As privacy laws become stricter, achieving and maintaining compliance with the major data privacy regulations, like the General Data Protection Regulation (GDPR), and large tech platforms’ requirements resulting from the Digital Markets Act (DMA), is essential for marketers who want to gain in-depth insights, deliver personalized experiences, and win their customers’ trust.
To help you choose cookie tracking software that will meet your data privacy needs in 2025 and beyond, we’ve curated a list of tools that can deepen your understanding of user behavior while simultaneously navigating the complexities of major data privacy laws.
Our picks of the top cookie tracking software:
Cookie tracking software platforms
Software | Key feature | Recommended for | Price* |
---|---|---|---|
Usercentrics | Granular preference management: Provide users with the option to accept or reject a range of different cookies on one notice with just a few clicks. | Businesses of any size: SMB to enterprise | From USD 60/month
30-day free trial available |
Cookie Information | Daily and weekly scans: Get regular updates about all the cookies on your website. | Medium-sized businesses | From EUR 15/month
30-day free trial available |
CookieFirst | Re-consent: Increase opt-in rates by setting goals for returning visitors. | Solopreneurs managing a single domain | From EUR 9/month
Free tier available 2-week free trial |
CookieYes | WordPress plugin: Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin. | Small businesses | From EUR 10/month
Free tier available Free 14-day trial |
Axeptio | Conversational UI: Incorporate friendly characters into cookie banners to create empathy and goodwill with users. | Businesses needing a low-code solution | From USD 29/month
Free tier available |
Complianz | Easy wizard: Get step by step guidance when setting Complianz up on your website. | Businesses using WordPress | From USD 59/month
30-day money-back guarantee |
Termly | Cookie Policy Generator: Generate one free cookie policy for your website. | SMBs looking for a budget solution | From USD 10/month
Free tier available |
*As of July 2024
Why should you keep track of cookies?
Tracking cookies enable you to collect data about users — including visitor demographics, preferences, and behavior patterns — so that you can tailor your website content to enhance the user experience and increase engagement.
Read about tracking cookies now
It’s not all about improving performance, though. First- and third-party cookies are a cornerstone of online advertising. However, as a data controller — the party responsible for the collection and processing of personal data — you must get explicit and prior consent from data subjects (visitors whose personal data is being collected by cookies) before loading any tracking cookies. This is a requirement for most of the major data privacy regulations.
Failing to meet the requirements of these laws can lead to hefty fines, damage your business’s reputation, and potentially limit future opportunities for growth.
This is where cookie consent management software comes in. These tools make it easy to tell your website and app visitors what types of tracking software are present on your website, to offer them clear and granular options for cookie consent, and finally, to keep a detailed record of their consent, as required by regulations such as the GDPR.
8 of the best cookie tracking software platforms
We assessed eight of the top cookie tracking software platforms on the market. We scoured user reviews and considered their key features for managing cookie consent, options for customization, and breadth of integrations and supported languages, etc.
1. Usercentrics

An all-in-one consent management platform (CMP), Usercentrics helps businesses manage cookies and GDPR compliance. Trusted by more than 2.2 million websites and apps in 195 countries, the platform is a market leader in solutions for data privacy and privacy-led marketing.
Usercentrics’ cookie detection, categorization, and autoblocking functionality helps enable GDPR cookie consent as well as adherence to other major privacy regulations like the Digital Markets Act (DMA) requirements handed down by designated “gatekeeper” companies, and California Consumer Privacy Act (CCPA).
Usercentrics CMP also comes with the latest version of Google Consent Mode and the IAB TCF 2.2 integrated, helping meet Google’s latest requirements for publishers and advertisers.
Key features
- Cross-domain and cross-device consent: Signal user consent across your websites and apps to improve the user experience, all from one place.
- Granular consent management: Give users the option to accept or reject a range of different cookies on one notice with just a few clicks.
- Robust analytics and reporting: Get in-depth insights about user behavior and banner interactions to drive informed decision-making to optimize opt-in rates.
- Full UI customization: Tailor the look and feel of your cookie banners and other privacy notices to match your brand identity.
- Geolocation: Serve users cookie notices with the appropriate language and regulation-specific features based on the country or region from which they’re visiting your site.
Usercentrics pricing
Usercentrics offers a free 30-day trial, after which users can sign up for one of the following paid plans.
- Starter: USD 60/month for up to 50,000 sessions
- Advanced: USD 175–1,150/month for 50,000+ sessions
- Premium: Custom pricing
Consent records stored on EU-based servers | Analytics data only available for 90 days |
Automatically blocks third-party cookies | |
A/B testing |

Read about shopify cookie banner now
2. Cookie Information

Cookie Information has a stated mission to help businesses collect valid consents to comply with privacy laws and build trust with their customers. The platform offers consent management for both websites and mobile apps but doesn’t offer A/B testing.
Key features
- Daily and weekly scans: Get regular updates about all the cookies present on your website.
- Free trial: Try Cookie Information for free on your website or app for 30 days.
- Customer Data Platform: Create customer profiles and segment them into audiences to personalize your client journey.
Pricing
- Essential: From EUR 15/month, per domain
- Professional: From EUR 45/month, per domain
Plugin for WordPress available | No A/B testing |
Detailed consent rate insights | |
Google Certified CMP partner |
3. CookieFirst

CookieFirst advertises a quick and easy signup to get users on their way to achieving GDPR compliance in minutes. Then the tool will scan your site for first- and third-party cookies, after which you can set up your settings and customize your cookie banner with just a few clicks. There is a free version, but you’ll only get a cookie banner in one language along with a one-off cookie scan.
Key features
- Re-consent: Increase opt-in rates by setting goals for returning visitors.
- Consent Audit Trail: Store user consents in an anonymous, encrypted database, including details of any changes in consent permissions.
- Cookie Policy: Create and edit an auto-generated cookie policy.
Read about cookie policy now
Pricing
- Free: EUR 0
- Basic: EUR 9/month or EUR 99/year
- Plus: EUR 19/month or EUR 209/year
- Enterprise: Custom pricing
Free tier available | No app consent solution |
Google Consent Mode and Google Tag Manager integrations | |
44+ languages supported |
4. CookieScript

CookieScript is a self-hosted CMP with geotargeting that works across 250 countries and 50 US states. While the platform does store all consent records on servers in the EU, users will need to sign up for its Plus tier for access to all of its GDPR features, such as record-keeping for user consents and IAB TCF 2.2 integration.
Key features
- Cookie banner sharing: Invite additional users — like clients — to view banner information, statistics, and consents.
- Integrations: Compatible with Google Tag Manager, WordPress, Wix, Shopify, and other popular platforms.
- Cookie scanner: Scan your site for cookies and access an in-depth cookie declaration report, complete with categorized cookies.
Read about wix cookie banner now
Pricing
CookieScript’s pricing is determined by the number of domains that the CMP is added to. Subscriptions are priced per month, but you’ll be locked into a year-long contract.
Pricing for one to two domains is as follows:
- Free: EUR 0/month
- Lite: EUR 8/month
- Standard: EUR 15/month
- Plus: EUR 19/month
All data stored on EU servers | All GDPR tools only available on the most expensive plan |
Ability to manage multiple websites from one dashboard | |
Transparent, per-domain pricing |
5. CookieYes

CookieYes states that the company is trusted by more than 1.5 million businesses worldwide. After starting out as a WordPress plugin, their product has since become a fully fledged cookie consent solution. Despite its range of features, essentials like Global Privacy Control and geotargeting are only available on its two most expensive plans.
Key features
- WordPress plugin: Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin.
- Auto translation: Display banners in one of 30+ languages based on users’ default browser language.
- Cookie auto-blocking: Support users’ Do Not Track (DNT) browser settings even if they provide consent.
Pricing
CookieYes offers a 14-day free trial, after which users can sign up for a month-to-month or annual subscription. Plan prices are for a single domain:
- Free: USD 0
- Basic: USD 10/month or USD 100/year
- Pro: USD 20/month or USD 200/year
- Ultimate: USD 40/month or USD 400/year
Available as a plugin for all major CMS | All plans limit page scans |
Multilingual banner, in 30+ languages | |
Customer support is responsive (G2 users report) |
6. Axeptio

Axeptio brings some levity to cookie consent management branding itself as fun and approachable, with fresh UX. The platform is designed to be a low-code consent management suite, making it perfect for teams with limited tech expertise or resources.
Key features
- Conversational UI: Incorporate friendly characters into cookie banners to create empathy and goodwill with users.
- Native Mobile SDKs: Build cookie banners for Android and iOS apps with ease.
- Shake: Scan third-party vendors on your website to understand whether your banners meet data privacy requirements.
Pricing
- Free: USD 0/month
- Small: USD 29/month or USD 313/year
- Medium: USD 69/month or USD 745/year
- Large: USD 129/month or USD 1,393/year
- Enterprise: Custom pricing
- Agency: Custom pricing
Single widget to manage all consents | Cookie management only available in the Enterprise and Agency plans |
Supports 25 languages | |
Live training and webinars |
7. Complianz

Complianz is a native privacy suite for WordPress websites. Thanks to a setup wizard, it’s easy to set up. It also includes over 250 service and plugin integrations. While it does come with a cookie scanner, Complianz users have reported that it isn’t always accurate and doesn’t recognize third-party cookies.
Key features
- Easy wizard: Get step by step guidance when setting Complianz up on your WordPress website.
- Script Center: Add necessary documents to your website without the need for coding.
- Privacy statements for children: Request parental consent for the collection of data from website or app visitors under the age of 13.
Pricing
Complianz plans are priced per year.
- Personal: USD 59 for 1 website
- Professional: USD 150 for 5 websites
- Agency: USD 359 for 25 websites
Includes setup wizard | Self-hosted only |
30-day money back guarantee | |
WCAG and ADA compliant |
8. Termly

Designed with small businesses in mind, Termly is an out of the box compliance solution that aims to help users stay up to date with major data privacy laws in more than 25 regions. The platform’s pricing is competitive, but it lacks some features and functions that larger businesses would need for it to be useful.
Key features
- Do Not Sell or Share Links: Add links to your cookie banner to give users complete control over their personal data.
- Automatic Consent Logs: Collect and store user consent in a centralized log that can be accessed via the dashboard.
- Cookie Policy Generator: Generate one free cookie policy for your website.
Pricing
- Free: USD 0 for 1 user and 10,000 banner views
- Starter: USD 10/month, billed annually for 5 users and 100,000 banner views
- Pro: USD 15/month, billed annually for unlimited users and banner views
- Agency: Custom pricing and configuration
Supports IAB TCF 2.2 and Google Consent Mode | Only one domain included in the license |
Automatic policy generation | |
Supports compliance with data privacy laws in 25+ regions |
Must-have features for cookie tracking software
Choosing the right cookie tracking software is essential for staying compliant and building trust with your users. Here are the must-have features to look for:
- Compliance with global data privacy regulations: Meets all of the requirements on the GDPR cookie checklist as well as those for major regulations such as the ePrivacy Directive, CCPA, and other laws.
- Promotes transparency and active, informed consent: Enhances transparency and active user consent, by enabling users to easily opt in or out, or withdraw their consent.
- Provides more control for users: Empowers users with options to manage their cookie preferences at a granular level.
- Google certified: Ensures compatibility and reliable consent signaling with Google Consent Mode v2.
- Cookie scanning: Identifies and catalogs all tracking cookies, including third-party cookies, and informs users about any third-party tracking taking place.
Find the best cookie software for tracking
The right cookie tracking software can help you to achieve compliance with the major data privacy laws without affecting the quantity or quality of insights you’re able to gain from tracking user behavior.
Usercentrics helps you ensure quality marketing insights and maintain personalization — while respecting user privacy and building trust.
The Usercentrics CMP is compatible with all your favorite marketing tools, enabling you to offer users a personalized experience on every platform and achieve privacy compliance with the GDPR, ePrivacy Directive, and Google’s EU user consent policy.
Read about wordpress cookie consent now
The information presented in this article is provided for educational purposes only. Engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations when evaluating solutions is always recommended. This information is accurate based on these publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.
When it comes to online privacy compliance, understanding the nuances between opt-in and opt-out consent is crucial for businesses and website owners. These concepts form the backbone of how personal information is collected, used, and shared online.
Different global privacy laws dictate the specific consent model to be used, impacting how website owners engage with their users. Some international companies may have to navigate both models, depending on where their customers are located and relevant regulations.
That’s why it’s vital to understand the differences between opt-in and opt-out consent, the regulatory requirements surrounding them, users’ rights, and best practices for implementing these models effectively.
Opt-out vs opt-in — what’s the difference?
Opt-in and opt-out are both ways of managing people’s consent for collecting, using, and disclosing their personal information online. However, they differ in how they work and the process they take to do so.

To know when a website owner should implement opt-in or opt-out measures, it’s important to understand the difference between the concepts and what each option seeks to accomplish.
What is opt-in?
Opt-in consent requires website visitors to actively and explicitly agree to the collection, use, or sharing of their personal data. Opt-in means website owners must ask for someone’s consent or permission before or at the time when personal data would be collected, like when a visitor arrives on a website.
Example of opt-in consent

Website owners may use this method to seek user consent for storing cookies, subscribing to marketing emails, or for other activities that collect users’ personal data.
For example, when creating an account on Amazon, users will need to fill in a form, provide their name, email address, and create a password. Below this is a section dedicated to communication preferences, and there’s an unchecked box with the following text:
“Yes, I want to receive personalized product recommendations and exclusive deals from Amazon. By checking this box, I agree to receive marketing emails. I understand I can unsubscribe at any time by clicking the link in the email or adjusting my account settings.”
To agree to this, users need to take action and check the box. It is not pre-checked.
By presenting this opt-in choice, Amazon ensures that customers who receive marketing communications have actively consented to do so, aligning with data protection regulations and respecting user preferences.
A common sight for consumers online in the European Union — and increasingly around the world — is consent banners that pop up when people arrive on websites for the first time (or after a long period when previous consent choices may have expired). These banners request consent for the use of cookies that collect personal data, which can include contact, financial, and order information for ecommerce transactions, or tracking of user behavior to improve website performance or marketing initiatives. This is also the opt-in model of consent in action.
Which global privacy laws require opt-in consent?
Several global privacy laws and frameworks mandate that website owners use an opt-in consent model. These include:
- General Data Protection Regulation (GDPR)
- ePrivacy Directive (also known as the “Cookie Law”)
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
- South Africa’s Protection of Personal Information Act (POPIA)
- China’s Personal Information Protection Law (PIPL)
It’s important to note that while these laws generally require opt-in consent, the specific requirements and circumstances under which opt-in consent is necessary may vary. Some laws may have exceptions or different standards for certain types of data processing. Additionally, the implementation and enforcement of these laws can differ across jurisdictions.
The list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation. Generally, the opt-in consent model is the most common globally.
What is opt-out?
The opt-out consent model requires website owners to share that they collect personal data, how it is used, and other information, but they do not have to get explicit user consent before collecting or processing the data.
Individuals have the option to take specific action to refuse or withdraw consent at any time, however, for functions like the sale or sharing of their data, or its use for profiling or targeted advertising, depending on jurisdiction. Individuals are responsible for actively opting out if they wish to protect their data.
A common exception to this is when the personal data in question has been categorized as “sensitive”. This is data that can be extra harmful if misused and can include information like healthcare history, sexual orientation, financial information, religious beliefs, and more. The data of known children is also commonly categorized as sensitive by default. For sensitive data, prior consent (opt-in) is typically needed, from the parent or guardian in the case of children.
Example of opt-out consent
The California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA), provides a clear example of an opt-out consent model.

Imagine a popular ecommerce website that operates in California. Under the CPRA, this website can collect and use customer data for various purposes, including targeted advertising and sharing with third-party partners, without obtaining explicit consent upfront. However, the law requires the website to provide consumers with a straightforward way to opt out of these practices.
To comply, the ecommerce site must prominently display a “Do Not Sell or Share My Personal Information” link on its homepage and in its privacy policy. When a customer clicks this link, they are directed to a page where they can exercise their right to opt out of the sale or sharing of their personal information. The website must then honor this request and stop selling or sharing that customer’s data.
Also under the CPRA, companies that process sensitive personal data are required to implement a link reading “Limit the Use of My Sensitive Personal Information” to enable visitors to exercise their rights, or a “single, clearly-labeled link if such link effortlessly allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.”
Read about eCommerce consent requirements now
Which privacy laws allow opt-out consent?
Multiple global privacy laws authorize website owners to use opt-out consent models. These include:
- California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act
- Connecticut Data Privacy Act
- Utah Consumer Privacy Act
- Japan’s Act on the Protection of Personal Information (APPI)
- South Korea’s Personal Information Protection Act (PIPA)
- Singapore’s Personal Data Protection Act (PDPA)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
It’s important to note that while these laws generally permit opt-out consent, the specific requirements and circumstances under which opt-out consent is allowed may vary. Some laws may have exceptions or different standards for certain types of data processing.
Additionally, the list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation.
Best practices to collect opt-in consent
Read about cookie opt in now
If you collect personal data from people in the EU, sensitive personal information, personal information from minors, or use non-essential cookies (including third-party cookies), you most likely need explicit consent and must implement an opt-in consent model, unless another lawful basis for processing applies.
To ask for opt-in consent in a privacy-compliant manner, there are eight steps website owners must follow. These are:
- Be clear and transparent: Use plain, easy-to-understand language to explain what data you’re collecting, how it will be used, and other parties that may have access to it. Avoid legal jargon or complex terms. This is often done via a cookie banner.
- Make it specific: Obtain separate consent for different purposes rather than using blanket consent. This enables users to choose which activities they want to opt in to.
- Use active opt-in methods: Use unchecked boxes, toggles set to “off” by default, or explicit confirmation buttons. Avoid pre-ticked boxes or other methods that assume consent, as manipulative design to encourage consent is strongly frowned upon by authorities.
- Provide granular options: Enable users to select which types of data they’re willing to share or which specific activities they consent to.
- Make it easy to withdraw consent: Provide a clear and simple way for users to change consent preferences or withdraw their consent at any time.
- Use just-in-time consent: Request consent at the moment you need to collect or use the data, providing context for why it’s needed. A blanket “clickwrap” agreement is not compliant with most personal data collection regulations.
- Keep records: Maintain detailed records of when and how consent was obtained for each user, and any changes over time.
- Test different approaches: A/B test different UI configurations and/or consent flows to find what works best for your users while maintaining privacy compliance.
By following these eight steps, website owners can gather opt-in consent in a manner that complies with the GDPR, LGPD, and multiple other global privacy laws. This process also respects user privacy and builds trust.
Best practices to collect opt-out consent
If you are collecting and processing personal data in a jurisdiction that allows you to do so without obtaining prior consent, you will still legally need to notify users and enable them to opt-out.
To do this in a CPRA-compliant manner, for example, here are eight best practices website owners must follow. These are:
- Clear and prominent notice: Provide a clear, conspicuous notice about data collection and use practices, along with an easy-to-find opt-out option. This could be a prominent link or button labeled “Do Not Sell or Share My Personal Information” or similar, depending on what the relevant regulation outlines.
- Easy opt-out process: Make the opt-out process simple and straightforward. Avoid multi-step processes or requiring users to create accounts to opt-out.
- Clear communication: Explain in simple terms what opting out means for the user’s experience and what data will no longer be collected or shared.
- Timely response: Process opt-out requests promptly, typically within 15 days, as required by laws like the CPRA.
- Granular options: Enable users to opt out of specific data uses rather than only offering an all-or-nothing approach. This also benefits marketing operations, as some data collection can be maintained with the user’s consent.
- Maintain records: Keep detailed records of opt-out requests and how they were honored.
- Respect opt-out duration: Once a user opts out, honor that choice for at least 12 months before asking them to opt back in.
- Third-party compliance: Ensure that any third parties you share data with also honor user opt-out choices. Under many laws, the controller has ultimate responsibility for privacy compliance, including the activities of third-party processors working for them.
By implementing these practices, website owners can create a transparent and user-friendly opt-out process that respects privacy rights while complying with relevant data protection regulations.
Email marketing and opt-in or opt-out
Email marketing requires businesses to navigate the rules around opt-in and opt-out practices.
Opt-in emails are essential for ensuring that consumers have willingly provided their email addresses for marketing purposes.
Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, mandate explicit opt-in consent.
To comply, businesses should display an unchecked checkbox for users to select if they want to receive marketing communications and include an easy opt-out option in every subsequent email.
In contrast, opt-out practices focus on allowing recipients to unsubscribe from marketing emails they no longer wish to receive.
This approach is particularly relevant in the United States, where the CAN-SPAM Act governs direct marketing practices.
The Act requires that all marketing messages be clearly identifiable as commercial communications, provide a simple and prominent unsubscribe mechanism, and include accurate header information and subject lines.
Additionally, organizations must provide a valid physical postal address to inform recipients of their location.
Combining these practices ensures that businesses respect consumer preferences while complying with international and local regulations, thereby maintaining trust and improving the effectiveness of their email marketing campaigns.
What is double opt-in, and when is it necessary?
Double opt-in is an email marketing consent process that requires subscribers to confirm their subscription through a verification email after initially signing up. This process typically involves a user submitting their email address through a signup form, receiving a confirmation email with a verification link, and clicking the link to confirm their subscription and be added to the mailing list. This mechanism is used for marketing emails, newsletter subscriptions, and other voluntary communications.
Double opt-in is necessary or beneficial in several scenarios:
- While not explicitly required by GDPR, double opt-in provides stronger proof of consent, which can be helpful for proof of compliance with data protection authorities.
- It helps ensure list quality by filtering out passive prospects, bad emails, and spam accounts, resulting in a higher-quality mailing list with better engagement rates.
- Double opt-in improves email deliverability by verifying email addresses, which can reduce hard bounces and enhance overall email performance.
- The confirmation email can be used as an opportunity to welcome new subscribers and introduce your brand, creating a more personalized experience from the start.
- Double opt-in prevents problems related to typos in signup forms or users submitting email addresses that don’t belong to them.
- Although it may result in a smaller list initially, double opt-in helps to ensure that your subscribers are genuinely interested in your content, potentially leading to higher engagement rates.
Double opt-in has benefits, but it’s also worth noting that it could result in slower list growth compared to single opt-in. However, the trade-off is often a more engaged and higher quality subscriber base, and more robust and trustworthy consent management practices.
Preference management
One potentially important addition to the marketing toolkit for companies is preference management, which works hand in hand with consent management. It’s also a source of zero-party data, which is something of a “holy grail” in marketing as it’s high-quality data that comes directly from customers. This is even more valuable with the phasing out of third-party cookies.
Preference management involves obtaining information from customers about their interests and preferences directly, like whether they prefer marketing emails or SMS notifications, or if they want communications about sales only or also about new product launches, etc.
This information can be collected in a dedicated preference management center, or account settings, via surveys, and other mechanisms. The advantage of consent management is that companies then have explicit information about what customers want, and their consent to deliver it in specified ways.
Choose the right approach for your data privacy needs
Navigating the complexities of opt-in and opt-out consent models is essential for maintaining compliance with global privacy laws and respecting user preferences.
Opt-in consent requires explicit agreement from users before their data can be collected or used, ensuring a high level of transparency and user control. Conversely, the opt-out model presumes consent until the user explicitly withdraws it, placing the onus on users to protect their data and privacy in most cases.
Understanding and implementing these consent practices, along with adhering to specific regulations like the GDPR, helps businesses build trust, enhance user engagement, expand Privacy-Led Marketing operations, and stay compliant with data privacy requirements.
Read about marketing compliance checklist now.
By following best practices for both consent models, website owners can create a user-friendly and legally sound environment for their online activities, no matter where their visitors are located.
Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.
We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.
Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.
What is Google Tag Manager?
At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.
Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.
Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.
Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.
In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.
Does Google Tag Manager use cookies?
The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.
While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.
Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).
Read about GDPR and cookies now
Google Tag Manager and cookie consent
Google Tag Manager doesn’t directly require cookie consent because it doesn’t set cookies, and so doesn’t collect personal information.
However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.
Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.
Is Google Tag Manager GDPR-compliant?
Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.
By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.
Read about google analytics GDPR now
To use GTM in a GDPR-compliant manner, website owners need to take several steps:
- audit all tags to be up-to-date on what they are for, what data collection they may trigger, and ensure they are necessary for business operations
- enable restricted data processing for certain types of personal data
- install a consent management platform (CMP) to obtain and manage user consent
- configure tags to only fire after obtaining user consent
- avoid collecting Personally Identifiable Information (PII) where possible
GDPR data processing using Google Tag Manager
Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags. As it often deploys scripts and tags that collect personal data. Thus, website owners must ensure that tags implemented through GTM only fire after obtaining proper user consent, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with GDPR stipulations.
One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.
Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.
Navigating consent management with Google Tag Manager
To address privacy regulations like the GDPR and CCPA, GTM offers a Consent Mode framework that enables website owners to adjust tag behavior based on user consent status.
The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.
In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.
By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.
Google Tag Manager and Google Consent Mode
Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.
With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows data collection to continue in a privacy-respecting manner even if full consent isn’t given.
GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.
The consequences of GDPR noncompliance when using Google Tag Manager
Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.
The penalties for violations can be substantial, with fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher, for repeat or particularly serious violations.
Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.
Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.
How a consent management platform can help with GTM GDPR cookie consent
A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.
Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.
Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.
By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.
Usercentrics CMP and Google Tag Manager cookie consent
Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.
Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.
Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.
Google is phasing out third-party cookies in Chrome, marking a significant shift in the digital marketing landscape. Our in-depth session explores what this means for marketers, advertisers, publishers, and users. We address the challenges ahead and provide actionable solutions.
During this webinar, we cover the impact on personalized advertising, delve into alternative tracking technologies, and share strategies to maintain user privacy while achieving marketing goals.
What You’ll Learn:
- How Chrome’s changes will affect your marketing and data capabilities.
- The impact on your current marketing strategy.
- Effective strategies to thrive in the new marketing environment.
Who Should Watch:
- Companies that rely on cookies for marketing and advertising.
- Marketing professionals preparing for the end of third-party cookies.
- Marketers seeking guidance on navigating the new privacy landscape.
- Anyone interested in future-proofing their marketing strategies.
Stay ahead of the curve and ensure your marketing efforts succeed in a cookieless future. Register now to watch the recording!
Google checklist: your toolkit for compliance with the new consent requirements in Switzerland
As Google expands its EU user consent policy to include Switzerland, it’s crucial for Swiss businesses to stay informed and become or maintain compliance. Our exclusive checklist provides a clear roadmap to understand the new requirements and provides actionable steps to achieve compliance before the 31 July 2024 deadline.
Who this checklist is for
- Digital marketers: Understand the compliance requirements for transparent and user-controlled data processing for targeted ads.
- Publishing managers: Implement compliant consent management practices and provide transparency in data processing for content monetization.
- Ad operations managers: Understand the implications of the expanded policy on ad serving and audience targeting. Align your online advertising strategy accordingly.
- Compliance managers or legal counsel: Guide your organization to effectively adopt Google’s expanded policy requirements.
- IT and data security specialists: Gain insights into the technical aspects of user consent and data processing, aligning with compliance requirements for data protection.
- Business owners and entrepreneurs: Enable compliance for your business’s online activities with the expanded EU user consent policy to safeguard user privacy.
Why you should download our Google checklist
- Stay informed: Gain a comprehensive understanding of the expanded Google EU user consent policy and its implications for businesses marketing to Swiss audiences.
- Simplify compliance: Get actionable steps and guidance to comply with the new requirements easily and effectively.
- Future-proof your strategy: Anticipate potential developments and stay ahead of evolving data privacy and consent management standards.
❓When is Google’s deadline?
✅ Enforcement starts 31 July 2024.
❓What regions are included in the requirements?
✅ Online users residing in Switzerland to whom companies target advertising.
❓What are the new requirements?
✅ Businesses using Google advertising and/or monetization products are required to obtain Swiss users’ consent for the use of cookies or other local storage where legally required, as well as for the collection, sharing, and use of personal data for the personalization of ads.
❓Do the new requirements apply to all publishers and advertisers targeting Swiss traffic?
✅ No. The new Google consent requirements in Switzerland mandate the use of a Google-certified CMP that fully supports the Transparency and Consent Framework (TCF) for publishers.
✅ For advertisers that don’t monetize their platforms with digital ads, the only requirement is to obtain consent from Swiss users where legally required.
❓What are the requirements for verifiable consent under Google’s EU user consent policy?
✅ Based on existing requirements from regulations like the Swiss Federal Act on Data Protection (FADP), which is compatible with the General Data Protection Regulation (GDPR).
The main requirements for third parties using Google services:
- legally valid consent must be obtained from end users for:
- use of cookies or other local storage where legally required
and
- collection, sharing, and use of personal data for ad personalization
- when requesting end-user consent, parties must:
- retain records of users’ consent
- enable end users to revoke consent at any time
- provide clear instructions to revoke consent
❓What Google services are included in the requirements?
✅ Google’s advertising platforms or services, like AdSense, AdMob, Ad Manager, Google Ads, Google Analytics, or Google Marketing Platform.
✅ Personalization features on these platforms.
❓I am a publisher. What do I need to do to become compliant?
✅ Implement a Google-certified Consent Management Platform (CMP) for the TCF, such as Usercentrics CMP.
✅ Activate the Transparency and Consent Framework (TCF) v2.2 on your CMP.
✅ Use your CMP to obtain prior consent from users to collect their personal data for advertising purposes.
✅ Consider implementing the latest version of Google Consent Mode for additional marketing benefits.
❓I am an advertiser. What do I need to do to become compliant?
✅ Obtain consent from Swiss users where legally required.
💡 For now, you’re not expected to send a verified consent signal for Swiss traffic through Google Consent Mode — a requirement already in force for EU/EEA audiences — but this may change in the future.
❓How do I collect valid consent with Usercentrics CMP?
✅ Start with one of Usercentrics CMP’suser-friendly templates, or fully customize your banner design and messaging.
✅ Set up the CMP for all regulations relevant to your business.
✅ The Usercentrics CMP consent banner enables users on websites to record their consent preference for use of their personal data with the click of a button.
✅ Website users can also revoke consent or update their preferences at any time.
✅ Consent information is securely stored in the event of an audit or data subject access request.
❓How does Usercentrics CMP integrate with the IAB TCF 2.2?
Usercentrics CMP integrates with the IAB’s Transparency and Consent Framework 2.2 via an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end users can choose between IAB Purposes and Vendors before submitting their consent.
❓How do you set up Usercentrics CMP with Google Consent Mode?
- Create an account and add your domain.
- Select and customize your banner.
- Implement the code into your website. Done!
For detailed instructions on how to set up and implement the Usercentrics consent banner with the IAB TCF v2.2 integration enabled, check our documentation.
❓Is Google Consent Mode v2 implementation included in the new requirements?
✅ Not for now.
✅ You should consider implementing Consent Mode v2 for additional marketing benefits, such as analytics and conversion modeling. It also helps you avoid losing marketing data due to users declining consent.
Get Usercentrics CMP to achieve compliance with Google’s CMP requirements in Switzerland
By using Usercentrics CMP IAB Framework (TCF v2.2) integration as your website’s consent management platform, you can ensure compliance with Google’s new consent requirements for Swiss traffic.
With Usercentrics CMP, advertisers and publishers can also ensure compliant data collection and processing across the board.
In this insightful on-demand webinar, our experts discuss Preference Management and the significance of consent preferences in today’s digital ecosystem. They present current trends, discuss market conditions, and explain how Usercentrics’ Preference Manager solution can help your growing business thrive in today’s rapidly evolving digital landscape.
During the webinar you’ll learn:
- How to unlock universal consent in today’s digital ecosystem.
- Why zero- and first-party data are the best foundation for your data strategy.
- How to get permissions for using the data across your tech stack.
- Useful strategies for navigating data tracking and privacy beyond third-party cookies.
- Insights into the significance of collecting user consent and preferences.
Watch now to ensure your consent management strategy remains effective in the face of industry changes. The webinar is free to watch.
Digital marketers already know that “consent is the new gold.” But what if a website visitor simply ignores your cookie banner or intentionally clicks the reject button?
Without their explicit consent, are they lost forever for any targeted marketing activities? Or is there still a way to re-engage users who have opted out?
To answer these questions with confidence, first you need to understand what cookie consent is, how best to obtain it, and what tools are at your disposal.
In this article you will learn:
- best practices for obtaining cookie consent
- when it can be profitable to re-engage users who have opted out
- actionable tips on how to re-engage those users
- how a consent management platform (CMP) can help maximize user opt-in rates
What is cookie consent?
Cookie consent is permission that websites must obtain from users before collecting, storing or using any personal information — by way of session or tracking cookies — on their computer, smartphone, or other device.
Read about tracking cookies now
Cookie consent is required by many data privacy regulations and frameworks, such as the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive. The aim is to protect personal data and inform users about how their information is collected, used, and shared.
To obtain cookie consent, websites typically use a cookie opt-in consent banner, which informs visitors about their use of cookies and provides options to accept or reject them.
Alternatively, depending on the jurisdiction, they may make use of an opt-out model that informs visitors about the use of cookies and provides them with an option to exercise cookie consent preferences, including access to a “Do Not Sell Or Share My Personal Information” link.
This is a requirement in jurisdictions like U.S. states where in many cases consent is not required before data collection, but users must be able to opt out of certain uses of their data. This not only helps in complying with legal requirements but also demonstrates transparency and fosters user trust.
Do all cookies require consent?
No, not all cookies require consent. That said, a ruling by the the Court of Justice of the European Union improves our understanding of cookie consent requirements under the GDPR.
Read about GDPR and cookies now
It notes that website owners may not assume or coerce consent, and must obtain consent for cookies before or at the commencement of data collection, especially for cookie types that may present privacy issues for the user, per Recital 30 GDPR. These include:
- Third-party cookies: These are installed on web domains by entities other than the site owner, and are often used for tracking and advertising across different websites. Third-party cookies require explicit user consent because they track behavior across various sites and collect a wealth of information that may be used to identify individuals.
- Analytical cookies: These cookies track how users interact with a website, such as which pages they visit most often. They generally require user consent unless configured to collect data anonymously without identifying individual users.
- Marketing cookies: These are used to create user profiles and track behavior across websites to deliver targeted advertising. Marketing cookies require user consent as they collect a variety of data that can be assigned to a known user account, e.g. by Google, and can be easily identifying, so they affect user privacy.
- Social media cookies: These cookies are placed by social media platforms and track users both on and off the platforms. Social media cookies are typically used for advertising and market research, so they require prior consent.
GDPR-compliant cookie consent can only be attained via the opt-in principle. Personal data may only be collected and used for marketing purposes if the user has actively consented to this. Consent also needs to meet other GDPR criteria. Learn more: 7 criteria for a GDPR-compliant consent)
Note: if the user ignores your consent banner and continues to navigate around the website, it does not count as legitimate consent according to the GDPR, as there was no explicit action performed to give consent.
While there are a number of tricks used to get website visitors to opt in, these are forbidden by some laws and strongly frowned upon by data protection authorities. For more details about these, see our article Obtaining user consent: these 5 tricks are not compliant with the GDPR.
Find out your cookie compliance risk in seconds.

Consequences of not obtaining cookie consent
Failing to obtain cookie consent can lead to serious consequences under the GDPR, and not just for big tech companies that draw headlines for huge fines.
Organizations found to be noncompliant can face substantial fines reaching up to 4 percent of annual global turnover or EUR 20 million, whichever is higher, for more severe or repeated violations.
Neglecting to obtain proper consent can also lead to loss of customer trust and reputational damage, as users and consumer rights groups are increasingly aware of data privacy issues.
Once noncompliance is out in the open, regulatory scrutiny is likely to increase, leading to further audits and investigations. Organizations found to be negligent or to have wilfully violated privacy laws are unlikely to get lenience or the benefit of the doubt in the future.
Noncompliance can also hurt the bottom line beyond fines. Consumer trust is crucial for growing and maintaining a loyal customer base. When taken together, these consequences can significantly damage an organization’s reputation and financial health.
How to implement cookie consent: best practices
Implementing cookie consent is crucial to comply with data protection regulations, such as the GDPR. Below are some key dos and don’ts to consider in your cookie consent strategy.
Cookie consent dos
- Provide clear information: Explain what cookies are in use, their purpose, how they track user data, who may access that data, and how long they remain in place.
- Offer granular choices: Enable users to accept or decline all cookie use, or different types of cookies individually.
- Simplify consent withdrawal: Include easily accessible options so that users can change their consent preferences at any time.
- Document consent: Always maintain records of when and how users consent, as proof of compliance in case of an audit or data subject access requests.
Cookie consent don’ts
- Avoid pre-checked boxes: Consent must be given actively, so pre-ticked boxes don’t constitute valid consent. Accept and deny options must also be equally visible and accessible.
- Don’t hide information: Keep details about cookies and their use clear and accessible. Ensure key information isn’t buried in lengthy legal documents. Make links to your privacy policy easy to find.
- Don’t require consent for non-essential cookies: Users must be able to access your website and its functions without having to agree to non-essential cookies.
- Regularly update consent practices: Keep your cookie policy up to date and in line with current legal requirements and technological standards.
Read about cookie policy now
Why is the acceptance rate of cookies key for improving revenue?
For digital marketers, it makes a big difference whether the majority of users accept only essential cookies or also marketing cookies. After all, the information gained through optional cookies forms the basis for targeted content delivery.
⇨ Acceptance rate is the key to a treasure trove of relevant marketing data, which in turn has a direct impact on ad revenue.
Is re-engaging users who have opted out from cookies worthwhile?
Before devising a strategy to win back users who have opted out, first consider how many can potentially be won back.
How high is the current acceptance rate? What percentage of users are giving their consent to the use of all cookies, on average? If it’s already relatively high, you can still take targeted optimization measures, but the effort is only really worthwhile if there’s a high proportion of users opting out.
Interesting fact: on average, about two-thirds of users give their consent for the use of marketing cookies, according to an internal Usercentrics evaluation.
However, this value does not apply to every website or every industry, because whether a user agrees to the use of their data depends on various factors.
For example:
- How privacy savvy is the user?
- How trustworthy is the brand perceived to be?
- How much does the website operator/company rely on obtaining consent?
Cookie expiration and consent
Even with user consent, cookies don’t last forever. Different types of cookies expire after different periods of time, depending on a number of factors. So you likely will get the opportunity to ask opted-out users for consent again in the future.
Some laws also stipulate how soon you can ask certain types of users for consent again if they opt out. Other laws outline how often user consent has to be renewed.
Become familiar with the requirements and prohibitions of privacy laws for cookie consent in jurisdictions relevant to your business.
Before you pull too many levers at once to get a user to opt in, one important thing must be taken into consideration: the user must freely choose to do so (Recital 42, GDPR). They cannot be manipulated or forced into opting in, e.g. by blocking their access to the website with a cookie wall.
Cookie consent tips: Win back users who have opted out
Option 1: Use contextual consent
To convince a user to consent, ensure the added value is clearly evident. Individual, embedded content is a good option here.
For example, if a user who has opted out wants to interact with a certain type of content on the website, a cookie consent dialog is displayed and the user is asked for consent again for that specific context.
For example, this option is available for:
- embedded social media posts from Facebook
- embedded profile page from Instagram
- embedded YouTube videos
The user recognizes exactly what they get access to by providing their consent, and why consent is needed for that function to work. Cookie consent now fits perfectly into their user journey and increases the likelihood of increased consent rates.
Our assessment
✔ Easy to implement
✔ Fully customizable for branding, messaging and context
✔ High user acceptance
Option 2: Use programmatic display
While the benefits of contextual consent are immediately obvious, with programmatic display you have to go deeper into data analysis. Using the data obtained from users who have opted in, you need to find out which subpages and landing pages have a high trust factor, and then play out the cookie consent on these pages again.
Keep an eye on the development of programmatic display. To make it as unobtrusive as possible for the user, initially limit the display to a small proportion of users, and only increase the frequency when the data shows corresponding signs.
Our assessment
✔ Unobtrusive option to increase the likelihood of consent
⚠ Requires elaborate data evaluation or analysis
⚠ Strategy must be tracked and readjusted if necessary
Option 3: Replaying the cookie banner during sale events
Major sales promotions, such as Black Friday or Cyber Monday, not only attract more users to retailers’ websites, but also increase consent willingness.
For example, Usercentrics Black Friday research shows that opt in is significantly higher on these days than usual as consumers are highly motivated to pursue very specific and ideally personalized online experiences.
Read about cookie opt in now
People want to get to the bargains as quickly as possible and therefore tend to set aside privacy concerns. Additionally, providing consent may gain them access to even better deals, like discounts at checkout.
It’s up to each retailer to decide to what extent they want to take advantage of this shift in the usual “pain threshold.” However, the replay of the cookie banner should be used judiciously in order to avoid risking users feeling so harassed by it that they leave the page.
Read about optimize cookie banners now
Our assessment
✔ A lot of potential to significantly increase the acceptance rate
⚠ Develop deep contextual understanding of users’ “pain threshold” for banner presentation
Option 4: Incentivization via voucher
Anyone who has visited a web store has likely seen the obligatory “coupon code in exchange for receiving the newsletter” deal. However, this marketing tactic can also be used to solicit a cookie consent opt in from users who initially declined.
So make your users an offer. “Do you really want to decline? How about a 5% discount code for your next purchase?”
Caution: pay attention to moderation and middle ground here. If you entice users with goodies that are too extravagant, you could quickly come under suspicion of unduly manipulating them to consent.
An offer that looks too good to refuse may be indistinguishable from a bribe. We recommended strictly adhering to the “voluntary” element of consent (Recital 42, GDPR) in order to act in a GDPR-compliant manner.
Our assessment
✔ High user acceptance
⚠ Potentially low retention
⚠ Potential to draw regulatory scrutiny if incentives are too generous
⚠ The user’s choice to consent is not based on building trust
Consent management platforms (CMP) and cookie consent
Using a consent management platform like Usercentrics CMP can enhance your ability to manage cookie consent efficiently, aiding in compliance with the GDPR and streamlining the implementation of Google Consent Mode.
Usercentrics CMP offers a flexible and customizable platform that can adapt to the specific legal requirements of your website or app. It facilitates easy tracking of user consent and integrates seamlessly with existing website tools. Key benefits include:
- Granular consent options: Users can select which types of cookies they consent to and adjust their preferences easily, enabling consent that is freely given, specific, informed and unambiguous, as the GDPR and most other privacy laws require.
- Comprehensive documentation: The CMP automatically documents all user consent, providing an audit trail that can be used to prove compliance in case of any regulatory inquiries or provided with a data subject access request.
- Integration with Google Consent Mode: Usercentrics is a Google-certified CMP and supports Google Consent Mode, which you can use to adjust how Google applications interact with your site based on the consent given by users.
Do you want to collect user data for marketing purposes in a legally compliant manner while increasing customer trust in your brand? Talk to our experts and let us show you the Usercentrics CMP in action. We look forward to answering your questions!

Apply your cookie consent solution
While tracking cookies are a powerful tool for any business with a website, they need to be used responsibly and in accordance with relevant data privacy legislation. In other words, with appropriate user consent.
Having read this article, you should now be equipped to roll out an effective and privacy-compliant cookie consent strategy and solution. We also explored consent rate optimization, with several approaches to obtaining consent from users who initially declined.
Depending on how low your acceptance rate is, winning back these users offers great potential. Just be mindful that implementing these measures requires varying degrees of effort, and, depending on the scenario, can be intrusive or noncompliant.
While most people are unlikely to be bothered by contextual consent, for example, other approaches require much more sensitivity and fine-tuning. Ultimately, great user experience should be a strong driver of your consent and marketing strategies.
The extra effort can be very worthwhile. The additional data collected in compliance with data protection regulations over a longer period of time makes a significant contribution to the total usable data volume, which in turn has a direct impact on ad revenue. You also clearly demonstrate your respect for privacy to customers and prospects.
Our recommendation: keep an eye on your consent rates and regularly check how you can increase them through targeted initiatives. Because sometimes even small levers, such as targeted incentives, can have a big effect.
Internet or browser tracking cookies are a type of technology that everyone should understand, especially when it comes to data privacy.
Primarily, cookies collect information about your interests and actions online, like helping websites track your browser activity. While this may sound problematic, it usually makes your life easier.
For example, many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. If websites didn’t set cookies, your shopping cart would reset to zero every time you clicked on a new product. They also help maintain convenient settings like your language preference or account login.
But not all cookies are created equal, and they collect different kinds of information. There are session cookies that are temporary and only in use for a single session. For example, as long as you browse a website or until you check out with your shopping cart.
There are also first-party and third-party persistent cookies, also known as tracking cookies. Data privacy regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) affect how they can be used.
In this article, we’ll examine tracking cookies, how they work, and what’s required to ensure compliance with relevant data privacy regulations while getting the data you need for marketing operations.
What are tracking cookies and what are they used for?
Tracking cookies are small files that are stored on a user’s device when they visit websites. There are two main kinds: first-party tracking cookies and third-party tracking cookies.
These cookies collect data about the user’s online activities, enabling websites to “remember” their interactions and preferences so they can serve them more relevant content, ensure a better user experience, and numerous other use cases. Collected data includes search history, geographic location, purchasing trends, and other behavioral information.
Cookies are used practically everywhere online — Google, Facebook, Amazon, and almost all business or commercial websites — making it difficult to browse the web without some kind of tracking.
What’s the difference between regular session cookies and tracking cookies? Session cookies are temporary files that are only active during individual browser interactions and are usually needed to retain needed information, like the contents of the online shopping cart we mentioned above.
Tracking cookies are set up by websites and will “follow” you as you browse. They conduct cross-site tracking and build up information on a user. Think of this as an information string that’s being pulled along to each new website a user visits, accumulating data until the end of the browsing session.
The data is then used by the organization that owns the site where the cookies were set, or used by or sold to third parties. This is usually other companies or websites that focus on creating personalized campaigns and serving you product ads that match your browsing history and presumed interests.
Find out how GDPR-compliant your website is today and what cookies your site is setting. Just enter the URL, start the audit, then view the detailed list.

What are third-party tracking cookies?
Third-party tracking cookies are set by a vendor other than the website owner. These cookies are used by third-party organizations to collect user data across multiple sites. Most often, this kind of cookie is used for targeted advertising and analytics, enabling these entities to build detailed profiles of a user’s browsing habits and then sell to them.
What are first-party tracking cookies?
A first-party tracking cookie, on the other hand, is set by the website owner. This kind of tracking cookie typically collects data on that one site, which is used to improve the site experience for visitors, like the aforementioned language preferences or user authentication. If a site makes use of a chatbot, it may need first-party tracking cookies to function.
How do tracking cookies work?
Tracking cookies work by monitoring a user’s actions and preferences as they navigate different websites. When the user returns to a website or visits others within the same advertising network, the cookies send information back to the host. This helps build a detailed profile of individual users, which is valuable for analytics and marketing.
This tracking makes it possible for websites and advertisers to remember that visit, tailor content, and display targeted ads based on the user’s browsing history.
What data do tracking cookies collect?
Tracking cookies collect a range of data to improve website functionality and personalize ads. Here is what they typically track:
- URLs and pages visited
- time spent on pages
- clicks on links and advertisements
- login data (by first-party cookies) and user preferences
- device type, operating system, and browser type and version
- search history and input data in forms
Are tracking cookies illegal or dangerous?
Tracking cookies are not illegal, but depending on the type of cookie and the information being collected, their use is governed by regulations like the GDPR and the ePrivacy Directive (to be replaced by the ePrivacy Regulation (ePR)). So the use of tracking cookies without a valid legal basis like consent can be a regulatory violation of data privacy.
Tracking cookies collect a wealth of information about individuals that could be used to identify them. Some personal data, like names and unique ID numbers, are obviously identifying. But other types, like purchase history or IP address, could also be identifying if combined with other data points. Recital 30 of the GDPR states that, in these circumstances, this data may be considered personal data, and be subject to the GDPR.
While tracking cookies are not inherently dangerous, there are some concerns about privacy and compliance with global regulations. This is because they can track extensive information about a user’s internet behavior, which could be misused, used for decision-making purposes with significant effects on the individual, or handled in ways that are not secure.
Read about GDPR and cookies now
Privacy laws and tracking cookies
Many privacy laws around the world regulate the use of tracking cookies. These laws are primarily designed to protect user data and online privacy, and ensure transparency between businesses and consumers. Let’s take a closer look at cookie tracking compliance with respect to two such laws: the European Union’s GDPR and California’s CCPA.
GDPR tracking cookies
Using tracking cookies and being fully compliant with the GDPR can be tricky. Regulations require that website providers let their visitors know when websites are using cookies, especially third-party tracking cookies.
They also require upfront information about which cookies (or at least which categories), their purposes, how the data collected may be used, and who may have access to it.
Once visitors know that tracking cookies are being set, such as via the website’s privacy policy and/or a consent banner, they must be able to provide prior consent for each data processing service that collects information.
Without consent, according to a ruling by the European Court of Justice, the collected data cannot be processed, passed on, or sold to third parties, otherwise, the company risks large fines.
This means that no cookies can be set and no data can be tracked without the user first explicitly acknowledging and accepting data collection and use.
While collecting information such as search history, purchase information, and location might not seem too bad, the amount and types of information collected rarely stops there.
“Device information, the time and date when a user clicked on something, the ads a user focuses on, as well as TV shows that are watched are just a small part of the information that is collected,” says Justin Brookman privacy expert at Consumer Reports, “Consent for this must be requested.”
Find out how a CMP solution can help you be fully GDPR-compliant today

Tracking cookies and CCPA
The CCPA is a data privacy law in California that impacts how businesses use and protect individuals’ (data subjects) personal data and rights, part of which relates to how they handle tracking cookies.
Under the law, businesses that collect the personal information of California residents through tracking cookies must inform them about the types of data being collected and the reason for its collection.
The law also requires businesses to provide a clear “Do Not Sell My Personal Information” link on their websites, enabling users to opt out of the sale of their personal data at any time. (Note: since the CPRA has also come into force in California, the statement must now read “Do Not Share Or Sell My Personal Information”.)
While the CCPA uses an opt-out consent model, unlike the opt-in model outlined by the GDPR, for data subjects between the ages of 13 and 16, organizations must obtain consent before they can collect or sell their personal information.
For children under 13, businesses need to obtain prior consent from a parent or guardian. Prior consent is also required if the data to be processed is categorized as “sensitive.”
This regulation highlights the need for transparency and user control in the deployment of tracking cookies. To learn more about the regulation, read our guide to the CCPA here.
Obtaining consent for tracking cookies
Data-driven marketing today requires valid user consent. However, not all consent is created equal. In fact, “The way in which you collect consent is just as relevant,” says Hans Skilrud, CEO of privacy policy generator Termageddon.
Art. 7 GDPR explicitly outlines the conditions for valid consent, a definition adopted by most data privacy laws around the world.
With this in mind, here are guidelines for obtaining valid consent for tracking cookies:
Consent must be freely given
Consent should be voluntary, i.e. given without any pressure or manipulation. Offer clear, unbiased choices without any pre-selections. Tools like the Usercentrics Consent Management Platform (CMP), for instance, make it easy to offer users clear consent options via customizable cookie banners.
Consent must be informed
Users should know exactly what they are agreeing to — with the option of reviewing cookies in use at a granular level — when giving consent for tracking cookies.
This includes details about the data collector, the data being collected, its purpose, third parties with access to it, and retention period. Include all relevant information in a detailed privacy policy. It can also be accessible in the consent banner.
Consent must be explicit
Consent should be an active, deliberate choice. This means that users should not be coerced or influenced into giving consent, such as with only a single button option, pre-checked boxes, or vague and confusing language.
Make sure your language is clear and accessible and that consent options, like buttons, are equally visible and accessible.
Consent must be granular
Consent should be obtained for each data processing activity. As such, clearly differentiate between different tracking cookies and give users the option to consent to their chosen selection.
Consent must be received in advance
No user data can be collected prior to opt in, so tracking cookies should only take effect after consent is obtained. This means your first action with every new user should be asking for their consent via a clear, comprehensive, and intuitive cookie banner.
Google Consent Mode can be used (and is required in the EU in many cases) to signal this consent from the CMP to Google services to control data collection based on consent.
Consent must be well documented
Website operators are subject to the burden of proof in the event of an audit, so it’s crucial that all user consent is documented and easily accessible. A CMP, like Usercentrics, helps keep all relevant consent data in a centralized, secure location.
Data privacy laws also usually give individuals the right to access data collected about them, so consent data may also be a part of a data subject access request.
Consent must be easy to withdraw
Users have the right to change prior consent or withdraw it at any time, and doing so should be as easy as giving it. This means the option to change or withdraw consent should be easy to find on your website, without unnecessary steps or complexity.
Find out the latest in marketing, legal and tech topics and ask any question of our many global experts.

How users stay in control of their data
When using cookies, it is important that users remain in control of their data and are aware of why it is being collected and for whom.
In a study conducted by Ponemon institute, which involved surveying 652 U.S. consumers, as many as 86% of respondents said they are “very concerned when using Facebook and Google,” while 66% of respondents said they are “very concerned when shopping online or using online services.”
This mirrors increasing consumer mistrust. In the same study, two-thirds of consumers (68%) indicated that they are more concerned about the privacy and security of their personal information than they were only a few years ago.
“This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked,” Ponemon researchers noted.
This is why it’s important for users to know why website providers set cookies, and to have a clear overview of which cookies are set. Being in control of data also means that users can revoke their consent at any time and be able to give consent only for specific data processing services. Website providers must offer consumers a choice: to opt in granularly and to revoke consent at any time.
Recent data privacy laws also increasingly provide consumers with the right to data portability, enabling them to minimize the inconvenience of taking their data with them to a company’s competitor.
Confused with all of the regulatory changes? You don’t have to be
According to a study conducted by Pew Research, the lack of understanding about data privacy laws among the general public is significant 63% of U.S. residents say they understand little to nothing about the laws and regulations that are currently in place to protect their data privacy. Don’t contribute to that statistic.
Usercentrics offers plenty of webinars and articles to help you stay informed and up to date on the latest policy changes for your company, so you can keep your users informed and obtain the necessary consent for cookie use, as privacy regulations require.
You can also listen to our podcast, Consented, where experts from around the world discuss the critical role of data privacy in consent marketing.
With Usercentrics, your journey to full compliance doesn’t stop at the CMP. You gain access to legal experts, dedicated support and guidance every step of the way so you can be confident about your company’s use of tracking cookies and privacy compliance.
Learn more about how easy it is to implement a CMP on your website and be one step closer to securing your company’s ad revenue with a strong privacy strategy

After several years of delays, in July 2024 Google announced that the company would not be deprecating third-party cookie use in the Chrome browser. The article’s content remains relevant, however, so we have left it in its original form, with this note, for educational and reference purposes.
Even without the inclusion of Google Chrome, other major browsers have already fully deprecated third-party cookie use, and we believe that privacy-led marketing is the “cookieless” future.
Google started making announcements and began changes relating to phasing out third-party cookies some time ago. Cookieless solutions typically refer to the end of third-party cookie use, but not the end of every type of cookie or tracker. Given the company’s dominant market share, the final deprecation of third-party cookie use in the Chrome browser will mark a significant milestone in the evolution of data processing and digital marketing.
Expert Insights
“Once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”
David Temkin
Director of Product Management, Ads Privacy and Trust at Google
Google has also been rolling out new data privacy-related requirements for its customers, spurred in good part by requirements in regulations like the Digital Markets Act (DMA). The company has updated and is enforcing its EU user consent policy. Many publishers in the EU that need to retain full access to Google services are also being required to implement Google Consent Mode and/or the TCF 2.2.
It’s not all stick and no carrot, though. Google provides cookieless future solutions to help enable data privacy compliance with regulations and the company’s own requirements, while also helping organizations replace strategies that relied on third-party cookies. Millions of companies rely on Google services for advertising, analytics, and more, and there is a suite of options to help your company evolve its digital marketing strategy. Become privacy-led, better engage your audience, and achieve strong growth.
Consent Mode
Google Consent Mode is a tool used by websites to signal visitors’ choices about consent for the use of cookies and other tracking technologies. It’s commonly used with a Google-certified consent management platform (CMP) like Usercentrics CMP, which displays a consent banner to site visitors to obtain the consent choice information.
Expert Insights
“Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.”
Eike Paulat
Director of Product, Usercentrics
How does Consent Mode work?
Google tags are loaded onto web pages before the consent banner is displayed. This way Consent Mode enables websites to adjust tag behavior dynamically based on whether a user accepts or rejects cookies. When the user provides consent, only then are measurement solutions employed for specific purposes.
The two tag settings Consent Mode has added for managing cookie and tracker behavior based on consent are:
- “analytics_storage”: determines how analytics services behave (e.g. Google Analytics)
- “ad_storage”: determines how ad services behave (e.g. Google Ads)
Once consent information is obtained, Consent Mode then signals it to Google tags in various services that are used for measurement of website and advertising performance. Each user’s consent preferences control whether Google services collect and process all or some relevant types of available data, or only anonymized data that can’t identify an individual, potentially a cookieless identity solution where needed.
Watch next: Google Consent Mode: 4 steps you need to take now
What are the benefits of using Consent Mode?
The original version of Consent Mode was primarily for anonymized data tracking. However, with its update to v2 in November 2023, its value and intent have evolved to focus more on signaling capabilities, which help website operators to meet compliance requirements.
Consent Mode enables automation of obtaining and activating visitors’ consent choices for privacy compliance and peace of mind over meeting consent requirements. It also helps with systems integration, enabling more seamless control over data collection and access.
Expert Insights
“Implementing Consent Mode normally takes me 1-2 hours. Implementation with Google Tag Manager and a CMP like Cookiebot™ by Usercentrics is really simple. So, if you are not implementing Consent Mode because it’s difficult, don’t be afraid.”
Adriaan Dekker
Top 50 PPC Expert
Google Consent Mode enables website operators to get back a significant amount of data for advertisers. Even when a visitor does not provide consent for all cookie and tracker use, you can still gain conversion insights and consent banner interaction information to optimize consent rates. For example, conversion modeling enables you to use anonymized data collected from users who do not consent to cookie use to gather insights. The future is modeled, providing a cookieless solution.
Consent Mode helps website operators to move toward cookieless future solutions, away from mass collection of users’ personal data — like from use of third-party cookies — to a future-proofed, consent-driven system. Regulations and users’ privacy are respected while your advertising business model remains intact, marketers get the data they need, and clarity on conversions.
Google services that Consent Mode supports
Consent Mode currently supports these Google services:
- Google Analytics 4
- Google Ads (Google Ads Conversion Tracking and Remarketing)
- Floodlight
- Conversion Linker
Enhanced Conversions
We mentioned that Consent Mode enables conversion modeling, so let’s look at that more closely. Third-party cookies track users across websites, making it easy to get a full view of the conversion journey, among other data. In a world driven by cookieless solutions, there are new challenges, like knowing whether visitors are first-timers or repeat, if they come from paid or organic traffic sources, or how to connect users’ ad interactions to conversions.
Expert Insights
“2024 will be the year of 𝐄𝐧𝐡𝐚𝐧𝐜𝐞𝐝 𝐂𝐨𝐧𝐯𝐞𝐫𝐬𝐢𝐨𝐧 and 𝐂𝐨𝐧𝐬𝐞𝐧𝐭 𝐌𝐨𝐝𝐞. Those privacy measurement solution can help us reveal more conversion signals and user data while respecting GDPR. But beware:
– This feature is intended for properties with web data streams. At this time, Google does not recommend it if you have an app data stream.
– Expect at least 30 days to see a data enhancement.
– This is not recommended for advertisers using BigQuery!”
Thomas Eccel
Top 50 PPC Expert, Ex-Google Ads Support, Founder of Custom PPC ChatGPT
What is conversion modeling?
Marketers need new solutions to help them adapt their strategies and retain the ability to gain insights into user behavior. Broadly, conversion modeling uses machine learning to assign links between ad interactions and conversions to account for instances where cookies, trackers, and other identifiers weren’t available (like the user declined consent).
Conversion modeling helps to evaluate each user visit’s incremental impact on visitor behavior data, even if you can’t directly observe a final conversion. Advertisers still get data and insights to optimize campaigns for desired outcomes, whether signups, increased sales, or other goals.
Benefits of conversion modeling
Companies need to understand customers’ and visitors’ behavior better to optimize marketing campaigns. Conversion modeling brings several strategic advantages:
- Identify barriers and conversion paths: Better understand cross-device and cross-channel conversion paths that result from ad interactions, while also pinpointing conversion roadblocks
- Improve automatic bidding: Fill in data gaps to enable automated bidding decisions that rely on accurate information about website/app activity, not assumptions.
- Higher marketing ROI: Make smarter data-driven decisions and allocate marketing spend better by targeting customers and prospects who are more likely to convert.
- Accurate and privacy-driven measurement: Comply with privacy requirements and safeguard users’ identities while obtaining quality, actionable data.
- Capture a competitive advantage: Get past outdated reliance on third-party data to future-proof marketing strategy by positioning your company for privacy compliance, better data-driven marketing, and privacy-led growth.
Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA.
Enhanced conversions with Google
Google Analytics 4 (GA4) and Google Ads are the most popular tools on the market for conversion modeling, and they enable predictions on unobserved conversions without identifying individuals, thus complying with privacy requirements. Marketers are increasingly going to need cookieless identity solutions.
Further to improved bidding and user identity protection, Google’s enhanced conversions is a feature to improve conversion measurement accuracy and unlock better, smarter bidding. It acts as a supplement to existing conversion tags, securely sending hashed first-party conversion data from your website to Google using a one-way hashing algorithm. That data is then used to match the customer to their Google account, which they were signed into when they interacted with your ad.
Learn more: Google Ads, GA4 and consent management
Read about google analytics GDPR now
How enhanced conversions work
When a customer converts on your website, first-party data is often captured, e.g. name, address, email address, etc. Conversion tracking tags can capture this information, which, once hashed, can be sent to Google privately and securely. It’s then used to enhance conversion measurement in various ways, depending on which type of enhanced conversions you use, e.g. tracking on-site sales or off-site sales from leads.
Use the Google tag, Google Tag Manager, or Google Ads API to set up enhanced conversions. Recover previously unmeasurable conversions, better optimize your bidding based on quality data, and be confident in your privacy compliance operations with the secure hashing of the first-party customer data.
How to set up enhanced conversions for web
There are three ways to set up enhanced conversions for web:
- Google Tag Manager
- Google tag (if conversion tracking is implemented directly on your page and not with iFrame or a third-party tool)
- Google Ads API (for more flexibility and control over your data)
How to set up enhanced conversions for leads
Conversion data from website lead forms (first-party data) can be imported or uploaded into Google Ads, and doesn’t require modifications to your lead forms or CRM. It’s easy to set up — configure measurement right from your Google Ads account — and enables you to better optimize campaigns to off-site sales and transactions for better performance.
- Google Tag Manager
- Google tag (if conversion tracking is implemented directly on your page and not with iFrame or a third-party tool)
- Lead form ads (if lead form ads are activated, you can set up enhanced conversion leads without changing your tagging setup)
- Google Ads API (for more flexibility and control over your data)
Server-side tagging
Server-side tagging involves serving your tags directly from a server instead of in the visitor’s browser. By moving your core tags to the server, this server-side tracking gives you more control over privacy-compliant data collection and sharing.
It’s an evolution from client-size tagging, which uses tags and data from the user’s browser, transmitted to one or more servers. Commonly, tag management uses this function to share customer data from your website with third parties, like marketing technology partners or other vendors. However, from a privacy perspective, there isn’t any centralized control over the data or who can access it.
Instead of relying on third-party services, with this sitewide tagging, both your website and customers’ data are hosted securely on a centralized server, helping meet privacy regulation requirements. Server-side tags provide a buffer between your customers and third-party vendors that want their data for tracking. It’s a way to integrate cookieless tracking solutions. Third parties cannot directly access collected first-party data from your website(s). You control who gets access, when, how, and to what specific data.

What is server-side tracking?
Both functions use a server for data management, but server-side tagging involves directly procuring data from the server, rather than only from the client’s browser. Using this method improves data accuracy, can enhance your website’s performance, and lessens the workload on the client’s side.
Benefits of server-side tagging
In addition to the privacy compliance benefits, there are a number of advantages to adopting server-side tagging and its single data stream:
Marketing teams use this sitewide tagging to benefit from improved visibility through the whole purchasing cycle. Boost conversion rates and advertising ROI. Greater control over the quality of data collection enables more precise insights and better data-driven decision-making for both in-house and third-party activities.
Website visitors also benefit from server-side tagging, as its focus is the privacy and security of their data. Consent choices can be seamlessly communicated across tools and systems to help ensure privacy compliance and controlled access to their data.
Server-side tagging with Google Tag Manager
Using Google Tag Manager for server-side tagging enables website operators to manage their tags, triggers, and variables on a server instead of in the user’s browser. It’s an easy to use solution that’s popular among marketers and web developers.
Tag management is shifted from the client side (the user’s browser), over which you have little control, to the server your company manages. This is particularly valuable to companies focusing on privacy compliance and privacy-led marketing, as well as those handling more sensitive user data.
Server-side tagging with Google Analytics
Google Analytics 4 (GA4) is easy to use, and integrates well with many widely used platforms, making it a popular choice for server-side tracking. Consent Mode also works with GA4 using the analytics_storage tag. Server-side tagging with GA4 involves sending data directly from your server to Google Analytics, so it bypasses the user’s browser entirely. In addition to enhancing security and data privacy, this provides better quality control over data and improves your website performance.
Customer Match
Customer Match is an advertising tool that helps you better leverage your company’s unique online and offline customer data and insights while maintaining robust privacy standards. It uses the high quality data your customers have provided to you to target ads to them — customers control the ads they see via their Google Ads settings — and other potential customers like them. It’s a way to implement cookieless advertising solutions.
Increase brand awareness, drive conversions, and more. Customer Match helps you to reach and re-engage custom segments of your existing customer base with tailored messaging at the most relevant moments using first-party data matched against Google account holders. Customer Match also helps you reach new customers across Google platforms like Search, Gmail, and YouTube in a privacy-led way.
Particularly with the deprecation of third-party cookie use, Customer Match helps you preserve performance and can be a key part of your measurement strategy for revenue growth. It’s a scalable solution to help make the most of your invaluable first-party data in privacy-compliant ways.
Read about first party data marketing now
How Customer Match works
Customer Match is available for Search, Shopping, Display, Gmail, and YouTube. To get started, segment your customers and upload your first-party data to Google Ads, which then matches your customer data to existing Google accounts. From there, you will target or exclude your new audience list across channels and devices. You can also use auto-generated segments that are similar to expand your list to new customers.
Benefits of Customer Match
In addition to enhancing your privacy compliance operations while still effectively engaging with your audience, Customer Match brings a number of additional advantages:
Google’s Privacy Sandbox
Google’s Privacy Sandbox is and will include initiatives and guidelines to enhance data privacy, as well as cookieless solutions and technologies that support those goals. It was initially launched in 2019.
Privacy Sandbox has two big goals:
- phasing out use of and support for third-party cookies when there are newer, better solutions available.
- reducing cross-site and cross-app tracking while also helping to keep online content and services free for all
The Privacy Sandbox is developing public proposals and working with data protection authorities. Ideas, policies, and tools to display relevant web content, fight spam and fraud, limit covert tracking, and more, will continue to evolve and roll out over time.
Learn more: The Privacy Sandbox timeline for the Web
Comparison of Google’s cookieless tools
Solution: Consent Mode
Function: Signals consent information to Google tags to control data processing functions for privacy compliance. Works with a Google-certified CMP.
Benefits:
- Helps enable compliance with privacy regulations and Google’s requirements.
- Protects ad revenue.
- Demonstrates respect for user privacy and builds trust.
Solution: Enhanced Conversions
Function: Related to conversion modeling, helps to improve accuracy of conversion measurement and improve bidding. Supplements conversion tags, securely sending hashed first-party conversion data to Google to be matched to customer accounts.
Benefits:
- Helps improve advertising accuracy and budget allocation.
- Secure and privacy-centric way to evolve digital advertising operations and leverage user data better.
Solution: Server-side tagging
Function: A method of serving website tags from a server instead of the user’s browser. Enables more control over data privacy compliance and processing. Can be done with Google Tag Manager and with Google Analytics 4.
Benefits:
- A solution for phasing out third-party cookie use and better controlling collection of, access to, and processing of user data collected via websites.
- Helps enable regulatory compliance and privacy-led marketing.
- Works with Google tools you’re probably already using.
Solution: Customer Match
Function: An advertising tool to help better leverage data customers provide to your company (first-party data matched against Google accounts) for better insights while maintaining strong privacy standards. Used for ad targeting to drive conversions, target new relevant audiences, and build brand awareness on platforms like Search, Gmail, and YouTube in a privacy-led way.
Benefits:
- Helps improve advertising performance while phasing out third-party data use.
- Helps with evolving privacy-led advertising strategy.
- Enables expansion of targeted marketing to existing and new audience via popular Google platforms.
Solution: Privacy Sandbox
Function: Google’s Privacy Sandbox is an initiative to create and evolve web technologies in privacy-led ways. Main goals are phasing out third-party cookies and reducing cross-site and cross-app tracking (while keeping online content and solutions free). Also meant to fight online fraud and spam.
Benefits:
- Widely available tools and solutions to evolve data processing and digital marketing.
- Helps meet regulatory and Google requirements and fight fraud.
- Helps to leverage user data in safer, smarter ways to grow businesses.
The future is cookieless with Google solutions
While it was easy to rely on third-party cookies and the data they provided, this marketing strategy often failed to respect user privacy. It also doesn’t tend to enable the precision needed for today’s digital audiences and markets. The future is consented for marketers.
Zero- and first-party data are higher quality, can be obtained in a variety of consent-driven ways, and can be used to drive and scale privacy-led marketing campaigns to better grow revenue. Google provides sophisticated yet easy to use and integrate tools — that work with platforms you’re probably already relying on. These solutions enable marketers to continue to find their audiences and engage them while building trust, get the data marketing operations need, and comply with data privacy regulations and Google’s requirements today, and in the future.
For everything from better customer segmentation to improving your website’s performance, there are Google tools to improve your marketing tech stack that also make data privacy compliance easier.
Don’t forget to tie it all together with the most key privacy-led marketing solution — Usercentrics CMP — to obtain, store, document, and signal valid user consent. Comply with global privacy regulations, control data collection and processing, and make that high quality customer data work even harder for you to provide great user experiences and boost revenue.
Expert Insights
“Companies must learn only to collect the data that matters and create great experiences around that instead of treating everything as important.”
Adelina Peltea
CMO, Usercentrics
Want to learn more about Google tools and how they can help you manage the cookieless future with Usercentrics’ data privacy solutions? We’re here to help.
Contact salesUsercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
By now, pretty much everyone knows about the ever-expanding number of data privacy laws around the world, and the need for consent to process personal data from users online. Added to that are a growing number of requirements levied on businesses from influential tech platforms. As enforcement expands, the risk of revenue loss can bring a far more immediate and pressing impact on digital marketing strategy and operations.
Fortunately, there is a way forward and marketers are already embracing it. The evolution away from third-party cookies and the data they collect has been in process for some time. These changes continue to ramp up as companies have increasing motivation to adapt their digital marketing and privacy compliance practices to protect revenue operations.
We look at the practicalities that come with the end of third-party cookies, why new data sources bring greater opportunities for marketers, and what Privacy-Led Marketing promises for growth in the era of greater customer control and choice.
How are privacy regulations influencing the changes in marketing?
A number of legacy marketing operations now need to be conducted in new ways to meet privacy compliance requirements. Some older technologies are being phased out, and new ones are being developed and evolving. Marketing is increasingly being seen as and conducted as an ecosystem, where all tools and activities are connected and influenced, if not outright controlled, by data privacy. New tools are increasingly becoming necessary to better manage this ecosystem, to enable more successful campaigns, analysis, and optimization that are compliant with regulatory and business requirements.
Consumers online are also increasingly aware of their rights as granted by these regulations, and how they pertain to companies’ access to and use of their personal data. Companies can’t just take what they want. Some types and tactics in digital marketing could have negative effects on brand reputation these days.
“We need to understand how data is flowing, what data we actually need, and to really challenge that — not to collect everything but to get first-party data and build strategies around that.”
– Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)
It has been common in the past to collect a lot of third-party data from people online, much of it without their awareness, and certainly without their consent. Regulations now prevent that in many cases around the world. More and more, companies must notify users about what personal data they collect, how, for what purposes, and who may have access to it, among other things. No more harvesting vast amounts of data from anywhere companies can get it.
Many privacy regulations now also require companies to get user consent before collecting or processing their data, or at least meet requirements for a different legal basis before doing so. Even in areas like the United States where prior consent is not required in many cases, people must have the option to opt out of companies’ processing of their data.
All of this affects how companies can interact with customers and users, how they get information about them, how they run campaigns and analyze performance, and more. The good news is that Privacy-Led marketing enables companies to do all of these things in more sophisticated and lucrative ways than before.
Read about marketing data privacy now
What are the issues with third-party cookies?
Third-party cookies are typically set by domains (companies) other than the one operating a website. They’re set by elements integrated into the website, rather than built as part of the website itself, and they track people across the internet, not just while they’re on a particular website.
Sometimes information about how they function, what data they collect, and who receives that data is known or easily accessible to website operators, and therefore easily communicated. Those third-party services can also be more easily controlled, enabling compliance with data privacy requirements.
Plenty of these services, however, are nested several layers deep, and run by vendors, for other vendors, for yet other vendors. This obfuscates their presence and functions from the website operator, not to mention the website users. This can be a problem for controlling all data-collecting services and for transparently providing comprehensive information to users, as well as for getting valid consent for data use.
Why are third-party cookies being phased out?
The strategy with third-party data collected via these services has largely been “get as much as you can and sort it out later”. Third-party cookies certainly did provide marketers with a lot of data. There are obvious issues with transparency and consent, and thus for data privacy compliance. Additionally, much of the data has been of poor quality, and needs to be combined with vast amounts of other data to enable meaningful analysis and application.
This data use also does little to build trust with customers and develop long-term engagement and relationships. Customers feel a lack of control over what should belong to them. Increasingly, ensuring people feel in control over their data and building trust with your company is critical for effective marketing. Laws are only getting more strict, activists continue to push for change, and consumers are becoming more savvy about their data and rights. In a nutshell: it just doesn’t work well anymore.
Third-party cookie use is an old, imperfect, and blunt instrument for marketing purposes. Fortunately, technologies have evolved along with privacy regulations. Marketers have more precise and sophisticated tools now to know what data collecting services are in use, provide transparency to users, obtain data with consent, and use both the consent and the data in smarter, more integrated ways throughout the marketing ecosystem.
It’s important to note, however, that as Usercentrics CMO Adelina Peltea noted in our recent episode of the Consented podcast, “Cookieless does not mean all cookies are disappearing.”
Google is phasing out third-party cookies in Chrome – why it’s important
Google announced that they would be phasing out the use of third-party cookies several years ago. Their plans for how to do so and the exact timeline for the changes have evolved several times. However, Google began disabling third-party cookies in early January 2024 in the Chrome browser.
Google is actually late to the party, as Mozilla’s Firefox, Brave Software’s Brave, and Apple’s Safari browsers have blocked third-party cookie use for some time.
Why are changes to cookie use in Chrome influential?
This initiative initially affected about one percent of Chrome’s global users, with the rollout to expand over the course of the year until third-party cookies are fully deprecated in Chrome. While this is only one web browser, Chrome does have the majority market share, so this will affect nearly 3.5 billion web users (over 42 percent of the global population).
What are marketers using to replace third-party cookies?
Marketers need to shift away from third-party cookie data sources to more owned channels, which can be better controlled. There’s the added benefit that they tend to result in higher quality data and better conversion rates, though marketers do need to determine new ways of handling measurement and attribution. These changes also streamline being transparent with users, obtaining valid consent for privacy compliance, and providing better user experience.
Zero-party and first-party data are replacing third-party sources, and driving development of new tools and tactics to collect and activate these rich data sources.
Zero-party and first-party data – what they are and why they’re they are better for marketing
Zero- and first-party data are generally collected by a company about its own users and/or customers via various means. They are more targeted, more likely to be obtained with consent, and easier to provide information about as required by privacy laws.
Read about first party data marketing now
Zero-party data – marketing gold standard
Zero-party data is so categorized because it comes directly to the company from the customer. There are no intermediary vendors or systems collecting, packaging, or processing it first. It’s also referred to as opt-in or self-reported data due to its consensual nature and customer origins.
Zero-party data is shared by customers, visitors, and users intentionally and voluntarily. This is typically prompted by the company, but with the goal to enable the customer to decide what data they consent to share, and shape their experience with the organization and its products and services.
How is zero-party data collected and deployed?
This data can be collected via many mechanisms, including:
- surveys and feedback forms
- preference inquiries about products, services, and features
- user account fields and profiles to record demographic information and preferences
- ratings and reviews
- incentives where personal data is exchanged for benefits
Customers can inform companies about how often they want to be contacted, by what medium (e.g. email, SMS, newsletter), for what purposes, and with what information (e.g. notification of sales, personalized deals, or launch of a new product). They can inform companies what they think about products or services and what they’d like to see more of. Companies can build customer profiles with detailed information on customer identity, interests, preferences, and permissions.
All of this means the data is more likely to be highly accurate. It enables very personalized marketing, and companies can demonstrate their respect for user privacy and customer preferences. This helps develop higher engagement and long-term customer relationships, which grow revenue.
First-party data – marketing work horse
First-party data is obtained slightly less directly than zero-party data and can be slightly less accurate. But it is still a big improvement in quality and maintaining data privacy compliance over third-party data. It’s sometimes referred to as customer, proprietary, owned or in-house data.
First-party data is typically collected via a company’s owned properties, like websites and apps. It isn’t directly collected from customers and users, but is collected about their activities. These services assign unique identifiers to users, and so can recognize them to enable personalized experiences, everything from login status to maintaining the contents of their shopping cart.
“First party data refers to the data we are getting directly from our customers, and this is typically considered one of the most valuable types of data that we can get because it is provided to us, it is reliable, and it is accurate.”
Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)
Read about first party data marketing now
How is first-party data collected and deployed?
First-party data is largely collected from the widest variety of sources, which include:
Given how much the average person does online these days, you can see that first-party data can provide a huge amount of information about what people do, when and how they do it, and what interests them. This enables site and app optimization, audience segmentation, personalized ads and communications, and predictive modeling of browsing and purchasing behavior.
First-party data is also critical for evaluating communications and campaigns for effectiveness, determining ROI, and strategizing future efforts to best deploy budgets.
Preference management
Preference management is how zero- and first-party data are obtained and most effectively used. Your preference manager is how you collect zero-party data about customer preferences and record permissions they’ve granted. Preference management also helps fill in data gaps from loss of third-party data, and enable first-party data to be activated more effectively, e.g. via syncing across the CRM and marketing tools.
Preference management also benefits privacy compliance strategies, as granular consent can be obtained, then signaled across the marketing stack and to third-party partners to control data collection and use per the customer’s expressed preferences.
Companies should also look into server-side tagging as a way to collect, centralize and activate their zero-party data, consent, and preferences.
Learn more: What is universal consent and how does it benefit companies and their customers?
What are the risks of not updating your marketing strategy away from third-party cookies?
Privacy noncompliance due to old marketing strategies can be a risk for the whole company, both with regulatory and newer business requirements. The loss of data, audience access, and ad revenue from Google restricting access to its services, for example, could be a huge financial blow for a company. It can also tarnish your brand in the eyes of customers and prospects.
Fines, loss of data, and other penalties
Fines can be up to 4 percent of a company’s annual global revenue under the GDPR in the EU. While GDPR fines levied on big tech companies make the headlines, any size of organization processing EU residents’ personal data can be penalized for noncompliance.
Many sources of valuable first-party data, as well as ad revenue, are also at risk without evolving marketing strategy, complying with new requirements, and obtaining valid consent for first-party data processing services, like those from Google.
Government and corporate enforcement is ramping up
Data protection authorities have already begun investigations into companies the Digital Markets Act (DMA) designates as gatekeepers, including Alphabet, Apple, and Meta. Those companies are likely to make whatever changes are needed to how customers access and use their platforms sooner rather than later to protect their business interests.
To meet DMA compliance requirements, Google (Alphabet is the parent company) has made a number of changes to its requirements of its customers. These include requiring signaling of valid user consent via the use of Consent Mode v2 with a Google-certified consent management platform (CMP). Companies can work with Basic Mode or Advanced Mode, depending on their business needs and the degree to which they’ve embraced Privacy-Led marketing.
New requirements for Google customers
Google also now requires publishers in the EU/EEA and UK to implement the TCF 2.2 via a certified CMP if they are using Google AdSense, Ad Manager, or AdMob. Companies risk loss of access to these services’ full functionality if they don’t comply.
Google also has recommendations for tools and strategies for companies to adapt to the new ecosystem for ads and measurement. These include:
- Consent Mode (preferably via Google-certified CMP partner)
- Customer Match
- Enhanced Conversions
- Use of GA4
Google was building on their Privacy Sandbox to enable web browsers to work in new ways to protect privacy and enable data use, but as of early 2025 has cancelled plans to deprecate third-party cookie use in the Chrome browser. This essentially spells the end for the Privacy Sandbox, but we shall see what future initiatives the company launches to replace it.
Learn more: Are ecommerce businesses ready for the new consent requirements?
Customers ain’t gonna take it
Consumers’ awareness and demands for control of their data and rights continues to grow as privacy laws spread. They are no longer passively accepting of having their data collected and used by entities they don’t know and purposes they haven’t approved. People will vote with their wallets, and are increasingly likely to end a business relationship if they don’t trust a company’s security or use of their data.
Data privacy regulations also increasingly include the right to portability, which means it’s easier for people to take their data and quit a company — probably for a competitor that may offer better products or pricing in addition to demonstrable respect for user privacy.
Companies have access to more sources and types of user data than ever before, but that means they have greater responsibility for how they access and use that data. Increasingly, around the world, there are consequences for not taking that responsibility seriously.
What is Privacy-Led marketing and why is it the future?
Privacy-Led Marketing includes everything we’ve already looked at. Tied to the idea of privacy by design, it puts privacy first marketing strategy and operations, and in customer relations. It involves embracing the benefits and competitive advantages data privacy brings to a company, rather than focusing on what you lose with third-party data, or what can still get away with and for how long.
Privacy-Led Marketing values quality over quantity in user data, learns when and where the right times are to communicate (clearly and right at the beginning), ask for consent and data access (and optimize these over time), and doesn’t focus excessively on what data and access companies no longer have (wasn’t the best anyway).
It values building trust by being transparent with customers and remembering that they want to know “what’s in it for me?” And of course, making it easy for them to express their preferences and manage their consent.
Privacy-Led Marketing thinks about the user journey, not a single opportunity. It strategizes how it can provide a continuous user experience with control, over time becoming clearer and honed for maximum benefit to the company and user, while meeting regulatory and business requirements.
“Users value tradeoffs. When we can provide them with a tradeoff that will be personalized recommendations or targeted adverts that are of interest to them, then users are more prone to share that data with us.”
– Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)
Smart marketers are strategizing new paths forward with the knowledge that happy customers share more data and develop more loyalty with brands, which benefits the bottom line.
These strategies focus on using the tools companies now need, like a consent management platform, Google Consent Mode, and the TCF 2.2 to maximum advantage. They understand that marketing is an ecosystem, and that consent and data need to flow throughout and control not only the company’s campaigns, but data access and use by third parties like partners and vendors.
Privacy-Led Marketing is the future because there is no path forward for old ways of doing things. Thanks to ever-evolving data privacy regulations and new requirements from influential platforms, old strategies are too risky, have become primitive and noncompetitive, and, ultimately, simply will not work.
Make consent management part of your Privacy-Led marketing strategy
Consent management has been important for some time to enable data privacy compliance, but companies need to start seeing it as one part of Privacy-Led Marketing, if they aren’t already.
Using a high performance consent management platform (CMP), companies can not only obtain valid user consent, but they can get rich data about user interactions with consent banners. These analytics enable insights and smart optimization to increase opt-in rates. This helps offset any data loss from third-party cookie use.
For even better user experience and maximized opt-in rates, you can deploy contextual consent, asking at specific times for specific services and purposes. Visitors and customers will know exactly why you are asking for consent, and what the benefit is to them.
“Collect the right information at the right time, then we will have higher consent rates and we’ll have the trust of the users.”
– Adelina Peltea, Chief Marketing Officer, Usercentrics (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)
Consent management also helps deliver peace of mind, as a solution like Usercentrics CMP can block nonessential cookies and other trackers until user consent is obtained, helping to ensure privacy compliance. It also enables customization for compliance with multiple data privacy laws, so visitors see the right banner for their location. You can even customize the language the banner is displayed in for optimal user experience while achieving privacy compliance.
Your CMP enables you to set up the required signaling for your tag manager, including Google Tag Manager. The Usercentrics and Cookiebot CMP solutions are Google-certified, so can signal consent in the necessary way to meet Google’s latest requirements.
The future of marketing is privacy-led. You’re not alone in figuring out how to embrace these new solutions. Achieve and maintain your privacy compliance while obtaining the data you need, signaling the consent that your marketing ecosystem requires, and growing your loyal customer base and revenue.
Check out the full Consented podcast, Episode 2: Is Privacy-led Marketing the solution to the cookieless future? It’s available on Spotify and YouTube.