What proper cookie consent setup looks like
A compliant Webflow cookie consent setup includes seven elements:
What's included in our cookie consent setup?
How we implement cookie consent on Webflow?
Webflow has no native cookie consent feature, which is why most setups are fragile. Our approach uses Webflow's Before </body> tag custom code field for the consent script, Webflow's CMS for cookie descriptions, and server-side geographic detection where needed. The implementation:
Script Installation & Pre-Consent Control
We install the Cookiebot script in your site's global custom code, scoped to fire before any tracking script.
Consent Mode Configuration
We rewrite your existing GTM container to use Google Consent Mode v2 and Microsoft UET Consent Mode, so tags only fire after consent and your ad platform data stays accurate.
Cookie Classification & Mapping
We map every cookie on your site to the correct category in the Cookiebot dashboard.
Regional Compliance Testing
We test the banner across regions using VPN simulation to verify GDPR, CCPA, and LGPD logic all trigger correctly.
Handover & Documentation
We hand over the entire setup with documentation, a 30-day support window, and a recorded training session.
Our process
Audit and planning
We scan your site, document every cookie, identify compliance gaps, and map out the Cookiebot configuration tailored to your stack and regional exposure.
Implementation
We design and build the banner, integrate the CMP, configure Google Consent Mode v2, and set up geographic logic.
Testing and handoff
We test across regions, deliver documentation, run a recorded training session with your team, and hand over all code and credentials.
GDPR, CCPA, and the regulations your cookie banner needs to cover
Different markets, different rules. A company selling globally needs a single banner that satisfies all of them.
GDPR (European Union and UK)
Applies to any company processing data from EU or UK residents, regardless of where the company is based. Requires explicit opt-in for non-essential cookies, clear language explaining what each cookie does, the ability to withdraw consent as easily as it was given, and a record of consent. Fines start at €10 million or 2% of global annual revenue, whichever is higher.
CCPA, CPRA, and VCDPA (California, Virginia, and other US states)
CCPA and CPRA apply to companies doing business in California with $25M+ revenue, 100K+ consumers, or 50%+ revenue from selling personal data. Requires a "Do Not Sell or Share My Personal Information" link and recognition of the Global Privacy Control signal. Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, and Texas's DPSA layer similar opt-out and disclosure requirements. Civil penalties under CCPA run up to $7,500 per intentional violation.
LGPD (Brazil)
Mirrors GDPR's structure with Brazilian enforcement. Required for any company processing data from Brazilian residents.
POPIA (South Africa)
Comparable consent and accountability requirements to GDPR, with administrative fines up to R10 million.
DMA (EU Digital Markets Act)
Affects how "gatekeeper" platforms like Google and Meta handle user data. Your CMP needs to send proper consent signals so your ad accounts continue to operate compliantly in the EU.
Working with us
As the only B2B marketer on my team, I'm responsible for a lot of things — and not having to worry about the website has made my life so much easier.
Instead of filling out a standard contact form, most clients now head straight to the calculator to get an instant estimate delivered to their inbox. From a commercial perspective, it's been absolutely invaluable.
Some of the best operators I've ever worked with — and I've been building websites for almost thirty years.
Hesitant to do this testimonial because I don't want anybody to fill up his calendar. But I can't recommend Hunor highly enough.
Frequently asked questions
Do I really need a cookie consent banner if I'm a US-only SaaS?
If you have any EU visitors at all, yes. GDPR applies based on the user's location, not your company's. If you're California-only and over the CCPA thresholds, you need at minimum a "Do Not Sell or Share" link and Global Privacy Control support.
Can't I just use a free Webflow cookie banner template?
Free templates almost always fire tracking scripts before consent, which is the exact behavior GDPR penalizes. They also rarely support granular consent or consent logging.
Will the banner slow down my site?
A properly implemented banner adds less than 50ms to page load. We host the consent script asynchronously and defer all non-essential scripts until consent is granted, which often improves overall page speed compared to firing all tracking on load.
What happens if regulations change?
We follow updates from the European Data Protection Board, the California Privacy Protection Agency, and other major regulators. For active clients, we flag material changes and quote the work needed to stay compliant. For past clients, we offer compliance refreshes as a separate engagement.
Will this affect my Google Ads or GA4 data?
The opposite, it protects it. Google now requires Consent Mode v2 for ads personalization, remarketing, and analytics in the EU, EEA, and Switzerland. Without it, your conversion tracking degrades and remarketing audiences shrink. Cookiebot is a Google-certified CMP with native Consent Mode v2 support, and we configure it during setup so your ad platforms keep receiving the modeled data they need.
Is the cookie banner accessible?
Yes. Cookiebot supports WCAG 2.2 and WAI-ARIA standards out of the box, which we verify during testing. This matters for enterprise procurement reviews and is increasingly a regulatory requirement in itself, the EU's European Accessibility Act took effect in June 2025.
Can you migrate an existing cookie consent setup to Cookiebot?
Yes. Migrations from Termly, OneTrust, Iubenda, and custom-built banners to Cookiebot are a common engagement, usually triggered by cost, compliance gaps, or a CMP that doesn't scale. We handle the full migration including consent log preservation where the source platform supports export.
Is cookie consent the same as a privacy policy?
No. A privacy policy is a written document explaining what data you collect and how you use it. Cookie consent is the technical mechanism that asks users to opt in to specific cookie categories before tracking begins. You need both.
