Cookie consent: setup and compliance

Set up Amabrik's GDPR cookie consent: declare your trackers to block them until consent, turn on Google Consent Mode v2, set region rules, and keep a consent log.

The Cookie consent widget is Amabrik’s flagship compliance tool. It shows a banner, holds your non-essential trackers until a visitor consents by category, and keeps proof of that choice. One widget covers GDPR, UK GDPR, the Swiss nLPD, CCPA and CPRA, and Brazil’s LGPD, and it signals Google Consent Mode v2 and honors Global Privacy Control.

What it does

  • Shows a consent banner with Accept all, Reject all, and Customize, where Reject sits at the same weight as Accept (what EU regulators ask for).
  • Holds the third-party scripts you declare (Google Analytics, Meta Pixel, any custom tag) and fires each one only after its category is consented.
  • Detects each visitor’s region and applies the right legal mode: opt-in for the EU and UK, opt-out for the US.
  • Sends Google Consent Mode v2 signals and reads the Global Privacy Control browser signal.
  • Keeps a 13-month consent log with CSV export, with no raw IP stored.
  • Works in many languages and is fully right-to-left compatible.

Use it on any site that loads analytics, ad pixels, chat, or any tracker that is not strictly necessary. If your site only loads essential cookies, you may not need a banner, but the widget still gives you a clean cookie policy table.

Turn it on

  1. In the dashboard, open Widgets and click the Cookie consent card.
  2. With no banner yet, you go straight into the editor on a fresh banner. The live preview shows it right away.
  3. Set it up tab by tab (below). Changes autosave; you’ll see a “Saved” indicator.
  4. If you haven’t already, add Amabrik’s one script to your site’s <head>. The banner appears on every page that loads the script.

The editor has five top-level tabs: Content, Style, Display, Compliance, and Advanced. Each tab holds accordion sections. The first section of a tab is open, the rest are collapsed.

Content tab

The text your visitors read, in your default language.

Text

  • Title and Message: the headline and short paragraph on the banner.
  • Accept button and Reject button: the two main button labels.
  • Customize button: opens the preferences popup where visitors pick categories one by one.

Translate every one of these into other languages in the Advanced tab’s Languages section.

The preferences popup that opens when a visitor clicks Customize. While this section is open, the live preview switches to show the popup.

  • Preferences title and Save choices button: the popup heading and its save action.
  • For each category (Necessary, Analytics, Marketing, Functional), set a Title and Description so visitors understand what each one covers.

Media & policy

  • Top media: optionally show an image or video at the top of the banner, or leave it as None.
  • Cookie policy URL and Policy link label: link to your cookie policy page.
  • Cookie declaration table: copy the snippet (a <div data-amabrik-cookie-declaration="..."> tag) and paste it on your cookie policy page. Amabrik renders your full, auto-generated cookie and script table there, always in sync with what you declare. The snippet carries this banner’s id, so the right table shows even if you run several banners.
  • Cookie page path: optional but recommended. Set the path of the page that holds the table (for example /cookie-policy). The widget then only looks for the table on that exact page, so there is zero extra DOM work on every other page. Leave it empty to look on every page.

Style tab

How the banner looks. It reuses Amabrik’s shared controls, so the typography, color, and size inputs match every other widget.

Illustration

Pick a cookie illustration (or None). When one is set, you can adjust its Width and pick an Effect (None, Float, Bounce).

Colors

  • Accent color: one click themes the widget’s primary color (the Accept button and the popup toggle). Pick a preset or open the pen for a custom hex.
  • Customize elements: set the Notice background (color, gradient, or image) and the Notice text color, each as a full-width row.
  • Corner radius: rounds the banner corners (not shown for a full-width bar, which spans edge to edge).

Buttons

Full styling for the Accept button and Reject button, each with a Normal and Hover state (background, text, border, border style, width, corner radius). The Customize link has its own color and hover color. The popup’s Save button uses the Accept style. Keep Reject at equal weight to Accept, since refusing must be as easy as accepting.

Colors for the preferences popup: Background, Heading, Body text, and the Toggle color. The popup buttons reuse the Accept and Reject styles from the Buttons section.

Typography

Set fonts for the Title, Body text, and Buttons with the shared typography control (font, weight, line height, letter spacing, transform).

Display tab

Where and how the banner shows up.

Layout & position

  • Layout & position: Bar (full), Bar (contained), Card left, Card right, or center Modal.
  • Dim the page behind the banner: a backdrop overlay. Always on for the Modal layout; a toggle for the others.
  • Entrance animation: None, Slide, or Fade.

Behavior

  • Floating reopen button: lets visitors change their choice anytime (recommended, and often legally expected).
  • Re-ask after (days): how long a choice lasts before the banner asks again. The choice is also re-asked automatically whenever you change your cookie setup (the banner tracks a policy version).

Compliance tab

This is the heart of the widget: what you declare, how it’s grouped, and the rules per region.

Cookies & scripts

This is where you declare the tags your site loads, and it is what drives the per-script blocking. See the dedicated section below on declaring trackers.

Necessary is always on. For Analytics, Marketing, and Functional you can:

  • Offer this category: show it in the preferences popup at all.
  • On by default (opt-out regions): in an opt-out region (like the US), this category loads by default and the visitor can switch it off. In an opt-in region (like the EU), nothing non-essential loads until the visitor accepts, regardless of this setting.

Region rules

  • Detect the visitor’s country: applies the right legal mode per region automatically. With it off, every visitor gets the same Default mode.
  • Default mode (unlisted countries): Opt-in (nothing loads until consent), Opt-out (loads by default, can be refused), or Notice (informational).
  • Opt-in countries (consent first): pre-filled with the EU/EEA, UK, Switzerland, and Brazil. Add or remove freely; you can also bulk-add all EU/EEA countries.
  • Opt-out countries (load by default, allow refusal): pre-filled with the United States. Remove it if you don’t serve the US.

Country detection happens on the edge from a coarse country code, never from a stored IP.

Signals

  • Google Consent Mode v2: sends a denied-by-default state early, then updates to granted or denied per category once the visitor chooses. Turn this on if you use Google Ads or GA4.
  • Honor Global Privacy Control: auto-applies an opt-out when the visitor’s browser sends the GPC signal, with no prompt needed.

Advanced tab

Languages

Add languages and translate every string. See the dedicated section below.

Custom CSS

Scoped CSS for fine-tuning, using selectors like .ac-box, .ac-btn, and .ac-panel. The banner lives in a Shadow DOM, so this CSS never leaks into your site and your site’s CSS never leaks into the banner.

Declaring your trackers (the important part)

A compliant banner is not just a notice. It has to actually stop non-essential scripts from running until the visitor agrees. Amabrik does this by having you declare your trackers, rather than trying to guess and auto-block them.

Why declaring beats auto-blocking

Some tools try to scan the page and automatically block anything that looks like a tracker. That is fragile:

  • A tag can load from a new or unusual URL the scanner doesn’t recognize, so it slips through and fires before consent.
  • A scanner can block something you actually need (a payment script, a form helper), which quietly breaks your site.
  • Tags injected later by other scripts, or by a tag manager, can dodge a pattern-based blocker entirely.

Declaring is reliable: you tell Amabrik exactly which tags you load and which category each belongs to. Amabrik holds those tags and injects each one only after its category is consented. Nothing fires early, and nothing you didn’t declare gets touched, so a working site stays working.

How to declare a tracker

In Compliance, open Cookies & scripts, then either:

  1. Add a known service: pick a provider from the list (Google Analytics 4, Google Tag Manager, Google Ads, Meta Pixel, Hotjar, Microsoft Clarity, LinkedIn Insight, TikTok Pixel). Amabrik fills in the right category and the cookies that provider usually sets, so you only paste the ID (for example a G-XXXXXXXXXX for GA4).

  2. Add custom script: paste the full <script> tag for any tracker not in the list. Choose its category and its placement (Head or End of body). It only runs after consent for that category.

For each tracker you can edit its name, category, the list of cookies it sets (name, duration, description), and toggle it on or off. The cookie list shows in the visitor preferences popup and in your auto-generated cookie policy table. When a visitor withdraws consent for a category, Amabrik deletes those declared cookies (use a trailing * for a prefix, for example _ga_*) and reloads, so a withdrawal actually takes effect.

Necessary scripts run by default and are never blocked. Everything else waits for consent.

Regions and behavior

Amabrik adapts to where each visitor is, so you run one widget instead of one tool per market.

  • EU, UK, Switzerland, Brazil (opt-in): nothing non-essential loads until the visitor accepts. Pre-ticked boxes are not used, and Reject is as easy as Accept. This is what GDPR, UK GDPR, the ePrivacy rules, the Swiss nLPD, and Brazil’s LGPD expect.
  • United States (opt-out): default-on categories load right away, and the visitor can opt out. Amabrik also reads Global Privacy Control, which California’s CCPA and CPRA treat as a valid opt-out signal.
  • Everywhere else: the Default mode you set applies.

You control the exact country lists in Region rules, so you can tighten or loosen the defaults for your audience.

Every choice writes one proof-of-consent record. The log lives in the dashboard, on the Consent page for your cookie banner.

Each record holds:

  • A pseudonymous consent id (not a user id), the same id stored in the visitor’s first-party cookie.
  • The per-category choices (analytics, marketing, functional).
  • A coarse country code (from the edge, never the raw IP).
  • The action (accept all, reject all, or custom) and a timestamp.
  • The policy version that was shown, so a record ties to exactly what was consented to.

There is no raw IP, no name, and no email. The record is private by design.

Export to CSV: click Export CSV in the consent log to download the full set, so you have an audit trail for a data request. Records are kept for 13 months.

Erasure: a visitor can ask you to delete their records using the id in their amabrik_consent_... cookie. Paste that id into “Erase by consent id” to delete every record for it. You can also delete a single record from the table.

A consent record is written only when a visitor makes a choice, never on a page view, so your visitor traffic never touches the database.

Translations and languages

Every banner can be multilingual. In Advanced, open Languages.

  1. Default language: the language shown by default and whenever auto-detect finds no match. Its text is edited in the Content tab’s Text and Cookie popup sections.
  2. Auto-detect the visitor’s language: when on, the banner shows in the visitor’s browser language if you’ve translated it, else the default.
  3. Add a language: pick a language from the list. It copies your default text as a starting point and opens an inline Translate editor.
  4. Translate: in the inline editor, fill in the title, message, every button label, the preferences title, the policy link label, and each category’s title and description. Use the Preview language select (or open a language’s Translate editor) to see that language in the live preview.

Remove a non-default language with its Remove button. The default language cannot be removed.

Every banner is also fully right-to-left. When the resolved language is Arabic, Hebrew, Persian, Urdu, Pashto, or Sindhi (or the host page is set to RTL), the layout mirrors automatically.

Tips

  • Keep Reject at the same visual weight as Accept. In the EU it’s expected, and it’s the safest default everywhere.
  • Declare every non-essential tag, including ones loaded by a tag manager. If GTM loads other tags, declare GTM under the category that fits its tags, or declare those tags individually for finer control.
  • Set the Cookie page path so the declaration table only renders on your policy page, not on every page.
  • Turn on the floating reopen button so visitors can change their mind, which several laws expect.
  • Paste the declaration table snippet on your cookie policy page so your policy stays in sync with what you declare, with no manual upkeep.
  • Turn on Google Consent Mode v2 if you run Google Ads or GA4 for EU or UK users.

FAQ

Is a cookie banner legally required?

In the EU and UK, yes for non-essential cookies: the ePrivacy rules ask for prior consent before storing or reading trackers, and the GDPR asks that consent be a clear opt-in choice. In the US, California’s CCPA and CPRA require an opt-out of sale and sharing. The rules differ by region, which is why Amabrik adapts the banner to where each visitor is.

How does it block trackers before consent?

You declare your third-party scripts and map each to a category. Amabrik holds those scripts and fires each one only after the matching category is consented. Necessary scripts run by default. Declaring is more reliable than auto-blocking, because a scanner can miss a tag or break a script you need.

Does it support Google Consent Mode v2?

Yes. Turn on Google Consent Mode v2 in the Compliance tab’s Signals section. Amabrik sends a denied-by-default state early, then updates the four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) per category when the visitor chooses. Consent Mode v2 is required for measuring EEA and UK users in Google Ads and GA4.

What is Global Privacy Control, and does Amabrik honor it?

Global Privacy Control (GPC) is a browser-level opt-out signal. Under California’s CCPA and CPRA it’s a valid opt-out request that businesses must honor. Turn on “Honor Global Privacy Control” and Amabrik auto-applies an opt-out for visitors whose browser sends GPC, with no prompt.

Where are consent records stored, and can I export them?

They’re stored in your dashboard for 13 months, with CSV export. Each record holds a pseudonymous id, the category choices, a coarse country, the action, a timestamp, and the policy version. No raw IP, name, or email is stored.

What’s the difference between a cookie banner and a consent management platform?

A plain banner just shows a notice. A consent management platform also holds non-essential scripts until consent, records granular consent by category, keeps proof, and passes consent signals to tools like Google Ads and GA4. Amabrik is a consent management platform delivered as one widget.

Will it work on WordPress, Shopify, and custom sites?

Yes. It loads one light script and runs on WordPress, Shopify, Webflow, Squarespace, and any custom site. There’s no plugin and no rebuild.

Can I run more than one cookie banner?

Yes. Each banner instance keeps its own settings and its own declaration table. The declaration snippet carries the banner’s id, so the right table renders even on a site with several banners.

What happens when a visitor withdraws consent for a category whose scripts already ran?

A script that already ran can’t be un-run, so Amabrik deletes that category’s declared cookies and reloads the page. On reload, only the still-consented scripts inject and Consent Mode starts denied again.

Last updated June 22, 2026

Still stuck?

Open the widget's Help tab in your dashboard, or send us a message. We answer every one.

Contact support