
The cookieless future is no longer a concept — it’s here. While Google paused its full phase-out of third-party cookies in Chrome in 2024, other major browsers like Safari and Firefox have already eliminated them. That means marketers can’t afford to wait.

However, the cookieless future doesn’t mean there won’t be cookies of any kind in use. It just means that third-party cookies and their sometimes indiscriminate tracking will be phased out. While marketers have long relied on the data third-party cookies collect, it has often been collected with questionable consent or without any consent at all. The data is also often of lower quality and needs to be aggregated with other data sources to be useful and profitable.

As we say goodbye to third-party cookies, let’s delve into the resulting changes in requirements, the impact of this shift, and how to future-proof your marketing strategy.

What is a cookieless future?

A cookieless future refers to the shift away from using third-party cookies. This change doesn’t mean the end of cookies altogether; first-party cookies will still play a vital role for marketers. But this change marks a departure from invasive tracking practices that compromise user privacy.

In a cookieless future, marketers will rely more on zero-party data, which is explicitly shared by users, first-party data, which is collected directly from user interactions, and consent-based technologies. It also involves new methods like contextual advertising and privacy-enhancing technologies.

A cookieless future is not the end of digital advertising. It’s the beginning of a smarter, more privacy-conscious era where trust and transparency must be central to strategy.

What are cookies?

Cookies are small text files stored on a user’s browser that help websites remember user preferences, login status, and behavior. There are two primary types: first-party cookies, set by the website the user is visiting, and third-party cookies, set by a different domain, such as an ad network embedded on that site.

Marketers have long relied on third-party cookies to build audience profiles and run retargeting campaigns. However, these cookies often collect data without meaningful user consent, which raises concerns about transparency and privacy.

Learn more about how cookies differ from personal data.

Why are third-party cookies being phased out?

Third-party cookies have long been a staple of digital advertising because they enable cross-site tracking, behavioral targeting, and detailed user profiling. However, they’ve come under scrutiny due to privacy concerns and their lack of transparency.

Browsers like Safari, Firefox, and Brave started blocking third-party cookies by default as early as 2017. And Google is giving users the option to allow or block third-party cookies.

This shift is not just a browser-led initiative; it’s also driven by global data protection laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These data privacy laws mandate greater transparency, accountability, and user control over personal data.

This movement reflects a broader shift toward user empowerment and ethical data use. Marketers must now explore cookieless tracking solutions that prioritize trust, transparency, and privacy compliance.

The impact of a cookieless future on marketers

The shift away from third-party cookies is reshaping digital marketing. Since marketers have long relied on these tools, they now face a series of challenges that demand adaptation.

Reduced audience visibility and segmentation

Without third-party cookies, it’s harder to identify user interests across websites. This limits marketing teams’ ability to create detailed audience segments and reach people based on behavior across platforms. 

The shift to first-party and zero-party data means marketers need to rely on information users choose to share. While this data is more limited, it tends to be more accurate and useful. That means even with less of it, you can still gain meaningful insights.

Personalization becomes more challenging

Personalization used to rely heavily on tracking users’ past behavior across the web. Now, that level of insight requires users to directly share preferences or interact meaningfully with your brand. If you don’t have a strategy to collect and act on this kind of data, personalized content and ads will be less effective. 

Measurement and attribution are disrupted

Standard attribution models built on third-party data no longer work. It’s harder to see how users move between devices or platforms before converting, which makes it difficult to measure the impact of different channels. Fortunately, there are privacy-compliant ways to fill these gaps, like using anonymized data, modeled conversion paths, and newer tools that help estimate performance even when tracking is limited.

Growing need for trust and transparency

People are more aware than ever of how their data is collected and used. Thanks to changing regulations and rising expectations, users now want clear explanations and meaningful benefits in return for sharing their data. If a brand can’t offer that, or doesn’t appear trustworthy, users are more likely to opt out or take their business elsewhere.

The numbers don’t lie. If you’re curious to learn more, here are 150+ data privacy statistics you need to know about.

Shift from volume to strategy

The outdated approach of collecting as much data as possible and figuring out how to use it later is no longer acceptable. Today, marketers need a more deliberate strategy. Ask users what they want to hear from you, how they want to be contacted, and what they’re comfortable sharing. Direct communication supports privacy compliance and results in better data and stronger engagement.

How to prepare for a cookieless future

Preparing for Google’s cookieless future presents an opportunity to build more sustainable, Privacy-Led Marketing strategies.

A foundational step is strengthening the collection and use of first-party and zero-party data. First-party data comes from user interactions with your digital properties. Zero-party data is information users voluntarily share, such as preferences or interests, which means it is highly accurate and based on trust.

Marketing teams must revise their marketing and advertising strategies to prioritize these sources. Doing so may include updating consent mechanisms with tools like Consent Management Platforms (CMPs) that support privacy compliance and allow for clear, customizable user choices.

Beyond data collection, marketers’ broader digital strategy must evolve. Contextual targeting — which might look like placing sports-related ads on a fitness blog — offers a non-invasive alternative to behavior-based advertising. Companies should also explore privacy-enhancing technologies that provide insights without compromising individual privacy.

The goal is not just to adapt to a cookieless future, but to lead with a marketing approach that builds trust. That means offering clear value exchanges, following ethical data practices, and committing to responsible, long-term data use.

Curious to learn more? Check out our detailed guide about privacy-first marketing.

Strategies for data collection in a cookieless world

In a cookieless future, data collection must be more intentional and privacy-conscious. Marketers need strategies that prioritize consent and transparency from the outset to build a foundation of trust while still enabling effective personalization.

Zero-party data is shared proactively by users through channels like surveys, preference centers, and feedback forms. Because this data comes directly from the source, it tends to be more accurate, reliable, and effective for segmentation and personalization. Encouraging users to share this data requires offering clear value exchanges, such as more relevant content or product recommendations.

First-party data, collected through direct interactions like purchases, logins, and website behavior, is equally important. Loyalty programs, gated content, and tailored user experiences are effective ways to gather this data while reinforcing engagement and brand affinity.

Marketers are also increasingly adopting data clean rooms to enable secure collaboration with partners like platforms or publishers. These environments use techniques like hashed identifiers to match audiences without sharing raw data, enabling insights while preserving user privacy.

CMPs are also helpful to collect data transparently and in compliance with privacy regulations. CMPs give users clear choices and control over how their data is used. Customizing consent experiences through layered information, region-specific settings, and accessible design can boost opt-in rates and strengthen confidence in your brand’s data practices.

By aligning data collection strategies with user expectations and evolving privacy standards, marketers can build a more resilient and trusted foundation for personalization in a cookieless world.

Implementing cookieless tracking solutions

Implementing cookieless tracking solutions can help you retain campaign measurement and user insights while respecting privacy norms. These solutions prioritize consent, transparency, and secure data handling.

These solutions are built around consent-first frameworks. That means data collection must be legally compliant and ethically sound, goals that align with both regional laws and user expectations. These frameworks require clear user permissions before any data is processed or activated, and are increasingly supported by mechanisms built into CMPs.

Server-side tagging also plays a key role. It shifts data processing from the user’s browser to secure, cloud-based servers, reducing reliance on browser-stored identifiers that are often blocked or restricted. This approach improves data accuracy, control, and resilience.

“Server-Side Tagging is a mechanism where tracking tags — pixels, scripts, analytics events — are managed and executed on a server-side environment rather than directly in the user’s browser.”
— Tom Wilkinson, Senior Marketing Consultant

Read more about the details of Server-Side Tagging and tracking.

Similarly, event-based measurement focuses on tracking meaningful user interactions, such as clicks, video views, scroll depth, or form completions, within your digital properties. These first-party events, captured with user consent, offer actionable insights without relying on third-party tracking.

To fully embrace these solutions, marketers can integrate tracking with a CMP and Customer Data Platforms (CDPs). CMPs manage permissions and help ensure user choices are respected across systems. CDPs centralize consented user data, enabling personalization, segmentation, and analytics that stay privacy-compliant.

Cookieless attribution and measurement

Effective campaign measurement in a cookieless future demands new attribution models, as traditional multi-touch models that rely on third-party cookies become less viable.

One of the most promising alternatives is predictive modeling. This method uses machine learning algorithms to analyze patterns in available data and forecast likely user behaviors and conversions. By referencing variables like past interactions, demographics, and contextual signals, predictive models can estimate the likelihood of specific actions, such as a purchase or an engagement. This approach works without requiring cookies or personal identifiers, relying instead on aggregate data and privacy-safe signals.

Conversion modeling is being prioritized by platforms like Google. It estimates conversions that cannot be directly observed using privacy-safe signals. This approach is central to Google’s evolving measurement tools. In fact, Google supports this shift with tools such as Google Consent Mode, Enhanced Conversions, Server-Side Tagging, and Customer Match. These technologies are designed to maintain insight integrity while aligning with shifting privacy standards.

Media mix modeling (MMM) offers another approach. It evaluates the impact of various marketing channels based on aggregated data, helping marketers allocate budget effectively even without individual user tracking.

Another emerging approach is server-side tracking (SST), which shifts data processing from the user’s browser to the server. This can improve data accuracy, mitigate signal loss from browser restrictions or ad blockers, and support compliance with privacy regulations.

Usercentrics’ server-side tracking solution is built with these priorities in mind. It enables organizations to maintain essential measurement capabilities in a privacy-conscious, configurable environment—without relying on third-party cookies.

Cookieless advertising

The phase-out of third-party cookies also affects advertising itself. Fortunately, there are cookieless advertising options that still deliver results.

One method is contextual advertising, which uses the content of a web page, rather than user behavior, to determine ad placement. By aligning ads with the content on the page, this approach supports both relevance and privacy, making it a natural fit for the cookieless era.

Identity solutions are also emerging to bridge the personalization gap. Technologies like Unified ID 2.0 and platforms such as LiveRamp use encrypted, email-based identifiers to enable privacy-conscious targeted advertising. These tools help preserve capabilities like personalization, audience segmentation, and frequency capping without relying on invasive tracking methods.

Another alternative is cohort-based targeting through tools like Google’s Topics API. This tool groups users based on shared interests rather than individual behavior. This method maintains a degree of audience targeting while protecting user anonymity.

As targeting methods shift, advertisers will also need to rethink their creative strategies. Without behavioral data to guide personalization, success will require a deeper understanding of context and the ability to craft messaging that fits naturally within the surrounding content.

Aligning marketing and privacy teams

To thrive in a cookieless future, marketing teams need to embrace Privacy-Led Marketing strategies and technologies. Data privacy compliance cannot be an afterthought; it must be integrated into campaign planning, technology selection, and performance reporting.

Strategies should focus on:

This shift enables not only regulatory compliance but also better engagement, higher-quality insights, and more resilient data strategies.

What’s next in a cookieless world?

The shift away from third-party cookies is a turning point in how businesses approach privacy, compliance, and user trust. Regulations like the GDPR, the ePrivacy Directive, and others are driving the need for more transparent data practices, and browsers are enforcing these changes with stricter tracking limitations.

So what’s next?

Companies will need to adapt by building stronger first-party data strategies, investing in technologies that prioritize the user’s privacy first, and integrating solutions like a CMP to support ongoing compliance. We can expect to see a growing focus on contextual targeting and consent-based personalization.

Organizations with a global footprint will also need to understand how regional laws intersect with platform-level changes, and plan for a future where privacy isn’t an obstacle but a competitive advantage.

Marketers, designers, and developers need high quality data to deliver optimal online experiences and grow their businesses. A lot of that data comes from your audience and their activities on your website.

To collect that data in a way that respects data privacy laws and users’ privacy means that you need to be transparent and provide consent options. Laws like the GDPR and CCPA require you to inform people about what data you collect, how you use it, and what their rights are. 

Different laws in different regions also require you to obtain user consent before collecting data, to provide granular options about which data uses users can accept or decline, or to enable them to opt out of various data uses.

Not to mention that there are an increasing number of business requirements for companies that rely on important platforms like Google’s to provide proof of consent if your company uses them for advertising, analytics, and other key marketing functions.

Smart consent management strategy with Webflow and Usercentrics enables you to meet data privacy requirements, build trust with your audience, and protect your marketing efforts and growing business. 

Provide clear information and user-friendly consent options that match your brand and that are customized to where your users are located.

We look at why you need a Webflow cookie banner, how it benefits your data privacy compliance and marketing performance strategies, and how to set it up. Support customer-friendly Privacy-Led Marketing and Webflow cookie consent.

Let’s look at why having a Webflow cookie consent banner on your website is so important for your business. Then we’ll cover the setup process.

No disruption to your Google services campaigns

Google Ads campaigns are popular among Webflow website owners for generating traffic, especially with retargeting. Government regulations aren’t the only requirements business owners need to navigate today. Large tech platforms that many businesses rely on are also implementing and enforcing privacy-centric policies. 

Setting up Webflow cookie consent via Usercentrics CMP and displaying a user-friendly and privacy-compliant consent banner enables you to maintain access to Google services that your business relies on. This includes key features like Google Ads’ personalization and remarketing.

Usercentrics CMP is Gold Tier certified with Google’s CMP Partner Program, and comes with Google Consent Mode v2 built in. Start collecting and signalling compliant consent right from implementation.

Get the required consent information from your users, securely store it for regulatory requirements, and signal it via Consent Mode to Google Services. This controls the firing of tags for ads, analytics, and other services to comply with user consent requirements for users in the US, EU, and around the world.

With Google Tag Manager, it’s easy to get up and running with Usercentrics CMP on your Webflow website.

Embrace Privacy-Led Marketing

Marketing performance strategy and optimization is already a full-time job, but it grows more complex every day.

Marketers have to stay abreast of evolving privacy regulations, changes in tech platforms’ policies and functions, the expectations of customers and prospects, and more. 

The risks of data breaches and other privacy violations go far beyond just fines and legal penalties.

They can irreparably damage your brand reputation and customers’ trust. They can require time- and resource-consuming remediation activities, like ongoing audits. And they can discourage potential new customers, partners, investors, and advertisers.

Your Webflow cookie consent banner can be a powerful tool, especially combined with a clear Webflow cookie policy, to enable you to achieve and automate privacy compliance, and maintain access to the business platforms you rely on. 

Plus, you keep your customers happy that their privacy concerns are being addressed. Which means higher long-term engagement and more valuable data to boost your marketing efforts.

We will walk you through the steps to ensure you have the accounts and access you need, and that your tags are set up to respond to consent signals correctly.

Set up your Google Tag Manager account

The easiest and most streamlined way to set up and control services on your Webflow website is by using Google Tag Manager to conditionally load scripts.

If you have a Google Tag Manager account already, you’re all set to get started. If not, create one for free.

Once your account is active, you can use it to set up Usercentrics CMP and to configure the tags that require user consent. Next we’ll cover the Usercentrics CMP setup and customization, then later we’ll get back to Webflow and how to add the CMP to your account.

You can refer to our Usercentrics CMP setup guide as well.

Sign up for your Usercentrics account

Go to the Free Trial page, then click the Usercentrics Web CMP tab. Click START FREE to get started with your 14-day free trial by providing the required information to set up your Usercentrics account.

Configure your banner in the Usercentrics Admin Interface

Once your new account is set up (or you’re logged in if you already have an account), it’s time to set up your configuration. In the Admin Interface, click Configuration. This section is where you’ll add information about your domain (your Webflow site), where you’ll display the banner, your language preferences, and more. 

Configuration of Usercentrics CMP

Initial website scan

In the Admin Interface, click Service Settings, then click the Initial Website Scan button to start the first scan of your Webflow website. This will detect the cookies and trackers (Data Processing Services, or DPS) that are in use. 

Once the scan is completed, it will generate your scan report, which you can see under the DPS Overview.

Categorize the Data Processing Services

Usercentrics CMP will automatically categorize the DPS for you that were detected in the initial scan. Essential, Functional, and Marketing are included by default. You can edit the classifications, or manually categorize anything that comes up as unclassified. You’ll do that under Service Categories, which includes predefined categories or enables you to define your own. 

Service settings in Usercentrics CMP Admin interface

Add the Data Processing Services

Use the list of DPS from the initial scan report to add all the relevant cookies and other trackers in use on your website. Click Add Service to the right of each DPS listing in the Admin Interface.

This will add them to the CMP, enabling users to access and control their consent preferences by category. Your list of DPS can also be added to your Cookie Declaration. 

Note: Scripts for the DPS may need to be adjusted to enable blocking until consent is obtained. Get more information in our guide.

Click the Appearance tab to get started customizing how your consent banner will look. Under the Styling tab you can adjust the brand styling, fonts, logos, and more. 

Under the Layout tab you can customize the settings for the banner’s first and second layer settings and the Privacy Trigger. That’s a shortcut that visitors can use to update their consent preferences on future visits to your website.

Appearance settings in Usercentrics CMP Admin interface

Click the Content tab to start customizing the text, links, and other elements that users will see and read on your consent banner. Usercentrics CMP supports 60 languages, and you can customize the banner here for relevant legal frameworks, like the “Do Not Sell Or Share My Personal Information” link required by the CCPA. 

Content settings in Usercentrics CMP Admin interface

Implement the Usercentrics CMP on your Webflow website

Now you will add the Google Tag Manager snippet to your Webflow website. Please note that you will need a Basic, CMS, or Business Webflow account in order to be able to add scripts to your Webflow website.

Log in to your Webflow account and ensure that you are in Design mode. You can select this at the top left of the menu. Click the + button to open up the menu of options you can add, then scroll down to the Advanced section. Click on Code Embed.

Screenshot presenting the section of the Webflow website where the Google Tag Manager snippet should be added

Add your Google Tag Manager snippet. You must replace “GTM-XXXXXX” in the last line with your own Google Tag Manager Container ID.

If you exclusively use Google Tag Manager to load third-party scripts, remember to configure them to require “additional consent” so that cookies won’t be set without prior consent, if that regulatory requirement is relevant to your business and website.

<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<!-- End Google Tag Manager -->
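As an added example (not Usercentrics’ or Google’s own code), here is how the Consent Mode signalling described earlier and the “no cookies before consent” gating mentioned above fit together in browser JavaScript: every Consent Mode v2 signal starts as denied before the GTM snippet loads, and a visitor’s category choices (the Essential/Functional/Marketing categories from the DPS setup) are translated into a consent update when the CMP reports a decision. The category-to-signal mapping, the tag list and the `cmp-consent-decision` event name are assumptions for illustration; adapt them to your CMP.

```javascript
// Added example: gating Google tags on consent with Consent Mode v2 signals.
// Assumption: the site's CMP categories are 'essential', 'functional', 'marketing'.

// The four Consent Mode v2 signals Google tags consult before storing or using data.
const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Default state: everything denied until the user decides. In a real page this
// call runs before the GTM snippet so tags never treat an undecided visitor as granted.
function defaultConsentState() {
  const state = {};
  for (const s of SIGNALS) state[s] = 'denied';
  // wait_for_update asks tags to hold measurement (ms) until the CMP answers.
  state.wait_for_update = 500;
  return state;
}

// Map category choices to Consent Mode signals (the mapping is an assumption):
// analytics follows 'functional', all advertising signals follow 'marketing'.
// Only a literal boolean true grants; missing, falsy or string values stay denied.
function consentToSignals(categories) {
  const granted = (name) => categories[name] === true;
  return {
    analytics_storage: granted('functional') ? 'granted' : 'denied',
    ad_storage: granted('marketing') ? 'granted' : 'denied',
    ad_user_data: granted('marketing') ? 'granted' : 'denied',
    ad_personalization: granted('marketing') ? 'granted' : 'denied',
  };
}

// Minimal gtag shim: pushes the arguments object onto the dataLayer,
// exactly as the GTM snippet's own gtag() helper does.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// A tag may fire only if every signal it declares is granted.
// A tag with no requirements (essential/strictly necessary) always fires.
function shouldFireTag(tag, signals) {
  return (tag.requires || []).every((s) => signals[s] === 'granted');
}

// Simulate one page lifecycle: default-denied, then a CMP decision arrives.
// Returns the dataLayer as GTM would see it and the names of tags that fired.
function runConsentFlow(decision) {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  gtag('consent', 'default', defaultConsentState());
  const update = consentToSignals(decision);
  gtag('consent', 'update', update);
  // Constructed tag list for the example; not a real container configuration.
  const tags = [
    { name: 'fraud-protection', requires: [] },
    { name: 'ga4-pageview', requires: ['analytics_storage'] },
    { name: 'ads-remarketing', requires: ['ad_storage', 'ad_personalization'] },
  ];
  const fired = tags.filter((t) => shouldFireTag(t, update)).map((t) => t.name);
  return { dataLayer, fired };
}

// Wire-up in a real page. Assumption: the CMP dispatches a DOM event whose
// detail is a { category: boolean } map; change the event name for your CMP.
if (typeof window !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = makeGtag(window.dataLayer);
  gtag('consent', 'default', defaultConsentState());
  window.addEventListener('cmp-consent-decision', (ev) => {
    gtag('consent', 'update', consentToSignals(ev.detail || {}));
  });
}
```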

The Usercentrics CMP runs a daily website scan and automatically sends the report to your inbox when it’s complete. We recommend regularly checking your scan report to make sure all the cookies and other tracking technologies in use on your site are correctly classified and have a purpose description. 

Marketing operations evolve quickly, so this is one way to stay ahead and make sure only the cookie categories that your users have consented to are activated. The scanner also automatically updates your Cookie Declaration to accurately reflect your Webflow website’s cookie usage.

Usercentrics CMP helps protect your business and grows with you

Usercentrics CMP makes it easy for you to meet regulatory requirements no matter where you do business. Keep your customers informed about your data processing and their privacy rights to build trust. 

Also stay on top of the cookies and other tracking technologies that you’re using to collect data, so you can provide accurate information and valid consent options, and compliantly control your data collection and use. Build a Privacy-Led Marketing strategy that scales.

In just a few steps, you can set up a cookie banner on your Webflow website that looks great, is user-friendly, and helps protect your business. Check out our opt-in optimization whitepaper for more information about optimizing user experience and consent rates. 

Show customers that you respect their privacy, get the high quality marketing data you need, and get automated peace of mind regarding your legal obligations.

When visitors land on your website, they make a split-second decision about whether to engage or leave. While factors like design, speed, and usability play a role, one of their first interactions with your brand is often your cookie consent banner. This seemingly small element has an outsized impact on how users perceive your website, affecting not only compliance but also trust, engagement, and overall user experience.

A poorly designed or intrusive banner can frustrate users, leading to immediate exits or a lack of engagement with your content. On the other hand, a well-crafted consent banner signals transparency, respect for privacy, and a commitment to user control, all of which contribute to a positive first impression. When users feel in control of their data, they are more likely to trust a brand, explore the website further, and take meaningful actions — whether that’s signing up for a newsletter, making a purchase, or engaging with content.

Businesses often think of consent banners as just a legal necessity, something to check off a compliance list. But in reality, they are a crucial touchpoint in the customer journey. The way a consent banner is presented—its design, language, and placement — can influence how users interact with the website and whether they feel confident in sharing their data. With privacy regulations like GDPR, CCPA, and other evolving frameworks, businesses need to approach consent management strategically, not just for legal reasons but to build relationships based on trust and transparency.

A/B testing offers a powerful way to refine this first interaction. By experimenting with different banner placements, CTA wording, and design elements, businesses can identify what resonates most with users and optimize for higher engagement, better opt-in rates, and stronger brand credibility. 

This guide explores how A/B testing can transform a simple consent banner into a trust-building tool, helping businesses align privacy compliance with a seamless user experience.

Watch our on-demand session to learn how to properly manage cookies and avoid legal risks.

This webinar, featuring Magdalena Aleksova (Usercentrics) and Adrian Nowakowski (Up Blue), provides practical insights into cookie compliance, legal risks, and best practices for managing cookies on your website.

What You’ll Learn:

Who Should Watch?


On December 20, 2024, the Bundesrat (German Federal Council) approved an ordinance pursuant to Section 26 Paragraph 2 of the Telecommunications Digital Services Data Protection Act (TDDDG) and amending the Special Telecommunications Fee Ordinance (DE, PDF). Officially, the update is the “Verordnung über Dienste zur Einwilligungsverwaltung nach dem Telekommunikation-DigitaleDienste-Datenschutz-Gesetz (Einwilligungsverwaltungsverordnung – EinwV)”.

The goal of this ordinance is to reduce the “flood” of consent banners displayed on websites to German residents. We delve into what this new law says, when it comes into effect, and how your business can navigate the requirements.

What is the TDDDG?

The Telecommunications Digital Services Data Protection Act (TDDDG in German, TTDPA in English) covers similar territory to the General Data Protection Regulation (GDPR) regarding data handling, privacy, and user rights, but gets into more detail in certain areas. 

The TDDDG came into effect in Germany in December 2021. It shares the scope of the ePrivacy Directive for requirements regarding use of consent management solutions, and applies to any company offering goods or services in Germany if they access information (not just personal data) stored on a user’s device, or store information on users’ devices. 

The regulation requires informed and explicit user consent for the use of more digital technologies, and storage of and access to data stored on or collected from users’ devices, in line with the GDPR’s consent requirements. It is permissible to use bundled consent to cover both regulations when providing users with notification and consent choices, though in many cases there will be two legal bases required: one for the GDPR and one for the TDDDG. 

The new ordinance comes into effect April 1, 2025, giving affected organizations three months for preparation and implementation if they choose. It’s meant “to protect Internet users from disruptive and misleading consent requests” by reducing the number of cookie banners or comparable displays that users are faced with regularly. The Bundesrat has recommended that the ordinance undergo evaluation within two years.

The goal is for users to make one-time decisions about cookie consent using a consent management solution, with the information they provide centrally stored and used over time to signal the individual’s consent preferences to any digital services collecting data. As a result, users will not be presented with cookie banners over and over when they visit different websites. 

Additionally, the ordinance is meant to strengthen web users’ freedom of choice regarding access to their personal data online. Explicit and informed consent from users for data collection and use via cookies remains a requirement. The core strategy in achieving the ordinance’s goals while making use of existing consent management solutions is the introduction of “recognized consent management services”. To become a “recognized” service, there is an annual certification process. 

However, it is unclear whether this strategy supports the overarching goals of data privacy and specific regulatory requirements, particularly as it centers ID-based solutions.

The requirements of the ordinance are voluntary for both website operators, who can choose if they want to implement the new framework, and for users, who can choose if they want to engage with these services and save consent choices for reuse.

What is the certification approval process for the new ordinance?

To become a “recognized consent management service” under the new regulation, a company offering consent management services must undergo an approval process that is overseen by the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — the Federal Data Protection Commissioner.

The process requires demonstrating compliance with current data protection laws, like the GDPR, and passing security audits. The estimated annual administrative costs to maintain certification are 79,000, which may be out of reach for smaller companies providing consent management solutions. However, as noted, the requirements of the ordinance are voluntary.

The regulation applies to website operators and digital service providers that collect consent under Section 25 TDDDG (DE).

Internet users can benefit from a more streamlined process for managing consent and cookie preferences online, and an improved user experience overall when browsing. Consent preferences set once and centrally stored with a recognized consent management service will automatically be signalled to subsequent websites users visit, so they will see fewer cookie banners pop up.

Website operators and digital service providers would continue to need to respect the user’s consent selection, so using a consent management platform (CMP) remains important. Recognized consent management services would also need to signal user consent to the CMP that a website operator has implemented, so a compatible CMP is necessary.

Consent management service providers will have to develop solutions that can pass the certification requirements and enable compliance with the ordinance and other relevant data privacy regulations and frameworks like the GDPR and ePrivacy Directive. Consent management services will need to work with CMPs to pass the user consent signal information. Providers can benefit from increased business from organizations that want to implement a recognized service.

Website operators and digital service providers in Germany and throughout the EU already need to respect users’ privacy and rights and obtain explicit and informed consent for collecting and processing data. So organizations already using a CMP will need to continue to do so. (Those who are still not using one are taking increasingly large risks with their revenue, legal standing, brand reputation, and customer retention.)

Because the ordinance’s requirements are voluntary, companies can continue to use their existing CMP, which likely displays consent banners to users infrequently but at specific intervals, e.g. first visit to the site, after the consent expires, if the user clears their browser cache, etc. 

If a website operator wants to comply with the ordinance, they will also need to ensure their CMP can seamlessly accept and process consent signals from users who have set them using a recognized consent management service. Usercentrics specializes in smooth integrations that enable consent information to be obtained in a user-friendly manner and signaled throughout your tech and marketing ecosystem.

Some ambiguity remains regarding how the functionality will be required to work, and whether there are standards that recognized consent management services and CMPs will need to meet. The ordinance also does not specify how long a user’s consent information remains valid.

Of note is that the ordinance’s mechanism with recognized consent management services is a new proposal, as it uses an opt-in model. To date there have only been opt-out solutions, like Global Privacy Control (GPC) or other universal opt-out mechanisms (UOOMs). Recognition of such signals is not universal, but has been gaining traction in more of the newer data privacy regulations passed, e.g. at the state level in the United States.

There are tools that signal consent information and work with CMPs, like Google Consent Mode, but they are not relevant to the ordinance’s requirements. They don’t function on the user’s side; they forward consent choices that users have made with the CMP through to services like Google Ads.

No consent management services have been certified yet, as the ordinance was only passed in late December 2024. However, it will be critical for any recognized consent management services to work well with CMPs to ensure legally compliant processing of users’ consent choices. Maintaining good user experience with seamless functionality is also important for happy website visitors, as well as for interaction and consent rates.

It will be important for companies to use a CMP like Usercentrics CMP that enables compliant and secure collection, storage, and signaling of consent information. It also enables a full range of integrations and is updated regularly for the latest regulatory and technology changes and requirements. We will continue to update on this ordinance and its requirements as more information becomes available.

This new ordinance does not mean CMPs are no longer needed for consent management. Quite the opposite; it points to the need for companies to implement a CMP backed by constantly evolving technology and legal expertise. This enables companies to maintain privacy compliance, marketing monetization, and positive user experiences no matter what changes the future brings from regulators, influential tech platforms, or elsewhere.

Understanding and implementing a cookie policy is crucial for any website that values transparency, user trust, and legal compliance.

As digital privacy concerns continue to grow, both users and regulatory bodies demand greater clarity on how personal data is collected and used. And a cookie policy serves as an essential document that informs visitors about the types of cookies a website uses, the data they collect, and how this information is managed.

So let’s take a look at what a cookie policy is, the benefits of adding one to your website, and what it must include.

What are cookies and how do they work?

Cookies are small text files that websites send to a user’s device, like a web browser on a desktop or phone, on their first visit. They are then stored there for (usually) a specified amount of time. They help track user behavior, remember login details, and maintain session information, enabling a personalized browsing experience. For example, cookies can keep items in a shopping cart or save user preferences.

On subsequent visits, your browser sends the cookie data back to the server, enabling the site to recognize you. There are different types of cookies, like first-party and third-party, which are used for different types of data collection.

What is a cookie policy?

A cookie policy is a document containing a list of all the cookies present and used on a website, along with detailed information about each. It tells website visitors which cookies are present, how they will be used, what information they collect, who sets them and collects information from them (e.g. advertising vendors), and how users can control their cookie preferences.

What’s the difference between a cookie policy and a privacy policy?

The main differences between a cookie policy and a privacy policy lie in their scope, content, and legal requirements.

A privacy policy is broader, covering how a company collects, uses, and protects all types of personal data, while a cookie policy focuses specifically on cookies and similar tracking technologies used on a website.

Additionally, a privacy policy explains data collection methods, purposes, storage, sharing practices, and user rights for all personal information, whereas the cookie policy details the types of cookies used, their purposes, duration, and how users can manage cookie preferences.

The cookie policy can be its own document, e.g. on a company’s website, or it can be a section in the privacy policy. The important thing is the information contained, that it’s kept up to date, and that it’s clear and easy for website visitors to access.

Why is a cookie policy important?

Cookie policies are essential for several reasons, particularly in the context of data privacy and user experience.

Build trust through transparency

A well-crafted cookie policy reflects your commitment to transparency. By clearly explaining the cookies used on your website, how they function, and what data they collect, you empower users to make informed decisions about their privacy. This openness fosters trust with your audience, an invaluable asset in today’s privacy-conscious world.

Comply with data protection laws

Cookie policies are typically a legal requirement, especially in regions with strict data protection laws. For example, the GDPR in the European Union requires websites to obtain user consent before storing or accessing cookies on their devices. Similarly, the UK’s Privacy and Electronic Communications Regulations (PECR) outline specific rules for cookie usage. Ensuring your cookie policy complies with these laws is crucial to avoid penalties.

Empower users through control and consent

An effective cookie policy provides users with clear information on how to manage their cookie preferences, though opt-in/opt-out rights will vary by jurisdiction. This includes instructions on opting out of certain types of cookies or adjusting their settings. By offering this level of control, you not only meet legal requirements but also show respect for user autonomy.

Reduce legal risks

Having a transparent cookie policy in place helps mitigate legal risks. It demonstrates your proactive approach to data protection and compliance with regulatory requirements to inform visitors. This is important if your practices are ever scrutinized by regulatory authorities.

Provide a better user experience

By explaining the purpose of different types of cookies, your policy can help users understand how these cookies contribute to their browsing experience. This understanding can lead to more informed decisions about cookie acceptance, and it improves users’ overall experience on your site by giving them a feeling of control over their data and how it’s used.

Gain a competitive advantage

In an era where privacy concerns are at the forefront, having a clear and comprehensive cookie policy can differentiate you from competitors. It signals that you take user privacy seriously, which can be a deciding factor for privacy-conscious consumers.

Is a cookie policy on a website mandatory?

The implementation of cookie policies is not just a matter of best practice, it’s often a legal necessity.

Key regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Privacy Rights Act (CPRA) in the United States have set strict requirements for transparency in data collection practices. These laws mandate that websites inform users about the use of internet cookies and obtain consent before deploying them, especially for non-essential tracking purposes. Even when the consent requirements of privacy laws differ, all privacy laws have a clear set of requirements for information that has to be provided to customers about data use, privacy, and rights.

Requirements for a cookie policy for a website

Crafting a cookie policy isn’t just about listing the cookies your website uses. It’s about creating a document that’s clear, transparent, and user-friendly. A well-thought-out policy can help build trust with your visitors by clearly explaining how cookies are used and how they can manage their preferences.

Here are the key components to include to create a compliant cookies policy for a website.

Types of cookies used

Provide a clear description of the various categories of cookies on your website, such as strictly necessary, functional, analytical, and marketing cookies. Use a consent management platform like Cookiebot CMP by Usercentrics to help automate this process by regularly scanning and updating your site for new cookies.

The purpose of cookies

Explain the specific purpose of each type of cookie, detailing how they benefit the user experience or contribute to website functionality.

Mention all third-party cookies

Disclose any third-party services that may place cookies on users’ devices through your website, including their purpose and how they’re used. These can be tricky to detect and may change regularly, making a consent management platform that can detect them even more important.

Address the lifespan of placed cookies

Provide information on how long cookies remain on a user’s device, distinguishing between session cookies, which are temporary, and persistent cookies, which remain for a longer period. Most cookies have an expiry date, but not all. However, many privacy laws and guidelines also include requirements for how long cookies can be active, and when new consent has to be obtained, where relevant.

Provide user controls

Offer clear instructions on how users can manage their cookie preferences, including how to opt in or opt out, change existing preferences, or disable cookie use. The policy should also include clear information about the effects of opting out or disabling cookie use, particularly where doing so would affect the functionality or user experience of the website, or prevent the delivery of certain services.

Address policy updates

Include a statement on how users will be notified of changes to the cookie policy, ensuring they stay informed about any updates.

Website cookie policy example

Armed with the knowledge of what a cookie policy should include, let’s look at an example.

Cookiebot by Usercentrics has a cookie declaration in addition to a privacy policy. The page has a straightforward, user-friendly layout, making it easy for visitors to navigate and understand how cookies are used on the site.

The policy starts with a clear explanation of what cookies are and their purpose, which is helpful for users unfamiliar with the technology. It then categorizes cookies into four groups: necessary, preferences, statistics, and marketing. Each category is clearly defined, helping users quickly grasp the different types of cookies and their functions.

Cookiebot also provides specific details about each cookie, including its name, provider, and expiration period. This level of detail is important for users who want to understand how cookies affect their privacy.

Cookie Declaration

This information is presented in a clear and accessible manner to enable website visitors to make informed choices about their cookie preferences.

Industry-specific nuances of cookie policies

Different industries face specific challenges when it comes to cookie policies, as the ways websites collect and use data vary widely across sectors. By understanding these nuances, businesses can create cookie policies that are not only compliant but also effectively tailored to their specific needs.

Ecommerce

Ecommerce websites rely heavily on cookies for functions like personalization, shopping cart functionality, and targeted advertising. Their cookie policies must strike a balance between enabling these features and being transparent about data collection. Many ecommerce sites now provide clear explanations of how cookies enhance the shopping experience, such as remembering items in a user’s cart or suggesting relevant products.

Healthcare

Healthcare websites face strict privacy regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to various data privacy laws in the US or abroad. Therefore, a cookie policy for the healthcare sector often emphasizes the security measures used to protect sensitive health information, clearly distinguishing between necessary cookies for essential site functionality and optional cookies used for analytics or marketing purposes.

Health and wellness apps are also growing in popularity, and while they have different data collection mechanisms, there is increasing scrutiny. More focused regulations will likely follow, such as the Washington My Health My Data Act, governing how they can collect and use sensitive personal data from users.

Finance

Financial institutions must adhere to stringent data privacy and security requirements and build trust with their users. Like with healthcare, the financial sector has a whole industry-specific set of regulations they must abide by, which include additional data privacy requirements.

Financial companies’ cookie policies typically focus on the use of secure, encrypted cookies for essential functions like login sessions, while also providing detailed information on any tracking cookies used for marketing or analytics.

Media and entertainment

Websites in the media and entertainment industry often use a wide range of cookies for content personalization, advertising, and tracking user engagement. Their cookie policies usually include clear explanations of how these cookies improve the user experience, such as by remembering playback preferences or suggesting articles based on past reading behavior.

Build user trust and comply with privacy laws by implementing a cookie policy

A clear and well-structured cookie policy is essential for any website. It not only ensures compliance with data protection laws but also builds trust by being transparent about how user data is collected and used.

By empowering users with control over their privacy settings, you enhance their experience and reinforce your commitment to safeguarding their personal information. A thoughtful cookie policy is more than a legal requirement—it’s a step toward creating a trustworthy and user-friendly online presence.

If you operate an online business, whether via a website, mobile app, or both, your business needs a clear understanding of user consent for their data. As privacy protection laws become increasingly strict, failure to gain proper consent from visitors, customers, and users can lead to both hefty fines and brand distrust.

But there are many different types of consent, all with specific requirements levied by regulatory bodies. Understanding what consent you need and when and how you need to request it can help you build brand loyalty, make better decisions for your business, comply with regulations, and avoid penalties for noncompliance.

While there are two main consent models used in privacy regulations around the world, the conditions for valid consent under different data processing circumstances vary more widely. We break down what they are, where they’re relevant, and how to comply with them.

Opt-in vs. opt-out consent

Digital marketers need to obtain valid opt-in consent from users, for functions like subscribing to a newsletter or using their data to personalize ads shown to them. Similarly, users need the option to opt out of data-driven activities, such as unsubscribing from a newsletter or withdrawing from data collection for advertising or analytics.

Along with marketing functions, opt-in and opt-out consent also applies to cookie banners. A consent banner employed for CCPA/CPRA-compliant consent would include an opt-out option, and requires the phrase “Do Not Sell Or Share My Personal Information”. Users can click that link at any time, but companies don’t need to get consent before they start collecting users’ data in most cases. If the user has not explicitly opted out, consent is implied.

A cookie banner that follows an opt-in model would require users to manually click an “Accept” button or similar explicit action to agree to the data collection practices and purposes communicated. This style of banner is mandatory under GDPR law for consent to be valid.

In most cases it is not compliant to prevent users from accessing sites or their features if they decline consent, e.g. with a consent wall that can’t be bypassed, or for them to have a lesser user experience if they don’t consent. Here are tips for creating cookie banners that meet legal requirements.

Informed consent

Informed consent was once predominantly applied in sectors like research, healthcare, and media studies. But it’s becoming increasingly applicable in online data protection and relevant to marketers, especially since the introduction of the General Data Protection Regulation (GDPR) in the European Union.

Informed consent requires users to be informed of the details of digital data collection. Regardless of the consent model, all data privacy laws require that data subjects are provided with information about data collection and use and their rights.

Informed consent is especially relevant for businesses that are required to comply with the GDPR. Organizations that fail to obtain proper informed consent in the EU can be heavily fined.

Since the GDPR came into effect, Google has introduced solutions for data privacy protection with tools like Google Consent Mode and updates to its EU user consent policy.

Explicit consent

Explicit consent is clear and unambiguous on the part of the data subject. With informed consent, the individual knows what their data will be used for and what their rights are. With explicit consent, the user must additionally perform a clear, dedicated action to express their acceptance of the request for access to their data.

Examples of this include:

By using explicit consent, not only are you meeting regulatory requirements, but you’re demonstrating respect for data privacy and building stronger trust with your users.

Granular consent

Granular consent involves requesting separate consent for different data processing purposes.

For example, rather than a cookie banner that only gives users the option to “Accept All” for cookies and other trackers in use, website operators need to offer specific cookie consent options to comply with the GDPR, such as enabling visitors to say yes to analytics cookies but no to advertising ones.

Users should be presented with clear and user-friendly options to accept or reject data processing, such as banners that allow users to opt-in or opt-out of specific cookies individually, like in the image below.

Implied consent

Unlike explicit consent, implied consent involves assuming consent based on a person’s actions or inactions. An example of this might be a user continuing to browse a website after a cookie banner pops up, and ignoring it. These are sometimes referred to as “browsewrap agreements”.

With a marked shift towards privacy-led marketing and regulatory authorities increasingly prohibiting assuming consent from a user not performing an explicit action, it’s recommended to err on the side of caution against implied consent.

Instead, follow informed and explicit consent best practices, following privacy-led and consent-based marketing principles.

General consent

Unlike granular consent, general consent offers limited control over what data users can agree to or reject.

An example of this could be a general online service agreement where users consent to the Terms of Service, without providing necessary details about the privacy policy and how data is being collected, stored, and processed.

General consent was once fairly commonplace, but it’s becoming increasingly discouraged in favor of granular consent. Consent “bundling” is also not allowed under a number of data privacy laws. Best practices involve separating out different kinds of required information, like in the Terms of Service and privacy policy, as well as having a cookie notice and consent banner for informed and explicit consent management.

Conditional consent

This typically follows a ‘this for that’ approach. Conditional consent can look like companies offering something in exchange for a user’s data: for example, a user accessing a whitepaper or webinar on the condition that the company can send them marketing messages, or a discount code in exchange for a newsletter signup.

For businesses in the European Union, conditional consent can become convoluted as consent must be “freely given” under the GDPR. This blurs the lines with marketing strategies like gated content. It has generally not been frowned upon to make such offers, but what individuals are giving must be equivalent to what they’re getting, otherwise it looks like a bribe for consent, which is definitely frowned on by data protection authorities.

If you’re considering conditional consent-based marketing, using a consent management platform to follow proper protocol is recommended.

Ongoing and dynamic consent

Ongoing consent, otherwise known as dynamic consent, helps ensure that users have the opportunity to actively manage their data and adjust, update, or withdraw their consent at any point.

Unlike the traditional one-time model of consent, sometimes referred to as a “clickwrap agreement”, a dynamic consent approach is based on a few core factors.

Offering dynamic/ongoing consent is a crucial way to build trust with users by improving user experience, and adhering to data privacy laws.

Withdrawable consent

Whether using an opt-in or opt-out consent model, pretty much all data privacy laws require users to be able to withdraw consent at any time, even if their data has been collected and used for some time. Ideally individuals should be able to easily change consent preferences at any time as well, if they don’t want to entirely revoke them. Once the user opts out, data collection and processing must stop as soon as possible, ideally immediately, including processing by third parties working for the main controller.

Here are specific features of withdrawable consent:

The right to withdraw consent is, arguably, one of the most important aspects of data protection. Consider a consent management platform to help manage withdrawal functionality accordingly. Many data privacy laws require companies to maintain proof of consent, which includes user actions over time, like accepting, changing, or later withdrawing it.
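As an added example (not code from Usercentrics, Cookiebot or the original post), here is a small consent-gating model in JavaScript that ties together the opt-in vs. opt-out defaults, granular categories, GPC opt-out signals and withdrawal described in the sections above. The category names, the cookie name `consent_prefs` and the validity period are assumptions made for illustration.

```javascript
// Added example (not Usercentrics/Cookiebot code): a small, runtime-agnostic
// consent-gating model for the opt-in/opt-out, granular and withdrawable
// consent behaviour described above. The category names, the cookie name
// "consent_prefs" and the validity period are assumptions for illustration.

// Granular categories; "necessary" can never be refused.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_COOKIE = "consent_prefs";
const DAY_MS = 86400 * 1000;

// Default state before the user has made any choice. Under an opt-in model
// (GDPR) nothing optional runs until accepted; under an opt-out model
// (CCPA/CPRA) optional categories run until the user opts out.
function defaultConsent(model) {
  if (model !== "opt-in" && model !== "opt-out") {
    throw new Error(`unknown consent model: ${model}`);
  }
  const state = {};
  for (const c of CATEGORIES) state[c] = c === "necessary" || model === "opt-out";
  return state;
}

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the effective consent for one request. Precedence:
//  1. a stored, unexpired consent record (the user's explicit choice);
//  2. otherwise a Global Privacy Control signal (Sec-GPC: 1), honoured as an
//     opt-out of statistics and marketing;
//  3. otherwise the model's default.
// "now" is epoch milliseconds; a record older than maxAgeDays is ignored so
// that fresh consent is requested once the previous one has expired.
function resolveConsent({ model, cookieHeader, gpcHeader, now, maxAgeDays }) {
  const base = defaultConsent(model);
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (raw) {
    let record = null;
    try { record = JSON.parse(raw); } catch (e) { record = null; }
    if (record && typeof record.ts === "number" && record.choices &&
        now - record.ts <= maxAgeDays * DAY_MS) {
      const state = { necessary: true };
      for (const c of CATEGORIES) {
        if (c !== "necessary") state[c] = record.choices[c] === true;
      }
      return { state, source: "stored" };
    }
  }
  if (gpcHeader === "1") {
    return { state: { ...base, statistics: false, marketing: false }, source: "gpc" };
  }
  return { state: base, source: "default" };
}

// Build the Set-Cookie header that records granular choices with a timestamp,
// so the record can serve as proof of consent and be expired on time.
function buildConsentCookie(choices, now, maxAgeDays) {
  const record = { ts: now, choices: {} };
  for (const c of CATEGORIES) {
    if (c !== "necessary") record.choices[c] = choices[c] === true;
  }
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Withdrawal: replace the record with one refusing every optional category and
// expire every cookie that belongs to a refused category. categoryOfCookie maps
// cookie names to categories (the cookie declaration's own data, assumed here).
function withdrawConsent(cookieHeader, categoryOfCookie, now, maxAgeDays) {
  const headers = [buildConsentCookie({}, now, maxAgeDays)];
  for (const name of Object.keys(parseCookieHeader(cookieHeader))) {
    const cat = categoryOfCookie[name];
    if (cat && cat !== "necessary") headers.push(`${name}=; Max-Age=0; Path=/`);
  }
  return headers;
}

// The gate a tag manager or script loader consults before loading anything.
function mayLoad(state, category) {
  return state[category] === true;
}
```

A stored choice always wins over the GPC header, so a user who explicitly accepted statistics on an opt-in site keeps that choice even with GPC enabled, while a user with no record is treated as opted out.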

Many of the world’s modern and comprehensive data privacy laws require opt-in consent, among other requirements. While all EU member states are covered by the GDPR, each country has additional consent requirements. The United States is the biggest market where opt-out consent is the norm; there is not yet a federal privacy law there, so data privacy is handled state by state.

Consent requirements under the GDPR

When the GDPR came into effect it set a global benchmark for consent requirements in privacy laws. But what, specifically, does the GDPR require around consent? Here are the key requirements.

Key requirements for consent

Consent requirements under the CCPA

The California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA), apply to for-profit organizations that conduct business in California and meet certain criteria.

The CCPA is generally less strict than the GDPR, especially with regards to consent requirements. Still, like the GDPR, failure to adhere to these criteria can result in serious penalties and damage to consumer trust and brand reputation. Here is a high-level checklist of its requirements.

Consent requirements under the LGPD

Another prominent data protection law is Brazil’s Lei Geral de Proteção de Dados (LGPD), which translates to General Data Protection Law in English. The LGPD was influenced heavily by the GDPR, and has actually expanded its coverage beyond the GDPR in some areas. Here are some of the core requirements for consent under the LGPD.

Navigating different types of consent can be overwhelming, especially if you conduct business globally, where customer expectations vary regionally and where technology and regulation frequently change.

Business requirements are also catching up to regulatory ones for consent. Due to Digital Markets Act (DMA) requirements on Google, for example, publishers and developers using Google AdSense, Ad Manager, or AdMob now require a Google-certified consent management platform integrated with the latest version of Google Consent Mode if they want to retain access to all features of Google services, like personalization and retargeting, across the EU/EEA and UK. Google has also expanded its EU user consent policy to include Switzerland.

To ensure that you’re conducting business in these regions while complying with legal and business requirements, choose a Google-certified consent management platform (CMP) like Usercentrics CMP.

From obtaining compliant consent and better engaging customers to staying up to date with evolving regulations, a CMP like Usercentrics’ simplifies the process and helps to ensure you can both achieve and maintain privacy compliance while getting the data your company needs, and building trust and engagement with customers.

Being a successful enterprise company today means understanding and adhering to global privacy regulations and business requirements to protect user data and respect privacy.

One critical digital component of privacy compliance is the cookie popup, which has become a familiar notification on websites and apps. These popups serve a dual purpose: they inform website and app users about data collection and request their permission to collect and use personal data.

As global privacy laws like the GDPR and CPRA tighten their grip and online consumers become more savvy, cookie popups have become indispensable tools for maintaining transparency, protecting revenue, and building trust with users.

We explore the importance of cookie popups, details of implementation, and best practices for great user experience, high consent rates, and achieving and maintaining privacy compliance.

A cookie popup, also known as a cookie banner or consent banner, is a notification that appears on a digital property to inform visitors and users about the use of cookies and other tracking technologies and to ask for their permission to use them to collect personal data.

A cookie popup appears on websites, apps, and other digital platforms where data is collected, and outlines the types of third-party cookies and other tracking technologies used on the site and what they’re used for. It also informs users about the data collected via cookies, parties that may access the data, and other factors, depending on relevant privacy regulation requirements.

Under European rules like the General Data Protection Regulation (GDPR) and ePrivacy Directive (also sometimes known as the “cookie law”), websites and apps must comply with more than just notification requirements. When collecting users’ personal data, digital property owners have certain obligations regarding users’ data privacy. For instance, they must securely store the data collected, including consent choices, and in many cases may not disclose or sell the data to third parties without prior consent from users.

[Image: desktop cookie banner]

Cookie popups are important for website owners, app publishers, and others with platforms that collect personal data. They’re also important to the consumers whose data is being requested. They let users know what technologies can collect their data and for what purposes, and they enable (ideally) granular consent options, which usually also need to be changeable or revocable over time to be privacy-compliant.

The main reason to implement a cookie popup is to comply with global privacy laws, such as the GDPR and the California Privacy Rights Act (CPRA). By using these popups, websites can demonstrate their compliance and commitment to user privacy, thereby building trust with visitors. This trust enhances user engagement, leading to higher-quality data, which in turn benefits marketing operations and boosts revenue.

Additionally, cookie popups give users control over their data. By enabling people to choose which cookies they feel comfortable accepting, website owners are improving the website browsing experience.

For businesses, cookie popups enable the collection of useful data for improving website performance and marketing strategies in a legally compliant way. This can also contribute to improving ecommerce and product development.

Cookie popups play a crucial role in compliance with data privacy laws across the globe. Many regulations, such as the GDPR, require websites to gather explicit consent from users before collecting, using, or sharing their data through cookies. Other laws, like those in the US, usually only require that users be able to opt out.

To comply with global data privacy laws, website owners and app publishers must follow a few key requirements of cookie popup use.

While cookie popups are not explicitly mandated by all privacy laws, they have become a common practice for demonstrating compliance and respecting user privacy. For instance, while the CPRA doesn’t specifically require cookie popups, many websites use them to comply with the law’s broader privacy protection requirements.

[Image: cookie popup]

International laws requiring cookie consent popups

Various countries have different regulations related to cookie consent popups.

It’s important to note that while these laws influence cookie consent practices globally, the specific requirements for cookie popups can vary by jurisdiction. Many websites implement cookie consent mechanisms to comply with these various regulations, especially if they have a global audience.

Typically, data privacy laws protect residents of the jurisdiction where they are active, e.g. the GDPR protects residents of the EU. Many laws are also extraterritorial, which means it doesn’t matter where companies are located if they process the data of residents of the region where the law is active. So a US-based company has to comply with the GDPR if it processes data of EU residents.

The list above covers the more well-known privacy regulations, but it is not exhaustive. To date, the majority of the world’s population is covered by one or more privacy regulations. It’s important for website owners and app publishers to be up to date on the jurisdictions and laws relevant to their business, and the compliance requirements. Companies should consult qualified legal counsel and/or a privacy expert.

When implementing a cookie consent popup on your website, it’s crucial to ensure compliance with privacy regulations and provide a good user experience. Use the following checklist to create an effective and compliant cookie consent mechanism:

  • Clear information: Explain which cookies you use, which kinds of data they collect, and why. Specify the types of cookies (e.g. necessary, functional, analytics, marketing). Mention if third-party cookies are used, and who sets them.
  • Give consent options: Provide equal consent options, like both “Accept” and “Reject” buttons, for overall consent to cookie use and ideally options for granular consent to some cookies. Do not use manipulative tactics like prechecking boxes or only showing an “Accept All” option.
  • Active consent collection: Require users to take a clear affirmative action that’s recorded, e.g. clicking a button. Do not use scrolling or continued browsing as consent, which is prohibited under many laws.
  • Enable easy consent withdrawal: Provide a method for users to easily change their preferences or withdraw consent. Include a persistent “cookie widget” or callback button to make it easy to access.
  • Timely consent collection: Obtain consent before setting any non-essential cookies in jurisdictions where this is required. Best practice would be to block cookies automatically until consent is obtained.
  • Consent storage: Securely store user consents for as long as needed for privacy compliance and other legal requirements. Be ready to provide information in the event of data protection authorities’ inquiry or data subject access request.
  • Provide users with more information: Include a link to your full cookie policy or privacy policy that is prominent on any website page or app screen. Ensure it’s kept up to date.
  • Visibility and accessibility: Ensure the popup is prominently displayed and easily noticeable. Make it accessible on all devices (desktop and mobile) but also well branded and user-friendly to use. Don’t use it to block user access to websites or apps unless they give consent.
  • Language and readability: Use clear, understandable language without technical or legal jargon. Provide the banner in all languages your website supports, ideally with automatic geotargeting.
  • Respect user choices: Implement technical measures to honor user preferences. Block non-essential cookies until consent is given. If users decline consent, don’t ask again before the legally allowed period of time, e.g. 12 months, depending on the law. If your data processing purposes change, however, you may be legally required to obtain new consent.

By following this checklist, you can create a compliant cookie consent popup that respects user privacy and provides a good user experience.


There are multiple ways to install a cookie popup on your website.

The first is to use a consent management platform (CMP), such as Usercentrics CMP or Cookiebot CMP, that enables you to create a customizable and compliant cookie banner in minutes.

These CMPs will scan your website so you know which cookies and tracking technologies are collecting data, and create a cookie declaration that you can use alongside a privacy policy. The CMPs also record and securely store consent records, with a log of the cookie consent you receive from website visitors over time.

If you have a WordPress website, WordPress offers a range of cookie popup plugins, like the Cookiebot™ WordPress Plugin, that enable website owners to add a privacy-compliant cookie popup without compromising user experience. We’ve compiled a resource that enables you to compare the 10 Best WordPress cookie consent plugins.

Another option is to manually code a cookie banner for your website. Add a short explanation of the purpose of cookies, a clear statement on which action will signify consent and a link to your cookie policy. However, under EU law, if your website uses any non-exempt cookies or scripts, these scripts must be prevented from running until a website visitor explicitly grants consent.

A “DIY” approach to a cookie popup is not recommended for small businesses, due to the amount of work to build and maintain it, the expense of accessing qualified legal consultation to enable compliance, and the regulatory risks of mistakes or missing crucial components.


Cookie popups are no longer just a formality, they are a necessity. If your cookie consent popup does not comply with relevant regulations, you could face hefty fines, operational disruptions, loss of customer trust and brand reputation, and a long-term hit to revenue.

For example:

Fines can be imposed for various reasons, such as not obtaining proper consent, not providing clear information about data collection and use, or not giving users a genuine choice to accept or reject cookies. Fines are generally more severe for repeat offenses or willful violations.

A consent management platform (CMP) provides tools to help you achieve and maintain compliance with data privacy laws such as the GDPR, the ePrivacy Directive, and CPRA.

For example, Usercentrics CMP and Cookiebot CMP automatically scan your website to find, categorize, and list all cookies and trackers in use, including third-party ones. It helps you create personalized consent banners with relevant jurisdictional information to inform visitors and request their permission to use cookies.

Usercentrics and Cookiebot CMPs are also Google-certified, integrating seamlessly with Google Consent Mode and Google Tag Manager, enabling compliance with Google’s privacy requirements and maintenance of your marketing activities, including personalization and retargeting, in the EU, UK, and Switzerland.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Cookies play a crucial role in enhancing online experiences, making websites more functional and personalized, and enabling digital marketing. The shopping cart that stores your customers’ items while they continue to browse? That’s made possible via cookies, for just one example.

Cookies have also evolved into sophisticated tools for tracking user behavior, and empower businesses with valuable insights to boost engagement and optimize marketing activity, amongst other things. However, with this increased functionality comes consumer privacy concerns and regulatory requirements.

Companies that do business in the EU and collect personal data from EU residents in the process must comply with the General Data Protection Regulation (GDPR), which requires clear, unambiguous, and freely given user consent before collecting or processing personal data. It also requires transparency about cookie usage, and a defensible legal basis for data collection, among other stipulations.

Businesses must also keep up with evolving standards from industry leaders like Google (Alphabet), which, along with other designated “gatekeepers,” has to comply with the Digital Markets Act (DMA) — and as a result has levied data privacy requirements on its customers.

The DMA mandates that the gatekeepers meet certain requirements designed to encourage fair competition in digital markets and uphold the privacy rights of users. This adds another piece to the privacy compliance puzzle.

To navigate this landscape and continue to grow digital marketing operations, you’ll need to blend robust privacy practices with consent management software. By finding innovative ways to leverage cookie technology while complying with data privacy regulations, you can enhance the user experience, build trust, and protect advertising revenue.

While cookies play a pivotal role in enhancing user experience and delivering personalized content online, they can also raise significant privacy concerns, particularly the use of third-party cookies, which track users across websites.

The personal data collected can, in some cases, be used to identify individuals, and some of it can be quite sensitive, including financial details.

These concerns are addressed by the GDPR and the ePrivacy Directive (ePD), which mandate measures to ensure that an individual’s personal data is handled securely, with consent, and that the end user is provided with clear information about data handling, their rights, and consent options.

Let’s break down how these regulations impact cookie use and what businesses need to know to stay compliant.

How cookies are affected by the GDPR and the ePrivacy Directive

The GDPR and the ePrivacy Directive govern the usage of cookies. The GDPR outlines the conditions for explicit user consent and a valid legal basis for processing personal data, while the ePrivacy Directive focuses on the privacy implications of electronic communications.

What the GDPR says about cookie use

What the ePrivacy Directive says about cookie use

Key requirements of the GDPR and the ePrivacy Directive include:

These regulations apply to the various kinds of cookies and to similar technologies that store or access information on a user’s device, such as:

Businesses must conduct regular audits to identify and manage all such technologies used on their sites as they change over time, to ensure ongoing compliance with both the GDPR and the ePrivacy Directive.

A high-performance consent management platform will include a cookie scanner that scans sites regularly to detect and manage the cookies and trackers in use, including hidden third-party ones that may change frequently.

GDPR cookies compliance myths

Cookie compliance misinformation can result in either overly cautious practices that hinder user experience or access to needed data, or insufficient preparation that risks noncompliance and potential penalties.

Debunking these myths will help to ensure your approach to cookie management is both effective and primed for GDPR compliance.

“My website doesn’t collect personal data.”

Many website owners assume that their site doesn’t collect personal data, especially if they’re only tracking website performance or functionality. Under the GDPR, however, the definition of personal data is broader than many realize.

Even cookies used for advertising or analytics often collect information that can, directly or indirectly, identify an individual. This includes IP addresses or unique identifiers within cookies.

In reality, nearly all cookies capture some form of personal data, bringing such practices under scrutiny from overseeing authorities.

“Cookies are not personal data, which is why the GDPR does not apply.”

While cookies themselves are not personal data, the data they collect can be. According to Recital 30 GDPR, identification is possible via online identifiers such as IP addresses or cookie identifiers. Whether the GDPR applies therefore depends on the kind of cookie in place as well as the data being collected.

It’s also wrong to assume that cookies are only regulated under the ePrivacy Regulation, which is expected to be in full effect by 2026.

While intended to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009, the forthcoming ePrivacy Regulation covers the processing of all electronic communications data, regardless of identifiable personal data. Read more about the ePrivacy Regulation below.

“I don’t need a cookie banner.”

Cookies collect personal data irrespective of the intended use, so you are required to inform users about the collection and processing of their personal data. Provided information must include: what data is collected, how it’s processed, for what purpose, and on what legal basis.

Furthermore, the website operator must communicate how long the data is kept, who will have access to it, how they can contact the controller (the entity collecting personal data, like a website owner), and where they can revoke their consent.

“Telling users the site uses cookies is enough for compliance.”

Simply informing users that your site uses cookies is not sufficient for GDPR compliance, just like only presenting an “Accept” button for consent is not sufficient. The regulation demands a higher standard of transparency and user control.

Websites must provide clear, specific information about the types of cookies being used, the data they intend to collect, the purpose for processing, and who has access to this data.

Additionally, consent must be explicit and informed. This means users should be given the choice to accept or reject non-essential cookies without impacting their access to the website and its features.

Providing comprehensive cookie notices is crucial to ensure that users are fully aware of their choices and have meaningful control over their personal data.

A cookie notice can be a separate page on the website, but it’s commonly a section in the broader privacy policy. Regardless, like the privacy policy, it must be easy to access and understand for the average visitor.

“If I have a cookie banner in place, I’m safe.”

Having a cookie banner doesn’t mean you are automatically GDPR-compliant. The GDPR defines seven criteria that consent collection must meet to be valid under the regulation.

This means that the website operator must obtain the user’s consent via its cookie banner per these criteria.

Moreover, compliance with other global privacy laws does not guarantee GDPR compliance. The GDPR has stringent and specific consent requirements that differ significantly from other jurisdictions.

For example, the GDPR uses an opt-in model for consent while US regulations such as the CCPA use an opt-out model.

“The ePrivacy Regulation will not affect the use of cookies.”

The ePrivacy Regulation contains additional provisions for the use of cookies. While essential cookies used for the technical operation of a website do not require the user’s consent, those used for tracking or advertising purposes require explicit, active, and voluntary user consent.

It is also not compliant to try and categorize marketing cookies as essential, for example, in order to skirt consent requirements.

The ePrivacy Regulation is intended to counteract and eliminate cookie walls. Accordingly, all of the website must be accessible, even if the user has not consented to the use of cookies.

As you can see, these myths and assumptions can lead to confusion and compliance risks for website operators.

The following points should be noted to use cookies in a GDPR-compliant manner.

Duty to provide information

Cookie banners (aka consent banners) should include all necessary information, including how cookies are used on each web page.

[Image: consent banner with granular user Privacy Settings options and Data Processing Services information]

Furthermore, as per Art. 21 GDPR, visitors should know if their data is used to create profiles and if their data may be transferred to third parties in countries outside of the EU. This is needed if the cookie technology providers are based in the US, for example.

Active consent

The cookie banner must ensure that the user can give their informed consent in advance, voluntarily, explicitly, and granularly for each web technology or category of technologies (or bundled for individual use areas).

There must also be a straightforward and simple way for users to object to the processing of their personal data, or to withdraw their consent.

Loading cookies

Under the GDPR, you may not use cookies to process or collect any data without a legal basis. Plus, cookies may not load until consent has been granted, meaning there must be a technical link between the cookie banner and your web technology. If the user refuses processing, cookies cannot be loaded.

Usercentrics CMP enables you to control cookies and block them until consent has been obtained. With the Google Consent Mode integration, it also signals consent information to Google services, controlling their function and data collection based on consent status.

Legally compliant documentation

In the event of a review by data protection authorities, the website operator must comply with its documentation obligation and be able to demonstrate their users’ consent.

To ensure all data is available in the event of an audit, various data points should be documented, including timestamps, user agents, and the version of the consent text.

The condition under which consent was given is also important — how large the “Accept” button was compared to the “Reject” button, whether the choice was voluntary, could the user use the site unhindered even when rejecting cookies, etc.

Most data privacy laws also include the right for consumers to know if website operators are collecting data about them, and to access a copy of that data, of which consent data is a part. This is another reason robust and secure documentation is important.

Opt-out

According to the GDPR, the process to opt out must be as straightforward as opting in. This ensures that users can easily decline the use of cookies initially, and similarly, can just as easily change their preferences or withdraw consent at any time.

[Image: consent banner with data processing information, consent buttons, and informational links]

It’s not sufficient to direct users to external links or third-party pages to opt out. From the moment a user opts out, no further data should be collected or forwarded to any third parties. Any processing taking place on the controller’s behalf by third parties must also cease right away.

Therefore, the opt-out mechanism must be technically integrated with the cookie settings on your site and documented for compliance and transparency. This approach helps meet legal requirements and builds trust by respecting user choices at every step.
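The implementation checklist earlier on this page and the “Loading cookies”, “Legally compliant documentation” and “Opt-out” points above all describe the same technical requirement: nothing non-essential runs or sets cookies before an affirmative choice, the choice is recorded with enough context (timestamp, user agent, consent text version) to demonstrate it later, and withdrawal stops further collection and clears what was set. The following JavaScript is an added example of that gating logic, written for this article; it is not code from Usercentrics CMP or any other product. The script registry, cookie names, consent text version and the 12-month re-prompt interval are constructed assumptions, and the adapters (loadScript, clearCookie, now, userAgent) are injected so the same logic runs unchanged in a browser or under Node.

```javascript
// Added example: consent-gated script loading with an auditable consent record.
// All script URLs, cookie names, versions and intervals below are constructed
// assumptions, not values taken from any product or regulation.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Version of the banner text the user saw. Bump it whenever processing purposes
// change, which forces a fresh prompt (assumed convention).
const CONSENT_TEXT_VERSION = "2024-06-v3";
// Do not re-prompt a user who declined before this interval passes (12 months assumed).
const RECONSENT_AFTER_MS = 365 * 24 * 60 * 60 * 1000;

// Constructed registry: each third-party script, its consent category, and the
// cookies it is known to set (what a CMP's scanner would produce).
const SAMPLE_REGISTRY = [
  { src: "https://analytics.example/tag.js", category: "analytics", cookies: ["_an_id", "_an_sess"] },
  { src: "https://ads.example/pixel.js", category: "marketing", cookies: ["_ad_uid"] },
];

function createConsentManager(adapters, registry) {
  const { now, userAgent, loadScript, clearCookie } = adapters;
  let record = null;        // stored consent record; null means the user was never asked
  const loaded = new Set(); // scripts already injected; a loaded script cannot be unloaded

  // Record an affirmative action (a button click) and apply it. Scrolling or
  // continued browsing must never call this; only an explicit choice does.
  function decide(choices, action) {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" ? true : choices[c] === true; // unset = denied
    }
    record = {
      granted,
      action,                        // "accept_all" | "reject_all" | "custom" | "withdraw"
      timestamp: now(),              // when the choice was made
      userAgent: userAgent(),        // context for the audit trail
      version: CONSENT_TEXT_VERSION, // which consent text the choice refers to
    };
    apply();
    return record;
  }

  // Load only what is consented to; delete the cookies of everything that is not.
  // Scripts loaded under an earlier, broader consent keep running until the page
  // is reloaded, so callers should reload after a withdrawal.
  function apply() {
    for (const entry of registry) {
      if (record.granted[entry.category]) {
        if (!loaded.has(entry.src)) {
          loadScript(entry.src);
          loaded.add(entry.src);
        }
      } else {
        entry.cookies.forEach(clearCookie);
      }
    }
  }

  // Withdrawal is as easy as opting in: one call, no external page.
  function withdraw() {
    return decide({}, "withdraw");
  }

  // The banner must be shown if the user was never asked, the consent text
  // changed, or the stored choice is older than the allowed re-prompt interval.
  function shouldPrompt() {
    if (record === null) return true;
    if (record.version !== CONSENT_TEXT_VERSION) return true;
    return now() - record.timestamp > RECONSENT_AFTER_MS;
  }

  // Gate for inline code: before any choice, only "necessary" processing is allowed.
  function isAllowed(category) {
    if (record === null) return category === "necessary";
    return record.granted[category] === true;
  }

  return { decide, withdraw, shouldPrompt, isAllowed, getRecord: () => record };
}

// Browser adapters (only referenced when a DOM is present).
function browserAdapters() {
  return {
    now: () => Date.now(),
    userAgent: () => navigator.userAgent,
    loadScript: (src) => {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
    // Expires a cookie on the current host. Cookies set by a third-party domain
    // cannot be deleted from here, which is why they must be blocked up front.
    clearCookie: (name) => {
      document.cookie = name + "=; Max-Age=0; path=/";
    },
  };
}

// Recording adapters for Node dry runs: capture what would have happened.
function recordingAdapters(startMs) {
  const calls = { loaded: [], cleared: [] };
  let clock = startMs;
  return {
    calls,
    advance: (ms) => { clock += ms; },
    now: () => clock,
    userAgent: () => "constructed-ua/1.0",
    loadScript: (src) => calls.loaded.push(src),
    clearCookie: (name) => calls.cleared.push(name),
  };
}
```

In a page, `createConsentManager(browserAdapters(), SAMPLE_REGISTRY)` is created before any third-party tag is inserted, the banner buttons call `decide(...)` with the user’s selection, and the persistent cookie widget calls `withdraw()` followed by a reload. The returned record is what gets persisted server-side for the documentation obligation described above.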

Ensuring GDPR cookie compliance involves following a series of regulatory requirements and data protection best practices that also help build user trust and form the foundation of privacy-led marketing.

  1. Have a cookie policy: Clearly outline what cookies are used, their purpose, and how data is managed in a cookie policy. This policy should be easily accessible on your website, either as an independent document or as part of the privacy policy.
  2. Implement cookie consent banners: Present contextually relevant consent banners. For example, when a user first visits your site, provide them with immediate, clear options to accept or reject non-essential cookies. Ideally use geotargeting to determine which regulations are relevant to the user, with multi-language support to present consent information in the visitor’s preferred language.
  3. Obtain granular consent: Enable users to give separate consent for different types of cookies (e.g., analytics, advertising). This helps ensure that consent is specific and informed.
  4. Monitor tracking technologies: Continuously review and update the cookies and tracking technologies present on your site to ensure they comply with the latest legal standards and technical requirements. A robust scanner built into your CMP can automate this to save time and resources.
  5. Optimize consent mechanisms: Ensure that consent mechanisms are intuitive and enable users to withdraw consent as easily as they gave it. This can be streamlined using a consent management platform like Usercentrics.

Google has specific requirements of its own, especially concerning how advertisers use cookies and data.

With Google Consent Mode, you can adjust how your Google tags behave based on the consent status of your users. This ensures that you continue gathering valuable data while still complying with the GDPR by respecting user preferences about cookies and data tracking.
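To make the behaviour described above concrete, here is an added example (written for this article, not Usercentrics’ or Google’s own code) of how a site maps its consent categories onto Google Consent Mode signals: a “default” state with everything but security storage denied, sent before any Google tag fires, followed by an “update” after each user choice. The `gtag()` queue is the standard Google tag bootstrap; the category names, the mapping of categories to storage types, and the 500 ms wait value are assumptions for this illustration.

```javascript
// Added example: translating site consent categories into Google Consent Mode
// "default" and "update" calls. The category-to-signal mapping and wait value are
// constructed assumptions; the gtag()/dataLayer bootstrap is the standard pattern.

const dataLayer = typeof window !== "undefined"
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); } // standard Google tag bootstrap

// Consent Mode storage types and the site category each depends on (assumed mapping).
const SIGNAL_FOR_CATEGORY = {
  analytics_storage: "analytics",
  ad_storage: "marketing",
  ad_user_data: "marketing",
  ad_personalization: "marketing",
  functionality_storage: "functional",
  personalization_storage: "functional",
  security_storage: "necessary",
};

// Build the signal object from a {category: boolean} map; "necessary" is always on,
// and anything not explicitly granted is reported as "denied".
function toConsentSignals(granted) {
  const g = Object.assign({ necessary: true }, granted);
  const signals = {};
  for (const [signal, category] of Object.entries(SIGNAL_FOR_CATEGORY)) {
    signals[signal] = g[category] === true ? "granted" : "denied";
  }
  return signals;
}

// Must run before any Google tag is loaded: deny everything except security storage
// and let tags wait up to 500 ms for the banner's first update.
function setDefaultConsent() {
  const signals = toConsentSignals({});
  gtag("consent", "default", Object.assign({ wait_for_update: 500 }, signals));
  return signals;
}

// Call on every choice (accept, custom selection, withdrawal) so tags re-evaluate
// immediately without a page reload.
function updateConsent(granted) {
  const signals = toConsentSignals(granted);
  gtag("consent", "update", signals);
  return signals;
}

// Inspect the most recent consent command pushed to the dataLayer (for checks/debugging).
function lastConsentCommand() {
  const args = Array.from(dataLayer[dataLayer.length - 1]);
  return { command: args[0], action: args[1], params: args[2] };
}
```

The order matters: `setDefaultConsent()` has to execute in the page head before the Google tag snippet, otherwise tags fire with no consent state, and `updateConsent()` is wired to the same buttons and withdrawal widget that write the site’s own consent record.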

Usercentrics is a Google-certified CMP that integrates with the latest version of Google Consent Mode. Plus, with its library of over 2,200 legal templates and comprehensive Data Processing Services (DPS) Scanner, Usercentrics enables you to obtain, document, and signal granular cookie consent.

Managing cookies under the GDPR with Usercentrics

There’s a lot to consider when it comes to cookie compliance under the GDPR, but consent management tools like Usercentrics CMP simplify the process of collecting, managing, and signaling valid consent significantly.

Usercentrics provides a comprehensive solution for collecting, processing, and securely storing granular cookie consent, managing cookie banners, and documenting user consent as required by the GDPR. Speak to a Usercentrics expert today.