Understanding and implementing a cookie policy is crucial for any website that values transparency, user trust, and legal compliance.

As digital privacy concerns continue to grow, both users and regulatory bodies demand greater clarity on how personal data is collected and used. A cookie policy is the document that informs visitors about the types of cookies a website uses, the data they collect, and how this information is managed.

So let’s take a look at what a cookie policy is, the benefits of adding one to your website, and what it must include.

What are cookies and how do they work?

Cookies are small pieces of text that a website’s server (or a script running on the page) asks the browser to store on the user’s device, typically on the first visit. Each cookie is kept either until the browser session ends or until a stated expiry date. They help track user behavior, remember login details, and maintain session information, enabling a personalized browsing experience. For example, cookies can keep items in a shopping cart or save user preferences.

On subsequent visits, the browser sends the cookie data back to the server that set it, enabling the site to recognize the user. Cookies are further classified as first-party (set by the site the user is visiting) or third-party (set by another domain, such as an embedded advertising or analytics service), and the two are used for different types of data collection.

Learn more about what a cookie is, the different types of cookies, and how they keep your website running.

What is a cookie policy?

A cookie policy is a document containing a list of all the cookies present and used on a website, along with detailed information about each. It tells website visitors which cookies are present, how they will be used, what information they collect, who sets them and collects information from them (e.g. advertising vendors), and how users can control their cookie preferences.

What’s the difference between a cookie policy and a privacy policy?

The main differences between a cookie policy and a privacy policy lie in their scope, content, and legal requirements.

A privacy policy is broader, covering how a company collects, uses, and protects all types of personal data, while a cookie policy focuses specifically on cookies and similar tracking technologies used on a website.

Additionally, a privacy policy explains data collection methods, purposes, storage, sharing practices, and user rights for all personal information, whereas the cookie policy details the types of cookies used, their purposes, duration, and how users can manage cookie preferences.

The cookie policy can be its own document, e.g. on a company’s website, or it can be a section in the privacy policy. The important thing is the information contained, that it’s kept up to date, and that it’s clear and easy for website visitors to access.

Use our privacy policy generator to craft a personalized privacy policy for your website that aligns with data privacy laws in just a few easy steps.

Why is a cookie policy important?

Cookie policies are essential for several reasons, particularly in the context of data privacy and user experience.

Build trust through transparency

A well-crafted cookie policy reflects your commitment to transparency. By clearly explaining the cookies used on your website, how they function, and what data they collect, you empower users to make informed decisions about their privacy. This openness fosters trust with your audience, an invaluable asset in today’s privacy-conscious world.

Comply with data protection laws

Cookie policies are typically a legal requirement, especially in regions with strict data protection laws. In the European Union, for example, the ePrivacy Directive, applied together with the GDPR, requires websites to obtain user consent before storing non-essential cookies on users’ devices or reading information from them. The UK’s Privacy and Electronic Communications Regulations (PECR) set out similar rules for cookie use. Ensuring your cookie policy complies with these laws is crucial to avoid penalties.

Empower users through control and consent

An effective cookie policy provides users with clear information on how to manage their cookie preferences, though opt-in/opt-out rights will vary by jurisdiction. This includes instructions on opting out of certain types of cookies or adjusting their settings. By offering this level of control, you not only meet legal requirements but also show respect for user autonomy.

Reduce legal risks

Having a transparent cookie policy in place helps mitigate legal risks. It demonstrates your proactive approach to data protection and compliance with regulatory requirements to inform visitors. This is important if your practices are ever scrutinized by regulatory authorities.

Provide a better user experience

By explaining the purpose of different types of cookies, your policy can help users understand how these cookies contribute to their browsing experience. This understanding leads to more informed decisions about cookie acceptance, and it improves users’ overall experience on your site by giving them a sense of control over their data and how it’s used.

Gain a competitive advantage

In an era where privacy concerns are at the forefront, having a clear and comprehensive cookie policy can differentiate you from competitors. It signals that you take user privacy seriously, which can be a deciding factor for privacy-conscious consumers.

Is a cookie policy on a website mandatory?

The implementation of cookie policies is not just a matter of best practice, it’s often a legal necessity.

Key regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Privacy Rights Act (CPRA) in the United States set strict requirements for transparency in data collection practices. Both require websites to inform users about the cookies they use. The GDPR, together with the ePrivacy Directive, additionally requires consent before non-essential cookies are set, whereas the CPRA requires that users are able to opt out of the sale or sharing of their personal information. Even where the consent requirements differ, all privacy laws have a clear set of requirements for information that has to be provided to customers about data use, privacy, and rights.

Scan your website for free to find out which cookies and tracking technologies are collecting data on your website.

Requirements for a cookie policy for a website

Crafting a cookie policy isn’t just about listing the cookies your website uses. It’s about creating a document that’s clear, transparent, and user-friendly. A well-thought-out policy can help build trust with your visitors by clearly explaining how cookies are used and how they can manage their preferences.

Here are the key components to include to create a compliant cookies policy for a website.

Types of cookies used

Provide a clear description of the various categories of cookies on your website, such as strictly necessary, functional, analytical, and marketing cookies. Use a consent management platform like Cookiebot CMP by Usercentrics to help automate this process by regularly scanning and updating your site for new cookies.

The purpose of cookies

Explain the specific purpose of each type of cookie, detailing how they benefit the user experience or contribute to website functionality.

Mention all third-party cookies

Disclose any third-party services that may place cookies on users’ devices through your website, including their purpose and how they’re used. These can be tricky to detect and may change regularly, making a consent management platform that can detect them even more important.

Address the lifespan of placed cookies

Provide information on how long cookies remain on a user’s device, distinguishing between session cookies, which have no expiry date and are deleted when the browser is closed, and persistent cookies, which carry an expiry date or maximum age and remain for a longer period. Many privacy laws and guidelines also include requirements for how long cookies can be active, and when new consent has to be obtained, where relevant.
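The Set-Cookie exchange described above under “What are cookies and how do they work?” and the fields a cookie declaration needs (name, provider, lifetime, first- or third-party), as an added example that is not code from the original page or from Cookiebot. It parses Set-Cookie headers as a scanner would see them and turns each into a declaration row. The sample headers, the site host `shop.example.com` and the receive timestamp are constructed for illustration; a real scan would take the headers from live responses.

```javascript
// Added example (not from the original page): turn Set-Cookie headers into the
// rows a cookie declaration needs. Sample data below is constructed.

const SITE_HOST = "shop.example.com"; // assumed first-party host of the site being scanned

// Parse one Set-Cookie header value into { name, value, attrs } (attribute names lowercased).
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(Boolean);
  const [pair, ...attrParts] = parts;
  const eq = pair.indexOf("=");
  if (eq < 0) throw new Error("malformed cookie pair: " + pair);
  const attrs = {};
  for (const a of attrParts) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1).trim(); // flag attributes become `true`
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// A cookie is first-party when its provider domain is the site host or a parent of it.
function isFirstParty(providerDomain, siteHost) {
  const d = providerDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Expiry per RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
function cookieExpiry(attrs, receivedAt) {
  if (attrs["max-age"] !== undefined) {
    const secs = parseInt(attrs["max-age"], 10);
    return Number.isNaN(secs) ? null : new Date(receivedAt.getTime() + secs * 1000);
  }
  if (attrs.expires !== undefined) {
    const d = new Date(attrs.expires);
    return Number.isNaN(d.getTime()) ? null : d;
  }
  return null;
}

// One declaration row. `responseHost` is the host whose response carried the header;
// without a Domain attribute the cookie belongs to that host.
function declarationRow({ responseHost, header }, siteHost, receivedAt) {
  const { name, attrs } = parseSetCookie(header);
  const provider = (attrs.domain ? String(attrs.domain) : responseHost).replace(/^\./, "");
  const expiry = cookieExpiry(attrs, receivedAt);
  return {
    name,
    provider,
    firstParty: isFirstParty(provider, siteHost),
    type: expiry ? "persistent" : "session",
    lifetimeDays: expiry ? Math.round((expiry.getTime() - receivedAt.getTime()) / 86400000) : 0,
    secure: attrs.secure === true,
    httpOnly: attrs.httponly === true,
  };
}

// Constructed sample: two headers from the site itself, two from embedded third parties.
const SAMPLE_RESPONSES = [
  { responseHost: "shop.example.com",
    header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { responseHost: "shop.example.com",
    header: "cart=item42; Max-Age=2592000; Path=/; Domain=.example.com" },
  { responseHost: "www.google-analytics.com",
    header: "_ga=GA1.2.123; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=.google-analytics.com" },
  { responseHost: "ads.doubleclick.net",
    header: "IDE=xyz; Max-Age=31536000; Domain=.doubleclick.net; Secure; SameSite=None" },
];

function buildDeclaration(responses = SAMPLE_RESPONSES, siteHost = SITE_HOST,
                          receivedAt = new Date("2026-01-01T00:00:00Z")) {
  return responses.map(r => declarationRow(r, siteHost, receivedAt));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(buildDeclaration());
}
```

Run with `node declaration.js` (any file name) to print the table. The `secure` and `httpOnly` columns are not usually part of a public declaration, but they are worth keeping in the scan output: a login or session cookie that lacks them is a finding for the security team, not just the privacy team.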

Provide user controls

Offer clear instructions on how users can manage their cookie preferences, including how to opt in or opt out, change existing preferences, or disable cookie use. Also include clear information about the effects of opting out or disabling cookies, particularly where doing so would affect the function or user experience of the website or prevent the delivery of certain services.

Address policy updates

Include a statement on how users will be notified of changes to the cookie policy, ensuring they stay informed about any updates.

Website cookie policy example

Armed with the knowledge of what a cookie policy should include, let’s look at an example.

Cookiebot by Usercentrics has a cookie declaration in addition to a privacy policy. The page has a straightforward, user-friendly layout, making it easy for visitors to navigate and understand how cookies are used on the site.

The policy starts with a clear explanation of what cookies are and their purpose, which is helpful for users unfamiliar with the technology. It then categorizes cookies into four groups: necessary, preferences, statistics, and marketing. Each category is clearly defined, helping users quickly grasp the different types of cookies and their functions.

Cookiebot also provides specific details about each cookie, including its name, provider, and expiration period. This level of detail is important for users who want to understand how cookies affect their privacy.

Cookie Declaration

This information is presented in a clear and accessible manner to enable website visitors to make informed choices about their cookie preferences.

Industry-specific nuances of cookie policies

Different industries face specific challenges when it comes to cookie policies, as the ways websites collect and use data vary widely across sectors. By understanding these nuances, businesses can create cookie policies that are not only compliant but also effectively tailored to their specific needs.

Ecommerce

Ecommerce websites rely heavily on cookies for functions like personalization, shopping cart functionality, and targeted advertising. Their cookie policies must strike a balance between enabling these features and being transparent about data collection. Many ecommerce sites now provide clear explanations of how cookies enhance the shopping experience, such as remembering items in a user’s cart or suggesting relevant products.

Healthcare

Healthcare websites face strict privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to various data privacy laws in the US or abroad. Therefore, a cookie policy for the healthcare sector often emphasizes the security measures used to protect sensitive health information, clearly distinguishing between necessary cookies for essential site functionality and optional cookies used for analytics or marketing purposes.

Health and wellness apps are also growing in popularity, and while they have different data collection mechanisms, they face increasing scrutiny. More focused regulations are appearing, such as the Washington My Health My Data Act, which governs how they can collect and use sensitive personal data from users.

Finance

Financial institutions must adhere to stringent data privacy and security requirements and build trust with their users. Like with healthcare, the financial sector has a whole industry-specific set of regulations they must abide by, which include additional data privacy requirements.

Financial companies’ cookie policies typically focus on the cookies used for essential functions like login sessions, while also providing detailed information on any tracking cookies used for marketing or analytics. Note that a cookie is not itself encrypted: a session cookie should hold an opaque identifier rather than account data, and should be set with the Secure and HttpOnly attributes so it is only sent over HTTPS and cannot be read by scripts on the page.

Media and entertainment

Websites in the media and entertainment industry often use a wide range of cookies for content personalization, advertising, and tracking user engagement. Their cookie policies usually include clear explanations of how these cookies improve the user experience, such as by remembering playback preferences or suggesting articles based on past reading behavior.

Build user trust and comply with privacy laws by implementing a cookie policy

A clear and well-structured cookie policy is essential for any website. It not only ensures compliance with data protection laws but also builds trust by being transparent about how user data is collected and used.

By empowering users with control over their privacy settings, you enhance their experience and reinforce your commitment to safeguarding their personal information. A thoughtful cookie policy is more than a legal requirement—it’s a step toward creating a trustworthy and user-friendly online presence.

If you operate an online business, whether via a website, mobile app, or both, your business needs a clear understanding of user consent for their data. As privacy protection laws become increasingly strict, failure to gain proper consent from visitors, customers, and users can lead to both hefty fines and brand distrust.

But there are many different types of consent, all with specific requirements levied by regulatory bodies. Understanding what consent you need and when and how you need to request it can help you build brand loyalty, make better decisions for your business, comply with regulations, and avoid penalties for noncompliance.

Different types of user consent

While there are two main consent models used in privacy regulations around the world, the conditions for valid consent under different data processing circumstances vary more widely. We break down what they are, where they’re relevant, and how to comply with them.

Opt-in vs. opt-out consent

Digital marketers need to obtain valid opt-in consent from users, for functions like subscribing to a newsletter or using their data to personalize ads shown to them. Similarly, users need the option to opt out of data-driven activities, such as unsubscribing from a newsletter or withdrawing from data collection for advertising or analytics.

Along with marketing functions, opt-in and opt-out consent also apply to cookie banners. A consent banner employed for CCPA/CPRA-compliant consent would include an opt-out option, and the website must provide a “Do Not Sell Or Share My Personal Information” link. Users can click that link at any time, but in most cases companies don’t need to get consent before they start collecting users’ data. If the user has not explicitly opted out, consent is implied.

A cookie banner that follows an opt-in model requires users to click an “Accept” button or take a similar explicit action to agree to the data collection practices and purposes communicated. This style of banner is mandatory under the GDPR for consent to be valid.

In most cases it is not compliant to prevent users from accessing sites or their features if they decline consent, e.g. with a consent wall that can’t be bypassed, or for them to have a lesser user experience if they don’t consent. Here are tips for creating cookie banners that meet legal requirements.

Informed consent

Informed consent was once predominantly applied in sectors like research, healthcare, and media studies. But it’s becoming increasingly applicable in online data protection and relevant to marketers, especially since the introduction of the General Data Protection Regulation (GDPR) in the European Union.

Informed consent requires users to be informed of the details of digital data collection. Regardless of the consent model, all data privacy laws require that data subjects are provided with information about data collection and use and their rights.

Informed consent is especially relevant for businesses that are required to comply with the GDPR. Organizations that fail to obtain proper informed consent in the EU can be heavily fined.

Google has since introduced its own data privacy measures with tools like Google Consent Mode and updates to its EU user consent policy.

Explicit consent

Explicit consent is clear and unambiguous on the part of the data subject. With informed consent, the individual knows what their data will be used for and what their rights are. With explicit consent, the user must also perform a clear, dedicated action to express their acceptance of the request for access to their data.

Examples of this include:

By using explicit consent, not only are you meeting regulatory requirements, but you’re demonstrating respect for data privacy and building stronger trust with your users.

Granular consent

Granular consent involves requesting separate consent for different data processing purposes.

For example, rather than a cookie banner that only gives users the option to “Accept All” cookies and other trackers in use, website operators need to offer specific cookie consent options to comply with the GDPR, such as enabling visitors to say yes to analytics cookies but no to advertising ones.

Users should be presented with clear and user-friendly options to accept or reject data processing, such as banners that allow users to opt-in or opt-out of specific cookies individually, like in the image below.

Implied consent

Unlike explicit consent, implied consent involves assuming consent based on a person’s actions or inactions. An example of this might be a user continuing to browse a website after a cookie banner pops up, and ignoring it. These are sometimes referred to as “browsewrap agreements”.

With a marked shift towards privacy-led marketing and regulatory authorities increasingly prohibiting assuming consent from a user not performing an explicit action, it’s recommended to err on the side of caution against implied consent.

Instead, follow informed and explicit consent best practices, following privacy-led and consent-based marketing principles.

General consent

Unlike granular consent, general consent offers limited control over what data users can agree to or reject.

An example of this could be a general online service agreement where users consent to the Terms of Service, without providing necessary details about the privacy policy and how data is being collected, stored, and processed.

General consent was once fairly commonplace, but it’s becoming increasingly discouraged in favor of granular consent. Consent “bundling” is also not allowed under a number of data privacy laws. Best practices involve separating out different kinds of required information, like in the Terms of Service and privacy policy, as well as having a cookie notice and consent banner for informed and explicit consent management.

Conditional consent

This typically follows a ‘this for that’ approach. Conditional consent can look like companies offering something in exchange for a user’s data. For example, a user accessing a whitepaper or webinar under the condition that the company can send them marketing messages. Or a discount code in exchange for a newsletter signup.

For businesses in the European Union, conditional consent can become convoluted because consent must be “freely given” under the GDPR, which blurs the lines with marketing strategies like gated content. Making such offers has generally not been frowned upon, but what individuals give must be proportionate to what they get; otherwise it looks like a bribe for consent, which data protection authorities do object to.

If you’re considering conditional consent-based marketing, using a consent management platform to follow proper protocol is recommended.

Ongoing and dynamic consent

Ongoing consent, otherwise known as dynamic consent, helps ensure that users have the opportunity to actively manage their data and adjust, update, or withdraw their consent at any point.

Unlike the traditional one-time model of consent, sometimes referred to as a “clickwrap agreement”, a dynamic consent approach is based on a few core factors.

Offering dynamic/ongoing consent is a crucial way to build trust with users by improving user experience, and adhering to data privacy laws.

Withdrawable consent

Whether using an opt-in or opt-out consent model, pretty much all data privacy laws require users to be able to withdraw consent at any time, even if their data has been collected and used for some time. Ideally individuals should be able to easily change consent preferences at any time as well, if they don’t want to entirely revoke them. Once the user opts out, data collection and processing must stop as soon as possible, ideally immediately, including processing by third parties working for the main controller.

Here are specific features of withdrawable consent:

The right to withdraw consent is, arguably, one of the most important aspects of data protection. Consider a consent management platform to help manage withdrawal functionality accordingly. Many data privacy laws require companies to maintain proof of consent, which includes user actions over time, like accepting, changing, or later withdrawing it.

Put all of the Usercentrics CMP’s premium features to work for your privacy-led marketing – free for 30 days!

Consent requirements under global privacy laws

Many of the world’s modern and comprehensive data privacy laws require opt-in consent, among other requirements. While all EU member states are covered by the GDPR, individual countries may add their own consent requirements. The United States is the biggest market where opt-out consent is the norm; there is not yet a federal privacy law there, and data privacy is handled state by state.

Consent requirements under the GDPR

When the GDPR came into effect it set a global benchmark for consent requirements in privacy laws. But what, specifically, does the GDPR require around consent? Here are the key requirements.

Key requirements for consent

Follow our free checklist to achieve and maintain your GDPR compliance.

Consent requirements under the CCPA

The California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA), apply to for-profit organizations that conduct business in California and meet certain criteria.

The CCPA is generally less strict than the GDPR, especially with regards to consent requirements. Still, like the GDPR, failure to adhere to these criteria can result in serious penalties and damage to consumer trust and brand reputation. Here is a high-level checklist of its requirements.

Follow our free checklist to achieve and maintain your CCPA compliance.

Consent requirements under the LGPD

Another prominent data protection law is Brazil’s Lei Geral de Proteção de Dados (LGPD), which translates to General Data Protection Law in English. The LGPD was influenced heavily by the GDPR, and has actually expanded its coverage beyond the GDPR in some areas. Here are some of the core requirements for consent under the LGPD.

Learn everything you need to know to achieve and maintain LGPD compliance in Brazil.

How to comply with different types of consent requirements: use a Google-certified CMP

Navigating different types of consent can be overwhelming, especially if you conduct business globally where customer expectations vary regionally and when technology and regulation frequently changes.

For example, business requirements are catching up to regulatory ones for consent. Due to Digital Markets Act (DMA) requirements on Google, for example, publishers and developers using Google AdSense, Ad Manager, or AdMob now require a Google-certified Consent Management Platform integrated with the latest version of Google Consent Mode if they want to retain access to all features of Google services, like personalization and retargeting, across the EU/EEA and UK. Google has also expanded their EU user consent policy to include Switzerland.

To ensure that you’re conducting business in these regions while complying with legal and business requirements, choose a Google-certified consent management platform (CMP) like Usercentrics CMP.

From obtaining compliant consent and better engaging customers to staying up to date with evolving regulations, a CMP like Usercentrics’ simplifies the process and helps to ensure you can both achieve and maintain privacy compliance while getting the data your company needs, and building trust and engagement with customers.

Boost the performance of your privacy-led marketing activities – try Usercentrics CMP free for 30 days!

Being a successful enterprise company today means understanding and adhering to global privacy regulations and business requirements to protect user data and respect privacy.

One critical digital component of privacy compliance is the cookie popup, which has become a familiar notification on websites and apps. These popups serve a dual purpose: they inform website and app users about data collection and request their permission to collect and use personal data.

As global privacy laws like the GDPR and CPRA tighten their grip and online consumers become more savvy, cookie popups have become indispensable tools for maintaining transparency, protecting revenue, and building trust with users.

We explore the importance of cookie popups, details of implementation, and best practices for great user experience, high consent rates, and achieving and maintaining privacy compliance.

What is a cookie popup?

A cookie popup, also known as a cookie banner or consent banner, is a notification that appears on a digital property to inform visitors and users about the cookies and other tracking technologies in use, and to ask for their permission to use them to collect personal data.

A cookie popup appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs users about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the General Data Protection Regulation (GDPR) and ePrivacy Directive (also sometimes known as the “cookie law”), websites and apps must comply with more than just notification requirements. When collecting users’ personal data, digital property owners have certain obligations regarding users’ data privacy. For instance, securely storing data collected, including consent choices, or not disclosing or selling the data to third parties without prior consent from users in many cases.

Desktop Banner

The importance of a cookie popup

Cookie popups are important for website owners, app publishers, and others with platforms that collect personal data, and equally important to the consumers whose data is being requested. They let users know what technologies can collect their data and for what purposes, and (ideally) offer granular consent options, which usually also need to be changeable or revocable over time to be privacy-compliant.

The main reason to implement a cookie popup is to comply with global privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA). By using these popups, websites can demonstrate their compliance and commitment to user privacy, thereby building trust with visitors. This trust enhances user engagement, leading to higher-quality data, which in turn benefits marketing operations and boosts revenue.

Additionally, cookie popups give users control over their data. By enabling people to choose which cookies they feel comfortable accepting, website owners are improving the website browsing experience.

For businesses, cookie popups enable the collection of useful data for improving website performance and marketing strategies in a legally compliant way. This can also contribute to improving ecommerce and product development.

Cookie popups and data privacy laws

Cookie popups play a crucial role in compliance with data privacy laws across the globe. Many regulations, such as the GDPR, require websites to gather explicit consent from users before collecting, using, or sharing their data through cookies. Other laws, like those in the US, usually only require users to be able to opt-out.

To comply with global data privacy laws, website owners and app publishers must follow a few key requirements of cookie popup use.

While cookie popups are not explicitly mandated by all privacy laws, they have become a common practice for demonstrating compliance and respecting user privacy. For instance, while the CPRA doesn’t specifically require cookie popups, many websites use them to comply with the law’s broader privacy protection requirements.

Cookie popup

International laws requiring cookie consent popups

Various countries have different regulations related to cookie consent popups.

It’s important to note that while these laws influence cookie consent practices globally, the specific requirements for cookie popups can vary by jurisdiction. Many websites implement cookie consent mechanisms to comply with these various regulations, especially if they have a global audience.

Typically, data privacy laws protect residents of the jurisdiction where they are active, e.g. the GDPR protects residents of the EU. Many laws are also extraterritorial, which means it doesn’t matter where companies are located if they process the data of residents of the region where the law is active. So a US-based company has to comply with the GDPR if it processes data of EU residents.

The list above covers the more well-known privacy regulations, but it is not exhaustive. To date, the majority of the world’s population is covered by one or more privacy regulations. It’s important for website owners and app publishers to be up to date on the jurisdictions and laws relevant to their business, and the compliance requirements. Companies should consult qualified legal counsel and/or a privacy expert.

Cookie consent popup best practices checklist

When implementing a cookie consent popup on your website, it’s crucial to ensure compliance with privacy regulations and provide a good user experience. Use the following checklist to create an effective and compliant cookie consent mechanism:

  • Clear information: Explain which cookies you use, to collect which kinds of data, and why. Specify the types of cookies, e.g. necessary, functional, analytics, marketing). Mention if third-party cookies are used, and who sets them.
  • Give consent options: Provide equal consent options, like both “Accept and “Reject” buttons, both overall consent to cookie use and ideally options for granular consent to some cookies. Do not use manipulative tactics like prechecking boxes or only showing an “Accept All” option.
  • Active consent collection: Require users to take a clear affirmative action that’s recorded, e.g. clicking a button. Do not use scrolling or continued browsing as consent, which is prohibited under many laws.
  • Enable easy consent withdrawal: Provide a method for users to easily change their preferences or withdraw consent. Include a persistent “cookie widget” or callback button to make it easy to access.
  • Timely consent collection: Obtain consent before setting any non-essential cookies in jurisdictions where this is required. Best practice would be to block cookies automatically until consent is obtained.
  • Consent storage: Securely store user consents for as long as needed for privacy compliance and other legal requirements. Be ready to provide information in the event of data protection authorities’ inquiry or data subject access request.
  • Provide users with more information: Include a link to your full cookie policy or privacy policy that is prominent on any website page or app screen. Ensure it’s kept up to date.
  • Visibility and accessibility: Ensure the popup is prominently displayed and easily noticeable. Make it accessible on all devices (desktop and mobile) but also well branded and user-friendly to use. Don’t use it to block user access to websites or apps unless they give consent.
  • Language and readability: Use clear, understandable language without technical or legal jargon. Provide the banner in all languages your website supports, ideally with automatic geotargeting.
  • Respect user choices: Implement technical measures to honor user preferences. Block non-essential cookies until consent is given. If users decline consent, don’t ask again before the period the applicable law allows, e.g. 12 months. If your data processing purposes change, however, you may be legally required to obtain new consent.

By following this checklist, you can create a compliant cookie consent popup that respects user privacy and provides a good user experience.

How do you add a cookie popup to a website?

There are multiple ways to install a cookie popup on your website.

The first is to use a consent management platform (CMP), such as Usercentrics CMP or Cookiebot CMP, that enables you to create a customizable and compliant cookie banner in minutes.

These CMPs will scan your website so you know which cookies and tracking technologies are collecting data, and create a cookie declaration that you can use alongside a privacy policy. The CMPs also record and securely store consent records, with a log of the cookie consent you receive from website visitors over time.

If you have a WordPress website, WordPress offers a range of cookie popup plugins, like the Cookiebot™ WordPress Plugin, that enable website owners to add a privacy-compliant cookie popup without compromising user experience. We’ve compiled a resource that enables you to compare the 10 Best WordPress cookie consent plugins.

Another option is to manually code a cookie banner for your website. Add a short explanation of the purpose of cookies, a clear statement on which action will signify consent and a link to your cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.
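A minimal version of that script gating, as an added example rather than code from this page or from any CMP vendor. It assumes a hypothetical convention that every non-essential tag is shipped inert with `type="text/plain"` and a `data-consent` attribute naming its category, a first-party cookie named `site_consent`, a 12-month re-consent period, and a version string for the consent text; the category names are the ones from the checklist above. The record it builds carries the timestamp, user agent and consent-text version that an audit later asks for.

```javascript
// Added example (not Usercentrics/Cookiebot code): a minimal, hand-rolled consent gate.
// Assumed convention (hypothetical): every non-essential tag ships inert, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/a.js"></script>
// and is only turned into a live script once its category has been accepted.

const CONSENT_COOKIE = 'site_consent';                 // assumed first-party cookie name
const CONSENT_TEXT_VERSION = '2024-09-v3';             // bump when banner text or purposes change
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // re-ask after 12 months (the page's example)
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

function randomId() {
  // crypto.randomUUID exists in modern browsers and as a global in Node 19+
  return (typeof crypto !== 'undefined' && crypto.randomUUID)
    ? crypto.randomUUID() : Math.random().toString(16).slice(2);
}

// The record that is stored client-side and posted to the consent log. Timestamp, user agent
// and the version of the consent text are the fields an audit will ask for.
function createConsentRecord(choices, userAgent, now = Date.now()) {
  const record = { id: randomId(), timestamp: new Date(now).toISOString(), userAgent,
                   textVersion: CONSENT_TEXT_VERSION, choices: {} };
  for (const cat of CATEGORIES) {
    // 'necessary' needs no consent and cannot be refused; every other category defaults to refused
    record.choices[cat] = cat === 'necessary' ? true : choices[cat] === true;
  }
  return record;
}

// 'none' = no record, 'expired' = older than the allowed period, 'stale' = consent text or
// purposes changed since it was given, 'valid' = can be relied on without re-asking.
function evaluateStoredConsent(record, now = Date.now()) {
  if (!record || !record.timestamp || !record.choices) return 'none';
  const age = now - Date.parse(record.timestamp);
  if (!(age >= 0) || age > CONSENT_MAX_AGE_MS) return 'expired';  // NaN or future timestamps count as expired
  if (record.textVersion !== CONSENT_TEXT_VERSION) return 'stale';
  return 'valid';
}

// From the inert script descriptors ({category, ...}) return those allowed to run. Without a valid
// record only 'necessary' scripts pass, and a script whose category is missing or unknown stays
// blocked: failing closed stops a marketing tag sneaking through on a misspelt data-consent value.
function scriptsAllowed(scripts, record, now = Date.now()) {
  const state = evaluateStoredConsent(record, now);
  return scripts.filter(s => CATEGORIES.includes(s.category) &&
    (s.category === 'necessary' || (state === 'valid' && record.choices[s.category] === true)));
}

// Cookie persistence. Secure + SameSite=Lax; Max-Age matches the re-ask period so an expired
// consent disappears on its own. This cookie is itself 'necessary' and needs no consent.
function serializeConsentCookie(record) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
    `; Max-Age=${Math.floor(CONSENT_MAX_AGE_MS / 1000)}; Path=/; SameSite=Lax; Secure`;
}

function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch { return null; }
  }
  return null;
}

// Browser glue (no-op under Node). Changing 'type' on an existing <script> does not execute it,
// so each allowed inert tag is replaced by a freshly created one.
function activateInertScripts(record, doc = typeof document === 'undefined' ? null : document) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map(el => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const { el } of scriptsAllowed(inert, record)) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Withdrawal: store an all-refused record. Tags already executing cannot be un-run, so the page
// is reloaded, and cookies those tags set on your own domain should be expired as well.
function withdrawConsent(userAgent, doc = typeof document === 'undefined' ? null : document) {
  const record = createConsentRecord({}, userAgent);
  if (doc) { doc.cookie = serializeConsentCookie(record); doc.location.reload(); }
  return record;
}
```

On page load, parse `document.cookie` with `parseConsentCookie` and call `evaluateStoredConsent`; only a `'valid'` result lets you call `activateInertScripts(record)` and skip the banner, while `'none'`, `'expired'` and `'stale'` all mean the banner is shown and nothing non-essential runs until the visitor clicks. The banner's buttons build a record with `createConsentRecord`, write `serializeConsentCookie(record)` to `document.cookie`, post the same record to your server-side consent log, and then activate the inert scripts.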

A “DIY” approach to a cookie popup is not recommended for small businesses, due to the amount of work to build and maintain it, the expense of accessing qualified legal consultation to enable compliance, and the regulatory risks of mistakes or missing crucial components.

Discover which cookies and tracking technologies are active on your website to be compliant with CCPA, GDPR, LGPD, and more.

Consequences for a non-compliant cookie popup

Cookie popups are no longer just a formality; they are a necessity. If your cookie consent popup does not comply with relevant regulations, you could face hefty fines, operational disruptions, loss of customer trust and brand reputation, and a long-term hit to revenue.

For example, fines can be imposed for not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies. Fines are generally more severe for repeat offenses or willful violations.

Privacy compliance is now a key factor in business success. By taking data privacy seriously, you can gain a competitive edge and boost your marketing campaigns.

How a Consent Management Platform (CMP) can help

A consent management platform (CMP) provides tools to help you achieve and maintain compliance with data privacy laws such as the GDPR, the ePrivacy Directive, and CPRA.

For example, Usercentrics CMP and Cookiebot CMP automatically scan your website to find, categorize, and list all cookies and trackers in use, including third-party ones. They help you create personalized consent banners with relevant jurisdictional information to inform visitors and request their permission to use cookies.

Usercentrics and Cookiebot CMPs are also Google-certified, integrating seamlessly with Google Consent Mode and Google Tag Manager, enabling compliance with Google’s privacy requirements and maintenance of your marketing activities, including personalization and retargeting, in the EU, UK, and Switzerland.

Sign up for a free trial and experience how easily you can create a compliant cookie popup and start gathering consent from your website visitors.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Cookies play a crucial role in enhancing online experiences, making websites more functional and personalized, and enabling digital marketing. The shopping cart that stores your customers’ items while they continue to browse? That’s made possible via cookies, for just one example.

Cookies have also evolved into sophisticated tools for tracking user behavior, and empower businesses with valuable insights to boost engagement and optimize marketing activity, amongst other things. However, with this increased functionality comes consumer privacy concerns and regulatory requirements.

Companies that do business in the EU and collect personal data from EU residents in the process must comply with the General Data Protection Regulation (GDPR), which requires clear, unambiguous, and freely given user consent before collecting or processing personal data. It also requires transparency about cookie usage, and a defensible legal basis for data collection, among other stipulations.

Businesses must also keep up with evolving standards from industry leaders like Google (Alphabet), which, along with other designated “gatekeepers,” has to comply with the Digital Markets Act (DMA) — and as a result has levied data privacy requirements on its customers.

The DMA mandates that the gatekeepers meet certain requirements designed to encourage fair competition in digital markets and uphold the privacy rights of users. This adds another piece to the privacy compliance puzzle.

To navigate this landscape and continue to grow digital marketing operations, you’ll need to blend robust privacy practices with consent management software. By finding innovative ways to leverage cookie technology while complying with data privacy regulations, you can enhance the user experience, build trust, and protect advertising revenue.

Cookies, the GDPR, and “cookie law”

While cookies play a pivotal role in enhancing user experience and delivering personalized content online, they can also raise significant privacy concerns, particularly the use of third-party cookies, which track users across websites.

The personal data collected can, in some cases, be used to identify individuals, and some of it can be quite sensitive, including financial details.

These concerns are addressed by the GDPR and the ePrivacy Directive (ePD), which mandate measures to ensure that an individual’s personal data is handled securely, with consent, and that the end user is provided with clear information about data handling, their rights, and consent options.

Let’s break down how these regulations impact cookie use and what businesses need to know to stay compliant.

How cookies are affected by the GDPR and the ePrivacy Directive

The GDPR and the ePrivacy Directive govern the usage of cookies. The GDPR outlines the conditions for explicit user consent and a valid legal basis for processing personal data, while the ePrivacy Directive focuses on the privacy implications of electronic communications.

What the GDPR says about cookie use

What the ePrivacy Directive says about cookie use

Key requirements of the GDPR and the ePrivacy Directive include:

These regulations apply to the various kinds of cookies and to similar technologies that store or access information on a user’s device, such as:

Businesses must conduct regular audits to identify and manage all such technologies used on their sites as they change over time, to ensure ongoing compliance with both the GDPR and the ePrivacy Directive.

A high-performance consent management platform will include a cookie scanner that can scan sites regularly to detect and manage the cookies and trackers in use on websites, including hidden third-party ones that may change regularly.

GDPR cookies compliance myths

Cookie compliance misinformation can result in either overly cautious practices that hinder user experience or access to needed data, or insufficient preparation that risks noncompliance and potential penalties.

Debunking these myths will help to ensure your approach to cookie management is both effective and primed for GDPR compliance.

“My website doesn’t collect personal data.”

Many website owners assume that their site doesn’t collect personal data, especially if they’re only tracking website performance or functionality. Under the GDPR, however, the definition of personal data is broader than many realize.

Cookies used for advertising or analytics routinely collect information that can, directly or indirectly, identify an individual, such as IP addresses or unique identifiers stored in the cookie.

In practice, most cookies that are not strictly necessary capture some form of personal data, bringing their use under the scrutiny of supervisory authorities.

“Cookies are not personal data, which is why the GDPR does not apply.”

While a cookie as such is not personal data, the data it holds or collects can be. According to Recital 30 of the GDPR, individuals may be identifiable via online identifiers such as IP addresses or cookie identifiers. Whether the GDPR applies therefore depends on the kind of cookie in place and the data being collected.

It’s also wrong to assume that cookies are only regulated under the proposed ePrivacy Regulation, which has not been adopted and is not in force.

Intended to replace the ePrivacy Directive of 2002 (as amended in 2009 by the so-called Cookie Directive), the proposed ePrivacy Regulation would cover the processing of all electronic communications data, whether or not it contains identifiable personal data. Read more about the ePrivacy Regulation below.

“I don’t need a cookie banner.”

Cookies can collect personal data irrespective of their intended use, so you are required to inform users about the collection and processing of their personal data. The information must include what data is collected, how it’s processed, for what purpose, and on what legal basis.

Furthermore, the website operator must communicate how long the data is kept, who will have access to it, how they can contact the controller (the entity collecting personal data, like a website owner), and where they can revoke their consent.

“Telling users the site uses cookies is enough for compliance.”

Simply informing users that your site uses cookies is not sufficient for GDPR compliance, just like only presenting an “Accept” button for consent is not sufficient. The regulation demands a higher standard of transparency and user control.

Websites must provide clear, specific information about the types of cookies being used, the data they intend to collect, the purpose for processing, and who has access to this data.

Additionally, consent must be explicit and informed. This means users should be given the choice to accept or reject non-essential cookies without impacting their access to the website and its features.

Providing comprehensive cookie notices is crucial to ensure that users are fully aware of their choices and have meaningful control over their personal data.

A cookie notice can be a separate page on the website, but it’s commonly a section in the broader privacy policy. Regardless, like the privacy policy, it must be easy to access and understand for the average visitor.

“If I have a cookie banner in place, I’m safe.”

Having a cookie banner doesn’t mean you are automatically GDPR-compliant. The GDPR sets out seven conditions that consent must meet to be valid.

This means that the website operator must obtain the user’s consent via its cookie banner per these criteria.

Learn more: We define and explain these criteria in our article, GDPR consent requirements: 7 conditions for valid consent.

Moreover, compliance with other global privacy laws does not guarantee GDPR compliance. The GDPR has stringent and specific consent requirements that differ significantly from other jurisdictions.

For example, the GDPR uses an opt-in model for consent while US regulations such as the CCPA use an opt-out model.

“The ePrivacy Regulation will not affect the use of cookies.”

The proposed ePrivacy Regulation contains additional provisions for the use of cookies. As under the current ePrivacy Directive, essential cookies used for the technical operation of a website do not require the user’s consent, while those used for tracking or advertising purposes require explicit, active, and voluntary user consent.

It is also not compliant to try and categorize marketing cookies as essential, for example, in order to skirt consent requirements.

The ePrivacy Regulation is also intended to counteract and eliminate cookie walls. Accordingly, the whole website must remain accessible even if the user has not consented to the use of cookies.

GDPR cookie policy checklist

As you can see, these myths and assumptions can lead to confusion and compliance risks for website operators.

The following points should be noted to use cookies in a GDPR-compliant manner.

Duty to provide information

Cookie banners (aka consent banners) should include all necessary information, including how cookies are used on each web page.

Consent banner with granular user Privacy Settings options and Data Processing Services information

Furthermore, visitors must be told if their data is used to create profiles (processing they can object to under Art. 21 GDPR) and whether it may be transferred to third parties in countries outside the EU/EEA, as required by the information duties in Art. 13 GDPR. The latter is relevant, for example, if the cookie technology providers are based in the US.

Active consent

The cookie banner must ensure that the user can give their informed consent in advance, voluntarily, explicitly, and granularly for each web technology or category of technologies (or bundled for individual use areas).

There must also be a straightforward and simple way for users to object to the processing of their personal data, or to withdraw their consent.

Loading cookies

Under the GDPR, you may not use cookies to process or collect any data without a legal basis. Plus, cookies may not load until consent has been granted, meaning there must be a technical link between the cookie banner and your web technology. If the user refuses processing, cookies cannot be loaded.

Usercentrics CMP enables you to control cookies and block them until consent has been obtained. With the Google Consent Mode integration, it also signals consent information to Google services, controlling their function and data collection based on consent status.

Legally compliant documentation

In the event of a review by data protection authorities, the website operator must comply with its documentation obligation and be able to demonstrate their users’ consent.

To ensure all data is available in the event of an audit, various data points should be documented, including timestamps, user agents, and the version of the consent text.

The condition under which consent was given is also important — how large the “Accept” button was compared to the “Reject” button, whether the choice was voluntary, could the user use the site unhindered even when rejecting cookies, etc.

Most data privacy laws also include the right for consumers to know if website operators are collecting data about them, and to access a copy of that data, of which consent data is a part. This is another reason robust and secure documentation is important.
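To show what “demonstrating consent” looks like in code, here is an added example, not Usercentrics code, of an append-only consent log with a point-in-time query: it answers whether a given purpose was covered by a valid, not-yet-withdrawn consent at the moment a processing event happened, and exports everything held about one subject for an access request. The pseudonymous subject id, the event shape and the sample events are constructed for the example.

```javascript
// Added example (not Usercentrics code): an append-only consent log that can answer the question an
// auditor or a data subject access request actually asks: "was there valid consent for purpose P
// when this processing happened at time T?". Event shape and subject ids are this example's assumption.

class ConsentLog {
  constructor() { this.events = []; }   // append-only; an earlier event is never overwritten

  // Every banner interaction is appended, including refusals and withdrawals, with the fields
  // the page lists as audit evidence: timestamp, user agent and consent-text version.
  record(event) {
    for (const f of ['subjectId', 'timestamp', 'action', 'textVersion', 'userAgent']) {
      if (event[f] === undefined) throw new Error(`consent event missing ${f}`);
    }
    if (!['grant', 'withdraw'].includes(event.action)) throw new Error('unknown action');
    const stored = { ...event, choices: { ...(event.choices || {}) }, recordedAt: new Date().toISOString() };
    this.events.push(stored);
    return stored;
  }

  // The consent state that applied at time `at`: the latest event at or before it.
  stateAt(subjectId, at) {
    const t = Date.parse(at);
    let latest = null;
    for (const e of this.events) {
      if (e.subjectId !== subjectId) continue;
      const et = Date.parse(e.timestamp);
      if (et <= t && (!latest || et >= Date.parse(latest.timestamp))) latest = e;
    }
    return latest;
  }

  // Demonstrable consent for a purpose at a processing time: a grant that covered the purpose,
  // not withdrawn before that time, not older than maxAgeMs, and (optionally) given against the
  // consent text version in force, since a grant for older text does not cover changed purposes.
  covers(subjectId, purpose, at, { maxAgeMs = 365 * 24 * 3600 * 1000, textVersion } = {}) {
    const e = this.stateAt(subjectId, at);
    if (!e || e.action !== 'grant') return { ok: false, reason: e ? 'withdrawn' : 'no-consent' };
    if (e.choices[purpose] !== true) return { ok: false, reason: 'purpose-not-accepted', evidence: e };
    if (Date.parse(at) - Date.parse(e.timestamp) > maxAgeMs) return { ok: false, reason: 'expired', evidence: e };
    if (textVersion && e.textVersion !== textVersion) return { ok: false, reason: 'stale-text-version', evidence: e };
    return { ok: true, evidence: e };
  }

  // Data subject access request: everything held about one subject, oldest first.
  exportFor(subjectId) {
    return this.events.filter(e => e.subjectId === subjectId)
      .sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
  }
}

// Constructed sample events (not real data): a grant in March, withdrawn in June.
function demo() {
  const log = new ConsentLog();
  log.record({ subjectId: 'c0ffee', timestamp: '2024-03-01T10:00:00Z', action: 'grant',
               textVersion: 'v2', userAgent: 'Mozilla/5.0 (constructed)',
               choices: { necessary: true, analytics: true, marketing: false } });
  log.record({ subjectId: 'c0ffee', timestamp: '2024-06-15T09:30:00Z', action: 'withdraw',
               textVersion: 'v2', userAgent: 'Mozilla/5.0 (constructed)', choices: { necessary: true } });
  return log;
}
```

The point of `stateAt` is that the answer depends on when the processing happened, not on the subject's current state: an analytics hit from April is covered by the March grant even though the subject withdrew in June, while a hit from July is not. Storing withdrawals as events rather than deleting the grant is what makes that reconstruction possible, and it is also what the third parties mentioned above need if they must prove when they had to stop.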

Opt-out

Under the GDPR (Art. 7(3)), withdrawing consent must be as easy as giving it. This ensures that users can easily decline the use of cookies initially, and can just as easily change their preferences or withdraw consent at any time.

Consent banner with data processing information, consent buttons, and informational links

It’s not sufficient to direct users to external links or third-party pages to opt out. From the moment a user opts out, no further data should be collected or forwarded to any third parties. Any processing taking place on the controller’s behalf by third parties must also cease right away.

Therefore, the opt-out mechanism must be technically integrated with the cookie settings on your site and documented for compliance and transparency. This approach helps meet legal requirements and builds trust by respecting user choices at every step.

How to ensure GDPR cookie compliance

Ensuring GDPR cookie compliance involves following a series of regulatory requirements and data protection best practices that also help build user trust and form the foundation of privacy-led marketing.

  1. Have a cookie policy: Clearly outline what cookies are used, their purpose, and how data is managed in a cookie policy. This policy should be easily accessible on your website, either as an independent document or as part of the privacy policy.
  2. Implement cookie consent banners: Present contextually relevant consent banners. For example, when a user first visits your site, provide them with immediate, clear options to accept or reject non-essential cookies. Ideally use geotargeting to determine which regulations are relevant to the user, with multi-language support to present consent information in the visitor’s preferred language.
  3. Obtain granular consent: Enable users to give separate consent for different types of cookies (e.g., analytics, advertising). This helps ensure that consent is specific and informed.
  4. Monitor tracking technologies: Continuously review and update the cookies and tracking technologies present on your site to ensure they comply with the latest legal standards and technical requirements. A robust scanner built into your CMP can automate this to save time and resources.
  5. Optimize consent mechanisms: Ensure that consent mechanisms are intuitive and enable users to withdraw consent as easily as they gave it. This can be streamlined using a consent management platform like Usercentrics.

Google has specific requirements of its own, especially concerning how advertisers use cookies and data.

With Google Consent Mode, you can adjust how your Google tags behave based on the consent status of your users. This ensures that you continue gathering valuable data while still complying with the GDPR by respecting user preferences about cookies and data tracking.
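The mechanics of that, as an added example that is neither Google's nor Usercentrics' code: the banner's category choices are translated into Consent Mode signals. The `gtag()` shim is the standard dataLayer-push form, `ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage`, `functionality_storage`, `personalization_storage` and `security_storage` are Google's consent types, and the mapping from this page's categories (functional, analytics, marketing) onto those types is this example's assumption.

```javascript
// Added example (not Google's or Usercentrics' code): feeding banner choices into Google Consent Mode.
// In the browser, dataLayer must be the same array gtag.js reads; under Node it is a plain array.
const dataLayer = typeof window === 'undefined' ? [] : (window.dataLayer = window.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Every consent type starts denied. This call must run before the gtag.js/Tag Manager snippet loads.
// 'wait_for_update' asks tags to hold for up to 500 ms so a consent stored from an earlier visit
// can be applied before any ping is sent.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', functionality_storage: 'denied', personalization_storage: 'denied',
    security_storage: 'granted',   // strictly necessary (e.g. fraud prevention), needs no consent
    wait_for_update: 500,
  });
}

// Map banner categories onto consent types (assumed mapping). 'marketing' covers the three
// advertising signals; a refused, missing or unknown category always maps to 'denied' (fail closed).
function consentModeFromChoices(choices) {
  const g = c => (choices && choices[c] === true ? 'granted' : 'denied');
  return {
    ad_storage: g('marketing'), ad_user_data: g('marketing'), ad_personalization: g('marketing'),
    analytics_storage: g('analytics'),
    functionality_storage: g('functional'), personalization_storage: g('functional'),
    security_storage: 'granted',
  };
}

// Call after the visitor clicks, and again whenever they change or withdraw their choices.
function applyConsentUpdate(choices) {
  const update = consentModeFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

// Read back the most recent signal of a given kind (handy in a test or from the browser console).
function lastConsentSignal(command) {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const a = dataLayer[i];
    if (a[0] === 'consent' && a[1] === command) return a[2];
  }
  return null;
}
```

The ordering matters: if the default call runs after the tag library has loaded, the first hits go out with no consent state at all, which is the failure mode the "block until consent" checklist item is about.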

Usercentrics is a Google-certified CMP that integrates with the latest version of Google Consent Mode. With its library of over 2,200 legal templates and its comprehensive Data Processing Services (DPS) Scanner, Usercentrics enables you to obtain, document, and signal granular cookie consent.

Run a quick audit of your website’s cookie use to ensure compliance with the GDPR.

Managing cookies under the GDPR with Usercentrics

There’s a lot to consider when it comes to cookie compliance under the GDPR, but consent management tools like Usercentrics CMP simplify the process of collecting, managing, and signaling valid consent significantly.

Usercentrics provides a comprehensive solution for collecting, processing, and securely storing granular cookie consent, managing cookie banners, and documenting user consent as required by the GDPR. Speak to a Usercentrics expert today.

After several years of delays, in July 2024 Google announced that the company would not be deprecating third-party cookie use in the Chrome browser. The article’s content remains relevant, however, so we have left it in its original form, with this note, for educational and reference purposes.

Even without Chrome, other major browsers already block third-party cookies by default, and we believe that privacy-led marketing is the “cookieless” future.

Google plans to phase out the use of third-party cookies (set by external companies to track user behavior across the web) in the Chrome browser, and other browsers — Firefox, Safari, Opera, and Brave — have already deprecated third-party cookie support. This affects the type and volume of data available for marketers. There are also increasing pressures on digital marketers to meet strict data privacy standards. These pressures now come from influential tech platforms that millions of companies rely on, perhaps even more than from data protection authorities.

The cookieless future doesn’t mean there won’t be any cookies of any kind in use, just that third-party cookies and their sometimes indiscriminate tracking will be phased out. While marketers have long relied on the data third-party cookies collect, this data has often been collected with questionable — if any — consent from the people it’s sourced from. The data itself is also often of lower quality, needing to be aggregated with other data sources to be useful (and profitable).

Given the Chrome browser’s 65 percent majority market share as of mid-2024, however, the final deprecation of third-party cookie use will mark a significant milestone in the evolution of data processing, digital marketing, and privacy online. So “cookieless future” is in many ways appropriate.

We look at what the evolution of cookie use, changes in requirements for use of Google services, demands for data, and evolving privacy laws mean for companies. We also delve into the impacts of massive changes to established ways of doing digital marketing, and the solutions that companies can implement to make the cookieless future much brighter and more privacy-compliant.

What are the biggest challenges of the cookieless future for marketers?

There are increasing limitations on, and even elimination of, third-party data, which is indirectly derived from customers via various sources using third-party trackers and tools. Combined with the move to zero- and first-party data, which is limited to what customers consent to, this means marketers will see reduced data visibility, which will affect their ability to track and target users online. However, as noted, these other data sources are of higher quality, and less data is needed to gain valuable insights, since it comes directly from customers.

Additionally, there are tools and strategies to optimize data collection in ways that are privacy-compliant, and to use newer technologies to enable modeling to provide the information marketers need to understand audience segments, customer journeys, and more.

Previously, it wasn’t that consumers didn’t care about companies collecting so much of their data without consent; it was more that there was little they could do about it. That is changing, thanks to regulations putting more control over data access into consumers’ hands, and to people understanding that their patronage, and their data, hold influence. If companies want their data, people want to know what’s in it for them. And if they don’t feel they can trust companies to respect their privacy and secure their data, they’re increasingly inclined to take their business and data elsewhere, as a 2022 PwC survey noted.

Shifting strategy from “collect as much data as you can and we’ll figure out what to do with it later” to much more strategic data collection and analysis is not only a legal requirement today, it’s a much smarter strategy. Companies can ask consumers how they want communications, what they want to hear from companies about, and what data they consent to share. Companies demonstrate respect for privacy, better engage customers, and acquire much more accurate data that can inform all parts of marketing operations.

Once companies connect with customers and obtain data, they still need to analyze and measure the performance of their marketing efforts. Obviously, measurement based on old models, like those relying on third-party data, needs an overhaul. Fortunately, there are new tools and strategies to help, which we’ll get into. Even when users decline consent, there are ways to obtain anonymized data and to model conversion journeys to know which channels are converting, the ROI of campaigns, and other key insights.

Why do you need to be ready for a Google cookieless future?

Change is coming for digital marketers on a number of fronts. Data privacy regulations have been spreading globally for years, and now influential tech partners are levying strict privacy requirements on their customers to ensure end-to-end privacy compliance in their operations. We look at the most important factors that marketers need to build into their operations to succeed in the privacy-led future.

1. Legal compliance with data protection and user privacy regulations

Data privacy laws are becoming well established, with the majority of the world’s population now protected by some form of privacy regulation. However, it’s not uncommon for smaller companies to pay little attention even to established laws like the European Union’s General Data Protection Regulation (GDPR). It’s big and complex, there are large “gray areas” that require legal interpretation, and the penalties that have grabbed headlines seem to land almost exclusively on giant tech companies with global operations and billions of euros in revenue.

But what has grabbed the attention of millions of companies is new requirements handed down by Google to their customers and partners. Thanks to new laws like the Digital Markets Act (DMA), big tech platforms like Google, Meta, and Amazon have additional stringent privacy requirements to meet. And to ensure compliance, all the companies relying on their platforms for data, audience access, analytics, advertising, and more need to meet the same privacy standards.

2. Google’s requirements for advertisers

Google has also updated and is enforcing its EU user consent policy, which aligns with the requirements of the GDPR and ePrivacy Directive (ePD), further tightening consent requirements to its customer base.

If you’re using services like Google Ads or Google Analytics for users in the EU, UK, or Switzerland, you need to send Google consent signals via the latest version of Consent Mode, typically through a Google-certified consent management platform. This enables you to collect user consent for data collection and processing and signal it to Google services, which are then controlled based on users’ consent choices. If you don’t comply, you can lose access to key functionality, like personalization features.

3. Google’s requirements for publishers

Google also now requires publishers serving ads on websites or in apps to users in the EU/EEA or UK to implement the latest version of the IAB’s Transparency & Consent Framework (TCF 2.2), integrated via a consent management platform (CMP). Not doing so puts you at risk of losing advertising revenue in significant markets.

While Google’s privacy requirements are not fully global yet, it’s inevitable that as data privacy regulations continue to spread and evolve, data privacy requirements and robust consent management — including for cookie use — will become the global standard for doing business with influential tech platforms, enforcing a cookieless future.

Data privacy and marketing alignment

Navigating these new requirements means marketers need to embrace privacy-centric marketing strategies and technologies that align with evolving user privacy expectations. It requires giving up old notions of control over data and bringing together technologies to update the marketing stack, using consented data to drive campaigns, and doing the work to get to know customers and prospects directly so they welcome simply being asked about what they want from your company.

Google has presented core strategies for the future of measurement, including Google Consent Mode, Customer Match, server-side tagging, and Enhanced Conversions, emphasizing the pivotal role of user consent and transparent data practices for robust marketing operations in the cookieless future.

From third-party cookies to a cookieless world: embracing a privacy-first approach to marketing

A knee-jerk reaction to the evolution of digital marketing operations is that a lack of data will hamstring campaigns, affecting paid channel performance and measurement, for example. But this notion fails to take into account a critical fact outlined in a Google/Ipsos survey: providing a positive privacy experience can increase share of brand preference by 43%. Additionally, 71% of people prefer to buy from brands that are honest about what data they collect and why.

It’s not that valuable data is no longer available to marketers; it’s that it hasn’t occurred to some of them to provide customers and prospects with the right kind of experiences — that respect data privacy and are transparent about using data — that make them happy to provide it.

The impending end of third-party cookies in major web browsers calls for advertisers to take a proactive approach to adapt their marketing practices and data operations to the new cookieless world.

The same study confirms the impact of the privacy experience users have on your website or app. A positive privacy experience and a sense of control over their data can bolster brand preference and sales, while a negative experience can have a detrimental effect. With more and more data privacy regulations including a user right to data portability, voting with their feet (or phones) and wallets has never been easier, and marketers need to pay attention.

“Brands need to go beyond the basics to provide truly positive privacy experiences and there are clear, tangible actions advertisers can take to achieve that. This means letting people know why their data is being collected, what it will be used for, and how it is improving their experience. All these factors combine to create transparency and build trust with your customers.”

Zero- and first-party data in a cookieless world

The quality issue with third-party data, the kind collected by third-party cookies, is its distance from the source, i.e. a company’s website visitors, app users, ecommerce customers, etc. Much of it has to be aggregated to gain useful insights, and even then it’s nowhere near ideal.

What is ideal is building a direct relationship with these customers and getting their informed consent and preferences. This enables you to personalize communications, sales offers, targeted marketing, and more. Individuals hear from your company when they want and about what they want, which builds trust and increases engagement to grow long-term customer relationships and revenue. To do this, companies need zero- and first-party data.

Zero-party data for marketing in a cookieless world

Zero-party data is also referred to as self-reported, explicit, or opt-in data. It’s the gold standard for marketing in a cookieless world because it comes directly from visitors, users, and customers. It’s shared voluntarily and intentionally with their consent, and goes hand in hand with their consent choices about access to their personal data. Zero-party data doesn’t need to be aggregated or analyzed, because it’s direct information about what customers want.

Some examples of sources of zero-party data include surveys, product reviews, product preferences from orders, etc.

McKinsey has reported that companies earn 40 percent more revenue from personalization, so investing in operations to obtain and activate zero-party data, via preference management and other mechanisms, is well worth it.

Zero-party data is also valuable for product development and improvements, improved marketing programs, better sales strategy, and more.

First-party data for marketing in a cookieless world

First-party data is also referred to as proprietary, customer, in-house, or owned data. It’s obtained slightly less directly than zero-party data, so insights from it can be less accurate, but it’s still more valuable than third-party data, and an important source for marketing strategy and analysis.

Some examples of sources of first-party data include website analytics, ecommerce records, app usage data, and social media activities.

First-party data is particularly valuable for showing patterns in user behavior and preferences via activities, such as website session duration, page views, online purchases, software usage data, email engagement data, etc. Sometimes data from what people do can be more accurate than what they self-report via voluntary channels.

This data is useful for improving product user experience, enabling users to get more value from products, faster. On the business side, the data is useful for audience segmentation, marketing communications personalization, predictive modeling based on browsing and purchasing habits, campaign performance analysis, ROI interpretation, and budget optimization.

Preference management in a cookieless world

Preference management involves requesting information from users and customers, and then using it to tailor those individuals’ experiences with your company via communications, offers, and more. It’s a key source of zero-party data, and involves the most direct interaction rather than collecting data via user activities like web browsing.

Preference management also goes hand in hand with consent management, as when you want to know what customers want, that includes what personal data they agree to share with you and possibly with third-party partners.

Unlike with some third-party data collection, combining consent and preference management helps to ensure customers have full control over what they consent to in their interactions with companies regarding collection of data about them, communications, profiling and targeting, and more.

A preference management solution helps you gain higher open rates for emails, text messages, and more since they match the preferences of each customer. You target advertising more accurately, gain better visibility for product launches and sales, targeting customers who’ve specifically requested information about these campaigns.

Preference management delivers better customer experience all around and demonstrates respect for privacy and customer preference and choice. A cookieless future all companies can get behind.

Server-side tagging in a cookieless world

Server-side tagging is another solution to the end of third-party tracking. With this function, your tags are served from a server directly, rather than in the visitor’s browser. This provides more control over privacy compliance in data collection and sharing with third parties, important when evolving marketing activities for a cookieless culture.

With client-side tagging, each vendor's tag runs in the visitor's browser and sends the collected data straight to that vendor's servers; a tag manager makes deploying those tags easier, but every tag still talks to its third party directly. There is no single point at which you control what data leaves and who receives it, which is the privacy value of server-side tagging.

With server-side tagging the browser sends events to one first-party endpoint that you run (sitewide, for every page), and that server forwards data to third parties. It acts as a buffer between your customers, with their consent choices, and the vendors that want their data for tracking and analysis: the consent state attached to each event determines what is forwarded, and you decide which vendor gets access, when, and to which fields. Two caveats: the server enforces only the rules you configure, so the consent state must actually travel with the event and be checked before forwarding, and because the endpoint is first-party it should also verify that events originate from your own pages.
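The following is an added example of the forwarding decision such a first-party endpoint makes; it is not code from the original page or from any tag-management product. It assumes a JSON event posted from the browser that carries the visitor's consent state, and the vendor names, endpoints, purpose names and field names are made up for the demo.

```javascript
// Added example, not code from the page or from any tag-management product:
// a minimal server-side tagging policy. The browser sends each event to a
// first-party endpoint we control, together with the visitor's current consent
// state. The server, not the vendor's script, decides per vendor what leaves.
// Vendor names, endpoints, purposes and field names are made-up assumptions.

const VENDORS = [
  // purpose: consent category that must be granted before the vendor gets identified data
  // anonymousFallback: whether a stripped, identifier-free event may still be sent
  { name: 'analytics-vendor', endpoint: 'https://analytics.example/collect',
    purpose: 'analytics', anonymousFallback: true },
  { name: 'ads-vendor', endpoint: 'https://ads.example/conv',
    purpose: 'marketing', anonymousFallback: false },
];

// Fields that identify or help fingerprint the visitor.
const IDENTIFYING_FIELDS = new Set(['client_id', 'user_id', 'email', 'ip', 'user_agent']);

// Only events from our own pages are accepted (the browser's Origin header,
// carried in the request object here for simplicity).
const ALLOWED_ORIGINS = new Set(['https://shop.example']);

function validateRequest(req) {
  if (!ALLOWED_ORIGINS.has(req.origin)) throw new Error(`origin not allowed: ${req.origin}`);
  const ev = req.body;
  if (!ev || typeof ev !== 'object') throw new Error('body must be a JSON object');
  if (typeof ev.name !== 'string' || !/^[a-z_]{1,64}$/.test(ev.name)) throw new Error('bad event name');
  if (!ev.consent || typeof ev.consent !== 'object') throw new Error('consent state missing');
  if (!ev.payload || typeof ev.payload !== 'object') throw new Error('payload missing');
  return ev;
}

// Drop every field that could tie the event to a person.
function stripIdentifiers(payload) {
  return Object.fromEntries(Object.entries(payload).filter(([k]) => !IDENTIFYING_FIELDS.has(k)));
}

// Build the forwarding plan. It is returned rather than executed so the policy
// is testable offline; a real endpoint would then POST each 'forward' entry.
function buildForwardPlan(req, vendors = VENDORS) {
  const ev = validateRequest(req);
  return vendors.map((vendor) => {
    const granted = ev.consent[vendor.purpose] === true; // missing or undefined counts as denied
    if (granted) {
      return { vendor: vendor.name, action: 'forward', endpoint: vendor.endpoint,
               payload: { name: ev.name, ...ev.payload } };
    }
    if (vendor.anonymousFallback) {
      return { vendor: vendor.name, action: 'forward_anonymous', endpoint: vendor.endpoint,
               payload: { name: ev.name, ...stripIdentifiers(ev.payload) } };
    }
    return { vendor: vendor.name, action: 'drop', reason: `no consent for ${vendor.purpose}` };
  });
}

// Constructed sample request: the visitor accepted analytics but not marketing.
const SAMPLE_REQUEST = {
  origin: 'https://shop.example',
  body: {
    name: 'purchase',
    consent: { analytics: true, marketing: false },
    payload: { client_id: 'GA1.2.987', email: 'ann@example.org', value: 49.9, currency: 'EUR' },
  },
};

console.log(JSON.stringify(buildForwardPlan(SAMPLE_REQUEST), null, 2));
```

The sample yields a full forward to the analytics vendor and a drop for the ads vendor; with an empty consent object the analytics vendor instead receives only the non-identifying fields, and a request from a foreign origin is rejected before any vendor is considered.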

Additional benefits of server-side tagging include:

Digital marketing in a cookieless world

With all these changes to how marketing and advertising work online, it’s understandable that marketers could be worried. But there’s no need to be. There are already tools and solutions available that not only replace third-party data from cookies, but enable consented collection and use of higher quality zero- and first-party data, higher user engagement, better customer satisfaction, and sustainable revenue growth.

Marketing measurement in a cookieless world

Marketers are greatly concerned about moving away from third-party data and meeting business and regulatory requirements for obtaining valid user consent before accessing personal data, mainly because they fear losing accuracy: they need to keep measuring marketing activities reliably and target new and existing audiences precisely. Fortunately, there are solutions that help marketers obtain and signal user consent and still get the data they need for accurate measurement.

The Google cookieless future arrived for many companies with Google's consent requirements for marketers, advertisers, and publishers serving users in the EU. Since March 2024, advertisers using Google Ads or Google Analytics for audiences in the EEA and UK must pass users' consent choices to Google through Consent Mode v2 (the version that added the ad_user_data and ad_personalization signals) to keep using features like audience building and ad personalization, and publishers serving Google ads in the EEA must use a Google-certified consent management platform (CMP).

A solution like Usercentrics CMP enables companies to obtain valid consent for the processing of personal data, per the compliance requirements of laws like the GDPR. Then the integrated Consent Mode v2 signals the consent information to Google services, controlling tags for website and advertising performance with it, and blocking or enabling cookies and trackers depending on users’ consent choices.


Where measurement is concerned, when a visitor declines consent Google tags don't go silent: they send cookieless pings that set and read no cookies and carry no user identifiers, only limited signals such as the consent state and the page URL. Google uses these pings for conversion modeling, so website operators recover a significant share of conversion insight while the visitor's choice is respected, and the CMP reports consent banner interactions so consent rates can be optimized. Note that the pings are still requests to Google's servers, so describe this behaviour in your cookie policy alongside the Google tags it belongs to. It's a strong example of a consent-driven solution for a cookieless world that keeps marketing operations and business growth going.
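As an added example, not Usercentrics' or Google's code, the following shows how a CMP's granular category choices are translated into Consent Mode v2 signals. The gtag('consent', ...) API calls and the seven consent types are Google's; the CMP category names (analytics, marketing, functional) and the dataLayer shim that lets the snippet run outside a browser are assumptions for this demo.

```javascript
// Added example, not Usercentrics' or Google's code: wiring a CMP's category
// choices to Google Consent Mode v2. The gtag() consent API and the consent
// type names are real; the category names and the shim are assumptions.

// Minimal gtag shim so this runs outside a browser. On a real page gtag.js
// defines window.dataLayer and gtag() exactly this way.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: before any tag loads, declare everything denied. Without a default,
// tags behave as though consent were granted. security_storage is strictly
// necessary and stays granted.
function applyConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500, // ms to hold tags while the CMP reads a stored choice
  });
}

// Map CMP category choices onto Consent Mode types. Anything not explicitly
// true is denied, so an absent category is never treated as consent.
function consentModeFromChoices(choices) {
  const g = (c) => (choices[c] === true ? 'granted' : 'denied');
  return {
    ad_storage: g('marketing'),
    ad_user_data: g('marketing'),
    ad_personalization: g('marketing'),
    analytics_storage: g('analytics'),
    functionality_storage: g('functional'),
    personalization_storage: g('functional'),
    security_storage: 'granted',
  };
}

// Step 2: after the visitor interacts with the banner (or a stored choice is
// read back), push the update. Tags pick it up without a page reload.
function applyConsentUpdate(choices) {
  const update = consentModeFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

// Helper for inspection: the effective state per type, folding each
// 'update' over the 'default'.
function effectiveConsent() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] === 'consent' && (args[1] === 'default' || args[1] === 'update')) {
      for (const [k, v] of Object.entries(args[2])) if (k !== 'wait_for_update') state[k] = v;
    }
  }
  return state;
}

applyConsentDefaults();
applyConsentUpdate({ analytics: true, marketing: false }); // constructed banner choice
console.log(effectiveConsent());
```

With the constructed choice, analytics_storage ends up granted while the three advertising types stay denied, which is the state in which Google tags send the cookieless pings described above rather than setting advertising cookies.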

Marketing attribution in a cookieless world

Digital marketing is moving away from multi-touch attribution tools as browsers block or phase out third-party cookies. So how can marketers accurately track customers' conversion journeys? Here, again, conversion modeling can help.

Conversion modeling uses machine learning to estimate the links between ad interactions and conversions where cookies or other identifiers aren't available, so those conversions are still accounted for.

Ad interactions are grouped; one group has a clear link to conversion, and the others don’t. The conversions with clear conversion paths are subdivided into groups to identify patterns more specifically, e.g. distribution of product purchase volumes depending on the day of the week or time of day.

Machine learning can then predict characteristics for the other group of unidentified ad conversions based on data that is known, and characteristics from the clear conversion paths. Modeled conversions are typically only included in reporting when the degree of confidence is high that an ad display resulted in a conversion. This helps with reporting accuracy.

Google has also proposed the Privacy Sandbox APIs for several advertising use cases, including attribution reporting, in a form intended to support data privacy compliance. With the Attribution Reporting API the browser itself records the ad click or view and later reports the conversion in aggregated or noised form, so no party needs to track the individual across sites. Advertisers can still understand campaign impact in a privacy-centric way.

Optimized targeting and retargeting in a cookieless world

First-party data, coming directly from users, allows for significantly greater precision in optimizing targeting and retargeting activities. Consumers are all too familiar with poorly targeted ads, especially when they seem to follow individuals around online. Companies need to know what a prospect who converts looks like, which can be modeled from data collected (with consent), ideally in real time. Google Ads enables optimized targeting to help you find your ideal audiences, and is one of the Google services supported by Consent Mode to help ensure adherence to privacy standards.

As marketing evolves away from cookies, contextual targeting is becoming more important. Companies can direct advertising based on users’ demonstrated interests, respecting their privacy and data preferences, rather than trying to broadly harvest enough data in an effort to understand the user and present ads that engage them.

To do retargeting well, companies need good data sources and user consent, which consent and preference management explicitly deliver. As retargeting evolves, along with many digital marketing operations — not to mention data privacy laws, business requirements, and consumer savvy — this will only continue to become more important.

For a successful user journey that results in conversions (and happy customers), companies will need tools and insights to carefully craft messaging that matches customers’ actions, interests, and consent choices. Instead of blasting individuals who didn’t immediately convert with ads and potentially questionable personalization, companies can use more sophisticated campaigns to stay top of mind with prospects where they like to browse, based on known patterns and interests, until they’re ready to buy.

Google's tools to implement consent and a privacy-first approach also extend to retargeting. Within Privacy Sandbox, the Protected Audience API keeps the interest groups a user was added to inside the browser and runs the ad auction there, which supports remarketing on future interactions without sharing the user's browsing across sites.

Consent management is the lynchpin of these new marketing tactics, in addition to being a key tool to enable data privacy compliance with an ever-increasing number of regulations, guidelines, and policies around the world.

While companies have gotten used to established laws like the GDPR, more recent regulations like the Digital Markets Act (DMA) have added new pressure to achieve and maintain privacy compliance as a business requirement. Because designated gatekeepers like Google, Meta, and Amazon must meet stringent standards themselves, they pass requirements down to their customers, demanding proof of consent for advertising, analytics, and other data uses so that compliance holds end to end.

A consent management solution sits at the middle of the marketing stack to record customers’ consent preferences, and enable signaling them to control the many marketing functions, from Google tags to vendor campaigns. It also enables companies to prove that they obtained valid consent in the event of an audit or data subject request.

A consent management platform enables users to make granular choices about their data use, saying “yes” to cookie use for marketing purposes, “no” to analytics, and so on. Or they can consent to all cookie use (increasingly first-party, as third-party cookies are blocked or deprecated) or decline all cookies and tracking technologies except those essential for core website functions.

What’s next for the marketing cookieless future?

While marketers have relied on third-party cookies for a long time, they have always been imperfect tools, and they simply don’t fit today’s technology and privacy requirements, and customers’ expectations.

Not to worry, there are plenty of tools now for the marketing stack, and evolving strategies that respect privacy and enable compliance, while still delivering the data marketers need for precision, engagement, and conversions.

Of course, as with any big change, getting your new privacy-led marketing tactics and measurement right will require some fine-tuning. You will need to test and optimize both to get the zero- and first-party data you need, and increase data volumes by improving opt-in rates and increasing user buy-in to personalization.

A layered approach is also important, including using advanced data modeling and AI. AI-driven attribution is being considered as a solution to stitch together longer customer journeys, enabling more effective tracking and personalized targeting in the absence of traditional cookie-based measurement systems.

Each company needs to determine the right toolkit for its operations; there isn't one blanket solution to overhaul marketing operations or preserve traditional methods of measurement. Not all companies will have the data volumes that platform-provided functions like conversion modeling require, and so may need to handle analysis with internal data science. Very small companies may lack both the data and the resources, but even tiny startups can listen to their customers, respect their privacy, and deliver great customer experiences that make people happy to share their preferences and information.

The cookieless future is here, and it brings with it better customer experience by incorporating built-in end-to-end privacy in marketing operations, relying only on data coming directly from the customer, which in turn enables true personalization, and builds longer-term relationships based on trust.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

As privacy laws become stricter, achieving and maintaining compliance with the major data privacy regulations, like the General Data Protection Regulation (GDPR), and large tech platforms’ requirements resulting from the Digital Markets Act (DMA), is essential for marketers who want to gain in-depth insights, deliver personalized experiences, and win their customers’ trust.

To help you choose cookie tracking software that will meet your data privacy needs in 2025 and beyond, we’ve curated a list of tools that can deepen your understanding of user behavior while simultaneously navigating the complexities of major data privacy laws.

Our picks of the top cookie tracking software:

Usercentrics
Key feature: Granular preference management. Provide users with the option to accept or reject a range of different cookies on one notice with just a few clicks.
Recommended for: Businesses of any size, SMB to enterprise
Price*: From USD 60/month; 30-day free trial available

Cookie Information
Key feature: Daily and weekly scans. Get regular updates about all the cookies on your website.
Recommended for: Medium-sized businesses
Price*: From EUR 15/month; 30-day free trial available

CookieFirst
Key feature: Re-consent. Increase opt-in rates by setting goals for returning visitors.
Recommended for: Solopreneurs managing a single domain
Price*: From EUR 9/month; free tier available; 2-week free trial

CookieYes
Key feature: WordPress plugin. Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin.
Recommended for: Small businesses
Price*: From EUR 10/month; free tier available; free 14-day trial

Axeptio
Key feature: Conversational UI. Incorporate friendly characters into cookie banners to create empathy and goodwill with users.
Recommended for: Businesses needing a low-code solution
Price*: From USD 29/month; free tier available

Complianz
Key feature: Easy wizard. Get step-by-step guidance when setting Complianz up on your website.
Recommended for: Businesses using WordPress
Price*: From USD 59/month; 30-day money-back guarantee

Termly
Key feature: Cookie Policy Generator. Generate one free cookie policy for your website.
Recommended for: SMBs looking for a budget solution
Price*: From USD 10/month; free tier available

*As of July 2024

Why should you keep track of cookies?

Tracking cookies enable you to collect data about users — including visitor demographics, preferences, and behavior patterns — so that you can tailor your website content to enhance the user experience and increase engagement.

It's not all about improving performance, though. First- and third-party cookies are a cornerstone of online advertising. However, as a data controller (the party responsible for the collection and processing of personal data) you must, under the GDPR and the ePrivacy Directive and under several other major privacy laws, get explicit and prior consent from data subjects (the visitors whose personal data the cookies collect) before setting any non-essential tracking cookies. Laws that follow an opt-out model, like the CCPA/CPRA, instead require clear notice and a working opt-out.

Failing to meet the requirements of these laws can lead to hefty fines, damage your business’s reputation, and potentially limit future opportunities for growth.

This is where cookie consent management software comes in. These tools make it easy to tell your website and app visitors what types of tracking software are present on your website, to offer them clear and granular options for cookie consent, and finally, to keep a detailed record of their consent, as required by regulations such as the GDPR.

We assessed eight of the top cookie tracking software platforms on the market. We scoured user reviews and considered their key features for managing cookie consent, options for customization, and breadth of integrations and supported languages, etc.

1. Usercentrics

An all-in-one consent management platform (CMP), Usercentrics helps businesses manage cookies and GDPR compliance. Trusted by more than 2.2 million websites and apps in 195 countries, the platform is a market leader in solutions for data privacy and privacy-led marketing.

Usercentrics’ cookie detection, categorization, and autoblocking functionality helps enable GDPR cookie consent as well as adherence to other major privacy regulations like the Digital Markets Act (DMA) requirements handed down by designated “gatekeeper” companies, and California Consumer Privacy Act (CCPA).

Usercentrics CMP also comes with the latest version of Google Consent Mode and the IAB TCF 2.2 integrated, helping meet Google’s latest requirements for publishers and advertisers.

Key features

Usercentrics pricing

Usercentrics offers a free 30-day trial, after which users can sign up for one of the following paid plans.

✅ Pros
Consent records stored on EU-based servers
Automatically blocks third-party cookies
A/B testing
❌ Cons
Analytics data only available for 90 days

Usercentrics' robust consent management platform makes it easy to offer clear and compliant cookie consent options to your users.

2. Cookie Information

Cookie Information has a stated mission to help businesses collect valid consents to comply with privacy laws and build trust with their customers. The platform offers consent management for both websites and mobile apps but doesn’t offer A/B testing.

Key features

Pricing

✅ Pros
Plugin for WordPress available
Detailed consent rate insights
Google Certified CMP partner
❌ Cons
No A/B testing

3. CookieFirst

CookieFirst advertises a quick and easy signup to get users on their way to achieving GDPR compliance in minutes. The tool then scans your site for first- and third-party cookies, after which you can configure your settings and customize your cookie banner with just a few clicks. There is a free version, but you'll only get a cookie banner in one language along with a one-off cookie scan.

Key features

Pricing

✅ Pros
Free tier available
Google Consent Mode and Google Tag Manager integrations
44+ languages supported
❌ Cons
No app consent solution

4. CookieScript

CookieScript is a self-hosted CMP with geotargeting that works across 250 countries and 50 US states. While the platform does store all consent records on servers in the EU, users will need to sign up for its Plus tier for access to all of its GDPR features, such as record-keeping for user consents and IAB TCF 2.2 integration.

Key features

Pricing

CookieScript’s pricing is determined by the number of domains that the CMP is added to. Subscriptions are priced per month, but you’ll be locked into a year-long contract.

Pricing for one to two domains is as follows:

✅ Pros
All data stored on EU servers
Ability to manage multiple websites from one dashboard
Transparent, per-domain pricing
❌ Cons
All GDPR tools only available on the most expensive plan

5. CookieYes

CookieYes states that the company is trusted by more than 1.5 million businesses worldwide. After starting out as a WordPress plugin, their product has since become a fully fledged cookie consent solution. Despite its range of features, essentials like Global Privacy Control and geotargeting are only available on its two most expensive plans.

Key features

Pricing

CookieYes offers a 14-day free trial, after which users can sign up for a month-to-month or annual subscription. Plan prices are for a single domain:

✅ Pros
Available as a plugin for all major CMS
Multilingual banner, in 30+ languages
Customer support is responsive (G2 users report)
❌ Cons
All plans limit page scans

6. Axeptio

Axeptio brings some levity to cookie consent management branding itself as fun and approachable, with fresh UX. The platform is designed to be a low-code consent management suite, making it perfect for teams with limited tech expertise or resources.

Key features

Pricing

✅ Pros
Single widget to manage all consents
Supports 25 languages
Live training and webinars
❌ Cons
Cookie management only available in the Enterprise and Agency plans

7. Complianz

Complianz is a native privacy suite for WordPress websites. Thanks to a setup wizard, it’s easy to set up. It also includes over 250 service and plugin integrations. While it does come with a cookie scanner, Complianz users have reported that it isn’t always accurate and doesn’t recognize third-party cookies.

Key features

Pricing

Complianz plans are priced per year.

✅ Pros
Includes setup wizard
30-day money back guarantee
WCAG and ADA compliant
❌ Cons
Self-hosted only

8. Termly

Designed with small businesses in mind, Termly is an out of the box compliance solution that aims to help users stay up to date with major data privacy laws in more than 25 regions. The platform’s pricing is competitive, but it lacks some features and functions that larger businesses would need for it to be useful.

Key features

Pricing

✅ Pros
Supports IAB TCF 2.2 and Google Consent Mode
Automatic policy generation
Supports compliance with data privacy laws in 25+ regions
❌ Cons
Only one domain included in the license

Choosing the right cookie tracking software is essential for staying compliant and building trust with your users. Here are the must-have features to look for:

The right cookie tracking software can help you to achieve compliance with the major data privacy laws without affecting the quantity or quality of insights you’re able to gain from tracking user behavior.

Usercentrics helps you ensure quality marketing insights and maintain personalization — while respecting user privacy and building trust.

The Usercentrics CMP is compatible with all your favorite marketing tools, enabling you to offer users a personalized experience on every platform and achieve privacy compliance with the GDPR, ePrivacy Directive, and Google’s EU user consent policy.

Offer clear and compliant cookie consent options with Usercentrics. Achieve compliance with major data privacy regulations.

When it comes to online privacy compliance, understanding the nuances between opt-in and opt-out consent is crucial for businesses and website owners. These concepts form the backbone of how personal information is collected, used, and shared online.

Different global privacy laws dictate the specific consent model to be used, impacting how website owners engage with their users. Some international companies may have to navigate both models, depending on where their customers are located and relevant regulations.

That’s why it’s vital to understand the differences between opt-in and opt-out consent, the regulatory requirements surrounding them, users’ rights, and best practices for implementing these models effectively.

Opt-out vs opt-in — what’s the difference?

Opt-in and opt-out are both ways of managing people’s consent for collecting, using, and disclosing their personal information online. However, they differ in how they work and the process they take to do so.

To know when a website owner should implement opt-in or opt-out measures, it’s important to understand the difference between the concepts and what each option seeks to accomplish.

What is opt-in?

Opt-in consent requires website visitors to actively and explicitly agree to the collection, use, or sharing of their personal data. Opt-in means website owners must ask for someone’s consent or permission before or at the time when personal data would be collected, like when a visitor arrives on a website.

Example of opt-in consent

Website owners may use this method to seek user consent for storing cookies, subscribing to marketing emails, or for other activities that collect users’ personal data.

For example, when creating an account on Amazon, users will need to fill in a form, provide their name, email address, and create a password. Below this is a section dedicated to communication preferences, and there’s an unchecked box with the following text:

“Yes, I want to receive personalized product recommendations and exclusive deals from Amazon. By checking this box, I agree to receive marketing emails. I understand I can unsubscribe at any time by clicking the link in the email or adjusting my account settings.”

To agree to this, users need to take action and check the box. It is not pre-checked.

By presenting this opt-in choice, Amazon ensures that customers who receive marketing communications have actively consented to do so, aligning with data protection regulations and respecting user preferences.

A common sight for consumers online in the European Union, and increasingly around the world, is the consent banner that appears when people arrive on a website for the first time (or after a long period, when previous consent choices may have expired). These banners request consent for cookies that collect personal data, whether identifiers that tie a browser to an account and, in ecommerce, to its contact, payment, and order history, or records of user behavior used to improve website performance or marketing initiatives. This is also the opt-in model of consent in action.

Which global privacy laws require opt-in consent?

Several global privacy laws and frameworks mandate that website owners use an opt-in consent model. These include:

It’s important to note that while these laws generally require opt-in consent, the specific requirements and circumstances under which opt-in consent is necessary may vary. Some laws may have exceptions or different standards for certain types of data processing. Additionally, the implementation and enforcement of these laws can differ across jurisdictions.

The list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation. Generally, the opt-in consent model is the most common globally.

What is opt-out?

The opt-out consent model requires website owners to share that they collect personal data, how it is used, and other information, but they do not have to get explicit user consent before collecting or processing the data.

Individuals have the option to take specific action to refuse or withdraw consent at any time, however, for functions like the sale or sharing of their data, or its use for profiling or targeted advertising, depending on jurisdiction. Individuals are responsible for actively opting out if they wish to protect their data.

A common exception to this is when the personal data in question has been categorized as “sensitive”. This is data that can be extra harmful if misused and can include information like healthcare history, sexual orientation, financial information, religious beliefs, and more. The data of known children is also commonly categorized as sensitive by default. For sensitive data, prior consent (opt-in) is typically needed, from the parent or guardian in the case of children.

Example of opt-out consent

The California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA), provides a clear example of an opt-out consent model.

Imagine a popular ecommerce website that operates in California. Under the CPRA, this website can collect and use customer data for various purposes, including targeted advertising and sharing with third-party partners, without obtaining explicit consent upfront. However, the law requires the website to provide consumers with a straightforward way to opt out of these practices.

To comply, the ecommerce site must prominently display a “Do Not Sell or Share My Personal Information” link on its homepage and in its privacy policy. When a customer clicks this link, they are directed to a page where they can exercise their right to opt out of the sale or sharing of their personal information. The website must then honor this request and stop selling or sharing that customer’s data.

Also under the CPRA, companies that process sensitive personal data are required to implement a link reading “Limit the Use of My Sensitive Personal Information” to enable visitors to exercise their rights, or a “single, clearly-labeled link if such link effortlessly allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.”

Which privacy laws allow opt-out consent?

Multiple global privacy laws authorize website owners to use opt-out consent models. These include:

It’s important to note that while these laws generally permit opt-out consent, the specific requirements and circumstances under which opt-out consent is allowed may vary. Some laws may have exceptions or different standards for certain types of data processing.

Additionally, the list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation.

If you collect personal data from people in the EU, sensitive personal information, personal information from minors, or use non-essential cookies (including third-party cookies), you most likely need explicit consent and must implement an opt-in consent model, unless another lawful basis for processing applies.

To ask for opt-in consent in a privacy-compliant manner, there are eight steps website owners must follow. These are:

  1. Be clear and transparent: Use plain, easy-to-understand language to explain what data you’re collecting, how it will be used, and other parties that may have access to it. Avoid legal jargon or complex terms. This is often done via a cookie banner.
  2. Make it specific: Obtain separate consent for different purposes rather than using blanket consent. This enables users to choose which activities they want to opt in to.
  3. Use active opt-in methods: Use unchecked boxes, toggles set to “off” by default, or explicit confirmation buttons. Avoid pre-ticked boxes or other methods that assume consent: the CJEU ruled in Planet49 (C-673/17) that a pre-ticked box does not constitute valid consent under the GDPR, and regulators likewise treat manipulative design that nudges users toward consent as invalid.
  4. Provide granular options: Enable users to select which types of data they’re willing to share or which specific activities they consent to.
  5. Make it easy to withdraw consent: Provide a clear and simple way for users to change consent preferences or withdraw their consent at any time.
  6. Use just-in-time consent: Request consent at the moment you need to collect or use the data, providing context for why it’s needed. A blanket “clickwrap” agreement is not compliant with most personal data collection regulations.
  7. Keep records: Maintain detailed records of when and how consent was obtained for each user, and any changes over time.
  8. Test different approaches: A/B test different UI configurations and/or consent flows to find what works best for your users while maintaining privacy compliance.
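The following is an added example, not code from the page or from any CMP vendor, of how steps 2, 3, 4, 5 and 7 fit together in code: an append-only consent ledger with granular purposes, a check that the banner's controls default to off, withdrawal recorded as a new decision, and a version check so consent given to an older policy text does not carry over. The purpose names, the policy version string and the banner state object are assumptions for the demo.

```javascript
// Added example, not from the page or any CMP vendor: an append-only consent
// ledger for opt-in consent. Purpose names, policy version strings and the
// banner state shape are assumptions for the demo.

const PURPOSES = ['analytics', 'marketing', 'functional']; // strictly necessary cookies need no consent

// Step 3: a banner whose controls are anything but off-by-default is rejected
// before it is shown, so pre-ticked consent can't be recorded by accident.
function assertBannerDefaultsOff(bannerState) {
  for (const p of PURPOSES) {
    if (bannerState[p] !== false) throw new Error(`purpose "${p}" must default to off, got ${bannerState[p]}`);
  }
  return true;
}

// Step 7: each decision is one immutable event; we never overwrite, we append.
// `evidence` records how consent was collected (banner id, language, source).
function recordDecision(ledger, { subjectId, choices, policyVersion, evidence, at }) {
  const granted = PURPOSES.filter((p) => choices[p] === true); // only an explicit true counts
  const event = Object.freeze({
    subjectId, at, policyVersion, evidence,
    granted: Object.freeze(granted),
    denied: Object.freeze(PURPOSES.filter((p) => !granted.includes(p))),
  });
  ledger.push(event);
  return event;
}

// Latest decision wins, but only if it was given for the current policy
// version; consent to an older policy text does not carry over.
function currentChoices(ledger, subjectId, policyVersion) {
  const latest = [...ledger].reverse().find((e) => e.subjectId === subjectId);
  if (!latest || latest.policyVersion !== policyVersion) {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }
  return Object.fromEntries(PURPOSES.map((p) => [p, latest.granted.includes(p)]));
}

// Step 5: withdrawal is just a new decision that no longer grants that purpose.
function withdraw(ledger, { subjectId, purpose, policyVersion, at }) {
  const current = currentChoices(ledger, subjectId, policyVersion);
  return recordDecision(ledger, {
    subjectId, policyVersion, at,
    choices: { ...current, [purpose]: false },
    evidence: { source: 'preference-center', action: `withdraw:${purpose}` },
  });
}

// Steps 2 and 4: the question every tag or processor asks before running,
// per purpose, never as a blanket yes.
function mayProcess(ledger, subjectId, purpose, policyVersion) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose ${purpose}`);
  return currentChoices(ledger, subjectId, policyVersion)[purpose] === true;
}

// Constructed walk-through: consent to analytics and marketing, then a
// withdrawal of marketing one week later.
const ledger = [];
assertBannerDefaultsOff({ analytics: false, marketing: false, functional: false });
recordDecision(ledger, {
  subjectId: 'u-42', at: '2024-07-01T10:00:00Z', policyVersion: 'cookie-policy-v3',
  choices: { analytics: true, marketing: true },
  evidence: { source: 'banner', bannerId: 'b1', language: 'en' },
});
withdraw(ledger, { subjectId: 'u-42', purpose: 'marketing', policyVersion: 'cookie-policy-v3', at: '2024-07-08T09:00:00Z' });
console.log(JSON.stringify(ledger, null, 2));
```

Because the ledger is append-only and every event carries the policy version and how it was collected, it doubles as the record an auditor or a data subject request would ask for; a subject's current state is always derived from the events, never edited in place.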


By following these eight steps, website owners can gather opt-in consent in a manner that complies with the GDPR, LGPD, and multiple other global privacy laws. This process also respects user privacy and builds trust.

If you are collecting and processing personal data in a jurisdiction that allows you to do so without obtaining prior consent, you will still legally need to notify users and enable them to opt-out.

To do this in a CPRA-compliant manner, for example, here are eight best practices website owners must follow. These are:

  1. Clear and prominent notice: Provide a clear, conspicuous notice about data collection and use practices, along with an easy-to-find opt-out option. This could be a prominent link or button labeled “Do Not Sell or Share My Personal Information” or similar, depending on what the relevant regulation outlines.
  2. Easy opt-out process: Make the opt-out process simple and straightforward. Avoid multi-step processes or requiring users to create accounts to opt-out.
  3. Clear communication: Explain in simple terms what opting out means for the user’s experience and what data will no longer be collected or shared.
  4. Timely response: Process opt-out requests promptly. The CPRA regulations, for example, require businesses to comply with a request to opt out of sale or sharing within 15 business days.
  5. Granular options: Enable users to opt out of specific data uses rather than only offering an all-or-nothing approach. This also benefits marketing operations, as some data collection can be maintained with the user’s consent.
  6. Maintain records: Keep detailed records of opt-out requests and how they were honored.
  7. Respect opt-out duration: Once a user opts out, honor that choice for at least 12 months before asking them to opt back in.
  8. Third-party compliance: Ensure that any third parties you share data with also honor user opt-out choices. Under many laws, the controller has ultimate responsibility for privacy compliance, including the activities of third-party processors working for them.

By implementing these practices, website owners can create a transparent and user-friendly opt-out process that respects privacy rights while complying with relevant data protection regulations.

Email marketing and opt-in or opt-out

Email marketing requires businesses to navigate the rules around opt-in and opt-out practices.

Opt-in emails are essential for ensuring that consumers have willingly provided their email addresses for marketing purposes.

Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, mandate explicit opt-in consent.

To comply, businesses should display an unchecked checkbox for users to select if they want to receive marketing communications and include an easy opt-out option in every subsequent email.

In contrast, opt-out practices focus on allowing recipients to unsubscribe from marketing emails they no longer wish to receive.

This approach is particularly relevant in the United States, where the CAN-SPAM Act governs direct marketing practices.

The Act requires that all marketing messages be clearly identifiable as commercial communications, provide a simple and prominent unsubscribe mechanism, and include accurate header information and subject lines.

Additionally, organizations must provide a valid physical postal address to inform recipients of their location.

Combining these practices ensures that businesses respect consumer preferences while complying with international and local regulations, thereby maintaining trust and improving the effectiveness of their email marketing campaigns.

What is double opt-in, and when is it necessary?

Double opt-in is an email marketing consent process that requires subscribers to confirm their subscription through a verification email after initially signing up. This process typically involves a user submitting their email address through a signup form, receiving a confirmation email with a verification link, and clicking the link to confirm their subscription and be added to the mailing list. This mechanism is used for marketing emails, newsletter subscriptions, and other voluntary communications.

Double opt-in is necessary or beneficial in several scenarios:

Double opt-in has benefits, but it’s also worth noting that it could result in slower list growth compared to single opt-in. However, the trade-off is often a more engaged and higher quality subscriber base, and more robust and trustworthy consent management practices.

Preference management

One potentially important addition to the marketing toolkit for companies is preference management, which works hand in hand with consent management. It’s also a source of zero-party data, which is something of a “holy grail” in marketing as it’s high-quality data that comes directly from customers. This is even more valuable with the phasing out of third-party cookies.

Preference management involves obtaining information from customers about their interests and preferences directly, like whether they prefer marketing emails or SMS notifications, or if they want communications about sales only or also about new product launches, etc.

This information can be collected in a dedicated preference management center, in account settings, via surveys, and through other mechanisms. The advantage of preference management is that companies then have explicit information about what customers want, along with their consent to deliver it in the specified ways.

Choose the right approach for your data privacy needs

Navigating the complexities of opt-in and opt-out consent models is essential for maintaining compliance with global privacy laws and respecting user preferences.

Opt-in consent requires explicit agreement from users before their data can be collected or used, ensuring a high level of transparency and user control. Conversely, the opt-out model presumes consent until the user explicitly withdraws it, placing the onus on users to protect their data and privacy in most cases.

Understanding and implementing these consent practices, along with adhering to specific regulations like the GDPR, helps businesses build trust, enhance user engagement, expand Privacy-Led Marketing operations, and stay compliant with data privacy requirements.

By following best practices for both consent models, website owners can create a user-friendly and legally sound environment for their online activities, no matter where their visitors are located.

Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.

We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.

Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.

What is Google Tag Manager?

At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.

Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.

Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.

Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.

In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.

Does Google Tag Manager use cookies?

The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.

While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.

Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).

Google Tag Manager and cookie consent

Google Tag Manager doesn’t directly require cookie consent because the container itself doesn’t set cookies, and so doesn’t collect personal information through them. One caveat worth keeping in mind: the container script is loaded from Google’s servers, so that request still discloses the visitor’s IP address and browser headers to Google. Whether that transfer needs a legal basis of its own is a question for your privacy counsel; GTM’s cookie behavior alone does not answer it.

However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.

Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.

Is Google Tag Manager GDPR-compliant?

Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.

By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.

To use GTM in a GDPR-compliant manner, website owners need to take several steps:

GDPR data processing using Google Tag Manager

Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags, because it often deploys scripts and tags that collect personal data. Website owners must therefore ensure that tags implemented through GTM only fire after proper user consent has been obtained, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with its stipulations.

One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.

Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.
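The data minimization and purpose limitation reviews just described are easiest to repeat if they run against the container export rather than by clicking through the interface. The script below is an added example, not Google tooling or anything from this page: it audits a container for tags with no documented purpose, tags with no consent requirement configured, custom HTML tags exempt from consent checks, and tags with no live firing trigger. The container is constructed for the example; its field names follow the shape of a GTM container export (containerVersion.tag[], consentSettings.consentStatus, firingTriggerId) but treat them as an assumption and compare them with an export from your own workspace. The "Purpose:" note convention is likewise this example's own.

```javascript
// Added example, not Google's tooling: audit a GTM container export for the
// data-minimization and purpose-limitation checks discussed above.
// The container is constructed here; field names are assumed to match a GTM export.
const SAMPLE_CONTAINER = {
  containerVersion: {
    trigger: [
      { triggerId: '1', name: 'Consent Initialization - All Pages', type: 'CONSENT_INIT' },
      { triggerId: '2', name: 'All Pages', type: 'PAGEVIEW' },
      { triggerId: '3', name: 'Purchase - Thank You page', type: 'PAGEVIEW' },
    ],
    tag: [
      { tagId: '10', name: 'GA4 - Pageview', type: 'gaawe', firingTriggerId: ['2'],
        notes: 'Purpose: traffic analytics (analytics_storage)',
        consentSettings: { consentStatus: 'NEEDED',
          consentType: { type: 'LIST', list: [{ type: 'TEMPLATE', value: 'analytics_storage' }] } } },
      { tagId: '11', name: 'Ads - Purchase conversion', type: 'awct', firingTriggerId: ['3'],
        notes: '',
        consentSettings: { consentStatus: 'NOT_SET' } },
      { tagId: '12', name: 'Legacy Pixel (custom HTML)', type: 'html', firingTriggerId: ['2'],
        notes: 'Added 2019, owner unknown',
        consentSettings: { consentStatus: 'NOT_NEEDED' } },
      { tagId: '13', name: 'Old A/B test snippet', type: 'html', firingTriggerId: [],
        notes: 'Purpose: experiment, ended',
        consentSettings: { consentStatus: 'NEEDED',
          consentType: { type: 'LIST', list: [{ type: 'TEMPLATE', value: 'functionality_storage' }] } } },
    ],
  },
};

// Normalizes 'NOT_SET' / 'notSet' / missing to one of: notset, needed, notneeded.
function consentStatus(tag) {
  const raw = (tag.consentSettings && tag.consentSettings.consentStatus) || 'NOT_SET';
  return String(raw).toLowerCase().replace(/_/g, '');
}

function requiredConsentTypes(tag) {
  const cs = tag.consentSettings || {};
  const list = (cs.consentType && cs.consentType.list) || [];
  return list.map((item) => item.value);
}

// Returns one finding per problem: { tag, issue }. An empty array means clean.
function auditContainer(container) {
  const { tag: tags = [], trigger: triggers = [] } = container.containerVersion;
  const knownTriggers = new Set(triggers.map((t) => t.triggerId));
  const findings = [];
  for (const tag of tags) {
    const status = consentStatus(tag);
    const note = (tag.notes || '').trim();
    // Purpose limitation: every tag carries a documented purpose in its notes.
    if (!/purpose/i.test(note)) findings.push({ tag: tag.name, issue: 'no documented purpose in notes' });
    // Consent gating: 'not set' means no additional consent check is configured.
    if (status === 'notset') findings.push({ tag: tag.name, issue: 'consent requirement not configured' });
    if (status === 'needed' && requiredConsentTypes(tag).length === 0) {
      findings.push({ tag: tag.name, issue: 'marked NEEDED but no consent types listed' });
    }
    // Custom HTML can set cookies or call any third party and has no built-in
    // consent checks, so it must not be exempt from them.
    if (tag.type === 'html' && status !== 'needed') {
      findings.push({ tag: tag.name, issue: 'custom HTML exempt from consent checks' });
    }
    // Data minimization: a tag with no live firing trigger is dead weight to remove.
    const live = (tag.firingTriggerId || []).filter((id) => knownTriggers.has(id));
    if (live.length === 0) findings.push({ tag: tag.name, issue: 'no firing trigger; remove or document' });
  }
  return findings;
}
```

Run it over each exported container version as part of the release process; a non-empty findings list is the audit trail the text refers to, and it also catches the common failure where a tag is added with "Not set" consent status and silently fires for everyone.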

Navigating consent management with Google Tag Manager

To address privacy regulations like the GDPR and CCPA, GTM supports Google’s Consent Mode framework, which enables website owners to adjust tag behavior based on user consent status.

The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.

In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.

By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.

Google Tag Manager and Google Consent Mode

Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.

With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows some data collection to continue in a privacy-respecting manner even if full consent isn’t given. Note the distinction between the two Consent Mode implementations: in basic mode, Google tags are blocked entirely until consent is granted, whereas in advanced mode they load regardless and send cookieless pings to Google when storage is denied. Whether those pings are acceptable without consent in your jurisdiction is a decision to make with your legal advisers before choosing the mode.

GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.
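To make the Consent Initialization and per-tag consent requirements described in the previous two sections concrete, here is an added example, not Google’s or Usercentrics’ code and not part of the original article. It models the Consent Mode v2 "default, then update" sequence offline: defaults are pushed first, the CMP’s update follows, the effective state is the replay of both, and each tag fires only if every consent type it requires is granted. The gtag('consent', ...) calls, dataLayer, wait_for_update and the consent type names are Google’s documented interface; the TAGS table, applyUserChoice(), currentConsent() and tagMayFire() are this example’s own stand-ins for what GTM does internally, and the mapping from banner categories to consent types is an assumption your CMP will define differently.

```javascript
// Added example: models Consent Mode v2 defaults/updates and GTM's per-tag
// consent checks. Google's names: gtag, dataLayer, consent types, wait_for_update.
// Assumed for the example: TAGS, applyUserChoice, currentConsent, tagMayFire.
const CONSENT_TYPES = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

// In a browser this is window.dataLayer and the documented gtag() shim that GTM
// reads from; a plain array here so the example runs offline.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: defaults, pushed in <head> before the GTM container snippet so the
// "Consent Initialization - All Pages" trigger sees them. Everything is denied
// except strictly necessary storage; wait_for_update gives the CMP up to
// 500 ms to deliver a stored choice before tags fire.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500,
  });
}

// Step 2: the CMP reports the banner decision. Category-to-type mapping is an
// assumption made for this example; your CMP defines its own.
function applyUserChoice({ analytics = false, advertising = false, personalization = false } = {}) {
  const v = (granted) => (granted ? 'granted' : 'denied');
  gtag('consent', 'update', {
    analytics_storage: v(analytics),
    ad_storage: v(advertising),
    ad_user_data: v(advertising),
    ad_personalization: v(advertising && personalization),
    functionality_storage: v(personalization),
    personalization_storage: v(personalization),
  });
}

// Effective state = replay of every consent command in order; a later 'update'
// overrides an earlier 'default'. Anything never mentioned stays denied.
function currentConsent() {
  const state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    const params = entry[2] || {};
    for (const t of CONSENT_TYPES) if (t in params) state[t] = params[t];
  }
  return state;
}

// Per-tag "additional consent checks": a tag fires only if every consent type
// it lists is granted. Tags missing from the table fail closed.
const TAGS = {
  ga4_pageview: ['analytics_storage'],
  ads_conversion: ['ad_storage', 'ad_user_data'],
  ads_remarketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  session_protection: ['security_storage'],
};

function tagMayFire(tagName) {
  const required = TAGS[tagName];
  if (!required) return false;
  const consent = currentConsent();
  return required.every((t) => consent[t] === 'granted');
}

function firingTags() {
  return Object.keys(TAGS).filter(tagMayFire);
}
```

The order matters in production exactly as it does here: if the default call runs after the container snippet, or a tag is wired to "All Pages" instead of a consent-aware trigger, the replay model above would still report "denied" while the real tag has already fired. Verify the sequence in GTM’s Preview mode by checking that the consent default appears before any tag in the event timeline.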


The consequences of GDPR noncompliance when using Google Tag Manager

Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.

The penalties for violations can be substantial. The GDPR’s upper tier of fines, up to EUR 20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, applies to infringements of the basic principles for processing, which include the conditions for valid consent, and of data subjects’ rights. A lower tier of up to EUR 10 million or 2 percent applies to other obligations, such as those placed on controllers and processors.

Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.

Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.

How a consent management platform can help with GTM GDPR cookie consent

A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.

Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.

Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.

By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.

Usercentrics CMP and Google Tag Manager cookie consent

Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.

Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.

Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.


Google is phasing out third-party cookies in Chrome, marking a significant shift in the digital marketing landscape. Our in-depth session explores what this means for marketers, advertisers, publishers, and users. We address the challenges ahead and provide actionable solutions.

During this webinar, we cover the impact on personalized advertising, delve into alternative tracking technologies, and share strategies to maintain user privacy while achieving marketing goals.


Stay ahead of the curve and ensure your marketing efforts succeed in a cookieless future. Register now to watch the recording!

Google checklist: your toolkit for compliance with the new consent requirements in Switzerland

As Google expands its EU user consent policy to include Switzerland, it’s crucial for Swiss businesses to stay informed and become or maintain compliance. Our exclusive checklist provides a clear roadmap to understand the new requirements and provides actionable steps to achieve compliance before the 31 July 2024 deadline.


❓When is Google’s deadline?

✅ Enforcement starts 31 July 2024.

❓What regions are included in the requirements?

✅ Online users residing in Switzerland to whom companies target advertising.

❓What are the new requirements?

✅ Businesses using Google advertising and/or monetization products are required to obtain Swiss users’ consent for the use of cookies or other local storage where legally required, as well as for the collection, sharing, and use of personal data for the personalization of ads.

❓Do the new requirements apply to all publishers and advertisers targeting Swiss traffic?

✅ No. The new Google consent requirements in Switzerland mandate the use of a Google-certified CMP that fully supports the Transparency and Consent Framework (TCF) for publishers.

✅ For advertisers that don’t monetize their platforms with digital ads, the only requirement is to obtain consent from Swiss users where legally required.

❓What are the requirements for verifiable consent under Google’s EU user consent policy?

✅ Based on existing requirements from regulations like the Swiss Federal Act on Data Protection (FADP), which is broadly aligned with the General Data Protection Regulation (GDPR).

The main requirements for third parties using Google services:


❓What Google services are included in the requirements?

✅ Google’s advertising platforms or services, like AdSense, AdMob, Ad Manager, Google Ads, Google Analytics, or Google Marketing Platform.

✅ Personalization features on these platforms.

❓I am a publisher. What do I need to do to become compliant?

✅ Implement a Google-certified Consent Management Platform (CMP) for the TCF, such as Usercentrics CMP.

✅ Activate the Transparency and Consent Framework (TCF) v2.2 on your CMP.

✅ Use your CMP to obtain prior consent from users to collect their personal data for advertising purposes.

✅ Consider implementing the latest version of Google Consent Mode for additional marketing benefits.

❓I am an advertiser. What do I need to do to become compliant?

✅ Obtain consent from Swiss users where legally required.

💡 For now, you’re not expected to send a verified consent signal for Swiss traffic through Google Consent Mode — a requirement already in force for EU/EEA audiences — but this may change in the future.

❓How do I collect valid consent with Usercentrics CMP?

✅ Start with one of Usercentrics CMP’s user-friendly templates, or fully customize your banner design and messaging.

✅ Set up the CMP for all regulations relevant to your business.

✅ The Usercentrics CMP consent banner enables users on websites to record their consent preference for use of their personal data with the click of a button.

✅ Website users can also revoke consent or update their preferences at any time.

✅ Consent information is securely stored in the event of an audit or data subject access request.

❓How does Usercentrics CMP integrate with the IAB TCF 2.2?

Usercentrics CMP integrates with the IAB’s Transparency and Consent Framework 2.2 via an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end users can choose between IAB Purposes and Vendors before submitting their consent.

❓How do you set up Usercentrics CMP with Google Consent Mode?

  1. Create an account and add your domain.
  2. Select and customize your banner.
  3. Implement the code into your website. Done!

For detailed instructions on how to set up and implement the Usercentrics consent banner with the IAB TCF v2.2 integration enabled, check our documentation.

❓Is Google Consent Mode v2 implementation included in the new requirements?

✅ Not for now.

✅ You should consider implementing Consent Mode v2 for additional marketing benefits, such as analytics and conversion modeling. It also helps you avoid losing marketing data due to users declining consent.

Get Usercentrics CMP to achieve compliance with Google’s CMP requirements in Switzerland

By using Usercentrics CMP IAB Framework (TCF v2.2) integration as your website’s consent management platform, you can ensure compliance with Google’s new consent requirements for Swiss traffic.

With Usercentrics CMP, advertisers and publishers can also ensure compliant data collection and processing across the board.
