Data privacy Archives

Organizations collect vast amounts of data from their users, which ranges from personal information to website usage patterns to financial details. This data collection helps improve services, tailor experiences, and drive business growth. However, it can also bring significant risks related to data breaches and unauthorized access to or misuse of personal data.

A Data Protection Impact Assessment (DPIA) helps organizations identify these risks, implement necessary safeguards, and maintain regulatory compliance, specifically with the European Union’s (EU) General Data Protection Regulation (GDPR).

A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organizations identify and reduce the risks to personal data they process. It involves examining how personal data is collected, handled, and stored, and ensuring there are adequate measures in place to protect individuals’ privacy and rights as they pertain to that data. Requirements for a DPIA are included in Art. 35 GDPR.

Conducting an effective DPIA enables organizations to detect and address potential problems at an early stage, helping prevent data breaches, avoid legal complications, and protect the organization’s reputation.

Who should implement a DPIA?

The GDPR can require the data controller to carry out a DPIA. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

While the data controller may appoint third-party data processors to carry out processing activities on its behalf, the responsibility for the DPIA remains with the data controller who is ultimately responsible for GDPR compliance and data security. The data processor should assist the controller in carrying out the DPIA by providing any necessary information, as required by Article 28(3)(f) GDPR.

If a Data Protection Officer (DPO) is appointed under the regulation, the controller must consult with the DPO when carrying out a DPIA. The advice given by the DPO and the decisions made by the controller should be documented within the DPIA.

The DPIA may be carried out by someone outside the organization, but the data controller remains accountable for ensuring that it is completed appropriately.

When is a DPIA required?

A DPIA is required whenever a processing activity, in particular using new technologies, triggers one of the obligations to conduct it under the law. Art. 35 requires a DPIA where data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” According to the guidelines issued by the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), these rights and freedoms include the rights to data protection and privacy, and may also include:

freedom of speech
freedom of thought
freedom of movement
prohibition of discrimination
right to liberty, conscience, and religion

The GDPR specifically requires controllers to carry out a DPIA when:

there is a systematic and extensive evaluation of personal aspects of individuals, including profiling and automated decision-making
sensitive data, or data related to criminal convictions and offenses, is processed on a large scale
publicly accessible areas are systematically monitored on a large scale

A DPIA may be required in other cases, and the controller must evaluate whether processing activities may result in a high risk to the rights and freedoms of individuals. Some examples from the WP29 and Recital 75 GDPR include cases where the processing:

involves the use of new technologies
involves matching or combining datasets from two different processing operations
involves personal data of vulnerable individuals, including children
is done to track behavior, location, or movements
may give rise to significant economic or social disadvantage, including identity theft or fraud, discrimination, or financial loss
may prevent data subjects from exercising control over their personal data

A DPIA can address either a single processing operation or multiple operations that share similar characteristics in terms of their nature, scope, context, purpose, and risks.

Read about marketing data management now

Exclusions from the DPIA requirements

There are two circumstances when a DPIA is specifically not required under the GDPR:

when the processing operations fall under a list established by a supervisory authority or Data Protection Authority of an EU member state as not requiring a DPIA
when the processing has a legal basis in EU law or in the law of the member state that applies to the controller, and that law specifically regulates the processing activity

At what stage should a DPIA be carried out?

A DPIA should be carried out before any type of processing begins that is likely to result in a high risk, ideally during the early planning stages of the project, new feature, or new use case. This early assessment helps identify and manage potential risks even if some processing details are still being finalized.

DPIAs are an ongoing activity, and the controller’s obligation doesn’t end once the initial DPIA has been carried out. If data processing has commenced for specific purposes, but the conditions of processing — such as purpose or type of personal data collected — change significantly and are likely to result in a high risk to individuals’ rights and freedoms, the controller must revisit the DPIA before these new processing conditions are implemented. If a DPIA was not initially required before data processing began but changes in processing conditions make it necessary, then it must be conducted when those new conditions arise.

There are certain minimum regulatory requirements for what a DPIA must include. The key components of a DPIA are:

systematic description of the processing operations, including the nature, scope, context, and purposes of the processing
assessment of whether the processing operations are necessary and proportional in relation to the purposes, to evaluate whether the same objectives can be met with less data or through less intrusive means
identification and assessment of the likelihood and severity of potential risks to data subjects’ rights and freedoms
measures to address and mitigate the risks, including safeguards and security measures such as encryption, access controls, and regular audits to protect personal data and demonstrate compliance with the GDPR

DPIA Infographic

DPIAs under US law

There is no comprehensive federal data privacy law in the US, and a number of states have enacted laws to protect the personal data — often referred to as “personal information” in some laws — of their residents.

Many of these US state-level data privacy laws require controllers to conduct DPIAs. While there may be some variations among state laws, they are usually required in the following cases:

processing of personal data for the purposes of:
- targeted advertising
- profiling
sale of personal data
processing of sensitive data (which usually includes children’s data)
processing activities that present a heightened risk of harm to consumers

What constitutes “sensitive data” or “sensitive personal information” may differ across various laws, so controllers must ensure they follow the specific requirements of each applicable law.

States that require these assessments include Colorado, Texas, Maryland, Connecticut, Virginia, Nebraska, Oregon, and Tennessee, among others. California requires a DPIA under the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).

DPIA procedure

The GDPR doesn’t specify a procedure for conducting a DPIA, giving controllers the flexibility to approach it in a way that effectively assesses risks and informs data processing decisions. The basic steps to conduct a DPIA are as follows.

1. Identify if a DPIA is required

The first step is to determine whether a DPIA is necessary before data processing activities begin. It may not be immediately clear if a DPIA is necessary, and controllers might realize it partway through the project. In such a case, controllers must ensure the DPIA is completed before they begin any processing activities or begin collecting data.

Check if your website complies with the GDPR by conducting a thorough data privacy audit.

Start audit now

2. Consult the DPO, if appointed

Art. 35(2) of the GDPR makes it mandatory to consult the DPO if the organization has appointed one. The DPO’s advice must be documented in the DPIA and, if the advice is overruled, the DPIA must explain why.

3. Identify all parties to be consulted

Controllers must list all internal and external stakeholders to be consulted. This includes data processors and data subjects or their representatives. The DPIA must include their feedback on the processing activities and, if feedback is disregarded, why.

4. Document the nature, scope, context, and purposes of the data processing

Controllers should list all the data processing activities, including why and how the data is being processed. This should cover, among other things:

what types of personal data are being collected and processed, including whether the data is sensitive, the volume of data, and how long it will be retained
the source of the data, and whether it will be shared with any third parties
how much control data subjects will have over the data, and whether any new technologies will be used in processing
the intended effect on data subjects and benefits for the controller

5. Assess the necessity and proportionality

The GDPR requires controllers to evaluate whether the data processing is necessary and proportional to achieve the intended purposes, including determining the lawful basis for processing. Controllers should consider what information will be shared with data subjects in their privacy policy, how to achieve data minimization and data quality, and how international transfers will be handled.

6. Identify and assess potential risks

Controllers are required to identify and evaluate the potential risks to data subjects’ rights and freedoms, and outline measures to mitigate these risks. They must assess the likelihood and severity of each risk, considering factors like the nature of the data, the context of processing, and the potential impact on individuals. Controllers should develop a risk mitigation plan that includes specific measures such as encryption, anonymization, access controls, and regular security audits.

7. Validate and sign the DPIA

Controllers must validate and sign the DPIA once it is completed. This involves recording who approved the protection measures and any residual risks. Documenting the decision-making process and identifying those responsible for its implementation and authorization provides a clear record of the approval process.

There is no official template from the EDPB, and controllers that need structure or guidance to get started may use templates from Data Protection Authorities such as France’s National Commission on Informatics and Liberty (CNIL) or the UK’s Information Commissioner’s Office. Although the EU GDPR doesn’t apply to the UK post-Brexit, the UK GDPR is nearly identical to the EU version and includes the same provisions for DPIA requirements.

Conclusion and next steps

Conducting a DPIA is a vital practice for safeguarding personal data, maintaining data subjects’ trust, and avoiding reputational damage. By conducting a DPIA, organizations can identify and mitigate potential risks, ensuring that data processing activities are both secure and compliant.

Organizations should consult a qualified legal professional, privacy expert, or DPO to ensure compliance with the GDPR’s DPIA requirements and to implement the necessary safeguards effectively.

Safeguarding personal information online has become more critical than ever as data privacy laws expand and consumers’ expectations grow. One of the most effective strategies for protecting data is through data minimization.

This principle, enshrined in various data protection and privacy laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), emphasizes the importance of collecting, processing, and storing only the minimum amount of personal data necessary for a specific purpose, and retaining it only as long as needed to fulfill the stated purpose.

But what exactly is data minimization, how does it work, and how can your company implement measures to limit its data collection in beneficial ways? Let’s delve into it.

What is data minimization?

Data minimization is a fundamental principle in data protection and privacy laws like the General Data Protection Regulation (GDPR).

Data minimization refers to collecting, processing, and storing only the minimum amount of personal information necessary for a specific purpose, and retaining it only as long as needed to fulfill that purpose.

This approach aims to reduce risks associated with companies’ potential privacy overreach, data breaches, and other misuse while helping to ensure compliance with various data protection regulations. It also shows respect for customers by demonstrably limiting data collection and use to only what’s needed, communicated, and consented to.

Organizations implementing data minimization strategies only collect relevant data and retain it for the shortest time possible. They also regularly review, delete, or anonymize unnecessary information.

By adhering to this principle, companies can better protect individual privacy, enhance data security, improve data management efficiency, meet legal requirements, and improve customer experience.

Read about marketing data management now

Data minimization and GDPR

Data minimization is a key principle of the GDPR. It requires organizations to collect and process only the personal data that is necessary for their specified purposes. It explicitly addresses data minimization in Article 5(1)(c) GDPR, which states that personal data shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).”

This principle is further reinforced by Article 25 GDPR, which requires that data minimization be applied by default to each specific purpose of data processing. These articles mean that website owners and businesses must identify the minimum amount of personal data required to fulfill their purpose and collect and hold only that information.

To comply with data minimization requirements, organizations should regularly review their data collection mechanisms, like website cookies, what data they collect, and for what purposes. Then they should also review what data they currently store and use, and if the purposes for which the data was collected are still valid. Finally, they should delete or anonymize data that is no longer needed.

By adhering to this principle, organizations can demonstrate accountability and reduce their risk of noncompliance with the GDPR.

Data minimization and CPRA

The California Privacy Rights Act (CPRA) also introduces data minimization as a key principle for businesses handling consumer personal information.

Under the CPRA, businesses are required to collect, use, retain, and share personal information only to the reasonably necessary extent and proportionate to achieve the specific purposes for which it was collected or processed.

Therefore, businesses must clearly define and disclose the purposes for data collection and ensure that the data is not used beyond these purposes without additional consumer notification and consent where required. In addition, the law requires businesses to implement data retention schedules and delete or anonymize (depending on the law or relevant policies) personal information once it is no longer necessary for disclosed processing purposes.

Is your website compliant?

Scan your website and find out which cookies and tracking technologies are collecting data.

Scan for free now

What is an example of data minimization?

Data minimization doesn’t have to be a complicated affair. For example, let’s look at data minimization in action in the context of an ecommerce website’s checkout process.

Instead of collecting extensive personal information from customers, the website could request only the necessary details for completing the transaction and shipping the product. This might include the customer’s email address, to send a receipt and order confirmation; name and shipping address, to send the order; and payment information. The company also receives various data just as part of the ordering process, like that from website cookies that track the customer’s shopping process, and order specifics like which product, size, and color.

In this example, there is no real need to ask for additional data, such as the customer’s date of birth, gender, or occupation, which are not essential for processing the order, even if these details would provide the company with more demographic information about the customer.

By limiting data collection to only what is required, the ecommerce site reduces its data liability and enhances customer privacy, while still effectively fulfilling its primary function of selling and delivering products.

Read about GDPR email marketing now

Benefits of data minimization

Many website owners and companies prefer to collect a lot of data. After all, more data helps you understand your target audience and optimize marketing campaigns. However, this is a poor practice in the age of digital privacy.

While privacy laws like the GDPR and CPRA require businesses to implement data minimization practices, the benefits go beyond regulatory compliance. Additional benefits of data minimization include:

Reduced costs: Collecting and storing only necessary data significantly lowers storage and management expenses.
Enhanced security: Collecting less data reduces the potential impact of breaches and theft, leaving less potentially sensitive information at risk.
Efficient data management: With less data to process, analyze, and prune, organizations can manage their information more effectively, improving operational efficiency.
Better data quality: Focusing on relevant and necessary data improves the overall quality and accuracy of datasets.
Reduced risk profile: Minimizing data collection and storage decreases an organization’s risk related to data access and handling.
Enhanced customer trust: Data minimization shows a commitment to protecting customer privacy, boosting consumer confidence.
Simplified data governance: Fewer data assets make it easier to implement and maintain effective data governance.
Faster data processing: Smaller data volumes allow for quicker analysis and decision-making.

The principles of data minimization

Data minimization is a key principle of data privacy regulation, along with closely related ones like maintaining accuracy and purpose limitation. It’s meant to guide organizations in collecting, processing, and storing personal data to fulfill specific purposes, from ecommerce sales to marketing campaigns to product development.

Here are key principles that website owners should follow to reduce their privacy noncompliance risk.

Clearly define the specific purpose(s) for data collection and use before any personal data is collected. This will inform what data is needed to fulfill the purpose.
Only collect data that is directly relevant and necessary for a specific purpose. Be extra vigilant if any of the data is typically categorized as “sensitive” or belongs to children, as this often requires additional consent and safeguards.
Do not repurpose data without necessary notification, justification, and updated consent.
Collect enough data to fulfill the stated purpose without exceeding what is required.
Keep personal data only as long as necessary to achieve the specified purpose. Establish and follow data retention policies to delete or anonymize data when it is no longer needed.
Embed data minimization into the design of systems and processes from the start to ensure privacy protection is built in.
When possible, anonymize personal data to reduce the risk of identifying individuals, especially for long-term retention or secondary uses.
Regularly review data collection, processing, and holdings to determine if they remain relevant, or need to be updated or deprecated.

By following these principles, website owners can reduce privacy risks, enhance data security, improve regulatory compliance, roll out more precise marketing initiatives, and build trust with their customers.

Read about Big data marketing now

Data minimization and risk mitigation

Data minimization is a powerful strategy for reducing risks when handling personal information.

By collecting and keeping only essential personal data and cookies, website owners can significantly lessen the impact of potential breaches. This approach simplifies data protection efforts, as there’s less information to safeguard.

From a legal perspective, holding less data means fewer chances of violating privacy laws. This is particularly important given strict regulations like the GDPR. Data minimization brings companies one step closer to complying with these laws, avoiding hefty fines, reputational damage, and legal complications.

There’s also a financial advantage to this approach. Storing and managing large amounts of information can be costly, from both a financial and resource perspective. By cutting down on unnecessary data, companies can save on storage and processing expenses. Not to mention the work of maintaining or expunging it, or finding all of it to fulfill a data subject access request, for example.

In the event of a data issue, having less information to sort through enables quicker response times and a higher likelihood of accuracy. This rapid action can help limit damage and preserve customer trust.

Moreover, data minimization demonstrates respect for customer privacy. By only requesting and retaining necessary information, businesses can build stronger, more trusting relationships with their clients. This practice not only protects the company but also enhances its reputation in an increasingly privacy-conscious market.

How to boost your opt-in rates

Learn how to provide a great user experience, obtain valid consent to comply with privacy laws, and boost opt-ins to get the high-quality data you need for your marketing strategy.

Increase your opt-in rates

How to implement data minimization measures

Data minimization may sound simple, but in practice, companies must consider how they collect, use, store, and dispose of customer data. In addition to being prepared to do the work to update policies, processes, and the management of the data itself.

Thus, if your company is considering implementing a data minimization policy, there are certain steps you need to follow.

Assess your current data practices: Evaluate how your organization currently collects, retains, and manages access to personally identifiable information. This involves:
1. identifying what types of data are being collected
2. determining how long the organization has had the data
3. determining why each piece of data is being collected
4. evaluating if the collected data is necessary for the stated purpose
5. reviewing who has access to data (e.g. third-party vendors) and what they may be doing with it
6. review where data is stored (e.g. in various departments) and who has access
Implement proportional data collection: Only collect data that is proportional and relevant to the purposes for which you are collecting it. Justify why you collect, process, or store consumer data and ensure these purposes align with your current business and data privacy objectives.
Establish needs-based retention: Develop a strict data retention policy that ensures your business only retains data needed for specific purposes and only for as long as necessary. Once these purposes are met or the required retention period has passed, the data should be deleted.
Use data anonymization techniques: When possible, anonymize data to protect individual privacy while still allowing for necessary data processing.
Control data access: Implement a system that enables secure management of data access privileges across your organization. This ensures that only specific applications or individuals have access to the data fields required for their business processes.
Regularly review data and delete unnecessary information: Establish procedures to periodically review the data your organization processes and the purposes for it, and remove anything that is no longer necessary to fulfill its original purpose. Consider implementing an automated solution that deletes certain data at predefined intervals.
Define data retention schedules: Set specific retention periods for each type of data your website and company processes. This should be part of your overall data map and governance strategy.
Streamline data collection processes: Review your data collection methods and forms to ensure you’re only asking for essential information. For example, if you only need a customer’s email for communication, don’t ask for their phone number or physical address.

By following these steps, website owners can effectively implement data minimization, enhance protection, reduce risks, and build customer trust.

Collect less to build consumer trust

Data minimization is not just a regulatory requirement, but a fundamental practice that can transform how organizations handle personal information.

By collecting only what is necessary, website owners can visibly demonstrate dedication to data security, user privacy, and respect for users’ rights under privacy regulations. The principles of data minimization, as outlined in regulations like GDPR and CPRA, offer a clear framework for organizations to follow, helping companies achieve and maintain compliance.

As digital privacy concerns continue to grow, adopting data minimization practices will be crucial for any organization aiming to maintain its reputation and safeguard its stakeholders’ information.

On April 4, 2024, Kentucky became the fifteenth state in the United States to enact a consumer privacy bill with the passing of House Bill 15, the Kentucky Consumer Data Protection Act (KCDPA). The law goes into effect on January 1, 2026 and gives organizations close to two years to prepare for compliance.

We look at the KCDPA, who it applies to, how it protects consumers, and how organizations can prepare for compliance.

What is the Kentucky Consumer Data Protection Act?

The Kentucky Consumer Data Protection Act (KCDPA) aims to protect the privacy and personal data of the state’s 4.5 million residents by regulating how it is collected and used. It sets obligations on businesses that operate in Kentucky or produce products or services consumed by its residents and process their personal data.

The KCDPA protects the personal data of residents acting in “an individual context” and not for commercial or employment purposes and defines them as “consumers”.

Like most other US states with consumer privacy laws, Kentucky follows an opt-out consent model. Businesses must clearly explain to consumers:

what personal data they collect
why they collect it
third parties they share it with
how consumers can opt out of its collection and processing for certain purposes

Definitions under the Kentucky Consumer Data Protection Act

The KCDPA defines key terms concerning the data it protects and data processing activities.

Personal data under the KCDPA

The Kentucky privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.

Common types of personal data that businesses collect include name, phone number, email address, account name, IP address, passport number, or driver’s license number.

Sensitive data under the KCDPA

Sensitive data under Kentucky’s privacy law is personal data that could harm consumers if abused and includes:

racial or ethnic origin
religious beliefs
mental or physical health diagnosis
sexual orientation
citizenship or immigration status
genetic or biometric data processed for the purpose of uniquely identifying a specific natural person
personal data collected from a known child (under 13 years of age)
precise geolocation data that can accurately identify an individual’s specific location within a radius of 1,750 feet (533.4 meters)

Consent under the KCDPA

The Kentucky data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Controller under the KCDPA

A controller under the law is “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.“

A controller, often referred to as a “data controller” in some regulations, is responsible for protecting personal data and must comply with the legal requirements for data protection.

Processor under the KCDPA

A controller may share personal data it collects with a third party for processing purposes. This third-party is known as a processor under the Kentucky privacy law and is defined as “a natural or legal entity that processes personal data on behalf of a controller.”

Sale of personal data under the KCDPA

The Kentucky privacy law defines sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.“

Sale does not include disclosure of personal data:

to a processor that processes the personal data on the controller’s behalf
to a third party for the purposes of providing a product or service the consumer has requested
or its transfer:
- to the controller’s affiliate
- to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction
that the consumer intentionally made available to the public through a mass media channel not restricted to a specific audience

Many other US state-level privacy laws define sale as the exchange of personal data “for monetary or other valuable consideration” by the controller or third party. The KCDPA, like the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), requires monetary consideration for the exchange of personal data to be considered sale.

Non-monetary consideration does not constitute sale under the Kentucky privacy law.

Targeted advertising under the KCDPA

The KCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict that consumer’s preferences or interests.”

The definition excludes:

ads based on activities within a controller’s own websites or online apps
ads based on the context of a consumer’s current search query, visit to the website, or online app
ads directed to a consumer in response to the consumer’s request for information or feedback
processing of personal data solely for measuring or reporting ad performance, reach, or frequency

Who must comply with the Kentucky Consumer Data Protection Act

The Kentucky privacy law applies to businesses that operate in the Commonwealth of Kentucky or produce products or services aimed at its residents and which, during a calendar year:

controlled or processed the personal data of at least 100,000 consumers

controlled or processed the personal data of at least 25,000 consumers and derived more than 50 percent of gross revenue from the sale of personal data

Unlike some other US state laws, including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the KCDPA does not require businesses to comply based on revenue alone.

Exemptions to compliance with the Kentucky Consumer Data Protection Act

The Kentucky data privacy law exempts certain entities and types of data from compliance. Entity-level exemptions include, among others:

city or state agencies or state political subdivisions
financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
nonprofit organizations, including nonprofit controllers that process personal data solely to help:
- law enforcement agencies investigating suspected insurance-related crimes or fraud
- first responders dealing with catastrophic events
higher education institutions
small telephone utilities

Data-level exemptions include, among others:

protected healthcare-related information, health data, and patient identifying information
data processed or maintained as emergency contact information for a natural person and used for emergency contact purposes
data created for or collected under several federal laws, including, among others:
- Health Care Quality Improvement Act
- Patient Safety and Quality Improvement Act
- HIPAA
- Fair Credit Reporting Act (FCRA)
- Combat Methamphetamine Epidemic Act
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)

Consumer rights under the Kentucky Consumer Data Protection Act

Consumers have several rights under the Kentucky privacy law to protect their personal data.

Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, unless doing either requires the controller to reveal trade secrets
Right to correction: consumers can have inaccuracies in their personal data corrected, taking into account the nature of the personal data and purposes of processing
Right to deletion: consumers can request controllers to delete any personal data provided by, or obtained about, them, with exceptions
Right to data portability: consumers can obtain a copy of their personal data that they previously provided to the controller, in a ready usable format, with some exceptions
Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, use in targeted advertising, or profiling in furtherance of “decisions that produce legal or similarly significant effects” concerning them

There is no private right of action — or right to directly sue a controller — under the KCDPA.

Does your website use cookies to display targeted ads to visitors?

Check your KCDPA compliance risk level with a data privacy audit.

Get started

Controllers’ obligations under the Kentucky Consumer Data Protection Act

Organizations subject to KCDPA compliance have several obligations under the law to protect consumers’ personal data.

Privacy policy under the KCDPA

Controllers must publish a privacy notice, or, similarly, privacy policy, that informs consumers about:

categories of personal data the controller processes
purpose(s) for processing personal data
method of exercising their rights under the law and how to appeal the controller’s decision regarding a request
categories of personal data shared with third parties, if any
categories of third parties who receive personal data, if any

Controllers must clearly inform consumers if they sell personal data to third parties or process it for targeted advertising purposes. Unlike the CCPA, Florida Digital Bill of Rights (FDBR), and Texas Data Privacy and Security Act (TDPSA), the Kentucky privacy law doesn’t require any specific wording to be used to disclose this information. Controllers must also advise consumers how they can opt out of sale or processing for targeted advertising.

The privacy notice must be accessible, clear, and meaningful. It is usually published through a link on the controller’s website, like in the footer, to ensure that consumers can access it from any page.

Consumer rights requests under the KCDPA

Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. Consumers may be asked to log in to an existing account for identity verification, but they can’t be required to create a new account solely for this purpose.

Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If they need an extension, the controller must inform the consumer before the initial 45-day period expires.

If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision. Controllers must respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer a method to contact the Attorney General online to submit a complaint.

Purpose limitation under the KCDPA

Controllers are required to disclose the purpose(s) for which they collect personal data, and the KCDPA requires them to limit the personal data they collect to only what is “adequate, relevant, and reasonably necessary” for the purposes.

Controllers cannot process personal data for any purposes other than those that are disclosed to consumers. If the purpose of data processing changes, they must inform consumers about the new purpose and obtain consent for processing their data, if applicable.

Data security under the KCDPA

Controllers must ensure the confidentiality, integrity, and accessibility of the personal data they collect and process. The Kentucky data privacy law requires them to establish, implement, and maintain reasonable administrative, technical, and physical security measures that are appropriate to the volume and nature of the personal data.

Data protection assessments under the KCDPA

The Kentucky privacy law requires controllers to conduct and document a data protection impact assessment (DPIA) when processing personal data:

for the purpose of targeted advertising
for sale
for the purpose of profiling that presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of or disparate impact on consumers
- financial, physical, or reputational injury
- physical or other intrusion into consumers’ private affairs
- other substantial injury to consumers
that is classified as sensitive data under the law, including childrens’ data
presents a heightened risk of harm to consumers

DPIAs are classified information under the law and are exempt from disclosure, public inspection, and copying. However, the Attorney General can request the controller to disclose a DPIA during its investigations into any alleged violations, and the controller must make it available in this circumstance.

If a controller has already conducted a DPIA for other laws or regulations, and it is similar in scope and effect to what is required under the law, the controller can use that DPIA to comply with the KCDPA.

DPIAs shall be required for data processing activities on or after June 1, 2026.

Consent requirements under the KCDPA

The KCDPA primarily follows an opt-out model for personal data processing, like the other US state-level data privacy laws. This means that, in most cases, businesses can collect and process personal data without needing prior consumer consent. An exception to this is processing that involves sensitive data, and controllers must obtain explicit consent before its processing.

Controllers are required to clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling.

Unlike several other privacy laws, the Kentucky privacy law does not require controllers to recognize consumer consent preferences communicated through a universal opt-out mechanism such as Global Privacy Control (GPC).

With respect to children’s data, the KCDPA aligns with the Children’s Online Privacy Protection Act (COPPA), as is standard among the US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as the Kentucky privacy law considers all personal data of children under this age as sensitive data.

Nondiscrimination under the KCDPA

The KCDPA explicitly prohibits businesses from discriminating against consumers who exercise their rights under the law. Businesses cannot deny goods or services, charge different prices, or offer varying quality levels to these consumers. However, they may offer different prices, rates, levels, quality, or selections of goods or services to consumers if the offer is related to a voluntary loyalty, rewards, premium features, discounts, or club card program in which the consumer participates.

If a consumer chooses not to allow their personal data to be collected, processed, or sold, businesses cannot deny them access to their website. However, certain website features requiring essential cookies may not function properly if those cookies are declined. This limitation is not considered discrimination under the law.

Businesses are not required to offer a product or service that requires personal data they do not collect or maintain. They are also required to comply with state and federal discrimination laws and cannot process personal information in violation of these laws.

Data processing agreement under the KCDPA

The Kentucky privacy law requires controllers and processors to enter into contracts that govern data processing procedures. This contract is known as a “data processing agreement” under the European Union’s General Data Protection Regulation (GDPR) and Virginia’s CDPA and must include:

instructions for processing personal data
nature and purpose of processing
type of data subject to processing
duration of processing
rights and obligations of both parties

Processors must ensure confidentiality of the personal data and that, at the controller’s direction or when the contract is complete, all personal data will be deleted or returned to the controller.

Under most data privacy laws, controllers are held accountable for the data processing actions, breaches, and violations by processors. However, the KCDPA provides two exceptions:

if a controller or processor lawfully shares personal data with a third-party controller or processor, they are not liable for any violations by the recipient, provided they were unaware of any intent to break the law at the time of sharing
if a controller or processor lawfully receives personal data, they are not responsible for any legal violations committed by the party that disclosed the data

The Nebraska Data Privacy Act (NDPA) contains a similar provision regarding controllers’ ultimate accountability for data processing activities.

Enforcement of the Kentucky Consumer Data Protection Act

The Kentucky Attorney General has the exclusive enforcement authority under the KCDPA. Consumers do not have a private right of action, but they can report potential violations or denials of their privacy rights directly to the Attorney General’s office.

Before initiating an enforcement action, the Attorney General must provide written notice to the implicated party, detailing the alleged violations and offering a 30-day cure period for organizations to address and resolve any issues. This cure period, which is a permanent aspect of the law, enables companies to rectify problems and implement measures to prevent future breaches.

Organizations found in violation must inform the Attorney General in writing of their corrective actions and confirm that future breaches will not occur.

Fines and penalties under the KCDPA

The Attorney General can initiate a civil action seeking damages against organizations that do not cure the violation within the 30-day period or breach the written statement they provide. Violations of the Kentucky privacy law may result in civil penalties of up to USD 7,500 per violation.

The KCDPA adopts an opt-out model for data privacy, which allows businesses to collect and process personal data without requiring prior consent from individuals. However, exceptions are made for sensitive personal data and data belonging to children, where prior consent is mandatory. This approach is consistent with other US state-level data privacy laws.

Consumers must be able to opt out of data collection and processing for purposes such as sale, targeted advertising, or profiling. Businesses are required to make this opt-out option clearly available on their websites, usually through the privacy policy or privacy notice.

Websites often use consent banners on their websites that include clear links or buttons enabling users to opt out of data processing. Consent management platforms (CMPs) like Usercentrics CMP automate this process by managing cookies and other tracking technologies, ensuring they are blocked until the consumer gives consent, where this is required by law. CMPs also provide transparent information about the types of data collected, the purposes for which it is collected, and any third parties with whom the data is shared.

In the absence of a single federal privacy law in the US, businesses operating across the US and/or internationally may need to comply with various state and international privacy laws. CMPs assist by customizing cookie banners based on the user’s location, ensuring adherence to state-level laws like the KCDPA and international regulations like the GDPR.

Updates to the Kentucky Consumer Data Protection Act

Even before the KCDPA comes into effect, Kentucky legislators have passed a bill to update its requirements. Governor Andy Beshear signed HB 473 into law on March 15, 2025.

There are two healthcare-related updates. One is that information collected by health care providers that are acting covered entities under HIPAA, and that maintain protected health information according to HIPAA requirements, are exempt from relevant KCDPA requirements.

The second is that information maintained in limited data sets by entities covered by HIPAA in accordance with relevant HIPAA requirements is also exempt from relevant KCDPA requirements.

The other update limits the requirement for completing a Data Protection Impact Assessment (DPIA) in profiling cases to only those cases with unlawful disparate impact (the potential for disproportionate harm or disadvantage to members of a protected group).

These updates go into effect when the rest of the Kentucky Consumer Data Protection Act does, on January 1, 2026.

Preparing for the Kentucky Consumer Data Protection Act

Businesses operating in Kentucky have until 2026 to comply with the KCDPA. Companies already adhering to privacy laws in other states will find that much of their existing compliance work aligns with the KCDPA requirements. Businesses that meet the compliance thresholds set by the law must be prepared to offer users clear opt-out options and accessible privacy notices. Implementing privacy by design improves all aspects of organizational operations, not just compliance with regulations.

As the KCDPA adapts to new technologies and shifting consumer expectations, it is strongly recommended for businesses to seek guidance from a qualified legal professional or data privacy expert, such as a Data Protection Officer, to achieve and maintain compliance.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

After several years of delays, in July 2024 Google announced that the company would not be deprecating third-party cookie use in the Chrome browser. The article’s content remains relevant, however, so we have left it in its original form, with this note, for educational and reference purposes.

Even without the inclusion of Google Chrome, other major browsers have already fully deprecated third-party cookie use, and we believe that privacy-led marketing is the “cookieless” future.

Google plans to phase out the use of third-party cookies (set by external companies to track user behavior across the web) in the Chrome browser, and other browsers — Firefox, Safari, Opera, and Brave — have already deprecated third-party cookie support. This affects the type and volume of data available for marketers. There are also increasing pressures on digital marketers to meet strict data privacy standards. These pressures now come from influential tech platforms that millions of companies rely on, perhaps even more than from data protection authorities.

The cookieless future doesn’t mean there won’t be any cookies of any kind in use, just that third-party cookies and their sometimes indiscriminate tracking will be phased out. While marketers have long relied on the data third-party cookies collect, this data has often been collected with questionable — if any — consent from the people it’s sourced from. The data itself is also often of lower quality, needing to be aggregated with other data sources to be useful (and profitable).

Given the Chrome browser’s 65 percent majority market share as of mid-2024, however, the final deprecation of third-party cookie use will mark a significant milestone in the evolution of data processing, digital marketing, and privacy online. So “cookieless future” is in many ways appropriate.

We look at what the evolution of cookie use, changes in requirements for use of Google services, demands for data, and evolving privacy laws mean for companies. We also delve into the impacts of massive changes to established ways of doing digital marketing, and the solutions that companies can implement to make the cookieless future much brighter and more privacy-compliant.

What are the biggest challenges of the cookieless future for marketers?

There are increasing limitations on and even elimination of third-party data — which is indirectly derived from customers via various sources using third-party trackers and tools. Combine this change with the move to zero- and first-party data, which is limited to what customers consent to, marketers will see reduced data visibility. This will impact the ability to track and target users online. However, as noted, these other data sources are of higher quality, and less data is needed to gain valuable insights, since it comes directly from customers.

Confused about zero-party, first-party, and third-party data?

Our guide clears it up for you.

Learn more

Additionally, there are tools and strategies to optimize data collection in ways that are privacy-compliant, and to use newer technologies to enable modeling to provide the information marketers need to understand audience segments, customer journeys, and more.

Previously it’s not that consumers didn’t care about companies collecting so much of their data without consent, it’s more that there was little they could do about it. However, that is changing, thanks to regulations putting more control over data access into consumers’ hands, and people understanding that their patronage — and data — hold influence. If companies want their data, people want to know what’s in it for them. And if they don’t feel that they can trust companies to respect their privacy and secure their data, they’re increasingly inclined to take their business and data elsewhere, as this PWC survey from 2022 noted.

Shifting strategy from “collect as much data as you can and we’ll figure out what to do with it later” to much more strategic data collection and analysis is not only a legal requirement today, it’s a much smarter strategy. Companies can ask consumers how they want communications, what they want to hear from companies about, and what data they consent to share. Companies demonstrate respect for privacy, better engage customers, and acquire much more accurate data that can inform all parts of marketing operations.

Once companies connect with customers and obtain data, they still need to analyze and measure the performance of their marketing efforts. Obviously, measurement based on old models, like those relying on third-party data, need an overhaul. Fortunately, there are new tools and strategies to help, which we’ll get into. Even when users decline consent, there are ways to obtain anonymized data and to model conversion journeys to know which channels are converting, the ROI of campaigns, and other key insights.

Is privacy-led marketing the solution to the cookieless future?

Get a performance boost.

Learn more

Why do you need to be ready for a Google cookieless future?

Change is coming for digital marketers on a number of fronts. Data privacy regulations have been spreading globally for years, and now influential tech partners are levying strict privacy requirements on their customers to ensure end to end privacy compliance in their operations. We look at the most important factors that marketers need to build into their operations to succeed in the privacy-led future.

1. Legal compliance with data protection and user privacy regulations

Data privacy laws are becoming well established, with the majority of the world’s population now protected by some form of privacy regulation. However, it’s not uncommon for many smaller companies to pay little attention even to established laws like the European Union’s General Data Protection Regulation (GDPR). It’s big and complex, there are large “gray areas” that require legal interpretation, and all the penalties that have grabbed headlines seem to exclusively land on giant tech companies with global operations and billions of Euros in revenue.

But what has grabbed the attention of millions of companies is new requirements handed down by Google to their customers and partners. Thanks to new laws like the Digital Markets Act (DMA), big tech platforms like Google, Meta, and Amazon have additional stringent privacy requirements to meet. And to ensure compliance, all the companies relying on their platforms for data, audience access, analytics, advertising, and more need to meet the same privacy standards.

2. Google’s requirements for advertisers

Google has also updated and is enforcing its EU user consent policy, which aligns with the requirements of the GDPR and ePrivacy Directive (ePD), further tightening consent requirements to its customer base.

If you’re using services like Google Ads or Analytics you need to implement a Google-certified consent management platform with the latest version of Consent Mode integrated. This enables you to collect user consent for data collection and processing and signal it to Google services, which are then controlled based on users’ consent choices. If you don’t comply, you can lose access to key functionality, like personalization features.

Do you know how to meet Google’s EU privacy requirements?

Get ready with our Google Consent Mode Checklist

Download now

3. Google’s requirements for publishers

Google also now requires publishers serving ads on websites or in apps in the EU/EEA or UK to implement the latest version of the IAB’s Transparency & Consent Framework (TCF) implemented via integration with a consent management platform (CMP). Not implementing TCF 2.2 puts you at risk of loss of advertising revenue in significant markets.

While Google’s privacy requirements are not fully global yet, it’s inevitable that as data privacy regulations continue to spread and evolve, data privacy requirements and robust consent management — including for cookie use — will become the global standard for doing business with influential tech platforms, enforcing a cookieless future.

Data privacy and marketing alignment

Navigating these new requirements means marketers need to embrace privacy-centric marketing strategies and technologies that align with evolving user privacy expectations. It requires giving up old notions of control over data and bringing together technologies to update the marketing stack, using consented data to drive campaigns, and doing the work to get to know customers and prospects directly so they welcome simply being asked about what they want from your company.

Google has presented core strategies for the future of measurement, including Google Consent Mode, Customer Match, Server-side Tagging, and Enhanced Conversion Tracking, emphasizing the pivotal role of user consent and transparent data practices for robust marketing operations in the cookieless future.

What are the key Google tools for campaigns and measurement in the cookieless future?

We have you covered.

From third-party cookies to a cookieless world: embracing a privacy-first approach to marketing

A knee-jerk reaction to the evolution of digital marketing operations is that a lack of data will hamstring campaigns, affecting paid channel performance and measurement, for example. But this notion fails to take into account a critical fact outlined in a Google/Ipsos survey: providing a positive privacy experience can increase share of brand preference by 43%. Additionally, 71% of people prefer to buy from brands that are honest about what data they collect and why.

It’s not that valuable data is no longer available to marketers; it’s that it hasn’t occurred to some of them to provide customers and prospects with the right kind of experiences — that respect data privacy and are transparent about using data — that make them happy to provide it.

The impending end of third-party cookies in major web browsers calls for advertisers to take a proactive approach to adapt their marketing practices and data operations to the new cookieless world.

Check if your website meets key privacy standards

Quickly check if your site meets legal privacy standards and ad platform rules. Help protect your ad campaigns and revenue by scanning your website with our free cookie checker.

Check your website

The same study confirms the positive impact the privacy experience users have on your website or app. A positive privacy experience and a sense of control over user data can bolster brand preference and sales, while a negative experience can have a detrimental impact. With more and more data privacy regulations including the user right of data portability, being able to vote with their feet (or phones) and wallets has never been easier, and marketers need to pay attention.

“Brands need to go beyond the basics to provide truly positive privacy experiences and there are clear, tangible actions advertisers can take to achieve that. This means letting people know why their data is being collected, what it will be used for, and how it is improving their experience. All these factors combine to create transparency and build trust with your customers.”

Maxwell Minckler, Google Customer Insights EMEA, Google

Zero- and first-party data in a cookieless world

The quality issue with third-party data — the kind collected by third-party cookies — is its distance from the source, i.e. companies website visitors, app users, ecommerce customers, etc. So much of it has to be aggregated to gain useful insights, and even then it’s still nowhere near ideal.

What is ideal is building a direct relationship with these customers and getting their informed consent and preferences. This enables you to personalize communications, sales offers, targeted marketing, and more. Individuals hear from your company when they want and about what they want, which builds trust and increases engagement to grow long-term customer relationships and revenue. To do this, companies need zero- and first-party data.

Zero-party data for marketing in a cookieless world

Zero-party data is also referred to as self-reported, explicit, or opt-in data. It’s the gold standard for marketing in a cookieless world because it comes directly from visitors, users, and customers. It’s shared voluntarily and intentionally with their consent, and goes hand in hand with their consent choices about access to their personal data. Zero-party data doesn’t need to be aggregated or analyzed, because it’s direct information about what customers want.

Some examples of sources of zero-party data include surveys, product reviews, product preferences from orders, etc.

McKinsey has reported that companies earn 40 percent more revenue from personalization, so investing in operations to obtain and activate zero-party data are well worth it, via preference management and other mechanisms.

Zero-party data is also valuable for product development and improvements, improved marketing programs, better sales strategy, and more.

First-party data for marketing in a cookieless world

First-party data is also referred to as proprietary, customer, in-house, or owned data. It’s obtained slightly less directly than zero-party data, so insights from it can be less accurate, but it’s still more valuable than third-party data, and an important source for marketing strategy and analysis.

Some examples of sources of first-party data include website analytics, ecommerce records, app usage data, and social media activities.

First-party data is particularly valuable for showing patterns in user behavior and preferences via activities, such as website session duration, page views, online purchases, software usage data, email engagement data, etc. Sometimes data from what people do can be more accurate than what they self-report via voluntary channels.

This data is useful for improving product user experience, enabling users to get more value from products, faster. On the business side, the data is useful for audience segmentation, marketing communications personalization, predictive modeling based on browsing and purchasing habits, campaign performance analysis, ROI interpretation, and budget optimization.

Read about Google additional consent now

Preference management in a cookieless world

Preference management involves requesting information from users and customers, and then using it to tailor those individuals’ experiences with your company via communications, offers, and more. It’s a key source of zero-party data, and involves the most direct interaction rather than collecting data via user activities like web browsing.

Preference management also goes hand in hand with consent management, as when you want to know what customers want, that includes what personal data they agree to share with you and possibly with third-party partners.

Unlike with some third-party data collection, combining consent and preference management helps to ensure customers have full control over what they consent to in their interactions with companies regarding collection of data about them, communications, profiling and targeting, and more.

A preference management solution helps you gain higher open rates for emails, text messages, and more since they match the preferences of each customer. You target advertising more accurately, gain better visibility for product launches and sales, targeting customers who’ve specifically requested information about these campaigns.

Preference management delivers better customer experience all around and demonstrates respect for privacy and customer preference and choice. A cookieless future all companies can get behind.

Increase conversions and long-term customer engagement with Usercentrics Preference Manager.

Learn more

Server-side tagging in a cookieless world

Server-side tagging is another solution to the end of third-party tracking. With this function, your tags are served from a server directly, rather than in the visitor’s browser. This provides more control over privacy compliance in data collection and sharing with third parties, important when evolving marketing activities for a cookieless culture.

Client-side tagging transmits data to one or more servers, and commonly, with tag management, shares collected data with third parties, e.g. marketing technology partners. But there is no central control over data and who can access it, hence the privacy value of server-side tagging.

Server-side tagging is sitewide, so website and customer data are securely hosted on a central first-party server, which functions as a buffer between customers (and their consent) and third-parties that want their data for tracking and analysis. It enables a cookieless tracking solution where your customers’ consent choices determine what data is made available, and you control who gets access, when, how, and to what specific information.

Additional benefits of server-side tagging include:

more centralized source of information for legal audits
a comprehensive view of customers across touchpoints
improved website performance in terms of page speed, conversion rates and SEO (Core Web Vitals)
improved monetization and data collection by bypassing ad blockers
improved customer experience by recording consent preferences once and enabling transferring across devices and platforms

Gain more control over privacy-compliant data collection and sharing with server-side tagging.

Learn more

Digital marketing in a cookieless world

With all these changes to how marketing and advertising work online, it’s understandable that marketers could be worried. But there’s no need to be. There are already tools and solutions available that not only replace third-party data from cookies, but enable consented collection and use of higher quality zero- and first-party data, higher user engagement, better customer satisfaction, and sustainable revenue growth.

Marketing measurement in a cookieless world

Marketers are greatly concerned about moving away from relying on third-party data and meeting business and regulatory requirements for obtaining valid user consent to access personal data, primarily due to accuracy concerns. They need to maintain accurate measurement of marketing activities and target new and existing audiences accurately. Fortunately, there are solutions to help marketers accurately obtain and signal user consent and obtain the data they need for accurate measurement.

The Google cookieless future arrived for many companies with the advent of Google’s new requirements for marketers, advertisers, and publishers in the EU. As of early 2024, the company requires its Google Ads customers to use a Google-certified consent management platform (CMP) that’s integrated with the latest version of Consent Mode in order to maintain access to key features of its services, like personalization.

A solution like Usercentrics CMP enables companies to obtain valid consent for the processing of personal data, per the compliance requirements of laws like the GDPR. Then the integrated Consent Mode v2 signals the consent information to Google services, controlling tags for website and advertising performance with it, and blocking or enabling cookies and trackers depending on users’ consent choices.

Your marketing operations need a Google-certified consent management platform. Find out why.

Learn more

Watch our video to see how easy it is to enable Consent Mode with Google-certified Usercentrics CMP.

Where measurement is concerned, even when individuals decline consent, Consent Mode enables the collection of anonymized data only, which can’t identify an individual. This data is used for conversion modeling to develop insights while data privacy rights and requirements are respected. Website operators get back a significant amount of data for advertisers and gain conversion insights and information about consent banner interactions to optimize consent rates. It’s a strong example of a sophisticated solution for a cookieless world that’s driven by consent and enables marketing operations and business growth.

Your marketing operations need a Google-certified consent management platform. Find out why.

Learn more

Marketing attribution in a cookieless world

Digital marketing is moving away from multi-touch attribution tools as the phase-out of third-party cookies draws nearer. So how can marketers accurately track customers’ conversion journeys? Here, again, conversion modeling can help.

Conversion modeling uses machine learning to assign links between ad interactions and conversions. This provides accounting in cases where cookies or other identifiers aren’t available.

Ad interactions are grouped; one group has a clear link to conversion, and the others don’t. The conversions with clear conversion paths are subdivided into groups to identify patterns more specifically, e.g. distribution of product purchase volumes depending on the day of the week or time of day.

Machine learning can then predict characteristics for the other group of unidentified ad conversions based on data that is known, and characteristics from the clear conversion paths. Modeled conversions are typically only included in reporting when the degree of confidence is high that an ad display resulted in a conversion. This helps with reporting accuracy.

Google has also proposed Privacy Sandbox APIs. These are meant for several advertising use cases, including attribution reporting, while enabling data privacy compliance. Advertising interactions can be linked to specific actions or conversions, so individual tracking isn’t needed. Advertisers can understand campaign impact in a privacy-centric way.

Optimized targeting and retargeting in a cookieless world

First-party data, coming directly from users, allows for significantly greater precision in optimizing targeting and retargeting activities. Consumers are all too familiar with poorly targeted ads, especially when they seem to follow individuals around online. Companies need to know what a prospect who converts looks like, which can be modeled from data collected (with consent), ideally in real time. Google Ads enables optimized targeting to help you find your ideal audiences, and is one of the Google services supported by Consent Mode to help ensure adherence to privacy standards.

As marketing evolves away from cookies, contextual targeting is becoming more important. Companies can direct advertising based on users’ demonstrated interests, respecting their privacy and data preferences, rather than trying to broadly harvest enough data in an effort to understand the user and present ads that engage them.

To do retargeting well, companies need good data sources and user consent, which consent and preference management explicitly deliver. As retargeting evolves, along with many digital marketing operations — not to mention data privacy laws, business requirements, and consumer savvy — this will only continue to become more important.

For a successful user journey that results in conversions (and happy customers), companies will need tools and insights to carefully craft messaging that matches customers’ actions, interests, and consent choices. Instead of blasting individuals who didn’t immediately convert with ads and potentially questionable personalization, companies can use more sophisticated campaigns to stay top of mind with prospects where they like to browse, based on known patterns and interests, until they’re ready to buy.

Google’s tools to implement consent and a privacy-first approach also extend to retargeting efforts. The Privacy Sandbox APIs support it, enabling these important conversions on future interactions.

What is consent-based marketing? We’ve got tips and benefits for marketers.

Learn more

Read about cookie consent tips now

Consent management is the lynchpin of these new marketing tactics, in addition to being a key tool to enable data privacy compliance with an ever-increasing number of regulations, guidelines, and policies around the world.

While companies have gotten used to established laws like the GDPR, more recently, regulations like the Digital Markets Act (DMA) have contributed to new pressures to achieve and maintain privacy compliance due to business requirements. As companies like Google, Meta, and Amazon are required to meet stringent new standards, to enable end to end privacy compliance, that means they need to levy their own requirements on their customers to ensure consent for advertising, analytics, and other data uses.

A consent management solution sits at the middle of the marketing stack to record customers’ consent preferences, and enable signaling them to control the many marketing functions, from Google tags to vendor campaigns. It also enables companies to prove that they obtained valid consent in the event of an audit or data subject request.

A consent management platform enables users to make granular choices about their data use, saying “yes” to cookie use for marketing purposes, “no” to analytics, etc. Or they can consent to all cookie use (increasingly first-party as third-party cookies are deprecated) or decline the use of all cookies and tracking technologies except those essential for core website functions.

Time to get ready for the Google cookieless future – learn all about Usercentrics CMP and Consent Mode v2

What’s next for the marketing cookieless future?

While marketers have relied on third-party cookies for a long time, they have always been imperfect tools, and they simply don’t fit today’s technology and privacy requirements, and customers’ expectations.

Not to worry, there are plenty of tools now for the marketing stack, and evolving strategies that respect privacy and enable compliance, while still delivering the data marketers need for precision, engagement, and conversions.

Of course, as with any big change, getting your new privacy-led marketing tactics and measurement right will require some fine-tuning. You will need to test and optimize both to get the zero- and first-party data you need, and increase data volumes by improving opt-in rates and increasing user buy-in to personalization.

A layered approach is also important, including using advanced data modeling and AI. AI-driven attribution is being considered as a solution to stitch together longer customer journeys, enabling more effective tracking and personalized targeting in the absence of traditional cookie-based measurement systems.

Each company needs to determine the right toolkit for its operations; there isn’t one blanket solution to overhaul marketing operations or preserve traditional methods of measurement. Not all companies will have sufficient data volumes for functions like modeling, and so may need to shift to internal data science functions. Very small companies may lack both the data and resources, but even tiny startups can listen to their customers, respect their privacy, and deliver great customer experiences that make people happy to share their preferences and information.

The cookieless future is here, and it brings with it better customer experience by incorporating built-in end-to-end privacy in marketing operations, relying only on data coming directly from the customer, which in turn enables true personalization, and builds longer-term relationships based on trust.

CookieYes is a consent management platform (CMP) that’s designed to help its users comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Digital Markets Act (DMA), and other data privacy laws and regulations.

While it does offer powerful features for managing consent, CookieYes users report some frustrations over subscription limitations and customization capabilities. It also lacks some of the tools and functions that some businesses may need to achieve and maintain privacy compliance.

We share our picks of the top six CookieYes alternatives to help you manage user consent and stay privacy compliant.

Our picks of the top CookieYes alternatives:

Usercentrics
CookieFirst
Osano
illow
CookiePro by OneTrust
Cookie Information

CookieYes competitors

Software	Key feature	Recommended for
Usercentrics	Extensive analytics and reporting: Gain deep insights into user behavior to drive informed decision-making	Small businesses to enterprises
CookieFirst	Re-consent: Set goals for returning visitors to increase opt-in rates and support your marketing goals	Mid-market enterprises
Osano	“No Fines, No Penalties” Pledge: Get compensation of up to USD 200,000 for fines or penalties you incur while using the product according to set requirements	Solopreneurs
illow	Automated cookie categorization: Use the library of 50,000+ pre-categorized cookies to easily see which trackers are present on your website and what they’re used for	Agencies
CookiePro by OneTrust	DataGuidance-powered recommendations: Access regulatory analyses created by lawyers from across 300 jurisdictions to better understand and fulfill requirements	Medium-sized businesses
Cookie Information	Data Discovery: Find and categorize personal data collected and stored across your tech stack	Small businesses

*As of July 2024

Why look for a CookieYes alternative?

CookieYes is a tool to create and customize consent banners and manage cookie consent. It’s available as a plugin for most major content management systems. While G2 users enjoy its intuitive interface, others express frustration over options for customization, and paywalls on numerous features.

Limited customer support: CookieYes only offers support via email.
Subscription limitations: G2 users have expressed frustration that important features are locked behind higher pricing tiers, while the free package limits the number of visitors that can see the consent banner.
Limited customization options: G2 users are looking for more opportunities for banner customization. Plus, CookieYes branding can only be removed if you sign up for the most expensive plan.

Our picks of the 6 top CookieYes competitors

Having a robust consent management solution for customer data empowers your website and app visitors to control what information they share. This leads to two of the main benefits of consent: complying with major data privacy regulations and building trust with your audience.

1. Usercentrics

Usercentrics is committed to keeping up with regulatory changes and helping companies achieve and maintain data privacy compliance. This mission has earned it multiple G2 leaders badges in 2024.

Since 2012, Usercentrics has helped enable companies to provide seamless consent management solutions to respect user privacy and meet legal requirements in line with the GDPR, DMA, CCPA, and other global data privacy regulations and frameworks.

The platform gives you the convenience of being able to configure web and app consent in one place. Plus, features like its powerful DPS Scanner enable you to keep track of all data processing services that are collecting data on your website.

Key features

Robust analytics and reporting: Get insights about user behavior, including cookie acceptance and denial rates, to drive informed decision-making.
Legal template database: Make use of an extensive database of over 2,200 legal templates to ensure effective and compliant messaging across regions.
Extensive customization: Tailor pre-built templates with HTML, CSS, or JavaScript to meet brand requirements.
Multi-regulation compliance: Meet the requirements of the GDPR, CCPA, DMA (via Google’s Consent Mode requirements), and major data privacy laws and guidelines.
Geolocation: Detect user locations and automatically update consent banners based on this information.

Pricing

Usercentrics offers a 30-day free trial to get businesses started with consent management, after which they can select one of three pricing plans.

Starter: USD 60/month for up to 50,000 sessions
Advanced: USD 175–1,150/month for 50,000+ sessions
Premium: Custom pricing

Pros	Cons
Flexible, scalable CMP that enables both web and app consent management	Steep learning curve for advanced features (G2 user reviews)
Database of over 2,200 legal templates
In-depth analytics and reporting

Usercentrics vs CookieYes

While CookieYes users note customization limitations, Usercentrics’ enables a wide range of customization options directly in the Admin Interface. Plus, features such as geolocation and full banner customization, which are only available on the two most expensive CookieYes tiers, are available from the lowest tier for Usercentrics.

Obtain granular, explicit consent

Usercentrics’ flexible and scalable CMP integrates seamlessly with your CMS to streamline data privacy and consent management.

Schedule demo

2. CookieFirst

CookieFirst advertises that its users can get on a path to privacy compliance in mere minutes, thanks to its quick and easy signup process. Start with a site scan for first- and third-party cookies, after which you’ll be prompted to customize your cookie banner, which supports over 44 languages.

A free version is available, but you only get one cookie banner (in one language) as well as a one-time cookie scan of your website. Additionally, many essential features, such as IAB TCF 2.2 support, consent audit trails, and opt-in optimization, are not available on its entry-level paid plan.

Key features

Cookie scanner: Detect first-, second-, and third-party cookies and local storage items present on your site with automatic monthly scans.
Cookie policy generator: Create and edit an auto-generated cookie policy to share details on the trackers present on your site.
Re-consent: Set goals for returning visitors to increase opt-in rates and support your marketing goals.

Pricing

CookieFirst gives users a two-week free trial or one month free when you sign up for the annual plan. There are four CookieFirst subscription options.

Free: EUR 0/month
Basic: EUR 9/month or EUR 99/year
Plus: EUR 19/month or EUR 209/year
Enterprise: Custom pricing

Pros	Cons
Multilingual support for over 44 languages	License is needed for many basic features, such as IAB TCF 2.2 support and banner customization
Integrates with Google Consent Mode v2
Uses EU based sub-processors

3. Osano

US-based Osano offers a range of privacy tools, including consent banner management and Subject Rights Management, as well as an additional privacy consultation tool.
While the platform uses automation to save time and reduce errors in consent management, customization options are somewhat limited (per G2 reviews).

Key features

“No Fines, No Penalties” pledge: Get compensation of up to USD 200,00 for fines or penalties incurred due to noncompliance with data privacy regulations while using their solution, so long as you meet the requirements of this policy.
Regulatory guidance: Receive alerts about upcoming legislative and regulatory changes to stay ahead of requirements and maintain compliance.
Expert consultants: Access a team of data privacy attorneys and other privacy professionals to gain expert insights.

Pricing

Osano’s self-service cookie consent plans are priced as follows:

Free: Free for 1 user on 1 domain with up to 5,000 visitors per month
Plus: USD 199/month for 2 users on 3 domains with up to 30,000 visitors per month

Reach out to Osano for pricing on the following plans:

Privacy Trust & Assurance
Privacy Essentials
Privacy Operations & Governance

Pros	Cons
Easy to implement (G2 user reviews)	Limited customization options (G2 user reviews)
Free tier available
Option to use Osano as a third-party, EU-based DPO

4. illow

illow is a consent management banner that claims ultra speedy setup — enabling you to implement it with Google Consent Mode v2 in a few minutes.

Using its AI functionality, illow can automatically adapt your cookie banner and display a language- and regulation-specific banner to your visitors.

Despite these pros, G2 users make note of limitations to customization options for banners and policies.

Key features

Automated cookie categorization: Use the library of 50,000+ pre-categorized cookies to easily see which trackers are present on your website and what they’re used for.
Roles and permissions: Give specific authorizations and functions to teams or individuals based on the domain they interact with.
Integrations: Add illow to your WordPress site and synchronize it with Google Tag Manager to improve consent management performance.

Pricing

You can choose from four illow plans based on the number of users that visit your website each month. Signing up for an annual subscription will save you 20 percent.

Free: USD 0/month for up to 30,000 visitors
Plus: USD 89/month for up to 1 million visitors
Agency: Custom pricing and number of visitors
Custom: Custom pricing for unlimited visitors

Pros	Cons
Plug-and-play solution	Limited customization options (G2 user reviews)
Responsive, multi-lingual support for 25 different languages
Cloud-based storage

5. CookiePro by OneTrust

CookiePro by OneTrust is a widely used cookie compliance solution that processes hundreds of thousands of requests each month, for over 750,000 websites. However, after being acquired, CookiePro now forms part of the OneTrust data privacy platform.

Although existing customers are still able to log in to the CookiePro by OneTrust app, new users are directed to the OneTrust Consent & Preferences product, which includes powerful features beyond cookie consent, such as the new DataGuidance support portal.

Key features

DataGuidance-powered recommendations: Access regulatory analyses, created by lawyers from across 300 jurisdictions, to better understand and fulfill consent management requirements. Or speak directly with an expert and receive additional guidance within 48 hours. (Via OneTrust)
A/B testing: Test wording, layout, and other banner features to identify which configuration generates the highest conversions. (Via OneTrust)
GRC and security assurance: Enables GRC (Governance, Risk, and Compliance) Management for numerous global compliance laws. (Via OneTrust)

Pricing

OneTrust offers custom pricing based on business needs and functionality. Contact them for a quote.

Pros	Cons
Blocks third-party cookies by default	Nontransparent pricing
Includes A/B testing
Includes mobile app consent

6. Cookie Information

Cookie Information aims to make consent management easy. The platform enables businesses to deploy cookie banners and policies, and manage consent on both their app and website. Despite this, the tool lacks key features to help enable opt-in rate optimization, including A/B testing.

Key features

Data Discovery: Find and categorize personal data collected and stored across your tech stack.
Data Subject Requests: Centralize all data access and erasure requests to reduce response times.
Whistleblowing: Give employees, partners, and clients a place to anonymously disclose incidents and suspected violations.

Pricing

Cookie Information has a flexible pricing structure based on the number of domains. The Essential and Professional plans share many features, but the latter has more robust monitoring capabilities.

Essential: From EUR 15/month, per domain
Professional: From EUR 45/month, per domain

Pros	Cons
Automatic cookie classification	No A/B testing
Data stored on EU servers
Advanced reporting capabilities, including consent rate insights

A reliable CMP makes it easier to achieve privacy compliance, increase cookie opt-ins, and build trust with your customers. In addition to meeting the provisions of international laws, business requirements, and frameworks — like the GDPR, Google’s Consent Mode v2, and TCF 2.2 — your chosen platform should:

Work across all of your domains, platforms, and devices
Give users granular control over their consent preferences
Be able to generate custom cookie consent banners and policies
Feature robust data security measures
Automatically block unwanted cookies and trackers
Use geotargeting and support multiple languages

Read about wordpress cookie consent now

Choose a flexible, scalable, and reliable CookieYes alternative

CookieYes offers an attractive user interface and good geographic coverage for regulations. That said, no single platform will be able to meet the requirements of each and every use case, and some users may find that the platform falls short of their compliance needs and expectations.

Each of the CMPs outlined in this article can enable you to improve user experience on your website or app, grow your privacy-led marketing initiatives, achieve and maintain privacy compliance, and build trust with your customers.

As an all-in-one CMP, Usercentrics stands out. It seamlessly integrates with your existing tech stack to ensure that you can effectively collect, store, manage, and signal user consent. This is key to help you achieve your business goals while complying with all relevant global regulations.

Future-proof your privacy compliance

Simplify consent management and stay ahead of changing privacy regulations with Usercentrics’ flexible and scalable CMP

Schedule demo

The information presented in this article is provided for educational purposes only. Engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations when evaluating solutions is always recommended. This information is accurate based on these publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.

As privacy laws become stricter, achieving and maintaining compliance with the major data privacy regulations, like the General Data Protection Regulation (GDPR), and large tech platforms’ requirements resulting from the Digital Markets Act (DMA), is essential for marketers who want to gain in-depth insights, deliver personalized experiences, and win their customers’ trust.

To help you choose cookie tracking software that will meet your data privacy needs in 2025 and beyond, we’ve curated a list of tools that can deepen your understanding of user behavior while simultaneously navigating the complexities of major data privacy laws.

Our picks of the top cookie tracking software:

Usercentrics
Cookie Information
CookieFirst
CookieScript
CookieYes
Axeptio
Termly
Complianz

Software	Key feature	Recommended for	Price*
Usercentrics	Granular preference management: Provide users with the option to accept or reject a range of different cookies on one notice with just a few clicks.	Businesses of any size: SMB to enterprise	From USD 60/month 30-day free trial available
Cookie Information	Daily and weekly scans: Get regular updates about all the cookies on your website.	Medium-sized businesses	From EUR 15/month 30-day free trial available
CookieFirst	Re-consent: Increase opt-in rates by setting goals for returning visitors.	Solopreneurs managing a single domain	From EUR 9/month Free tier available 2-week free trial
CookieYes	WordPress plugin: Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin.	Small businesses	From EUR 10/month Free tier available Free 14-day trial
Axeptio	Conversational UI: Incorporate friendly characters into cookie banners to create empathy and goodwill with users.	Businesses needing a low-code solution	From USD 29/month Free tier available
Complianz	Easy wizard: Get step by step guidance when setting Complianz up on your website.	Businesses using WordPress	From USD 59/month 30-day money-back guarantee
Termly	Cookie Policy Generator: Generate one free cookie policy for your website.	SMBs looking for a budget solution	From USD 10/month Free tier available

*As of July 2024

Why should you keep track of cookies?

Tracking cookies enable you to collect data about users — including visitor demographics, preferences, and behavior patterns — so that you can tailor your website content to enhance the user experience and increase engagement.

Read about tracking cookies now

It’s not all about improving performance, though. First- and third-party cookies are a cornerstone of online advertising. However, as a data controller — the party responsible for the collection and processing of personal data — you must get explicit and prior consent from data subjects (visitors whose personal data is being collected by cookies) before loading any tracking cookies. This is a requirement for most of the major data privacy regulations.

Failing to meet the requirements of these laws can lead to hefty fines, damage your business’s reputation, and potentially limit future opportunities for growth.

This is where cookie consent management software comes in. These tools make it easy to tell your website and app visitors what types of tracking software are present on your website, to offer them clear and granular options for cookie consent, and finally, to keep a detailed record of their consent, as required by regulations such as the GDPR.

We assessed eight of the top cookie tracking software platforms on the market. We scoured user reviews and considered their key features for managing cookie consent, options for customization, and breadth of integrations and supported languages, etc.

1. Usercentrics

An all-in-one consent management platform (CMP), Usercentrics helps businesses manage cookies and GDPR compliance. Trusted by more than 2.2 million websites and apps in 195 countries, the platform is a market leader in solutions for data privacy and privacy-led marketing.

Usercentrics’ cookie detection, categorization, and autoblocking functionality helps enable GDPR cookie consent as well as adherence to other major privacy regulations like the Digital Markets Act (DMA) requirements handed down by designated “gatekeeper” companies, and California Consumer Privacy Act (CCPA).

Usercentrics CMP also comes with the latest version of Google Consent Mode and the IAB TCF 2.2 integrated, helping meet Google’s latest requirements for publishers and advertisers.

Key features

Cross-domain and cross-device consent: Signal user consent across your websites and apps to improve the user experience, all from one place.
Granular consent management: Give users the option to accept or reject a range of different cookies on one notice with just a few clicks.
Robust analytics and reporting: Get in-depth insights about user behavior and banner interactions to drive informed decision-making to optimize opt-in rates.
Full UI customization: Tailor the look and feel of your cookie banners and other privacy notices to match your brand identity.
Geolocation: Serve users cookie notices with the appropriate language and regulation-specific features based on the country or region from which they’re visiting your site.

Usercentrics pricing

Usercentrics offers a free 30-day trial, after which users can sign up for one of the following paid plans.

Starter: USD 60/month for up to 50,000 sessions
Advanced: USD 175–1,150/month for 50,000+ sessions
Premium: Custom pricing

Pros	Cons
Consent records stored on EU-based servers	Analytics data only available for 90 days
Automatically blocks third-party cookies
A/B testing

Seamlessly manage cookie tracking and consent

Usercentric’s robust consent management platform makes it easy to offer clear and compliant cookie consent options to your users

Schedule demo

Read about shopify cookie banner now

2. Cookie Information

Cookie Information has a stated mission to help businesses collect valid consents to comply with privacy laws and build trust with their customers. The platform offers consent management for both websites and mobile apps but doesn’t offer A/B testing.

Key features

Daily and weekly scans: Get regular updates about all the cookies present on your website.
Free trial: Try Cookie Information for free on your website or app for 30 days.
Customer Data Platform: Create customer profiles and segment them into audiences to personalize your client journey.

Pricing

Essential: From EUR 15/month, per domain
Professional: From EUR 45/month, per domain

Pros	Cons
Plugin for WordPress available	No A/B testing
Detailed consent rate insights
Google Certified CMP partner

3. CookieFirst

CookieFirst advertises a quick and easy signup to get users on their way to achieving GDPR compliance in minutes. Then the tool will scan your site for first- and third-party cookies, after which you can set up your settings and customize your cookie banner with just a few clicks. There is a free version, but you’ll only get a cookie banner in one language along with a one-off cookie scan.

Key features

Re-consent: Increase opt-in rates by setting goals for returning visitors.
Consent Audit Trail: Store user consents in an anonymous, encrypted database, including details of any changes in consent permissions.
Cookie Policy: Create and edit an auto-generated cookie policy.

Read about cookie policy now

Pricing

Free: EUR 0
Basic: EUR 9/month or EUR 99/year
Plus: EUR 19/month or EUR 209/year
Enterprise: Custom pricing

Pros	Cons
Free tier available	No app consent solution
Google Consent Mode and Google Tag Manager integrations
44+ languages supported

4. CookieScript

CookieScript is a self-hosted CMP with geotargeting that works across 250 countries and 50 US states. While the platform does store all consent records on servers in the EU, users will need to sign up for its Plus tier for access to all of its GDPR features, such as record-keeping for user consents and IAB TCF 2.2 integration.

Key features

Cookie banner sharing: Invite additional users — like clients — to view banner information, statistics, and consents.
Integrations: Compatible with Google Tag Manager, WordPress, Wix, Shopify, and other popular platforms.
Cookie scanner: Scan your site for cookies and access an in-depth cookie declaration report, complete with categorized cookies.

Read about wix cookie banner now

Pricing

CookieScript’s pricing is determined by the number of domains that the CMP is added to. Subscriptions are priced per month, but you’ll be locked into a year-long contract.

Pricing for one to two domains is as follows:

Free: EUR 0/month
Lite: EUR 8/month
Standard: EUR 15/month
Plus: EUR 19/month

Pros	Cons
All data stored on EU servers	All GDPR tools only available on the most expensive plan
Ability to manage multiple websites from one dashboard
Transparent, per-domain pricing

5. CookieYes

CookieYes states that the company is trusted by more than 1.5 million businesses worldwide. After starting out as a WordPress plugin, their product has since become a fully fledged cookie consent solution. Despite its range of features, essentials like Global Privacy Control and geotargeting are only available on its two most expensive plans.

Key features

WordPress plugin: Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin.
Auto translation: Display banners in one of 30+ languages based on users’ default browser language.
Cookie auto-blocking: Support users’ Do Not Track (DNT) browser settings even if they provide consent.

Pricing

CookieYes offers a 14-day free trial, after which users can sign up for a month-to-month or annual subscription. Plan prices are for a single domain:

Free: USD 0
Basic: USD 10/month or USD 100/year
Pro: USD 20/month or USD 200/year
Ultimate: USD 40/month or USD 400/year

Pros	Cons
Available as a plugin for all major CMS	All plans limit page scans
Multilingual banner, in 30+ languages
Customer support is responsive (G2 users report)

6. Axeptio

Axeptio brings some levity to cookie consent management branding itself as fun and approachable, with fresh UX. The platform is designed to be a low-code consent management suite, making it perfect for teams with limited tech expertise or resources.

Key features

Conversational UI: Incorporate friendly characters into cookie banners to create empathy and goodwill with users.
Native Mobile SDKs: Build cookie banners for Android and iOS apps with ease.
Shake: Scan third-party vendors on your website to understand whether your banners meet data privacy requirements.

Pricing

Free: USD 0/month
Small: USD 29/month or USD 313/year
Medium: USD 69/month or USD 745/year
Large: USD 129/month or USD 1,393/year
Enterprise: Custom pricing
Agency: Custom pricing

Pros	Cons
Single widget to manage all consents	Cookie management only available in the Enterprise and Agency plans
Supports 25 languages
Live training and webinars

7. Complianz

Complianz is a native privacy suite for WordPress websites. Thanks to a setup wizard, it’s easy to set up. It also includes over 250 service and plugin integrations. While it does come with a cookie scanner, Complianz users have reported that it isn’t always accurate and doesn’t recognize third-party cookies.

Key features

Easy wizard: Get step by step guidance when setting Complianz up on your WordPress website.
Script Center: Add necessary documents to your website without the need for coding.
Privacy statements for children: Request parental consent for the collection of data from website or app visitors under the age of 13.

Pricing

Complianz plans are priced per year.

Personal: USD 59 for 1 website
Professional: USD 150 for 5 websites
Agency: USD 359 for 25 websites

Pros	Cons
Includes setup wizard	Self-hosted only
30-day money back guarantee
WCAG and ADA compliant

8. Termly

Designed with small businesses in mind, Termly is an out of the box compliance solution that aims to help users stay up to date with major data privacy laws in more than 25 regions. The platform’s pricing is competitive, but it lacks some features and functions that larger businesses would need for it to be useful.

Key features

Do Not Sell or Share Links: Add links to your cookie banner to give users complete control over their personal data.
Automatic Consent Logs: Collect and store user consent in a centralized log that can be accessed via the dashboard.
Cookie Policy Generator: Generate one free cookie policy for your website.

Pricing

Free: USD 0 for 1 user and 10,000 banner views
Starter: USD 10/month, billed annually for 5 users and 100,000 banner views
Pro: USD 15/month, billed annually for unlimited users and banner views
Agency: Custom pricing and configuration

Pros	Cons
Supports IAB TCF 2.2 and Google Consent Mode	Only one domain included in the license
Automatic policy generation
Supports compliance with data privacy laws in 25+ regions

Choosing the right cookie tracking software is essential for staying compliant and building trust with your users. Here are the must-have features to look for:

Compliance with global data privacy regulations: Meets all of the requirements on the GDPR cookie checklist as well as those for major regulations such as the ePrivacy Directive, CCPA, and other laws.
Promotes transparency and active, informed consent: Enhances transparency and active user consent, by enabling users to easily opt in or out, or withdraw their consent.
Provides more control for users: Empowers users with options to manage their cookie preferences at a granular level.
Google certified: Ensures compatibility and reliable consent signaling with Google Consent Mode v2.
Cookie scanning: Identifies and catalogs all tracking cookies, including third-party cookies, and informs users about any third-party tracking taking place.

The right cookie tracking software can help you to achieve compliance with the major data privacy laws without affecting the quantity or quality of insights you’re able to gain from tracking user behavior.

Usercentrics helps you ensure quality marketing insights and maintain personalization — while respecting user privacy and building trust.

The Usercentrics CMP is compatible with all your favorite marketing tools, enabling you to offer users a personalized experience on every platform and achieve privacy compliance with the GDPR, ePrivacy Directive, and Google’s EU user consent policy.

Read about wordpress cookie consent now

Take control of your cookie consent process

Offer clear and compliant cookie consent options with Usercentrics. Achieve compliance with major data privacy regulations.

Schedule demo

Protecting your customer data is more than just good business practice, it’s a legal requirement under the General Data Protection Regulation (GDPR).

This regulation applies to all businesses with websites and applications that collect personal data from visitors who are based in the European Union (EU), regardless of the business’ location. It exists to protect those individuals’ privacy rights and mitigate the misuse of their data.

Simply adding a cookie consent banner to your website won’t automatically equal compliance. You’ll also need to implement specific technical and organizational measures to meet the GDPR’s stringent requirements.

Read about wordpress cookie consent now

Fortunately, there are a number of GDPR compliance software options that will help you to do just this. We’ll take a look at some of the best solutions out there.

Our top picks for GDPR compliance software:

Usercentrics
Osano
OneTrust
Didomi
Cookie Information
CookieYes
Borlabs Cookies

Software	Key feature	Recommended for	Price*
Usercentrics	Extensive database of legal templates: Over 2,200 templates to help enable compliance and save time and resources	Businesses of all sizes	From USD 60/month after 30-day free trial
Osano	“No Fines, No Penalties” Pledge: Receive compensation of up to USD 200,000 if you receive a fine related to data privacy while using Osano	Medium-sized businesses	Custom pricing, available on request
OneTrust	Data intelligence: Identify sensitive data and understand data risks	Large corporations	Custom pricing, available on request
Didomi	Site scanner: Obtain a Health Score for your website to determine GDPR compliance level	Multinational companies	Custom pricing, available on request
Cookie Information	Website and app consent management: Collect user consent across different platforms	Small businesses	From EUR 15/month
CookieYes	Cookie Policy Generator: Create a custom cookie policy in a few minutes	Freelancers	From USD 0/month
Borlabs Cookie	Dashboard statistics: See the past 10,000 cookie consents on your website in one place	Agencies	From EUR 49/month

*As of July 2024

Failing to comply with the GDPR’s requirements will expose your business to significant risks, including hefty fines and reputational damage. Robust GDPR compliance software can help you streamline a variety of privacy compliance operations.

Effectively handle sensitive data: ensure the proper collection, management, and protection of personal data.
Manage data processing activities: integrates with the tools in your marketing stack to ensure consent information is obtained and communicated to control tag firing and cookie use that collects personal data.
Support your data protection officer: Aid your data protection officer (DPO) in executing their responsibilities, with mechanisms for granular consent management, detailed consent logs, automated updates, and more.
Map customer data: Provide clear visualizations of data flow and storage locations.
Clearly communicate with visitors: Automate collection of information like which cookies are in use, and provide it on the consent banner and your privacy policy. All data privacy laws, including the GDPR, require companies to provide clear, comprehensive information about the data they collect, for what purposes, who may access it, and more.

Meeting GDPR requirements is crucial for businesses that want to protect personal data to avoid penalties, develop their privacy-led marketing operations, and build trust with their customers.

We highlight the top 7 GDPR compliance software platforms to help your business continually meet the regulation’s requirements.

1. Usercentrics

Usercentrics offers market-leading compliance software that helps enable businesses to comply with the GDPR and other data privacy regulations. Organizations in 195 countries have relied on Usercentrics to effectively manage user consent requirements since 2012.

Usercentrics is available as an out of the box solution. However, it also enables extensive customization of visual elements, data processing services, and regulatory coverage for websites, apps, and other connected platforms.

Although mastering this consent management platform’s (CMP) advanced tools may involve a bit of a learning curve, say G2 users, the end result is invaluable for building trust with users.

Key features

Dynamic consent notices: Display banners and other notices in more than 60 languages, covering relevant regulations, to help enable compliance with local regulations (like the GDPR), based on the user’s location.
DPS database: Over 2,200 legal templates are available to help you categorize and describe your data processing services, saving time and resources.
EU servers: Store consent records on servers in European data centers to comply with regulatory requirements and alleviate international data transfer concerns. (Usercentrics is headquartered in the EU.)
Granular consent management: Give website visitors and app users complete control over the data they share, which can be easily changed or revoked at any time.
Consent storage: Document consent records over time in the event of regulatory inquiries, or to provide user consent history in the event of a data access request by a user.

Pricing

Free trial: 30 days’ access to the Starter package.
Starter: USD 60/month for up to 50,000 sessions with one configuration on one domain.
Advanced: USD 175–1,150/month for 50,000+ sessions, with no limit to configurations and domains.
Premium: Custom pricing for all Advanced features, plus premium support.

Pros	Cons
Provides compliance notices in 60+ languages	Analytics data only available for 90 days
2,200+ legal templates
Detailed analytics and reporting

Simplify GDPR compliance with Usercentrics

Stay ahead of regulations with a flexible and scalable consent management platform tailored to your business

Schedule demo

2. Osano

Osano software advertises numerous features that help enable GDPR compliance, including the option to use Osano as a third-party, EU-based DPO, and to assess vendor privacy risk.

Osano also offers a bold pledge to pay any fine or penalty — up to USD 200,000 — that a business incurs due to noncompliance with data privacy regulations while using its CMP. However, this only applies to customers on Premium plans or higher who have implemented products in line with Osano’s documentation.

Key features

Data mapping: Identify potential data management risks and opportunities with an interactive map of your data.
Data protection officers: Meet GDPR requirements with a third-party DPO based in the EU. (Osano is headquartered in the US.)
Regulatory notifications: Get updates about upcoming regulatory and legislative changes.

Pricing

Contact Osano for a custom quote.

Pros	Cons
Free, self-service cookie consent available	No A/B testing
Provides dynamically generated policies based on the location of each user
Easy to set up (G2 users report)

3. OneTrust

OneTrust comes with an extensive set of data privacy management tools for websites and apps, including cookie scanners, functionality for cookie consent management, and autoblocking functionality.

OneTrust also touts that it works with a network of lawyers and legal experts to provide relevant updates via the platform, to help enable and maintain GDPR compliance.

Key features

Data intelligence: Identify sensitive data and understand data risks.
Streamlined workflows: Automate repetitive tasks to save time and reduce errors in processes such as DSAR fulfillment.
Vendor risk management: Identify and manage risks associated with vendors.

Pricing

OneTrust uses custom pricing based on user needs. Contact OneTrust for a quote.

Pros	Cons
In-depth support and documentation via the Knowledge Base (G2 user reviews)	Non-transparent pricing
Includes incident and breach management
A system for automating compliance assessments

4. Didomi

Didomi provides a cloud-based CMP that offers data privacy tools, including cross-device consent management, supporting over 50 languages. While it does support multiple data privacy laws and regulations, there are no self-serve solutions, and customers must go through a consultation process. Nonetheless, G2 users praise Didomi’s customer support.

Key features

Site scanner: Obtain a Health Score for your website to determine GDPR compliance.
Powerful integrations: Can be easily added to your existing tech stack.
Language support: Display banners and policies in 50+ languages.

Pricing

Pricing only available on request.

Pros	Cons
Based in the EU	No self-serve solution
Robust integration framework
Customer support via live chat and email

5. Cookie Information

Cookie Information enables businesses to deploy cookie banners that comply with the GDPR, Digital Markets Act (DMA), and the California Consumer Privacy Act (CCPA). Although the platform provides its customers with cookie policies and banners that can meet the latest regulatory requirements, it lacks features such as A/B testing.

Key features

Website and app consent management: Collect user consent across different platforms.
Data Discovery: Find and categorize data collected and stored across your tech stack.
Compliance check: Run a free compliance check of your website to assess compliance with the GDPR and ePrivacy Directive.

Pricing

Essential: From EUR 15/month
Professional: From EUR 34/month

Pros	Cons
Google-certified CMP partner	No geotargeting
Personal account manager
Free 30-day trial

6. CookieYes

CookieYes aims to simplify the consent management process with a claim of “foolproof consent management” and a cookie banner that can be launched in just a few minutes. G2 users praise the platform’s intuitive interface that makes it easy to set up and manage consent banners. However, advanced features such as geotargeting are only available on the two most expensive paid plans.

Key features

Cookie Policy Generator: Create a custom cookie policy in a few minutes.
Cookie Scanner: Identify and categorize all cookies on your website.
CSS customization: Use CSS coding to tailor the appearance of your cookie banner.

Pricing

Free: USD 0
Basic: USD 10/month or USD 100/year
Pro: USD 20/month or USD 200/year
Ultimate: USD 40/month or USD 400/year

Pros	Cons
Banners available in 30+ languages	Geotargeting only available on two most expensive plans
Available as a WordPress plugin
Responsive support team (G2 user reviews)

7. Borlabs Cookie

A quarter of a million websites use Borlabs Cookie to display GDPR- and ePrivacy-compliant cookie banners. The platform comes with an extensive library of templates for popular services and compatibility patches for plugins, as well as automatic translation, and geotargeting. However, as a WordPress plugin, this tool does not provide cross-platform consent management.

Key features

Statistics: See the past 10,000 cookie consents on your website in one place.
Cookie Box: Customize the layout and components of your cookie consent banner using 150+ templates.
Powerful scanner: Scan your site, then install features from an extensive library based on your compliance requirements.

Pricing

All Borlabs Cookie plans are priced per annum and come with one year of Borlabs Service (the license needed to use the library, geotargeting, IAB TCF, scanner, translation service), free updates and free support.

Personal: EUR 49 for 1 website
Business – Medium: EUR 109 for 5 websites
Agency – Small: EUR 229 for 25 websites
Agency: EUR 499 for 99 websites

Pros	Cons
Includes auto-blocking	WordPress-only plugin
Geotargeting
Flexible pricing based on number of websites

To ensure your business is able to meet data privacy requirements — and help the person or team who is responsible for GDPR compliance to execute their duties effectively — your software must:

Simplify the collection and management of user consent
Enable granular consent collection
Signal consent information to third-party partners, such as Google
Provide robust data and account protection protocols for security
Help with the identification and mitigation of compliance risks
Meet GDPR data storage requirements

Understanding the capabilities of these GDPR compliance software solutions will help you to choose a platform that suits your budget and business needs and get you on a path to GDPR compliance.

Each platform that we’ve outlined in this article will help you to fulfill at least some of the GDPR’s requirements. However, if you’re looking for an all-in-one solution that helps streamline achieving and maintaining GDPR compliance, consider Usercentrics.

Trusted on over 2.2 million websites and apps by businesses in 195 countries, Usercentrics is a market-leading CMP that enables businesses to gain access to the data insights they need to bolster their marketing performance while staying on the right side of privacy law and building user trust.

GDPR compliance made easy

Ensure your business meets all GDPR standards with our all-in-one compliance platform — obtain granular, explicit consent with ease.

Schedule demo

Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.

We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.

Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.

What is Google Tag Manager?

At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.

Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.

Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.

Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.

In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.

Does Google Tag Manager use cookies?

The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.

While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.

Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).

Check if your website meets key privacy standards

Quickly check if your site meets legal privacy standards and ad platform rules. Help protect your ad campaigns and revenue by scanning your website with our free cookie checker.

Check your website

Google Tag Manager doesn’t directly require cookie consent because it doesn’t set cookies, and so doesn’t collect personal information.

However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.

Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.

Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.

By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.

To use GTM in a GDPR-compliant manner, website owners need to take several steps:

audit all tags to be up-to-date on what they are for, what data collection they may trigger, and ensure they are necessary for business operations
enable restricted data processing for certain types of personal data
install a consent management platform (CMP) to obtain and manage user consent
configure tags to only fire after obtaining user consent
avoid collecting Personally Identifiable Information (PII) where possible

Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags. As it often deploys scripts and tags that collect personal data. Thus, website owners must ensure that tags implemented through GTM only fire after obtaining proper user consent, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with GDPR stipulations.

One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.

Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.

To address privacy regulations like the GDPR and CCPA, GTM offers a Consent Mode framework that enables website owners to adjust tag behavior based on user consent status.

The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.

In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.

By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.

Google Tag Manager and Google Consent Mode

Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.

With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows data collection to continue in a privacy-respecting manner even if full consent isn’t given.

GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.

Do you know how to comply with Google’s privacy requirements?

We’ve put together a checklist to help you obtain valid user consent for privacy compliance.

Learn more

Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.

The penalties for violations can be substantial, with fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher, for repeat or particularly serious violations.

Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.

Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.

A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.

Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.

Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.

By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.

Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.

Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.

Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.

Try Usercentrics for free!

Experience what Usercentrics CMP can do for you. Sign up for a free trial today

Start your free trial

EU-WIDE REGULATIONS AND GUIDELINES

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) protects the personal data of residents of the European Union and European Economic Area. The law is extraterritorial, so it applies to organizations even if they are not located in the EU. Privacy regulation requirements for the GDPR must be applied in addition to country-specific requirements, such as for data subjects’ consent (i.e. online user, customer, visitor, gamer, etc.)

Who needs to comply with the GDPR?

Any organization (not just commercial enterprises) that collects and processes the personal data of residents of the EU/EEA. Unlike the United States, there are no thresholds for GDPR compliance, like company revenue or number of people whose data is processed in a year. There are some exceptions to GDPR compliance, like for journalists or law enforcement, but overall, there are few exceptions for companies and other organizations that need user data.

Legal bases for personal data processing under the GDPR

The GDPR provides six options for legal bases for processing of personal data. Consent is one of the options.

the data subject has given prior consent to the processing of his or her personal data for one or more specific purposes
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
processing is necessary for compliance with a legal obligation to which the controller is subject
processing is necessary in order to protect the vital interests of the data subject or of another natural person
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Download our 9-step GDPR compliance checklist and start implementing it today.

Download for free

Organizations must be able to prove the necessity and validity of their choice of legal basis. A company cannot just choose legitimate interest to avoid the resource investment required to implement consent management, for example.

However, organizations that need to obtain consent must do so in a way that complies with the GDPR’s requirements, e.g. making consent choices clear and equal. They must also be able to prove — to data protection authorities or in the event of a data subject access request — that valid consent was obtained from users, including when and for what, and recording any changes to consent information over time.

Conditions for valid consent under the GDPR

Art. 7 GDPR outlines the conditions for legally valid consent. These requirements have been influential around the world on data privacy legislation and privacy guidelines.

In short: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.”

Achieve GDPR compliance

Implement Usercentrics Consent Management Platform (CMP) to achieve GDPR compliance.

Find out more

ePrivacy Directive (ePD)

The ePrivacy Directive is considered the precursor to the ePrivacy Regulation. Passing of the latter continues to be delayed, though the ePD was significantly updated in 2009.

Colloquially known as the “cookie law”, the ePD influenced the adoption of consent banners. It addresses data privacy and protection in electronic communications and has several mandates:

prioritizing confidentiality of communications over public networks
requiring user consent for use of cookies and other tracking technologies
setting guidelines for the security of electronic communication services
regulating direct marketing practices

The ePrivacy Directive requires incorporation into national laws of EU member states, as a result enforcement across EU member countries has varied.

The conditions for valid consent under the ePrivacy Directive (and eventual ePrivacy Regulation), and who is required to comply are the same as those for the GDPR.

Digital Markets Act (DMA)

The Digital Markets Act came into force in late 2022 as part of the Digital Services Act Package of regulations. Its goals are to promote fair and competitive digital markets in the EU, and to enhance privacy and protections for consumers’ personal data.

The DMA directly targets six large and influential tech companies, designated “gatekeepers”. However, for those companies to meet regulatory compliance requirements, they need to set their own compliance requirements for all the third-party organizations that rely on their platforms, e.g. for data, audience access, ecommerce, advertising, and more.

Get your Digital Markets Act (DMA) checklist to become compliant.

Download for free

Importantly, that includes the requirement of obtaining valid user consent for collection and processing of personal data, and also signaling that consent information to the platform or service, e.g. for Google Ads or Analytics. To comply with this requirement, companies need to implement a consent management platform (CMP) that collects user consent, and then signals that information to the platforms. In Google’s case, it requires implementing a Google-certified CMP integrated with the latest version of Google Consent Mode.

DMA compliance requirements for obtaining consent align with the requirements of the GDPR and ePrivacy Directive, which are also required in the EU.

Achieve compliance with the European Digital Markets Act (DMA)

IAB Europe Transparency & Consent Framework v2.2

Publishers serving ads on websites or in apps in the EU/EEA or UK are now required to have the latest version of the IAB’s Transparency & Consent Framework (TCF) implemented via integration with a consent management platform (CMP).

The TCF originally set industry standards to ensure transparency with users online regarding the collection of data for targeted advertising, as well as provide them control and enable valid consent mechanisms. The framework also standardizes working with vendors, reduces data privacy risks and enables compliance with regulations like the GDPR and ePrivacy Directive.

The update to the TCF v2.2 in late 2023 addresses criticisms and is designed to better meet the needs of regulators and users. Updates include:

only consent can be selected as a legal basis for advertising and content personalization – legitimate interest can no longer be selected
information about purposes and features has been made more user-friendly and less “legalese”
vendor disclosures have been standardized and expanded to include categories of data collected, retention periods, and whether legitimate interest applies
total number of vendors used by a publisher should be displayed on the first layer of the CMP UI
consent management platform redesign is mandatory so that users have the ability to opt out of consent

Google’s EU user consent policy was introduced in 2015 and is a key component in their data privacy requirements for third parties using their platforms and services for marketing, analytics, etc. The policy aligns with the requirements of the GDPR (it was significantly updated when the law came into force) and ePrivacy Directive.

Google’s EU user consent policy applies to companies that operate websites and/or apps meeting the following criteria:

use cookies or other local storage where legally required
collect, share, and use personal data for ad personalization

Websites or apps that serve non-personalized ads that only use contextual information are still subject to the policy if they use cookies or mobile identifiers where legally required. Organizations using third parties to collect and/or process data must also employ “commercially reasonable efforts” to ensure they comply with the policy.

The policy has four main criteria pertaining to consent. Companies must:

obtain legally valid consent (aligned with the GDPR’s requirements)
retain consent records
enable revocation of consent (with clear instructions)
identify each party involved in data handling

Noncompliance with the policy can result in suspension of access to Google’s services, or contract termination. Additionally, noncompliance with EU regulatory requirements for user consent can result in fines and other penalties.

Take action and

Are you meeting Google’s EU privacy requirements? Find out with our Google Consent Mode checklist

Download now

All regulations and guidelines included are currently in effect in the countries listed.

Andorra data privacy laws and consent requirements

Andorra flag

Protected groups: Website users (or equivalent)

Relevant cookie use: All cookies and similar tracking technologies used on websites and in apps, as well as smart devices like TVs, video game consoles, voice assistants, network-connected vehicles, etc.

Consent definition: Any specific, informed and unambiguous expression of free will by which the data subject consents, by means of a statement or a clear affirmative action, to the processing of personal data concerning him or her.

Prior consent: Yes, in most cases, though that explicit wording is not used.

Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.

Cookie duration:

session-based cookies – deleted at the end of a session (closing the browser window)
permanent cookies – most have an expiry date for automatic deletion, the guideline does not provide a specific duration
third-party cookies – duration depends on the party using the third-party cookie, they are also responsible to fulfill requirements on their own website
maximum storage: twenty-five (25) months is the maximum recommended time

Consent solution requirements in Andorra

must include an opt out button on the first layer
clear and complete information provided prior to requesting/receiving consent
users must receive equal information about all available consent options
pre-checked boxes in the second layer where users can make granular selections violate valid consent
consent must be obtained through a clear, explicit, positive action, passive actions like continuing to scroll do not constitute valid consent
use of manipulative design or other dark patterns may invalidate consent (e.g. confusing colors or interactive elements)
there must be a simple, persistent element available for withdrawal of consent
legitimate interest is not a valid legal basis for processing personal data collected via cookies

Austria flag

Protected groups: Website users

Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data. Website operators using cookies or other tracking technologies are responsible for data privacy compliance with the use of those data processing services (with some exceptions) in accordance with Arts. 4 (7) and 26 GDPR.

Consent definition: Follows GDPR consent requirements, and consent must be obtained prior to setting all “technically unnecessary” cookies. Data collected by cookies should not be qualified as personal or non-personal by default and definitions will depend on each case.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.

Cookie duration: No explicit guidelines.

Consent solution requirements in Austria

cookies can be grouped based on duration (e.g. session and persistent cookies) or by the domain to which they belong (e.g. first-party and third-party cookies)
website operators can design to their preference, but consent requirements of Art. 4 (11) and Art. 7 GDPR must be followed for privacy compliance
must be clear to data subjects that they are giving consent, hidden consent buttons, confusing colors or other elements, etc. that are hard to find or that could be selected accidentally, or other manipulative design
mechanisms (“nudging” or “dark patterns”) do not constitute valid consent
passive actions like continuing to scroll do not constitute valid consent, the consent action must be explicit and positive
pre-checked boxes or other elements are not permitted in the banner
consent must be voluntary and not coerced, there cannot be the threat of discrimination or disadvantage to data subjects who do not give consent, e.g. denial of access to the website
the banner must clearly and precisely describe where and how consent can be revoked, and doing so must be as simple as giving consent
it must be as easy to decline consent as it is to give it
clear and complete information provided prior to requesting/receiving consent
paying for access to a website (e.g. “pay or ok”) can be a viable alternative to consent (the current data protection authority view as there is no case law from the CJEU yet) if:
- all data privacy compliance requirements are met
- the price is reasonable and not prohibitively high
- if the user accesses the website via the payment method, no personal data can be collected or used for advertising purposes
- website operator is not an authority or public body
- website owner does not have a monopoly position in the market
- no content or service exclusivity that non-consenting users cannot access

Belgium flag

Protected groups: Focuses on privacy in device use, so not explicitly user-focused, but all users of devices from which data can be tracked/collected.

Relevant cookie use: All cookies and similar tracking technologies used on devices, so all companies doing tracking via devices

Consent definition: Follows GDPR and ePrivacy Directive consent requirements for prior consent for use of all but strictly necessary cookies (includes cookies which are absolutely necessary to provide a service that the user has expressly requested and/or to send a communication via an electronic communications network)

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users can withdraw consent at any time, and it must be as easy as giving consent. Users should also be informed about the ability to withdraw when initially requested to provide consent.

Cookie duration: Cookies cannot be kept beyond the time necessary to fulfill the expressed purpose. No cookies can have an indefinite retention period. Cookies exempt from requiring consent must have a duration directly related to the expressed purpose for use and be configured to expire as soon as no longer needed for that purpose.

Consent solution requirements in Belgium

the data protection authority recommends providing the ability to select granular-level consent as best practice; this ability is also a legal requirement
cookies should be categorized according to purpose, e.g. audience measurement, statistical, etc.
consent must be obtained through a clear, explicit, positive action, having been fully informed prior to the consent request
passive actions like continuing to scroll do not constitute valid consent
pre-checked boxes or other elements are not permitted
use of browser settings to indicate consent is not valid
cookie walls that block access to the website are not valid as they prevent consent from being freely given

Protected groups: Data subjects, e.g. website users

Relevant cookie use: All cookies and similar tracking technologies used on websites.

Consent definition: “Consent should above all be free, specific, informed, and unequivocal. The data subject must have the simple option of not giving consent, without this implying harm for him (e.g. unavailability of website content).”

Prior consent: Yes, in most cases, though that explicit wording is not used. Consent is not required for the use of technical cookies, but that exception only applies to the storage and reading of cookies in the user’s browser.

Consent withdrawal: Data subjects can revoke consent to personal data processing at any time, and doing so must be as easy as giving consent. If consent is granted via a consent banner, for example, requiring withdrawal of consent via a different format, e.g. sending an email cannot be required. Ideally, changing or withdrawing consent should be accessible via an easy to find and use button or link.

Read about email marketing laws now

“Consent to the processing of personal data can be revoked by the data subject at any time, and the withdrawal of consent must be as easy as giving it. In the case of granting consent via the cookie bar, it cannot be accepted that the withdrawal of consent is only possible, for example, by telephone. Ideally, there should be an easily accessible button or link on the website with which consent can be withdrawn.”

Cookie duration: The data protection authority considers a lifespan of six months to be reasonable in principle. That period can be shorter if one or more processing purposes significantly change or the website operator can no longer monitor previous consent (or rejection) preferences, e.g., due to the user deleting cookies on their device.

Consent solution requirements in Czechia

appearance and colors of buttons must enable consent to be freely given (no manipulative design)
cookie walls are not acceptable as they make access to functions or services conditional
active user action is required for valid consent, e.g. clicking an “Accept” button, or closing the banner is not valid consent
pre-ticked boxes cannot be used for valid consent
user must be able to grant informed consent for individual purposes to individual administrators in the browser, so a list of individual cookies with their purposes needs to be clear and easily accessible to the user, e.g. via clicking a “more information” link
third-party tags cannot be loaded until consent is given, so must be integrated into the CMP
processing personal data with legitimate interest as the legal basis is allowed in some cases, but if the user does not consent to the storage and reading of cookies, no further processing of personal data can take place.

Denmark flag

Protected groups: Website visitors

Relevant cookie use: All cookies and similar tracking technologies used on websites.

Consent definition: “A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.”

Prior consent: Yes, in most cases. “Consent of the data subject(s) must be obtained before the controller starts processing the data to which the consent relates”. Only necessary cookies required for the website to function (e.g. shopping cart) can be set without consent.

Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy as giving it, and once consent is withdrawn, data processing must cease immediately.

Cookie duration: Not addressed, though users must be provided information about when each cookie expires.

Consent solution requirements in Denmark

Users must have equal consent and rejection options in the banner, so if there is only an “Accept” button and not a “Reject” one, consent is not valid
Transparency and granularity are required for consent to be considered voluntary, so sufficient information about data collected via which cookies, for which purposes, by whom, when they expire, etc. must be clear and accessible
Pre-ticked boxes cannot be used for valid consent
A click-through (consent is assumed if the user continues to use the website without actually interacting with the consent banner, for example) is not considered valid consent
“Nudging” or other manipulative design tactics/dark patterns cannot be used for consent to be considered “freely given” and valid
It must be as easy to reject consent as to give it, and it must be possible to opt out of all data processing/cookie use.
If a company wants to use a cookie wall, but a user does not want to consent to the processing of their data (to get access to the website), the company must provide a reasonable alternative to the user, such as access for a moderate fee (that still enables real choice) or access to similar functions or services
If offering the choice between consent to data processing and an alternative, the necessity of the consent request (the data and use purposes) must be demonstrable (so that it is reasonable for those not to be included if the user chooses the alternative)
If the user chooses not to consent to data use, but to access the functions or services account creation is needed, the company can process the personal data that is necessary to manage the user profile and provide the service in question, but no more

Finland flag

Protected groups: End users, e.g. for websites and apps

Relevant cookie use: This applies to cookies and similar technologies used by service providers when creating and operating websites or other electronic communications services, like mobile apps.

Consent definition: “Any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.” The conditions for valid consent are the same as for the GDPR.

Prior consent: Yes, in most cases. Consent is not required for “essential” cookies, but it’s recommended to include information about them and their use. Essential uses for cookies include:

enabling the website to function correctly, e.g. shopping cart
if the sole purpose of storing or using the data is to carry out the transmission of a message in communication networks
storing and using the data is necessary for the service provider to provide a service that the subscriber or service user has specifically requested
if analytics cookies are categorized as strictly necessary for the provision of the service in question, the service provider must be able to provide clear justification for the procedure and ensure that the user’s privacy
is protected, e.g. ensuring data collected through analytics is not shared with third parties or that individual visitors cannot be identified

Consent withdrawal: Changing or withdrawing consent (or refusing it in the first place) must be as easy to do as giving it.

Cookie duration:

Session-specific cookies – stored on the user’s device only during the use of the site or service, removed when the browser is closed. Can enable ecommerce, for example, wherein the site can “remember” user activity for a short time.
Permanent cookies – stored on the user’s device until the time specified for each cookie or until the user manually deletes them. Can “remember” user preferences for the site, like language or login credentials for a longer period of time.

Consent solution requirements in Finland

Cookies may not be set on the user’s device, e.g. browser, until the user has given valid consent. Consent via browser settings is not considered valid as they may not be configured or configurable to the user’s preference.
Consent must be an active expression of will, so it is not valid if you silence it, ignore consent requests/options, or do not take action.
Consent must be freely given, so pre-ticked boxes, activated sliders, etc. cannot be used.
Service providers must clearly inform users about the cookies or similar tracking technologies they use, the types, purposes of use, and duration of operation, and ask for your consent to store and use the information.
The service provider is responsible for requesting consent and doing so in a compliant way. The consent request mechanism should include at least the following information:
- clear and thorough explanation of what cookies and other tracking technologies are in use and what data they collect
- clear and thorough information about the purpose of the cookies in use and their period of duration
- whether any third parties may process cookie data (and who those parties are and what the purposes are)
- access to more detailed information, e.g. privacy policy

France flag

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition:

Uses the GDPR definition.
While lack of explicit action cannot be construed as consent, silence can be construed as explicit denial of consent.
Pre-ticked boxes cannot be construed as valid consent.
Cookie walls cannot likely be used to obtain valid consent due to the likelihood of infringing on the user’s consent freedom, but they are not universally prohibited.
Companies need to be able to prove valid consent at any time.

Prior consent:

Yes, “before any action aimed at storing information or accessing information stored in the equipment terminal of a subscriber or user, apart from the applicable exceptions”
References the GDPR and ePrivacy Directive regarding valid consent and the requirement to clearly and comprehensively notify users prior to collecting data.
Essential cookies/trackers do not require consent, but use must be strictly limited; they include audience and performance measurement, navigation detection issues, technical optimization, etc.
Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy to do so as it was to give it. It also must be as easy to deny consent initially (e.g. same action or number of steps) as to give consent.

Cookie duration:

CNIL recommends consent renewal every six months for publishers.
CNIL recommends that the lifetime of the trackers should be limited to a duration allowing a relevant comparison of audiences over time, as is the case for a 13-month period.
Tracker duration should not be automatically extended for new visits.
Information collected through trackers should be kept for a maximum period of 25 months.

Consent solution requirements in France

Clearly and accessibly include all purposes with short descriptions, categorized, including for personalized advertising, geo-specific advertising, sharing on other social platforms, etc.
Recommended to provide accept and reject buttons on the first layer of the consent banner.
Dark patterns cannot be used to manipulate user actions.

German flag

Protected groups: Focuses on privacy regarding end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition:

Uses the GDPR definition.
If personal data is not processed, the GDPR does not apply, but the TTDSG still does.

Prior consent: Yes, in most cases, with conditions.

GDPR and TTDSG consent can be “bundled” with a single button click (accept or reject). However, for consent to be valid (e.g. device access and data processing for marketing purposes) users must be informed about the two distinct consent requests: access (under the TTDPA) and processing (under the GDPR).
There are two options for accessing data without consent. Art. 6 para. 1 lit. f GDPR is not enough for the TTDSG. Consent is not required if a message is transmitted via a public telecommunications network or if the user desires the service.

Consent withdrawal: Required, and should be as easy to withdraw as it is to give consent.

Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.

Consent solution requirements in Germany

Bundled consent for the GDPR and TTDSG is acceptable, but the user must be informed about both distinct consent requests.
The legal basis for data collection/processing must be communicated to users.
If the banner’s “accept” option is placed on the first layer, all data collection/processing purposes must also be stated in the first layer. However, granular consent choices do not have to be provided in the first layer.
It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e., in the banner. Browser settings changes are not enough, and dark patterns cannot be used to obtain consent.
Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.

Greece flag

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc., even if personal data is not collected.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases.

Consent is not required for trackers that are necessary for the website to function, or if it’s a service explicitly requested by the user, for example:
- identifying and/or maintaining content or user-provided information for the duration of the session (e.g. shopping cart)
- connection to services that require prior authentication
- security
- load balancing
- user preferences for website appearance and experience, e.g. language, search history, etc.
Browser settings that allow the use of cookies are not considered consent.
If the user does not make a choice, no non-essential cookies should be used.

Consent withdrawal: Yes, consent can be withdrawn at any time, and it must be as easy to do so as to give it. It also must be as easy to deny consent initially (e.g., the same action or number of steps) as to give consent.

Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.

Consent solution requirements in Greece

Accepting or rejecting the use of non-essential cookies or trackers must require the same amount of effort or number of clicks (e.g., you can’t enable accepting on the first layer of the banner but rejecting only on the second layer). Not giving users a reject option is not valid consent.
Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
Users who deny consent cannot be penalized in their website experience.
Dark patterns/nudging are prohibited.
The consent banner should reappear after the same period of time, regardless if the user consented or rejected it, e.g. if users who do consent see the banner again to renew consent after 12 months, then users who reject consent can also only see the banner again after 12 months, and not sooner.

Ireland flag

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition, and also ePrivacy Directive definition: “The law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment – this means through the use of browser cookies or other technologies such as device fingerprinting or the use of pixels or similar devices. It is irrelevant whether the information stored or accessed consists of, or contains, personal data. The ePrivacy Regulations apply when any information is stored on or accessed from the device.”

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: Required, users must be informed how they can withdraw consent, and should be as easy to withdraw as it is to give consent. Also cannot be bundled, e.g. with terms and conditions.

Cookie duration: Six months for cookie use requiring consent. For other cookies, lifespan should be proportional to their purpose and no longer than necessary to fulfill the purpose.

Consent solution requirements in Ireland

As the six-month expiry requirement for some cookies is shorter than the common 12-month default, the configuration in the CMP needs to be updated.
It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e. in the banner. Browser settings changes are not enough. Dark patterns/nudging to obtain consent cannot be used, nor can pre-checked boxes, etc.
A banner that only displays an “Accept” option does not enable valid consent.
A “Manage cookies” button, for example, could be used with an “Accept” button if the “Manage cookies” button immediately takes the user to a layer (of the banner) where they can directly accept or reject granular cookie category usage).
Users must be provided with information to reject non-essential cookies and/or request information about cookie use. The banner’s second layer must include information about the types and purposes of cookies used and third parties that will have access to/process the information the cookies collect.
Users must have easy access to the privacy notice or policy, which cannot be obscured, so without having to provide consent choices before accessing that information.
Implementing accessibility best practices in the design and implementation of the consent banner is recommended.
Having a specific cookie policy is recommended, while not explicitly required.

Italy flag

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: “all the entities providing their users with publicly accessible online services through electronic communications networks or else operating websites that rely on cookies and/or other tracking tools”

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: Required, or modifying consent choices or providing consent after rejecting it. It must be provided in a simple, easy, and user-friendly way accessible via the website footer, and that is as easy as giving consent.

Cookie duration: Not explicitly referenced, recommended to err on as short a period of time as is necessary to fulfill the purpose of the specific cookie type and/or processing operations.

Consent solution requirements in Italy

”Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
Users should be able to close the banner (i.e. via clicking the “X” at the top right of the banner UI) to maintain default settings and not provide additional consent. As a result, this should enable only essential cookies and does not provide consent for use of any others.
Users must be notified about the use of cookies, including those that can be used without consent (i.e. “technical” ones).
A link to the privacy policy must be easily accessible, or it should be included in the second layer of the banner.
Users must be able to select the cookie functions and/or third parties with access to their data at a granular level. These services and vendors in use must be kept up to date.
Use of pre-checked boxes is not allowed.
Use of cookie walls is not allowed as the requirement to accept all cookie use or not gain access to the website is not valid consent.
Continued scrolling by the user (e.g. ignoring the consent banner) does not constitute valid consent.
New consent must be obtained from users if the purposes for requesting consent change or if previous consent choices cannot be detected when the user revisits the website (e.g., they cleared their settings).

Latvia flag

Protected groups: Users who use services and whose data is collected on websites, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: This is required. Users must be informed how they can withdraw consent, and it should be as easy to withdraw as it is to give consent.

Cookie duration: “There is no specific time limit for how long consent is valid. The length of time consent is valid depends on the context, the scope of the original consent and what the data subject expects. If the processing activities change or evolve significantly, the original consent will no longer be valid. In that case, a new consent must be obtained. If the processing activities change or evolve significantly, the original consent will no longer be valid. In that case, a new consent must be obtained.”

Consent solution requirements in Latvia

The first layer of the banner should include:
- name of the controller (unless provided in other areas of the website like the “About” section or Contact Us page, etc.)
- purposes of cookies used on the website
- whether cookies in use are first-party only (controller) or third-party
- types of data collected and used
- where user profiling is carried out (e.g. analytical cookie use)
- how users can accept, reject, or change consent for the use of cookies
- a clearly visible link to the second layer, which contains more detailed information
Users must be provided with granular information and options re. cookie use purposes (so not necessarily for each specific cookie)
There can be no risk of negative consequences if users decline cookie use.
Users must have granular ability to accept or reject all cookies or use at a granular level, and must have easy access to comprehensive information about the cookies in use, their purposes, etc., as well as easy access to the cookie and privacy policy.
User-facing language must be clear and simple.
All options must be visually equal and accessible, nudging and dark patterns are prohibited.
Ignoring, scrolling, or closing the consent banner without making a consent choice cannot be construed as accepting cookie use, and no cookies except strictly necessary ones can be used.
Browser settings are not considered valid consent (per GDPR guidelines).

Netherlands flag

Protected groups: Users of websites, or equivalent, e.g. apps, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases. Consent can be provided in writing, by ticking a box, clicking a button or link, filling out an electronic form, sending an email, providing an electronic signature or scanned document with a signature, or verbal consent.

Consent withdrawal: Yes, and it has to be as easy to withdraw consent as it was to give consent.
Cookie duration: No explicit time period is provided, but users must be notified about the duration of all cookies set.

Consent solution requirements in the Netherlands

The guidelines divide cookie types into Functional, Analytical, and Tracking. Users must be provided with information about the use of cookies in these categories.
Pre-checked boxes, use of cookie walls, and manipulating users into consenting (e.g. dark patterns, nudging, etc.) are all prohibited.
Ignoring the consent banner and continuing to scroll/browse or closing the banner without making a consent selection cannot be construed as having given consent.
Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
Website operators must maintain consent records and be able to prove consent was obtained, when, how, and what information they received before making consent choices, etc.

Spain flag

Protected groups: Users of websites, mobile applications, or other platforms. (Contractual agreements are also required with third parties.)

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases. Cookies used for the purpose of obtaining traffic or performance statistics may be exempt from consent requirements under specific conditions:

use is limited to what is strictly necessary for the provision of the service
processing must be carried out exclusively on behalf of the publisher and used only to produce anonymous statistical data
use of these cookies/trackers must not result in data being matched with other processing operations or transmitted to third parties
aggregate tracking of the navigation of the person using different applications or browsing different websites is prohibited

Consent withdrawal: Required, at any time, as easily as it is to give consent, and users must be provided with information on how to do so.

Cookie duration:

Duration or lifetime of cookies or similar technologies must be limited to a period that allows meaningful comparison of audiences over time, e.g. 13 months. Duration cannot automatically be extended if users make new visits to the site.
Information collected via cookies or other tracking technologies will not be retained for more than 25 months. (Best practices state no more than 24 months.)
Lifetime and retention periods will be subject to periodic review to limit it to what is strictly necessary.

Consent solution requirements in Spain

Consent options must be presented equally, at the same time, in the same place, e.g. on the same level of the consent banner.
Ignoring or closing the consent banner, scrolling, taking no action, or any other non-explicit action is prohibited from being construed as valid consent.
Use of pre-checked boxes, other default opt-ins, or cookie walls that block access to the website unless the user consents are prohibited.
Users must be able to consent at a granular level to cookie purposes. If a cookie is used for two purposes but the user only consents to one, the cookie can only be used for the consented purpose.
Users must be provided with information about the use of cookies and similar technologies – purpose, duration, third parties with access to the data, etc.
The first layer of the consent banner must present essential information and be displayed when users access the page or application:
- identify the managing website editor/name of the publisher
- purpose of the cookies in use
- if cookies are owned by the website provider (or comparable) or are set by third parties
- types of cookies and types of data that will be collected and used
- options to accept, set up/configure, or reject cookie use
- link to a second information layer to access more detailed information
The second layer must contain more detailed information:
- more specific information about the cookies in use, purposes, third-party access, etc.
- control panel or settings panel with info about how to save the selection
If cookies in use, purposes, or other factors affecting consent change, the user must be given the opportunity to provide or reject new consent.
Language must be simple and clear.
Dark patterns/nudging are prohibited.

Protected groups: Users of websites, mobile applications, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition, and granular consent options for specific purposes are required.

Prior consent: Yes, with no exceptions for necessary cookies.

Consent withdrawal: Yes, and it must be as easy as giving consent. Users must also be provided clear information on how to withdraw consent or otherwise change preferences. Revoking consent cannot have negative consequences for users, e.g., no longer being able to access the website.

Cookie duration: No explicit time period provided.

Consent solution requirements in Sweden

Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
Consent language must be clear and explicit, e.g. “I understand” is not the same as “I accept”.
New consent options must be provided to users if the purposes for cookie usage change.
Users must be provided with clear information about cookies in use, purposes, duration, third-party access to data, etc.
The use of pre-checked boxes is prohibited.
Cookie walls that block or restrict access to a site unless the user gives consent are prohibited.
Scrolling, browsing, ignoring the consent banner or closing it cannot be construed as valid consent.

Norway data privacy laws and consent requirements

Norway flag

Protected groups: Website users.

Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data.

Consent definition: Follows GDPR definition and requirements. Storage and processing of information is not permitted unless the user is informed about, and has consented to, which information is processed, the purpose(s) of the processing, and who processes the information.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, at any time.

Cookie duration:

Session-based cookies: deleted after the end of the session, i.e. when the user closes the browser.
Persistent cookies: not deleted after the end of the session and often contain information about authentication, language settings, and menu selections. Most permanent cookies have an expiry date when they are automatically deleted after a certain period. However, the guidelines do not set a specific expiration date.
Third-party cookies: can be session-based or persistent, but they’re set by someone other than the website operator. Their duration is dependent on the third-party vendor, who is also responsible for providing relevant information about their cookies’ use, their identity, duration, etc.

Consent solution requirements in Norway

Users must be informed about and be able to consent to cookie use at a granular level.
A consent banner or other consent solution must be clearly accessible on the site and clear about what it’s for.
Pre-checked boxes are prohibited. No guidelines on the use of cookie walls.
Scrolling, ignoring, or closing the consent banner without making a consent action cannot be construed as the user has given consent.
Browser settings to accept cookies are considered valid consent.

Switzerland flag

Protected groups: Swiss citizens.

Relevant cookie use: Yes, in some cases when personal data is collected and processed, and also if data is transferred across international borders.

Consent definition: Uses GDPR requirements.

Prior consent:

Yes, in some cases. However, it is not always necessary to obtain consent from users before collecting or processing personal data. Though there are other legal bases, it is always necessary to inform them about the controller and processing.
Prior consent is always required for processing:
- of sensitive data
- for high-risk profiling by a private person
- for profiling by a federal body (government)
- with data transfers to third countries where there is not adequate data protection

Consent withdrawal: Yes, at any time.

Cookie duration: There are no explicit guidelines, but data must be deleted or anonymized when the processing purpose has been fulfilled.

Learn all about Switzerland’s data protection law and its latest updates.

Uses the principles of “privacy by design” and “privacy by default” by law, requiring companies to take data processing principles into account in the planning and design states of websites and applications (and not just seek to secure and protect data retroactively).
Default browser settings and similar mechanisms are not considered valid for consent for more processing than is absolutely necessary.
Consent must involve an explicit action, e.g. checking a box.
Consent banners are not legally required, but clear user notification is required about whether a legal basis is required for data collecting and processing, and about the parties involved, as is a user-friendly consent mechanism where data processing requiring consent takes place.

From 31 July 2024, Google has new consent requirements for publishers and advertisers marketing to Swiss audiences.

United Kingdom flag

Protected groups: Individuals whose personal data is processed.

Relevant cookie use: The cookie rules apply to the subscriber or user’s “terminal equipment” e.g. computer or mobile phone. The subscriber is the person who pays the bill for the use of an online service, and the user is the person who uses a device to access an online service.

Consent definition: Uses GDPR definition and requirements.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users must be able to withdraw consent at any time as easily as they gave it, and receive information about how consent can be withdrawn, and how cookies already set can be removed.

Cookie duration: There are no explicit guidelines, but it will depend on the service and the purpose of the processing for the data the cookie collects (and for which user consent is required). It should be limited to the minimum time necessary to fulfill the purpose of processing. Cookie duration may also affect exemptions in Regulation 6(4).

Consent solution requirements in the UK

Users must be given clear and equal access to all consent choices. Dark patterns or nudging are prohibited (as is denying the option to reject cookies entirely).
Users should have access to information about cookie use and the opportunity to make consent choices as soon as they arrive on the website.
The privacy policy or notice must include full details about data collection and processing, third-party access, and other relevant details. It should be easily accessible via a prominent link in the site’s header or footer.
Use of pre-checked boxes is prohibited.
Inactivity, scrolling, ignoring, or closing the consent banner cannot be construed as valid user consent.
Users cannot be penalized for rejecting consent, e.g. lack of access to the website or features.
Browser settings do not constitute valid consent.
Consent cannot be bundled into terms and conditions or other documentation.
Cookie walls are not prohibited, but they must comply with GDPR standards. For example, users cannot be blocked from the site unless or until they give consent.

How did Brexit change data processing and consent requirements in the UK?

Learn more

Protecting your website from bots is important to protect your organization and customer data. To mitigate risk, many companies use a CAPTCHA on their website.

In practice, this means that website visitors have to search for traffic lights, click on crosswalks and buses, or recognize which letters and number combinations are hidden behind a blurred image. In recent years, this is how website users have become used to proving that a real flesh and blood human being was logging in to an account or otherwise accessing online content.

With Google’s reCAPTCHA v3, those days are now over. Let’s look at what has changed, the benefits and limitations of Google reCAPTCHA, and how to comply with the European Union General Data Protection Regulation (GDPR) if your company uses it.

In 2014, Google reCAPTCHA v2 went live and the “I am not a robot” checkbox was born.

What is a CAPTCHA and how does it work?

A CAPTCHA (“Completely Automated Public Turing tests to tell Computers and Humans Apart”) is a security mechanism used to distinguish between real and automated users, such as bots. CAPTCHAs pose tasks that are difficult for computers, but relatively easy for humans to solve.

The most common type of CAPTCHA involves displaying distorted text or images that the user must interpret and enter correctly. Here’s how it typically works:

When accessing a website or performing actions like logging in or making a purchase, a CAPTCHA is triggered.
The user sees a distorted image with letters, numbers, or objects that are hard for bots to recognize but easier for humans.
The user types the characters or identifies the objects in the image.
If correct, the user is verified as human and allowed to proceed; if incorrect, access is denied or a retry is required.

Illustration presenting icons related to reCAPTCHA

What is Google reCAPTCHA and how does it work?

Google reCAPTCHA, including invisible reCAPTCHA, is a free service that helps protect websites from spam and abuse by distinguishing between human users and automated bots or programs.

It uses advanced risk analysis techniques powered by artificial intelligence and machine learning to analyze user behavior, device information, IP addresses, and other signals to determine the likelihood that a user is human or a bot.

While not perfect, reCAPTCHA’s advanced techniques are more difficult for bots to bypass, providing an effective way to filter out automated spam and abuse on websites. However, it can be bypassed by advanced bots, machine learning systems trained on solving CAPTCHAs, or CAPTCHA-solving services.

Google reCAPTCHA v2 vs v3

Google offers two main versions of its reCAPTCHA service: reCAPTCHA v2 and reCAPTCHA v3. Here are the key differences between them.

Infographic presenting the differencef between Google reCAPTCHA v2 vs v3

The advantages of reCAPTCHA version 3

The key advantage of reCAPTCHA v3 is that it can provide a seamless and uninterrupted user experience by working invisibly in the background without presenting any visible challenges or interactive elements, like checkboxes, to users.

In addition to more sophisticated bot detection, there’s another benefit to the new version: companies have a lot more control.

While version 3 only means that CAPTCHAs are no longer noticeable from the website user’s point of view, it’s about much more than that for website operators. They now have to define granular risk-scoring thresholds for different parts of a website (login, social, payment, etc.), which can include transaction histories and usage profiles from non-Google data.

These shifts bring a technical change and, more importantly, sweeping industry change. Website owners must now take responsibility for their bot traffic and cannot simply outsource the issue to third parties.

The short answer is no, Google reCAPTCHA is not inherently GDPR-compliant when used out of the box on websites, or if it’s poorly implemented.

This is because CAPTCHA V3 operates invisibly to the user, which seems convenient but lacks transparency in terms of data processing or protection. User behavior is analyzed behind the scenes, and the user is not informed that the following data, among others, is sent to Google during the analysis:

ReCIP address
Referrer URL
operating system
cookies
mouse movements/keyboard strokes
length of pauses between actions
device settings (e.g. language or location)

As a result, this lack of transparency in the use of CAPTCHA poses risks for website operators.

To comply with the latest privacy regulations, a website’s privacy policy should transparently describe how CAPTCHA works while simultaneously obtaining the visitors’ consent, for example, via the cookie banner of the Consent Management Platform (CMP). However, even with this, it may not be fully legally compliant, as Google does not make it sufficiently clear which processing and requests are made by the tool.

Read about wordpress cookie consent now

is, it may not be fully legally compliant, as Google does not make it sufficiently clear which processing and requests are made by the tool.

Our advice: be sure to consult your legal department or data protection officer on this issue.

Always stay up to date with biweekly talks on data protection

Whether it’s data protection, law, or tech, we know what drives the industry. Stay up to date with our biweekly expert talks on the Consented podcast.

Get the latest episode

GDPR-compliant alternatives to Google’s reCAPTCHA

There are several GDPR-compliant alternatives to Google’s reCAPTCHA that can offer a better balance between security and user-friendliness, such as Friendly Captcha, ALTCHA, and Cloudflare Turnstile.

Friendly Captcha is a privacy-friendly CAPTCHA solution that does not use cookies or track users, enabling it to be fully GDPR-compliant. It processes EU user data within the EU, so no sensitive information is transferred to other countries, even those with an adequacy agreement in place.

ALTCHA is an open-source, self-hosted alternative that employs a proof-of-work mechanism and machine learning for spam filtering without using cookies, fingerprinting, or tracking users, adhering to GDPR requirements.

Lastly, Cloudflare Turnstile is another GDPR-compliant option that can be used on any server and incorporates a Data Processing Addendum into its terms of service.

Check if your website meets key privacy standards

Quickly check if your site meets legal privacy standards and ad platform rules. Help protect your ad campaigns and revenue by scanning your website with our free cookie checker.

Check your website

To ensure GDPR compliance when using Google reCAPTCHA, you need to take several key steps.

First, obtain explicit user consent before activating reCAPTCHA. Do this by implementing a cookie banner or consent mechanism. Additionally, update your privacy and cookie policies to include detailed information about reCAPTCHA, its data collection, and usage.

Furthermore, document your compliance efforts and provide users with an opt-out mechanism. Consider using reCAPTCHA v2 instead of v3, as it’s more privacy-conscious and can be deployed only on specific pages.

Finally, consult with a legal professional specializing in data protection to ensure full compliance, as there are ongoing debates about whether reCAPTCHA can be fully GDPR-compliant due to concerns about data transfers and Google’s status under US law.

Google reCAPTCHA setup guide

While it’s important to get legal guidance before implementing reCAPTCHA v3, here are the basics of how you can set it up.

1. Register your website and receive a Secret Key

Register your website with Google.
Log in to your Google account and fill in the appropriate form.
Select reCAPTCHA v3 and enable the “I am not a robot” option in it.
Save and submit the changes, then you will receive the Site Key and Secret Key from Google. These are needed to configure the form.

2. Integrate reCAPTCHA into your website

To integrate reCAPTCHA into your website, you must include it on both the client and server sides.

reCAPTCHA v3 is invisible to the user. This means that you will not see a CAPTCHA form on your website, and you’ll have to record the CAPTCHA response in your JavaScript code.

After completing all the required actions, you will see the reCAPTCHA icon on your website. This will enable you to get the service running on the client side.

The system will now analyze individual users, then create a token and associate it with a hidden submission item.

3. Server-side integration

Since there is no checkbox-style CAPTCHA, the reCAPTCHA response must be collected and sent to the backend for validation. Use a PHP file to validate the user with data through certain defined constants. The code creates a request, sends it to Google, and returns a score. Depending on the score received, you can perform actions relevant to your applications (1.0 is most likely a good interaction).

Important: This is a very simple example of server-side integration and response scoring. If you apply it to your properties, make sure to use strong client-side and server-side validation, as you would with any form. If you are looking for more complex validation, then it is worth taking a look at the PHP library.

4. reCAPTCHA privacy and cookie policy requirements

Using reCAPTCHA involves collecting and processing personal data from website visitors, so if you have visitors from the EU or elsewhere covered by a data privacy law, you need to comply with data protection laws like the GDPR.

Update your website’s privacy policy to disclose that you use Google reCAPTCHA and what data it collects (e.g., IP address, browser info, mouse movements, etc.)
Explain the purpose of using reCAPTCHA (e.g., preventing spam/abuse) and that the data is transferred to Google’s servers.
Mention that Google’s privacy policy applies to the data collected by reCAPTCHA.
Create or update your cookie policy, since reCAPTCHA uses cookies like _grecaptcha. Disclose the cookies used and their purposes.
For EU/EEA visitors, obtain prior consent before using reCAPTCHA by implementing a cookie banner or consent management platform. Provide options to decline, specify granular preferences, or revoke consent.

Google reCAPTCHA enables quality website traffic

Google’s reCAPTCHA v3 offers websites an innovative and user-friendly way to detect bots without intrusive CAPTCHA challenges.

However, its data collection practices demand careful privacy considerations. By being proactive and transparent — updating privacy policies, implementing a consent management platform to easily manage consent preferences, and closely following GDPR guidelines — website operators can leverage v3’s benefits while upholding user privacy.

Read about optimize cookie banners now

Discover key strategies to optimize consent rates and build user trust in the era of data privacy regulations.

Optimize your opt-in rates

What is a Data Protection Impact Assessment (DPIA) and why is it essential for GDPR compliance?

Who should implement a DPIA?

When is a DPIA required?

Exclusions from the DPIA requirements

At what stage should a DPIA be carried out?

What are the DPIA requirements under the GDPR?

DPIAs under US law

DPIA procedure

1. Identify if a DPIA is required

2. Consult the DPO, if appointed

3. Identify all parties to be consulted

4. Document the nature, scope, context, and purposes of the data processing

5. Assess the necessity and proportionality

6. Identify and assess potential risks

7. Validate and sign the DPIA

Conclusion and next steps

What is data minimization?

Data minimization and GDPR

Data minimization and CPRA

What is an example of data minimization?

Benefits of data minimization

The principles of data minimization

Data minimization and risk mitigation

How to implement data minimization measures

Collect less to build consumer trust

What is the Kentucky Consumer Data Protection Act?

Definitions under the Kentucky Consumer Data Protection Act

Personal data under the KCDPA

Sensitive data under the KCDPA

Consent under the KCDPA

Controller under the KCDPA

Processor under the KCDPA

Sale of personal data under the KCDPA

Targeted advertising under the KCDPA

Who must comply with the Kentucky Consumer Data Protection Act

Exemptions to compliance with the Kentucky Consumer Data Protection Act

Consumer rights under the Kentucky Consumer Data Protection Act

Controllers’ obligations under the Kentucky Consumer Data Protection Act

Privacy policy under the KCDPA

Consumer rights requests under the KCDPA

Purpose limitation under the KCDPA

Data security under the KCDPA

Data protection assessments under the KCDPA

Consent requirements under the KCDPA

Nondiscrimination under the KCDPA

Data processing agreement under the KCDPA

Enforcement of the Kentucky Consumer Data Protection Act

Fines and penalties under the KCDPA

Consent management and the Kentucky Consumer Data Protection Act

Updates to the Kentucky Consumer Data Protection Act

Preparing for the Kentucky Consumer Data Protection Act

What are the biggest challenges of the cookieless future for marketers?

Why do you need to be ready for a Google cookieless future?

1. Legal compliance with data protection and user privacy regulations

2. Google’s requirements for advertisers

3. Google’s requirements for publishers

Data privacy and marketing alignment

From third-party cookies to a cookieless world: embracing a privacy-first approach to marketing

Zero- and first-party data in a cookieless world

Zero-party data for marketing in a cookieless world

First-party data for marketing in a cookieless world

Preference management in a cookieless world

Server-side tagging in a cookieless world

Digital marketing in a cookieless world

Marketing measurement in a cookieless world

Marketing attribution in a cookieless world

Optimized targeting and retargeting in a cookieless world

Consent management in a cookieless world

What’s next for the marketing cookieless future?

CookieYes competitors

Why look for a CookieYes alternative?

Our picks of the 6 top CookieYes competitors

1. Usercentrics

Key features

Pricing

Usercentrics vs CookieYes

2. CookieFirst

Key features

Pricing

3. Osano