Frequently Asked Questions
Everything you need to know about cookie consent, privacy compliance, and how ConsentStack works.
Legal & Compliance
The General Data Protection Regulation (GDPR) requires websites to obtain explicit, informed consent from EU/EEA visitors before setting non-essential cookies or processing personal data through tracking technologies. Consent must be freely given, specific, informed, and unambiguous — meaning pre-checked boxes or implied consent (like "by continuing to browse") don't qualify. Visitors must be told what data is being collected and why, and they must take a clear affirmative action to agree. Essential cookies required for basic site functionality are exempt from the consent requirement.
Opt-in consent means all non-essential scripts are blocked by default until the visitor explicitly agrees to them. This is required under the GDPR for EU/EEA visitors. Opt-out consent means scripts run by default, and the visitor has the option to stop them — typically through a "Do Not Sell" or preferences mechanism. Most US state privacy laws follow the opt-out model. ConsentStack automatically applies the correct consent model based on each visitor's location, so you don't need to configure geo-rules manually.
The list is long and growing. The EU/EEA (27 member states plus Iceland, Liechtenstein, and Norway) requires opt-in consent under the GDPR. The UK has equivalent requirements under UK GDPR. Brazil's LGPD, Japan's APPI, South Korea's PIPA, and Australia's Privacy Act all have consent or transparency requirements. In the US, over 20 states have enacted privacy laws including California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and many more. ConsentStack covers 195+ regulations automatically, applying the right rules for each visitor's jurisdiction.
Yes. The GDPR has extraterritorial scope, meaning it applies to any organization that processes personal data of individuals in the EU/EEA — regardless of where the organization is based. If your website is accessible to EU visitors and sets cookies or uses tracking technologies, the GDPR applies to you. Many non-EU companies have faced GDPR enforcement actions, and regulators actively investigate cross-border violations.
Under the GDPR, yes — rejecting consent must be as easy as giving it. Regulatory guidance from authorities like France's CNIL and the European Data Protection Board explicitly requires that refusing cookies should take no more effort than accepting them. This means a "Reject All" button must be as prominent and accessible as "Accept All." Under the CCPA, a "Do Not Sell or Share My Personal Information" link is required instead. Requirements vary by regulation — ConsentStack configures the correct buttons and options automatically based on each visitor's jurisdiction.
Yes. GDPR Article 7(1) states that the data controller must be able to demonstrate that consent was given. This means you need an auditable record of each consent event — including what the visitor consented to, when they consented, and what options were presented. Regulators can request these records during investigations. ConsentStack logs every consent event with timestamps, consent categories, and visitor actions. Consent logs are retained for 30 days on Pro plans and 1 year on Business plans, and are exportable as CSV for audit purposes.
GDPR fines can reach up to €20 million or 4% of global annual revenue, whichever is higher. These aren't theoretical — France's CNIL alone has issued over €100 million in cookie-related fines in recent years, targeting companies of all sizes. Under the CCPA, fines are $2,500 per unintentional violation and $7,500 per intentional violation. With each visitor potentially constituting a separate violation, penalties accumulate rapidly. Beyond fines, non-compliance can trigger class action lawsuits, mandatory audits, and reputational damage.
How ConsentStack Works
ConsentStack works in five steps:
(1) Add a single script tag to your website's HTML head.
(2) ConsentStack automatically detects trackers from a database of 950+ known vendors and categorizes them as analytics, marketing, functional, or essential.
(3) Non-essential scripts are blocked before they can execute or set cookies.
(4) A customizable consent banner is displayed to visitors, adapted to their location and applicable regulations.
(5) When visitors make their choices, scripts in the consented categories are activated in the correct execution order.
Every consent event is logged with timestamps and categories for compliance records.
Script blocking is ConsentStack's core technology. Scripts are intercepted at parse time — before they can execute, set cookies, or transmit data. This is fundamentally different from solutions that let scripts run and then try to delete cookies afterward, which still allows data to be sent to third parties before consent. When a visitor gives consent for specific categories, ConsentStack activates the corresponding scripts in the correct dependency order, ensuring your tracking and analytics tools initialize properly. Learn more about our consent experience.
ConsentStack maintains a curated database of 950+ known vendors — including Google Analytics, Meta Pixel, HubSpot, Hotjar, LinkedIn Insight Tag, and hundreds more — along with their associated tracker domains and cookie patterns. When a visitor loads your site, ConsentStack identifies which scripts are present by matching them against this database and automatically categorizes them into four groups: essential (never blocked), functional, analytics, and marketing. This happens without any manual tagging or script modification on your part.
ConsentStack detects each visitor's geographic location and applies the appropriate consent model automatically. Visitors from GDPR regions get opt-in consent — all non-essential scripts are blocked until they explicitly agree. Visitors from US states with privacy laws get opt-out consent — scripts run by default with a clear option to opt out. Visitors from regions without specific consent laws get a notice-only banner. See our regulations guide for the full list of supported jurisdictions.
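The gating decision described in the answers above (vendor matching, the four categories, and the opt-in, opt-out and notice-only models) can be sketched as follows. This is an added example, not ConsentStack's code: the vendor table, the function names, the first-party-is-essential rule and the handling of unrecognised hosts are all assumptions.

```javascript
// Constructed vendor table (hostname -> category); not ConsentStack's database.
const VENDORS = {
  "google-analytics.com": "analytics",
  "static.hotjar.com": "analytics",
  "connect.facebook.net": "marketing",
  "widget.chat-vendor.test": "functional",
};

// Match whole hostname labels, so look-alikes such as
// "notgoogle-analytics.com" or "google-analytics.com.cdn.test" stay unknown.
function categorize(scriptUrl, siteOrigin) {
  let host;
  try {
    host = new URL(scriptUrl, siteOrigin).hostname.toLowerCase();
  } catch {
    return "unknown";
  }
  // Assumption: first-party scripts count as essential.
  if (host === new URL(siteOrigin).hostname) return "essential";
  for (const [domain, category] of Object.entries(VENDORS)) {
    if (host === domain || host.endsWith("." + domain)) return category;
  }
  return "unknown";
}

// model: "opt-in" | "opt-out" | "notice"; choices: { category: true|false }.
function mayRun(category, model, choices = {}) {
  if (category === "essential") return true;
  // Assumption: unrecognised third parties are held back (fail closed) under opt-in.
  if (category === "unknown") return model !== "opt-in";
  // An explicit decision wins; otherwise the regional default applies.
  if (typeof choices[category] === "boolean") return choices[category];
  return model !== "opt-in";
}

// Split a page's script URLs into those released and those held back.
function planScripts(urls, siteOrigin, model, choices) {
  const plan = { run: [], blocked: [] };
  for (const url of urls) {
    const ok = mayRun(categorize(url, siteOrigin), model, choices);
    (ok ? plan.run : plan.blocked).push(url);
  }
  return plan;
}
```

Matching on a label boundary rather than a substring is what keeps a look-alike domain from inheriting a trusted vendor's category.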
Yes. ConsentStack includes a visual builder with live preview. You can choose from 5 banner positions (full-width top bar, full-width bottom bar, floating card bottom-left, floating card bottom-right, and centered modal) and 4 preferences panel layouts. Customize colors, fonts, and border radius to match your brand. For pixel-perfect control, add custom CSS. Brand removal is included on all paid plans — no "Powered by" badges on your site.
ConsentStack includes 7 languages with automatic translation. The banner and preferences panel content automatically adapts to match each visitor's browser language. This means a visitor browsing in French sees the consent banner in French, while a visitor browsing in German sees it in German — with no manual translation work required on your part.
A re-entry button is always visible on your site — a small, customizable icon that floats in a corner of the page. Clicking it reopens the preferences panel where visitors can update their consent choices at any time. When they change their preferences, ConsentStack immediately adjusts which scripts are active. This is a GDPR requirement: withdrawing consent must be as easy as giving it.
Consent typically expires after 6 to 12 months depending on the applicable regulation. When consent expires, ConsentStack automatically reshows the banner to collect fresh consent. This ensures your site maintains continuous compliance without any manual intervention. You don't need to track expiration dates or set up reminders — it's handled automatically.
Setup & Technical
Add one script tag to your HTML <head> section. No build tools, plugins, or package managers required. ConsentStack works with any website — static HTML, WordPress, Shopify, React, Next.js, or any other platform. The complete setup, including banner customization and configuration, typically takes about 20 minutes. See our getting started guide.
No. ConsentStack's auto-blocking intercepts scripts automatically — there's no need to add type="text/plain" attributes to your script tags or modify your Google Tag Manager configuration. Your existing code stays completely untouched. ConsentStack handles the blocking and reactivation behind the scenes.
No. Essential scripts — your framework, CDN resources, fonts, and core functionality — are never blocked. ConsentStack only manages non-essential tracking scripts like analytics, advertising pixels, and marketing tools. Before going live, you can use debug mode to verify exactly which scripts are being blocked and confirm that your site functions correctly with ConsentStack active.
Yes. ConsentStack includes native Google Consent Mode v2 integration, which automatically communicates consent state to Google Tag Manager. GTM reads the consent signals and adjusts tag behavior accordingly — no manual consent triggers, custom variables, or additional configuration required on the GTM side.
Yes. The ConsentStack dashboard supports multiple sites, each with independent configurations, banner designs, and consent analytics. Team members can be invited with access across all sites. Billing is unified across all your properties under a single account.
Yes. Headless mode provides API-only consent management for custom implementations. Use consentstack.getConsent() to check current consent state, consentstack.setConsent() to programmatically set consent choices, and consentstack.onConsentChange() to react to consent updates. This lets you build your own consent UI or integrate consent management into your existing interface while ConsentStack handles script blocking and compliance logic behind the scenes.
Google Consent Mode & Integrations
Google Consent Mode v2 is a framework that communicates visitor consent status to Google services — Analytics, Ads, and Tag Manager. It uses four consent signals: ad_storage, analytics_storage, ad_user_data, and ad_personalization. Google requires Consent Mode v2 for any website running Google Ads personalization features for EEA visitors. Without it, you lose conversion data, remarketing audiences, and attribution modeling in regulated regions. If you use Google Analytics or Google Ads and have European visitors, you need it.
Yes — it's a native, built-in integration, not a plugin or add-on. ConsentStack automatically sends the correct consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) to Google based on each visitor's consent choices. When a visitor accepts analytics cookies, analytics_storage is granted. When they accept marketing cookies, all four signals are granted. No manual tag configuration or Google Tag Manager adjustments needed.
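The signal mapping described above can be written out with Google's documented gtag consent commands. This is an added example, not ConsentStack's code: the function names and the visitor history are constructed, and it assumes the opt-in case where all four signals default to denied.

```javascript
// The four Consent Mode v2 signals named above.
const SIGNALS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// Mapping as described on this page: analytics consent grants analytics_storage,
// marketing consent grants all four signals. Everything else stays denied.
function consentSignals(choices = {}) {
  const state = Object.fromEntries(SIGNALS.map((name) => [name, "denied"]));
  if (choices.analytics === true) state.analytics_storage = "granted";
  if (choices.marketing === true) SIGNALS.forEach((name) => { state[name] = "granted"; });
  return state;
}

// Google's documented gtag shim: commands are queued on the dataLayer array
// as `arguments` objects and read by Google tags when they load.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Opt-in flow: declare the denied default before any Google tag runs, then
// send an update for each decision, including a later withdrawal.
function replayConsent(decisions) {
  const dataLayer = []; // stands in for window.dataLayer
  const gtag = makeGtag(dataLayer);
  gtag("consent", "default", consentSignals({}));
  for (const choices of decisions) {
    gtag("consent", "update", consentSignals(choices));
  }
  return dataLayer.map((args) => ({ command: args[1], state: args[2] }));
}

// Constructed visitor history: accepts analytics, later withdraws everything.
const timeline = replayConsent([{ analytics: true }, {}]);
```

When auditing a deployment, the same ordering should be visible in the page's dataLayer: a `default` entry ahead of any tag activity, and an `update` back to denied after a withdrawal.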
ConsentStack includes native consent signaling for 6 major advertising platforms: Google Consent Mode v2, Meta Pixel, TikTok Pixel, Microsoft UET/Clarity, Pinterest Tag, and LinkedIn Insight Tag. Each platform automatically receives the appropriate consent signals when visitors make their choices. This means your ad platforms get accurate consent data without any manual integration work — maximizing your data recovery while maintaining compliance.
Some data reduction is inherent to consent-based privacy — that's the fundamental purpose of these regulations. However, the impact is minimized through platform-level data recovery features. Google's Consent Mode uses conversion modeling to estimate data from non-consenting visitors. Meta's cookieless tracking preserves some attribution. ConsentStack's native integrations with these platforms ensure you get the maximum data recovery each one offers. Most sites see 60–80% effective data coverage even with strict consent enforcement.
Google's CMP Partner Program certifies platforms that meet specific integration and compliance requirements. Certified CMPs appear in Google's partner directory and have been validated against Google's consent infrastructure standards. Certification matters most if you rely heavily on Google Ads — it ensures your consent signals are properly recognized by Google's systems. Check ConsentStack's current certification status on our integrations page.
No. ConsentStack handles everything in one platform — the consent banner, script blocking, consent record storage, and Google Consent Mode signaling are all built in. There's no need to layer a CMP plus a separate Consent Mode plugin plus manual GTM triggers. One script tag gives you the full stack: compliant consent collection, script management, and platform-specific consent signaling.
Performance, SEO & Trust
ConsentStack's script is approximately 18 KB compressed — for comparison, some competing CMPs are 100 KB or more, and a single analytics pixel is often larger than our entire SDK. The script loads asynchronously and does not block page rendering. Your site's content appears at the same speed with or without ConsentStack installed.
No. Google does not penalize websites for showing cookie consent banners — Google's own documentation acknowledges they're legally required in many regions. What can hurt SEO is non-compliance (regulatory fines lead to reputational damage) or a poorly implemented consent tool that causes layout shift, increases load time, or blocks search engine crawlers from accessing content. ConsentStack is designed to avoid all of these issues.
ConsentStack is designed to minimize Cumulative Layout Shift — a Core Web Vital that Google uses as a ranking factor. The banner reserves space predictably and doesn't reflow your page content. Your layout remains stable when the banner appears, keeping your CLS scores clean.
No. ConsentStack does not set tracking cookies, collect personal data, or build visitor profiles. The only data stored is the consent record itself — what the visitor chose, when they chose it, and which categories were selected. ConsentStack is a consent management tool, not an advertising or data platform.
Consent records are stored securely in ConsentStack's infrastructure. Consent logs are accessible from your dashboard with filtering by date range, consent status, and categories. Logs are exportable as CSV for compliance audits and regulatory inquiries.
Yes. ConsentStack practices what it preaches. We process only the minimum data necessary — consent records — and don't share data with third parties. We provide full data export and deletion capabilities. Our infrastructure is designed for compliance from the ground up, and we serve as a data processor under the GDPR, with a Data Processing Agreement available for all customers.
ConsentStack offers three plans: Free (1,000 visitors/month, 1 site), Pro at $29/month (30,000 visitors, 2 sites), and Business at $79/month (1,000,000 visitors, 3 sites). All plans include full banner customization, platform integrations, and unlimited team members. No long-term contracts, no enterprise sales calls — sign up and start in minutes. Cancel anytime. Annual billing saves 20%. See pricing details.