Understanding cookie regulations and implementing effective consent management solutions has become critical for every website. This guide explores the differences between European and U.S. regulations, analyzes how Google Consent Mode works, and compares leading consent management solutions.
Understanding cookie regulations and implementing effective consent management solutions has become critical for every website. This guide explores the differences between European and U.S. regulations, analyzes how Google Consent Mode works, and compares leading consent management solutions, with the latest updates to 2025.
In Europe, data protection and online privacy are governed primarily by two pieces of legislation:
Entered into force in 2018, the GDPR imposes stringent requirements on the processing of personal data, establishing fundamental principles:
In order to collect and process personal data (including online identifiers such as cookies), it is necessary to have a valid legal basis such as explicit user consent, legitimate interest, or contractual obligation.
GDPR violations can result in very high penalties, up to 4 percent of the company's global turnover.
The ePrivacy Directive (2002/58/EC, amended 2009) focuses specifically on privacy in electronic communications, including the use of cookies and tracking technologies.
Article 5(3) of the Directive states that it is mandatory to obtain the user's prior consent before storing or accessing information on his or her device, with exceptions (such as strictly necessary technical cookies).
In practice, this means that European websites must:
European privacy authorities have actively sanctioned violations: for example, the French CNIL fined Google and Amazon between 2020 and 2022 for depositing tracking cookies without valid consent.
In March 2024, the EU's Digital Markets Act (DMA) went into effect, which further strengthened consent requirements for large technology platforms, significantly impacting cookie and tracking management. This has led companies such as Google to upgrade their consent management solutions.
In February 2025, the EU Commission officially withdrew its proposal for a new ePrivacy Regulation, keeping the existing Directive in place. This means that consent requirements for cookies remain as they are today, still binding and subject to strict enforcement across Europe.
The European Court of Justice issued a significant ruling in March 2024 regarding the IAB TCF case, with important implications for the implementation of the Transparency & Consent Framework, which companies are still assimilating.
In the United States, unlike the EU, there is no general federal privacy law comparable to the GDPR. Regulation occurs at the state and sectoral levels, with significant developments in recent years.
The CCPA, which came into effect in 2020, was strengthened by the CPRA (effective from 2023), bringing it even closer to the European model.
CPRA has:
Between 2023 and 2025, the privacy landscape in the United States has evolved rapidly:
As of January 2025, as many as 20 U.S. states now have comprehensive data privacy laws, with eight new laws going into effect just in 2025. This means that about 40 percent of U.S. consumers now have digital privacy rights. However, regulatory fragmentation poses a significant challenge for companies, which must navigate often similar but not identical requirements.
California remains at the forefront, with CPPA particularly active in 2024-2025. The agency issued several significant penalties, including a $6.75 million fine to a cloud software company in 2024. It also issued new proposed regulations on cybersecurity, risk assessments, and automated decision technologies (ADMT), with an open public comment period through June 2025.
Among the most relevant developments in cookie management, California expanded the definition of "sensitive personal information" to include "neural data" (information generated by measuring nervous system activity) and clarified that personal information also includes digital and abstract formats, such as those generated by artificial intelligence.
Delaware has passed a privacy law that, unlike others, does not exempt nonprofits and academic institutions from its coverage, significantly expanding its scope.
Unlike the EU, the U.S. model remains primarily based on opt-out rather than prior consent. A U.S. site serving EU users will therefore have to adopt a GDPR-compliant banner for those users, while for U.S. users it might simply display a notice and an opt-out link without blocking cookies in advance.
The Interactive Advertising Bureau (IAB) Europe has developed the Transparency & Consent Framework (TCF) as an industry standard to help companies manage user consent in compliance with GDPR and the ePrivacy Directive, which is particularly relevant in the context of digital advertising.
TCF has had several iterations:
TCF v2.2 introduced important changes:
In April 2025, IAB Tech Lab and IAB Europe opened for public comment the technical specifications for TCF v2.3, with a comment period until May 19, 2025. The update aims to provide more clarity for vendors in specific scenarios where it is unclear whether they have been disclosed to the user, particularly important when a vendor intends to process data for Special Purposes based on legitimate interest.
The timeline for TCF v2.3 includes:
To help sites and advertisers respect users' consent choices, Google has introduced Consent Mode, a technical solution that adjusts the behavior of Google tags based on the user's consent status.
In November 2023, Google launched Consent Mode V2, with mandatory implementation by March 2024 for sites that use Google services and collect data from users in the European Economic Area (EEA). This update was designed specifically to align with the EU's Digital Markets Act (DMA).
Consent Mode V2 introduces two new parameters in addition to the original ones:
Unlike ad_storage and analytics_storage, these new parameters do not affect tag behavior on the site itself, but are additional parameters sent to Google services to indicate how user data may be used.
Google Consent Mode V2 has two modes of implementation:
It is important to note that some privacy experts have raised concerns about the advanced mode's compliance with data protection regulations, as "pings" could represent personal data processed without consent.
Without Google Consent Mode, advertising platforms cannot capture data on new SEE users, significantly limiting the ability to collect audience data, measure campaign effectiveness, and implement targeted advertising strategies.
With Consent Mode V2, websites can continue to collect basic analytic data even when users have not consented to cookies, through advanced modeling techniques that respect consent preferences.
.png)
To comply with all these regulations, websites use Consent Management Platforms (CMPs) that provide banners and interfaces for obtaining users' consent and mechanisms for respecting those choices.
The IAB plays a key role in the certification of CMPs through the TCF framework. An IAB TCF v2.2 certified CMP must:
In 2023-2024, Google introduced specific certification requirements for CMPs wishing to support Google Ads in the EU and UK, with the main requirement being updated compliance with the IAB TCF. CMPs certified by Google can use Google Ads products and are included in an official directory.
A solution geared specifically toward sites built with Webflow, with full support for IAB TCF v2.2 and Google Consent Mode v2.
Advantages:
Disadvantages:
Ideal for: developers or agencies working on Webflow, who want total control and tailored design.
A plug-and-play solution updated to support IAB TCF v2.2 and Google Consent Mode v2, now with a Gold certification as a Google CMP Partner.
Advantages:
Disadvantages:
Ideal for: small sites or owners who want to get up to speed quickly.
Iubenda is an Italian company that offers a comprehensive suite of compliance tools, fully updated to support IAB TCF v2.2 and Google Consent Mode v2.
Advantages:
Disadvantages:
Ideal for: business looking for a professional and comprehensive solution with minimal maintenance.
One of the first popular SaaS CMP solutions, now part of the Usercentrics platform.
Advantages:
Disadvantages:
Ideal for: medium-sized sites and companies that want to delegate cookie management to automation.
An emerging CMP offering a complete solution for integration with Google Consent Mode V2 and IAB TCF v2.2.
Advantages:
Disadvantages:
Ideal for: companies looking for a solution focused on integration with Google Consent Mode V2.
For large multinational organizations there are enterprise CMPs such as OneTrust, TrustArc, Didomi, Usercentrics, Osano, etc.
Advantages:
Disadvantages:
Ideal for: large enterprises with global presence and complex consensus management needs.
Cookie/privacy compliance requires both a legal understanding of the various regulations and the implementation of appropriate technical solutions.
A strict prior consent regime prevails in Europe, while in the U.S. the opt-out with transparency requirement prevails, although state laws are gradually evolving toward more stringent standards, moving closer to the European model.
Tools such as Google Consent Mode V2 and IAB TCF v2.2/v2.3 help bridge the gap between marketing and privacy, allowing sites to use analytics and advertising services while complying with cookie laws.
The choice of consent management platform depends on factors such as site size, available technical resources, budget, and the need for multinational compliance. The important thing is to give the user true control over their data and allow the site to operate transparently and in compliance with applicable laws.
Companies operating in both Europe and the United States will need to continue to navigate a complex and evolving regulatory landscape, adapting their consent management solutions to different jurisdictions.
In Europe (GDPR and ePrivacy Directive), an opt-in model prevails: explicit user consent must be obtained before using nonessential cookies. In contrast, in the U.S. (CCPA/CPRA and other state laws) an opt-out model prevails: cookies can be used until the user explicitly objects, and companies must provide a clear way to opt out of the sale/sharing of data.
Only "strictly necessary" (or "technical") cookies can be used without consent in Europe. These include cookies that are essential for the operation of the site, such as those for authentication, for storing items in an e-commerce shopping cart, or for site security.
Google Consent Mode V2 is an interface that communicates user consent choices to Google. It introduces four consent parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization) that govern the behavior of Google tags. It is important because it allows sites to balance marketing performance measurement with privacy compliance, and it became mandatory from March 2024 for sites using Google services in Europe.
The choice depends on several factors: site size and traffic, available budget, in-house technical expertise, platform on which the site is built (e.g., Webflow, WordPress), and specific compliance requirements. It is also important to check whether the CMP is IAB TCF v2.2 certified and supports Google Consent Mode V2, especially if Google advertising services are used.
In Europe, technically yes. Even if the site uses only essential cookies, it is still necessary to inform users about what cookies are being used. However, in this case it is not necessary to request consent, so the banner can be simplified into an informational notice that does not require interaction.
In Europe, GDPR violations can result in penalties of up to 4 percent of annual global revenue or €20 million, whichever is greater. In California, violations of the CCPA/CPRA can result in civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, as well as potential consumer lawsuits. Regulators have become more active in enforcement, with several significant fines issued in recent years.
No, Google Consent Mode V2 does not replace the banner cookie, but works in tandem with it. It still requires a system to collect user consent (CMP), which will then communicate preferences to Google Consent Mode to adjust tag behavior.
The best solution is to implement a system that recognizes the user's geographic location and displays the appropriate interface: a prior consent (opt-in) banner for European users and an opt-out notice for U.S. users. More advanced CMPs offer this geo-targeting functionality.
The IAB Transparency & Consent Framework (TCF) is an industry standard that helps companies manage user consent in compliance with GDPR and the ePrivacy Directive, particularly in the context of digital advertising. It provides a standardized mechanism for collecting, storing, and sharing user consent preferences among publishers, advertisers, and ad technology providers. The latest version, TCF v2.2, is designed to improve transparency and accountability, and was developed in response to guidance from data protection authorities.
TCF v2.3, currently in public consultation until May 2025, aims to provide more clarity for vendors in specific scenarios where it is unclear whether they have been disclosed to the user. This distinction is particularly important when a vendor intends to process data for Special Purposes based on legitimate interest. The technical specifications are expected to be finalized by the end of May 2025, with an implementation deadline of February 1, 2026.
.svg)
.svg)
.svg)
