent requirements. The United States is the biggest market where opt-out consent is the norm, though there is not yet a federal law managing privacy requirements there, and data privacy is handled state by state.

Consent requirements under the GDPR

When the GDPR came into effect it created a global standard for consent in privacy laws. But what, specifically, does the GDPR require around consent? Here are the key requirements.

Key requirements for consent

Consent requirements under the CCPA

The California Consumer Privacy Act (CCPA), as expanded by the California Privacy Rights Act (CPRA), applies to for-profit organizations that conduct business in California and meet certain criteria.

The CCPA is generally less strict than the GDPR, especially with regards to consent requirements. Still, like the GDPR, failure to adhere to these criteria can result in serious penalties and damage to consumer trust and brand reputation. Here is a high-level checklist of its requirements.

Consent requirements under the LGPD

Another prominent data protection law is Brazil’s Lei Geral de Proteção de Dados (LGPD), which translates to General Data Protection Law in English. The LGPD was influenced heavily by the GDPR, and has actually expanded its coverage beyond the GDPR in some areas. Here are some of the core requirements for consent under the LGPD.

Navigating different types of consent can be overwhelming, especially if you conduct business globally where customer expectations vary regionally and when technology and regulation frequently change.

For example, business requirements are catching up to regulatory ones for consent. Due to Digital Markets Act (DMA) requirements on Google, publishers and developers using Google AdSense, Ad Manager, or AdMob now require a Google-certified Consent Management Platform integrated with the latest version of Google Consent Mode if they want to retain access to all features of Google services, like personalization and retargeting, across the EU/EEA and UK. Google has also expanded their EU user consent policy to include Switzerland.

To ensure that you’re conducting business in these regions while complying with legal and business requirements, choose a Google-certified consent management platform (CMP) like Usercentrics CMP.

From obtaining compliant consent and better engaging customers to staying up to date with evolving regulations, a CMP like Usercentrics’ simplifies the process and helps to ensure you can both achieve and maintain privacy compliance while getting the data your company needs, and building trust and engagement with customers.

Being a successful enterprise company today means understanding and adhering to global privacy regulations and business requirements to protect user data and respect privacy.

One critical digital component of privacy compliance is the cookie popup, which has become a familiar notification on websites and apps. These popups serve a dual purpose: they inform website and app users about data collection and request their permission to collect and use personal data.

As global privacy laws like the GDPR and CPRA tighten their grip and online consumers become more savvy, cookie popups have become indispensable tools for maintaining transparency, protecting revenue, and building trust with users.

We explore the importance of cookie popups, details of implementation, and best practices for great user experience, high consent rates, and achieving and maintaining privacy compliance.

A cookie popup, also known as a cookie banner or consent banner, is a notification that appears on a digital property to inform visitors and users about the use of cookies and other tracking technologies and to ask for their permission to use them to collect personal data.

A cookie popup appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs users about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the General Data Protection Regulation (GDPR) and ePrivacy Directive (also sometimes known as the “cookie law”), websites and apps must comply with more than just notification requirements. When collecting users’ personal data, digital property owners have certain obligations regarding users’ data privacy. For instance, securely storing data collected, including consent choices, or not disclosing or selling the data to third parties without prior consent from users in many cases.

Cookie popups are important for website owners, app publishers, and others with platforms that collect personal data. They’re also important to consumers whose data is being requested. They let users know what technologies can collect their data, for what purposes, and enable (ideally) granular consent options, which usually also need to be changeable or revocable over time to be privacy-compliant.

The main reason to implement a cookie popup is to comply with global privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA). By using these popups, websites can demonstrate their compliance and commitment to user privacy, thereby building trust with visitors. This trust enhances user engagement, leading to higher-quality data, which in turn benefits marketing operations and boosts revenue.

Additionally, cookie popups give users control over their data. By enabling people to choose which cookies they feel comfortable accepting, website owners are improving the website browsing experience.

For businesses, cookie popups enable the collection of useful data for improving website performance and marketing strategies in a legally compliant way. This can also contribute to improving ecommerce and product development.

Cookie popups play a crucial role in compliance with data privacy laws across the globe. Many regulations, such as the GDPR, require websites to gather explicit consent from users before collecting, using, or sharing their data through cookies. Other laws, like those in the US, usually only require users to be able to opt out.

To comply with global data privacy laws, website owners and app publishers must follow a few key requirements of cookie popup use.

While cookie popups are not explicitly mandated by all privacy laws, they have become a common practice for demonstrating compliance and respecting user privacy. For instance, while the CPRA doesn’t specifically require cookie popups, many websites use them to comply with the law’s broader privacy protection requirements.


International laws requiring cookie consent popups

Various countries have different regulations related to cookie consent popups.

It’s important to note that while these laws influence cookie consent practices globally, the specific requirements for cookie popups can vary by jurisdiction. Many websites implement cookie consent mechanisms to comply with these various regulations, especially if they have a global audience.

Typically, data privacy laws protect residents of the jurisdiction where they are active, e.g. the GDPR protects residents of the EU. Many laws are also extraterritorial, which means it doesn’t matter where companies are located if they process the data of residents of the region where the law is active. So a US-based company has to comply with the GDPR if it processes data of EU residents.

The list above covers the more well-known privacy regulations, but it is not exhaustive. To date, the majority of the world’s population is covered by one or more privacy regulations. It’s important for website owners and app publishers to be up to date on the jurisdictions and laws relevant to their business, and the compliance requirements. Companies should consult qualified legal counsel and/or a privacy expert.

When implementing a cookie consent popup on your website, it’s crucial to ensure compliance with privacy regulations and provide a good user experience. Use the following checklist to create an effective and compliant cookie consent mechanism:

  • Clear information: Explain which cookies you use, to collect which kinds of data, and why. Specify the types of cookies (e.g. necessary, functional, analytics, marketing). Mention if third-party cookies are used, and who sets them.
  • Give consent options: Provide equal consent options, like both “Accept” and “Reject” buttons, both overall consent to cookie use and ideally options for granular consent to some cookies. Do not use manipulative tactics like prechecking boxes or only showing an “Accept All” option.
  • Active consent collection: Require users to take a clear affirmative action that’s recorded, e.g. clicking a button. Do not use scrolling or continued browsing as consent, which is prohibited under many laws.
  • Enable easy consent withdrawal: Provide a method for users to easily change their preferences or withdraw consent. Include a persistent “cookie widget” or callback button to make it easy to access.
  • Timely consent collection: Obtain consent before setting any non-essential cookies in jurisdictions where this is required. Best practice would be to block cookies automatically until consent is obtained.
  • Consent storage: Securely store user consents for as long as needed for privacy compliance and other legal requirements. Be ready to provide information in the event of data protection authorities’ inquiry or data subject access request.
  • Provide users with more information: Include a link to your full cookie policy or privacy policy that is prominent on any website page or app screen. Ensure it’s kept up to date.
  • Visibility and accessibility: Ensure the popup is prominently displayed and easily noticeable. Make it accessible on all devices (desktop and mobile) but also well branded and user-friendly to use. Don’t use it to block user access to websites or apps unless they give consent.
  • Language and readability: Use clear, understandable language without technical or legal jargon. Provide the banner in all languages your website supports, ideally with automatic geotargeting.
  • Respect user choices: Implement technical measures to honor user preferences. Block non-essential cookies until consent is given. If users decline consent, don’t ask again before the legally allowed period of time, e.g. 12 months, depending on the law. If your data processing purposes change, however, you may be legally required to get new consent.

By following this checklist, you can create a compliant cookie consent popup that respects user privacy and provides a good user experience.


There are multiple ways to install a cookie popup on your website.

The first is to use a consent management platform (CMP), such as Usercentrics CMP or Cookiebot CMP, that enables you to create a customizable and compliant cookie banner in minutes.

These CMPs will scan your website so you know which cookies and tracking technologies are collecting data, and create a cookie declaration that you can use alongside a privacy policy. The CMPs also record and securely store consent records, with a log of the cookie consent you receive from website visitors over time.

If you have a WordPress website, WordPress offers a range of cookie popup plugins, like the Cookiebot™ WordPress Plugin, that enable website owners to add a privacy-compliant cookie popup without compromising user experience. We’ve compiled a resource that enables you to compare the 10 Best WordPress cookie consent plugins.

Another option is to manually code a cookie banner for your website. Add a short explanation of the purpose of cookies, a clear statement on which action will signify consent and a link to your cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.
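The core logic a hand-coded banner needs in order to satisfy the checklist above and the script-blocking requirement just described, shown as an added example (it is not Usercentrics or Cookiebot code). The class and method names, the sample script list, and the single `repromptDays` period used both for consent age and for re-asking are assumptions; the four categories follow the cookie declaration described earlier on this page.

```javascript
// Categories as used in the cookie declaration described on this page.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
// Only these user actions count as a decision; scrolling or continued
// browsing is never recorded as consent.
const EXPLICIT_ACTIONS = new Set(["accept_all", "reject_all", "save_selection", "withdraw"]);
const DAY_MS = 24 * 60 * 60 * 1000;

class ConsentManager {
  // policyVersion: identifier of the current cookie policy text.
  // repromptDays: how long a recorded decision stands before asking again.
  // clock: injectable time source so the logic can be tested.
  constructor({ policyVersion, repromptDays, clock = () => Date.now() }) {
    this.policyVersion = policyVersion;
    this.repromptMs = repromptDays * DAY_MS;
    this.clock = clock;
    this.log = []; // append-only proof-of-consent records
  }

  // Record an explicit user action. Returns the stored entry, or null when
  // the action is not an affirmative choice.
  record(action, selection = {}) {
    if (!EXPLICIT_ACTIONS.has(action)) return null;
    const granted = {};
    for (const category of CATEGORIES) {
      if (category === "necessary") granted[category] = true;
      else if (action === "accept_all") granted[category] = true;
      // No pre-checked boxes: only a literal true from the user grants a category.
      else if (action === "save_selection") granted[category] = selection[category] === true;
      else granted[category] = false; // reject_all and withdraw
    }
    const entry = Object.freeze({
      action,
      granted: Object.freeze(granted),
      policyVersion: this.policyVersion,
      at: this.clock(),
    });
    this.log.push(entry);
    return entry;
  }

  latest() {
    return this.log.length ? this.log[this.log.length - 1] : null;
  }

  // Show the banner when there is no decision yet, the policy has changed
  // since the decision, or the decision is older than the re-prompt period.
  needsPrompt() {
    const last = this.latest();
    if (!last) return true;
    if (last.policyVersion !== this.policyVersion) return true;
    return this.clock() - last.at >= this.repromptMs;
  }

  // Gate for a single script: unclassified scripts are blocked, necessary
  // ones always run, everything else needs a current, matching grant.
  mayRun(script) {
    if (!CATEGORIES.includes(script.category)) return false;
    if (script.category === "necessary") return true;
    return !this.needsPrompt() && this.latest().granted[script.category] === true;
  }

  allowedScripts(scripts) {
    return scripts.filter((s) => this.mayRun(s)).map((s) => s.src);
  }
}

// Constructed sample inventory; the URLs are placeholders.
const SCRIPTS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/a.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
  { src: "https://widgets.example/chat.js", category: undefined }, // not yet classified
];

const banner = new ConsentManager({ policyVersion: "v1", repromptDays: 365 });
console.log("before any choice:", banner.allowedScripts(SCRIPTS));
banner.record("save_selection", { statistics: true });
console.log("after granular choice:", banner.allowedScripts(SCRIPTS));
```

In a browser, the same `mayRun` decision would be applied before each non-essential script tag is inserted, and the log would be persisted server-side as the consent record.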

A “DIY” approach to a cookie popup is not recommended for small businesses, due to the amount of work to build and maintain it, the expense of accessing qualified legal consultation to enable compliance, and the regulatory risks of mistakes or missing crucial components.


Cookie popups are no longer just a formality; they are a necessity. If your cookie consent popup does not comply with relevant regulations, you could face hefty fines, operational disruptions, loss of customer trust and brand reputation, and a long-term hit to revenue.

For example:

Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies. Fines are generally more severe for repeat offenses or willful violations.

A consent management platform (CMP) provides tools to help you achieve and maintain compliance with data privacy laws such as the GDPR, the ePrivacy Directive, and CPRA.

For example, Usercentrics CMP and Cookiebot CMP automatically scan your website to find, categorize, and list all cookies and trackers in use, including third-party ones. They help you create personalized consent banners with relevant jurisdictional information to inform visitors and request their permission to use cookies.

Usercentrics and Cookiebot CMPs are also Google-certified, integrating seamlessly with Google Consent Mode and Google Tag Manager, enabling compliance with Google’s privacy requirements and maintenance of your marketing activities, including personalization and retargeting, in the EU, UK, and Switzerland.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Cookies play a crucial role in enhancing online experiences, making websites more functional and personalized, and enabling digital marketing. The shopping cart that stores your customers’ items while they continue to browse? That’s made possible via cookies, for just one example.

Cookies have also evolved into sophisticated tools for tracking user behavior, and empower businesses with valuable insights to boost engagement and optimize marketing activity, amongst other things. However, with this increased functionality comes consumer privacy concerns and regulatory requirements.

Companies that do business in the EU and collect personal data from EU residents in the process must comply with the General Data Protection Regulation (GDPR), which requires clear, unambiguous, and freely given user consent before collecting or processing personal data. It also requires transparency about cookie usage, and a defensible legal basis for data collection, among other stipulations.

Businesses must also keep up with evolving standards from industry leaders like Google (Alphabet), which, along with other designated “gatekeepers,” has to comply with the Digital Markets Act (DMA) — and as a result has levied data privacy requirements on its customers.

The DMA mandates that the gatekeepers meet certain requirements designed to encourage fair competition in digital markets and uphold the privacy rights of users. This adds another piece to the privacy compliance puzzle.

To navigate this landscape and continue to grow digital marketing operations, you’ll need to blend robust privacy practices with consent management software. By finding innovative ways to leverage cookie technology while complying with data privacy regulations, you can enhance the user experience, build trust, and protect advertising revenue.

Cookies, the GDPR, and “cookie law”

While cookies play a pivotal role in enhancing user experience and delivering personalized content online, they can also raise significant privacy concerns, particularly the use of third-party cookies, which track users across websites.

The personal data collected can, in some cases, be used to identify individuals, and some of it can be quite sensitive, including financial details.

These concerns are addressed by the GDPR and the ePrivacy Directive (ePD), which mandate measures to ensure that an individual’s personal data is handled securely, with consent, and that the end user is provided with clear information about data handling, their rights, and consent options.

Let’s break down how these regulations impact cookie use and what businesses need to know to stay compliant.

How cookies are affected by the GDPR and the ePrivacy Directive

The GDPR and the ePrivacy Directive govern the usage of cookies. The GDPR outlines the conditions for explicit user consent and a valid legal basis for processing personal data, while the ePrivacy Directive focuses on the privacy implications of electronic communications.

What the GDPR says about cookie use

What the ePrivacy Directive says about cookie use

Key requirements of the GDPR and the ePrivacy Directive include:

These regulations apply to the various kinds of cookies and to similar technologies that store or access information on a user’s device, such as:

Businesses must conduct regular audits to identify and manage all such technologies used on their sites as they change over time, to ensure ongoing compliance with both the GDPR and the ePrivacy Directive.

A high performance consent management platform will include a cookie scanner that can scan sites regularly to detect and manage the cookies and trackers in use on websites, including hidden third-party ones that may change regularly.

GDPR cookies compliance myths

Cookie compliance misinformation can result in either overly cautious practices that hinder user experience or access to needed data, or insufficient preparation that risks noncompliance and potential penalties.

Debunking these myths will help to ensure your approach to cookie management is both effective and primed for GDPR compliance.

“My website doesn’t collect personal data.”

Many website owners assume that their site doesn’t collect personal data, especially if they’re only tracking website performance or functionality. Under the GDPR, however, the definition of personal data is broader than many realize.

Even cookies used for advertising or analytics often collect information that can, directly or indirectly, identify an individual. This includes IP addresses or unique identifiers within cookies.

In reality, nearly all cookies capture some form of personal data, bringing such practices under scrutiny from overseeing authorities.

“Cookies are not personal data, which is why the GDPR does not apply.”

While cookies themselves are not personal data, the data they collect can be. According to Recital 30 of the GDPR, identification is possible via online identifiers such as IP addresses or cookie identifiers. As such, it will depend on the kind of cookie in place as well as the data being collected.

It’s also wrong to assume that cookies are only regulated under the ePrivacy Regulation, which is expected to be in full effect by 2026.

While intended to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009, the forthcoming ePrivacy Regulation covers the processing of all electronic communications data, regardless of identifiable personal data. Read more about the ePrivacy Regulation below.

“I don’t need a cookie banner.”

Cookies collect personal data irrespective of the intended use, so you are required to inform users about the collection and processing of their personal data. Provided information must include: what data is collected, how it’s processed, for what purpose, and on what legal basis.

Furthermore, the website operator must communicate how long the data is kept, who will have access to it, how they can contact the controller (the entity collecting personal data, like a website owner), and where they can revoke their consent.

“Telling users the site uses cookies is enough for compliance.”

Simply informing users that your site uses cookies is not sufficient for GDPR compliance, just like only presenting an “Accept” button for consent is not sufficient. The regulation demands a higher standard of transparency and user control.

Websites must provide clear, specific information about the types of cookies being used, the data they intend to collect, the purpose for processing, and who has access to this data.

Additionally, consent must be explicit and informed. This means users should be given the choice to accept or reject non-essential cookies without impacting their access to the website and its features.

Providing comprehensive cookie notices is crucial to ensure that users are fully aware of their choices and have meaningful control over their personal data.

A cookie notice can be a separate page on the website, but it’s commonly a section in the broader privacy policy. Regardless, like the privacy policy, it must be easy to access and understand for the average visitor.

“If I have a cookie banner in place, I’m safe.”

Having a cookie banner doesn’t mean you are automatically GDPR-compliant. The GDPR defines seven criteria for collection to be valid within the meaning of the Basic Data Protection Ordinance.

This means that the website operator must obtain the user’s consent via its cookie banner per these criteria.

Moreover, compliance with other global privacy laws does not guarantee GDPR compliance. The GDPR has stringent and specific consent requirements that differ significantly from other jurisdictions.

For example, the GDPR uses an opt-in model for consent while US regulations such as the CCPA use an opt-out model.

“The ePrivacy Regulation will not affect the use of cookies.”

The ePrivacy Regulation contains additional provisions for the use of cookies. While essential cookies used for the technical operation of a website do not require the user’s consent, those used for tracking or advertising purposes require explicit, active, and voluntary user consent.

It is also not compliant to try and categorize marketing cookies as essential, for example, in order to skirt consent requirements.

The ePrivacy Regulation is intended to counteract and eliminate cookie walls. Accordingly, all of the website must be accessible, even if the user has not consented to the use of cookies.

GDPR cookie policy checklist

As you can see, these myths and assumptions can lead to confusion and compliance risks for website operators.

The following points should be noted to use cookies in a GDPR-compliant manner.

Duty to provide information

Cookie banners (aka consent banners) should include all necessary information, including how cookies are used on each web page.

[Image: Consent banner with granular user Privacy Settings options and Data Processing Services information]

Furthermore, as per Art. 21 GDPR, visitors should know if their data is used to create profiles and if their data may be transferred to third parties in countries outside of the EU. This is needed if the cookie technology providers are based in the US, for example.

Active consent

The cookie banner must ensure that the user can give their informed consent in advance, voluntarily, explicitly, and granularly for each web technology or category of technologies (or bundled for individual use areas).

There must also be a straightforward and simple way for users to object to the processing of their personal data, or to withdraw their consent.

Loading cookies

Under the GDPR, you may not use cookies to process or collect any data without a legal basis. Plus, cookies may not load until consent has been granted, meaning there must be a technical link between the cookie banner and your web technology. If the user refuses processing, cookies cannot be loaded.

Usercentrics CMP enables you to control cookies and block them until consent has been obtained. With the Google Consent Mode integration, it also signals consent information to Google services, controlling their function and data collection based on consent status.

Legally compliant documentation

In the event of a review by data protection authorities, the website operator must comply with its documentation obligation and be able to demonstrate their users’ consent.

To ensure all data is available in the event of an audit, various data points should be documented, including timestamps, user agents, and the version of the consent text.

The condition under which consent was given is also important — how large the “Accept” button was compared to the “Reject” button, whether the choice was voluntary, could the user use the site unhindered even when rejecting cookies, etc.

Most data privacy laws also include the right for consumers to know if website operators are collecting data about them, and to access a copy of that data, of which consent data is a part. This is another reason robust and secure documentation is important.

Opt-out

According to the GDPR, the process to opt out must be as straightforward as opting in. This ensures that users can easily decline the use of cookies initially, and similarly, can just as easily change their preferences or withdraw consent at any time.

[Image: Consent banner with data processing information, consent buttons, and informational links]

It’s not sufficient to direct users to external links or third-party pages to opt out. From the moment a user opts out, no further data should be collected or forwarded to any third parties. Any processing taking place on the controller’s behalf by third parties must also cease right away.

Therefore, the opt-out mechanism must be technically integrated with the cookie settings on your site and documented for compliance and transparency. This approach helps meet legal requirements and builds trust by respecting user choices at every step.
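One way to build the technical link between banner and tags described under “Loading cookies”, together with the consent record from “Legally compliant documentation” and the withdrawal path from “Opt-out”. This is an added example, not Usercentrics or Google code: the category names, tag ids, URLs, and the mapping from categories to Consent Mode v2 signals are assumptions, and all sample values are constructed.

```javascript
// Added example. Category names, tag ids and URLs are constructed for illustration.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Assumed mapping from banner categories to Consent Mode v2 signal names.
function toConsentModeSignals(choices) {
  const flag = (ok) => (ok ? "granted" : "denied");
  return {
    ad_storage: flag(choices.marketing),
    ad_user_data: flag(choices.marketing),
    ad_personalization: flag(choices.marketing),
    analytics_storage: flag(choices.analytics),
  };
}

// Fail closed: only an explicit `true` counts as consent; essential is always on.
function normalizeChoices(input) {
  const out = {};
  for (const c of CATEGORIES) out[c] = c === "essential" || input?.[c] === true;
  return out;
}

// In a browser, loadTag would append a <script src=...> element and
// sendSignal would call gtag("consent", mode, signals); both are injected
// here so the gate itself can be exercised without a DOM.
function createConsentGate({ loadTag, sendSignal, now, userAgent, textVersion }) {
  let choices = normalizeChoices({});
  let pending = [];          // tags registered but not yet allowed to load
  const loaded = new Map();  // tag id -> category, for tags already injected
  const records = [];        // append-only consent log

  // Before any choice is made, every non-essential signal is "denied".
  sendSignal("default", toConsentModeSignals(choices));

  function tryLoad(tag) {
    // A tag with an unknown category has no consent it could rely on.
    if (!CATEGORIES.includes(tag.category) || !choices[tag.category]) return false;
    loadTag(tag);
    loaded.set(tag.id, tag.category);
    return true;
  }

  return {
    register(tag) {
      if (loaded.has(tag.id)) return;
      if (!tryLoad(tag)) pending.push(tag);
    },
    // Called when the user saves the banner or later changes or withdraws consent.
    decide(input, action) {
      choices = normalizeChoices(input);
      records.push(Object.freeze({
        timestamp: now(),
        userAgent,
        consentTextVersion: textVersion,
        action,
        choices: Object.freeze({ ...choices }),
      }));
      sendSignal("update", toConsentModeSignals(choices));
      pending = pending.filter((tag) => !tryLoad(tag));
      // Tags injected earlier under a category that is now refused cannot be
      // un-run; report them so the page can tear them down (e.g. by reloading).
      const revoked = [...loaded].filter(([, cat]) => !choices[cat]).map(([id]) => id);
      return { revoked };
    },
    records: () => records.slice(),
  };
}

// Constructed walk-through: first visit, partial opt-in, then withdrawal.
function runDemo() {
  const injected = [];
  const signals = [];
  let tick = 0;
  const gate = createConsentGate({
    loadTag: (tag) => injected.push(tag.id),
    sendSignal: (mode, s) => signals.push({ mode, ...s }),
    now: () => `2024-07-01T10:00:0${tick++}Z`,
    userAgent: "ExampleBrowser/1.0 (constructed)",
    textVersion: "banner-text-v3 (constructed)",
  });
  gate.register({ id: "session", category: "essential", src: "/js/session.js" });
  gate.register({ id: "stats", category: "analytics", src: "https://analytics.example/t.js" });
  gate.register({ id: "ads", category: "marketing", src: "https://ads.example/px.js" });
  gate.register({ id: "mystery", category: "unclassified", src: "https://cdn.example/x.js" });
  const beforeChoice = [...injected];
  gate.decide({ analytics: true, marketing: false }, "banner-save");
  const afterOptIn = [...injected];
  const { revoked } = gate.decide({ analytics: false }, "withdraw");
  gate.register({ id: "heatmap", category: "analytics", src: "https://analytics.example/h.js" });
  return { beforeChoice, afterOptIn, afterWithdraw: [...injected], revoked, signals, records: gate.records() };
}
```

The record keeps the three data points the checklist names (timestamp, user agent, consent text version) next to the choices themselves, so a later audit can tie each signal sent to a specific user action.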

How to ensure GDPR cookie compliance

Ensuring GDPR cookie compliance involves following a series of regulatory requirements and data protection best practices that also help build user trust and form the foundation of privacy-led marketing.

  1. Have a cookie policy: Clearly outline what cookies are used, their purpose, and how data is managed in a cookie policy. This policy should be easily accessible on your website, either as an independent document or as part of the privacy policy.
  2. Implement cookie consent banners: Present contextually relevant consent banners. For example, when a user first visits your site, provide them with immediate, clear options to accept or reject non-essential cookies. Ideally use geotargeting to determine which regulations are relevant to the user, with multi-language support to present consent information in the visitor’s preferred language.
  3. Obtain granular consent: Enable users to give separate consent for different types of cookies (e.g., analytics, advertising). This helps ensure that consent is specific and informed.
  4. Monitor tracking technologies: Continuously review and update the cookies and tracking technologies present on your site to ensure they comply with the latest legal standards and technical requirements. A robust scanner built into your CMP can automate this to save time and resources.
  5. Optimize consent mechanisms: Ensure that consent mechanisms are intuitive and enable users to withdraw consent as easily as they gave it. This can be streamlined using a consent management platform like Usercentrics.

Google has specific requirements of its own, especially concerning how advertisers use cookies and data.

With Google Consent Mode, you can adjust how your Google tags behave based on the consent status of your users. This ensures that you continue gathering valuable data while still complying with the GDPR by respecting user preferences about cookies and data tracking.

Usercentrics is a Google-certified CMP that integrates with the latest version of Google Consent Mode. Plus, with its library of over 2,200 legal templates and comprehensive Data Processing Services (DPS) Scanner, Usercentrics enables you to obtain, document, and signal granular cookie consent.

Managing cookies under the GDPR with Usercentrics

There’s a lot to consider when it comes to cookie compliance under the GDPR, but consent management tools like Usercentrics CMP simplify the process of collecting, managing, and signaling valid consent significantly.

Usercentrics provides a comprehensive solution for collecting, processing, and securely storing granular cookie consent, managing cookie banners, and documenting user consent as required by the GDPR.

After several years of delays, in July 2024 Google announced that the company would not be deprecating third-party cookie use in the Chrome browser. The article’s content remains relevant, however, so we have left it in its original form, with this note, for educational and reference purposes.

Even without the inclusion of Google Chrome, other major browsers have already fully deprecated third-party cookie use, and we believe that privacy-led marketing is the “cookieless” future.

Google plans to phase out the use of third-party cookies (set by external companies to track user behavior across the web) in the Chrome browser, and other browsers — Firefox, Safari, Opera, and Brave — have already deprecated third-party cookie support. This affects the type and volume of data available for marketers. There are also increasing pressures on digital marketers to meet strict data privacy standards. These pressures now come from influential tech platforms that millions of companies rely on, perhaps even more than from data protection authorities.

The cookieless future doesn’t mean there won’t be any cookies of any kind in use, just that third-party cookies and their sometimes indiscriminate tracking will be phased out. While marketers have long relied on the data third-party cookies collect, this data has often been collected with questionable — if any — consent from the people it’s sourced from. The data itself is also often of lower quality, needing to be aggregated with other data sources to be useful (and profitable).

Given the Chrome browser’s 65 percent majority market share as of mid-2024, however, the final deprecation of third-party cookie use will mark a significant milestone in the evolution of data processing, digital marketing, and privacy online. So “cookieless future” is in many ways appropriate.

We look at what the evolution of cookie use, changes in requirements for use of Google services, demands for data, and evolving privacy laws mean for companies. We also delve into the impacts of massive changes to established ways of doing digital marketing, and the solutions that companies can implement to make the cookieless future much brighter and more privacy-compliant.

What are the biggest challenges of the cookieless future for marketers?

There are increasing limitations on and even elimination of third-party data — which is indirectly derived from customers via various sources using third-party trackers and tools. Combine this change with the move to zero- and first-party data, which is limited to what customers consent to, and marketers will see reduced data visibility. This will impact the ability to track and target users online. However, as noted, these other data sources are of higher quality, and less data is needed to gain valuable insights, since it comes directly from customers.

Additionally, there are tools and strategies to optimize data collection in ways that are privacy-compliant, and to use newer technologies to enable modeling to provide the information marketers need to understand audience segments, customer journeys, and more.

Previously, it wasn’t that consumers didn’t care about companies collecting so much of their data without consent; it was more that there was little they could do about it. However, that is changing, thanks to regulations putting more control over data access into consumers’ hands, and people understanding that their patronage — and data — hold influence. If companies want their data, people want to know what’s in it for them. And if they don’t feel that they can trust companies to respect their privacy and secure their data, they’re increasingly inclined to take their business and data elsewhere, as this PwC survey from 2022 noted.

Shifting strategy from “collect as much data as you can and we’ll figure out what to do with it later” to much more strategic data collection and analysis is not only a legal requirement today, it’s a much smarter strategy. Companies can ask consumers how they want communications, what they want to hear from companies about, and what data they consent to share. Companies demonstrate respect for privacy, better engage customers, and acquire much more accurate data that can inform all parts of marketing operations.

Once companies connect with customers and obtain data, they still need to analyze and measure the performance of their marketing efforts. Obviously, measurement based on old models, like those relying on third-party data, needs an overhaul. Fortunately, there are new tools and strategies to help, which we’ll get into. Even when users decline consent, there are ways to obtain anonymized data and to model conversion journeys to know which channels are converting, the ROI of campaigns, and other key insights.

Why do you need to be ready for a Google cookieless future?

Change is coming for digital marketers on a number of fronts. Data privacy regulations have been spreading globally for years, and now influential tech partners are levying strict privacy requirements on their customers to ensure end-to-end privacy compliance in their operations. We look at the most important factors that marketers need to build into their operations to succeed in the privacy-led future.

1. Legal compliance with data protection and user privacy regulations

Data privacy laws are becoming well established, with the majority of the world’s population now protected by some form of privacy regulation. However, it’s not uncommon for smaller companies to pay little attention even to established laws like the European Union’s General Data Protection Regulation (GDPR). It’s big and complex, there are large “gray areas” that require legal interpretation, and all the penalties that have grabbed headlines seem to exclusively land on giant tech companies with global operations and billions of euros in revenue.

But what has grabbed the attention of millions of companies is new requirements handed down by Google to their customers and partners. Thanks to new laws like the Digital Markets Act (DMA), big tech platforms like Google, Meta, and Amazon have additional stringent privacy requirements to meet. And to ensure compliance, all the companies relying on their platforms for data, audience access, analytics, advertising, and more need to meet the same privacy standards.

2. Google’s requirements for advertisers

Google has also updated and is enforcing its EU user consent policy, which aligns with the requirements of the GDPR and ePrivacy Directive (ePD), further tightening consent requirements to its customer base.

If you’re using services like Google Ads or Analytics you need to implement a Google-certified consent management platform with the latest version of Consent Mode integrated. This enables you to collect user consent for data collection and processing and signal it to Google services, which are then controlled based on users’ consent choices. If you don’t comply, you can lose access to key functionality, like personalization features.

3. Google’s requirements for publishers

Google also now requires publishers serving ads on websites or in apps in the EU/EEA or UK to adopt the latest version of the IAB’s Transparency & Consent Framework (TCF), implemented via integration with a consent management platform (CMP). Not implementing TCF 2.2 puts you at risk of loss of advertising revenue in significant markets.

While Google’s privacy requirements are not fully global yet, it’s inevitable that as data privacy regulations continue to spread and evolve, data privacy requirements and robust consent management — including for cookie use — will become the global standard for doing business with influential tech platforms, enforcing a cookieless future.

Data privacy and marketing alignment

Navigating these new requirements means marketers need to embrace privacy-centric marketing strategies and technologies that align with evolving user privacy expectations. It requires giving up old notions of control over data and bringing together technologies to update the marketing stack, using consented data to drive campaigns, and doing the work to get to know customers and prospects directly so they welcome simply being asked about what they want from your company.

Google has presented core strategies for the future of measurement, including Google Consent Mode, Customer Match, Server-side Tagging, and Enhanced Conversion Tracking, emphasizing the pivotal role of user consent and transparent data practices for robust marketing operations in the cookieless future.

From third-party cookies to a cookieless world: embracing a privacy-first approach to marketing

A knee-jerk reaction to the evolution of digital marketing operations is that a lack of data will hamstring campaigns, affecting paid channel performance and measurement, for example. But this notion fails to take into account a critical fact outlined in a Google/Ipsos survey: providing a positive privacy experience can increase share of brand preference by 43%. Additionally, 71% of people prefer to buy from brands that are honest about what data they collect and why.

It’s not that valuable data is no longer available to marketers; it’s that it hasn’t occurred to some of them to provide customers and prospects with the right kind of experiences — that respect data privacy and are transparent about using data — that make them happy to provide it.

The impending end of third-party cookies in major web browsers calls for advertisers to take a proactive approach to adapt their marketing practices and data operations to the new cookieless world.

The same study confirms the positive impact of the privacy experience users have on your website or app. A positive privacy experience and a sense of control over user data can bolster brand preference and sales, while a negative experience can have a detrimental impact. With more and more data privacy regulations including the user right of data portability, being able to vote with their feet (or phones) and wallets has never been easier, and marketers need to pay attention.

“Brands need to go beyond the basics to provide truly positive privacy experiences and there are clear, tangible actions advertisers can take to achieve that. This means letting people know why their data is being collected, what it will be used for, and how it is improving their experience. All these factors combine to create transparency and build trust with your customers.”

Zero- and first-party data in a cookieless world

The quality issue with third-party data — the kind collected by third-party cookies — is its distance from the source, i.e., companies’ website visitors, app users, ecommerce customers, etc. So much of it has to be aggregated to gain useful insights, and even then it’s still nowhere near ideal.

What is ideal is building a direct relationship with these customers and getting their informed consent and preferences. This enables you to personalize communications, sales offers, targeted marketing, and more. Individuals hear from your company when they want and about what they want, which builds trust and increases engagement to grow long-term customer relationships and revenue. To do this, companies need zero- and first-party data.

Zero-party data for marketing in a cookieless world

Zero-party data is also referred to as self-reported, explicit, or opt-in data. It’s the gold standard for marketing in a cookieless world because it comes directly from visitors, users, and customers. It’s shared voluntarily and intentionally with their consent, and goes hand in hand with their consent choices about access to their personal data. Zero-party data doesn’t need to be aggregated or analyzed, because it’s direct information about what customers want.

Some examples of sources of zero-party data include surveys, product reviews, product preferences from orders, etc.

McKinsey has reported that companies earn 40 percent more revenue from personalization, so investing in operations to obtain and activate zero-party data, via preference management and other mechanisms, is well worth it.

Zero-party data is also valuable for product development and improvements, improved marketing programs, better sales strategy, and more.

First-party data for marketing in a cookieless world

First-party data is also referred to as proprietary, customer, in-house, or owned data. It’s obtained slightly less directly than zero-party data, so insights from it can be less accurate, but it’s still more valuable than third-party data, and an important source for marketing strategy and analysis.

Some examples of sources of first-party data include website analytics, ecommerce records, app usage data, and social media activities.

First-party data is particularly valuable for showing patterns in user behavior and preferences via activities, such as website session duration, page views, online purchases, software usage data, email engagement data, etc. Sometimes data from what people do can be more accurate than what they self-report via voluntary channels.

This data is useful for improving product user experience, enabling users to get more value from products, faster. On the business side, the data is useful for audience segmentation, marketing communications personalization, predictive modeling based on browsing and purchasing habits, campaign performance analysis, ROI interpretation, and budget optimization.

Preference management in a cookieless world

Preference management involves requesting information from users and customers, and then using it to tailor those individuals’ experiences with your company via communications, offers, and more. It’s a key source of zero-party data, and involves the most direct interaction rather than collecting data via user activities like web browsing.

Preference management also goes hand in hand with consent management, as when you want to know what customers want, that includes what personal data they agree to share with you and possibly with third-party partners.

Unlike with some third-party data collection, combining consent and preference management helps to ensure customers have full control over what they consent to in their interactions with companies regarding collection of data about them, communications, profiling and targeting, and more.

A preference management solution helps you gain higher open rates for emails, text messages, and more, since they match the preferences of each customer. You target advertising more accurately and gain better visibility for product launches and sales by targeting customers who’ve specifically requested information about these campaigns.

Preference management delivers better customer experience all around and demonstrates respect for privacy and customer preference and choice. A cookieless future all companies can get behind.

Server-side tagging in a cookieless world

Server-side tagging is another solution to the end of third-party tracking. With this function, your tags are served from a server directly, rather than in the visitor’s browser. This provides more control over privacy compliance in data collection and sharing with third parties, important when evolving marketing activities for a cookieless culture.

Client-side tagging transmits data to one or more servers, and commonly, with tag management, shares collected data with third parties, e.g. marketing technology partners. But there is no central control over data and who can access it, hence the privacy value of server-side tagging.

Server-side tagging is sitewide, so website and customer data are securely hosted on a central first-party server, which functions as a buffer between customers (and their consent) and third-parties that want their data for tracking and analysis. It enables a cookieless tracking solution where your customers’ consent choices determine what data is made available, and you control who gets access, when, how, and to what specific information.
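An added example of the buffer role described above: a first-party collection endpoint that decides, per vendor, whether an event is forwarded at all and which fields leave the server. It is not code from the original article or from any vendor; the vendor names, purposes, field allow-lists, transforms, and the sample event are constructed for illustration.

```javascript
// Added example. Vendor names, purposes and allow-lists are constructed.

// Per-field transforms applied before anything leaves the first-party server.
const keep = (value) => value;
// Query strings and fragments often carry identifiers (emails, order ids).
const stripQuery = (url) => String(url).split(/[?#]/)[0];
// Coarsen IPv4 to its /24; anything that is not plain IPv4 is dropped.
const truncateIpv4 = (ip) => {
  const parts = String(ip).split(".");
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? `${parts[0]}.${parts[1]}.${parts[2]}.0` : undefined;
};

// Each vendor gets a purpose (matched against the user's consent) and an
// explicit allow-list of fields. Fields not listed are never forwarded.
const VENDORS = [
  { name: "analytics-vendor", purpose: "analytics",
    fields: { event: keep, page: stripQuery, ip: truncateIpv4 } },
  { name: "ads-vendor", purpose: "marketing",
    fields: { event: keep, page: stripQuery, clickId: keep } },
];

// Returns one decision per vendor so the server can both act on it and log it.
function planForwarding(event, consent, vendors = VENDORS) {
  return vendors.map((vendor) => {
    // Fail closed: only an explicit boolean true counts as consent.
    if (consent?.[vendor.purpose] !== true) {
      return { vendor: vendor.name, send: false, payload: null,
               reason: `no consent for ${vendor.purpose}` };
    }
    const payload = {};
    for (const [field, transform] of Object.entries(vendor.fields)) {
      if (!Object.prototype.hasOwnProperty.call(event, field)) continue;
      const value = transform(event[field]);
      if (value !== undefined) payload[field] = value;
    }
    return { vendor: vendor.name, send: true, payload,
             reason: `consent for ${vendor.purpose}` };
  });
}

// Constructed event as the browser might report it to the first-party server.
const SAMPLE_EVENT = {
  event: "purchase",
  page: "https://shop.example/checkout/done?email=jane%40example.org&order=1881",
  ip: "203.0.113.77",
  email: "jane@example.org",
  clickId: "constructed-click-id-123",
};

// Analytics accepted, marketing refused.
function demoPlan() {
  return planForwarding(SAMPLE_EVENT, { analytics: true, marketing: false });
}
```

With this consent state, the analytics vendor receives the event name, the page path without its query string, and a coarsened IP, while the ads vendor receives nothing; the `email` field is on no allow-list and never leaves the server.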

Additional benefits of server-side tagging include:

Digital marketing in a cookieless world

With all these changes to how marketing and advertising work online, it’s understandable that marketers could be worried. But there’s no need to be. There are already tools and solutions available that not only replace third-party data from cookies, but enable consented collection and use of higher quality zero- and first-party data, higher user engagement, better customer satisfaction, and sustainable revenue growth.

Marketing measurement in a cookieless world

Marketers are greatly concerned about moving away from relying on third-party data and meeting business and regulatory requirements for obtaining valid user consent to access personal data, primarily due to accuracy concerns. They need to maintain accurate measurement of marketing activities and target new and existing audiences accurately. Fortunately, there are solutions to help marketers accurately obtain and signal user consent and obtain the data they need for accurate measurement.

The Google cookieless future arrived for many companies with the advent of Google’s new requirements for marketers, advertisers, and publishers in the EU. As of early 2024, the company requires its Google Ads customers to use a Google-certified consent management platform (CMP) that’s integrated with the latest version of Consent Mode in order to maintain access to key features of its services, like personalization.

A solution like Usercentrics CMP enables companies to obtain valid consent for the processing of personal data, per the compliance requirements of laws like the GDPR. Then the integrated Consent Mode v2 signals the consent information to Google services, controlling tags for website and advertising performance with it, and blocking or enabling cookies and trackers depending on users’ consent choices.

Where measurement is concerned, even when individuals decline consent, Consent Mode enables the collection of anonymized data only, which can’t identify an individual. This data is used for conversion modeling to develop insights while data privacy rights and requirements are respected. Website operators get back a significant amount of data for advertisers and gain conversion insights and information about consent banner interactions to optimize consent rates. It’s a strong example of a sophisticated solution for a cookieless world that’s driven by consent and enables marketing operations and business growth.

Marketing attribution in a cookieless world

Digital marketing is moving away from multi-touch attribution tools as the phase-out of third-party cookies draws nearer. So how can marketers accurately track customers’ conversion journeys? Here, again, conversion modeling can help.

Conversion modeling uses machine learning to assign links between ad interactions and conversions. This provides accounting in cases where cookies or other identifiers aren’t available.

Ad interactions are grouped; one group has a clear link to conversion, and the others don’t. The conversions with clear conversion paths are subdivided into groups to identify patterns more specifically, e.g. distribution of product purchase volumes depending on the day of the week or time of day.

Machine learning can then predict characteristics for the other group of unidentified ad conversions based on data that is known, and characteristics from the clear conversion paths. Modeled conversions are typically only included in reporting when the degree of confidence is high that an ad display resulted in a conversion. This helps with reporting accuracy.

Google has also proposed Privacy Sandbox APIs. These are meant for several advertising use cases, including attribution reporting, while enabling data privacy compliance. Advertising interactions can be linked to specific actions or conversions, so individual tracking isn’t needed. Advertisers can understand campaign impact in a privacy-centric way.

Optimized targeting and retargeting in a cookieless world

First-party data, coming directly from users, allows for significantly greater precision in optimizing targeting and retargeting activities. Consumers are all too familiar with poorly targeted ads, especially when they seem to follow individuals around online. Companies need to know what a prospect who converts looks like, which can be modeled from data collected (with consent), ideally in real time. Google Ads enables optimized targeting to help you find your ideal audiences, and is one of the Google services supported by Consent Mode to help ensure adherence to privacy standards.

As marketing evolves away from cookies, contextual targeting is becoming more important. Companies can direct advertising based on users’ demonstrated interests, respecting their privacy and data preferences, rather than trying to broadly harvest enough data in an effort to understand the user and present ads that engage them.

To do retargeting well, companies need good data sources and user consent, which consent and preference management explicitly deliver. As retargeting evolves, along with many digital marketing operations — not to mention data privacy laws, business requirements, and consumer savvy — this will only continue to become more important.

For a successful user journey that results in conversions (and happy customers), companies will need tools and insights to carefully craft messaging that matches customers’ actions, interests, and consent choices. Instead of blasting individuals who didn’t immediately convert with ads and potentially questionable personalization, companies can use more sophisticated campaigns to stay top of mind with prospects where they like to browse, based on known patterns and interests, until they’re ready to buy.

Google’s tools to implement consent and a privacy-first approach also extend to retargeting efforts. The Privacy Sandbox APIs support it, enabling these important conversions on future interactions.

Consent management is the lynchpin of these new marketing tactics, in addition to being a key tool to enable data privacy compliance with an ever-increasing number of regulations, guidelines, and policies around the world.

While companies have gotten used to established laws like the GDPR, more recently, regulations like the Digital Markets Act (DMA) have contributed to new pressures to achieve and maintain privacy compliance due to business requirements. As companies like Google, Meta, and Amazon are required to meet stringent new standards, enabling end-to-end privacy compliance means they need to levy their own requirements on their customers to ensure consent for advertising, analytics, and other data uses.

A consent management solution sits in the middle of the marketing stack to record customers’ consent preferences and signal them to the many marketing functions they control, from Google tags to vendor campaigns. It also enables companies to prove that they obtained valid consent in the event of an audit or data subject request.

A consent management platform enables users to make granular choices about their data use, saying “yes” to cookie use for marketing purposes, “no” to analytics, etc. Or they can consent to all cookie use (increasingly first-party as third-party cookies are deprecated) or decline the use of all cookies and tracking technologies except those essential for core website functions.

 

What’s next for the marketing cookieless future?

While marketers have relied on third-party cookies for a long time, they have always been imperfect tools, and they simply don’t fit today’s technology and privacy requirements, and customers’ expectations.

Not to worry, there are plenty of tools now for the marketing stack, and evolving strategies that respect privacy and enable compliance, while still delivering the data marketers need for precision, engagement, and conversions.

Of course, as with any big change, getting your new privacy-led marketing tactics and measurement right will require some fine-tuning. You will need to test and optimize, both to get the zero- and first-party data you need and to increase data volumes by improving opt-in rates and increasing user buy-in to personalization.

A layered approach is also important, including using advanced data modeling and AI. AI-driven attribution is being considered as a solution to stitch together longer customer journeys, enabling more effective tracking and personalized targeting in the absence of traditional cookie-based measurement systems.

Each company needs to determine the right toolkit for its operations; there isn’t one blanket solution to overhaul marketing operations or preserve traditional methods of measurement. Not all companies will have sufficient data volumes for functions like modeling, and so may need to shift to internal data science functions. Very small companies may lack both the data and resources, but even tiny startups can listen to their customers, respect their privacy, and deliver great customer experiences that make people happy to share their preferences and information.

The cookieless future is here, and it brings with it better customer experience by incorporating built-in end-to-end privacy in marketing operations, relying only on data coming directly from the customer, which in turn enables true personalization, and builds longer-term relationships based on trust.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.