Fabio Lauria

Cookies and online privacy: EU vs US regulations, Google Consent Mode and consent management

May 23, 2025

Cookie legislation and consent management: updates 2025

Understanding cookie regulations and implementing effective consent management solutions has become critical for every website. This guide explores the differences between European and U.S. regulations, analyzes how Google Consent Mode works, and compares leading consent management solutions, with the latest updates as of 2025.

European regulations: GDPR and ePrivacy Directive

In Europe, data protection and online privacy are governed primarily by two pieces of legislation:

The GDPR (General Data Protection Regulation)

Entered into force in 2018, the GDPR imposes stringent requirements on the processing of personal data, establishing fundamental principles:

  • Lawfulness and transparency: all processing must have a valid legal basis
  • Data minimization: collect only necessary data
  • Security: ensuring adequate protection measures

In order to collect and process personal data (including online identifiers such as cookies), it is necessary to have a valid legal basis such as explicit user consent, legitimate interest, or contractual obligation.

GDPR violations can result in very high penalties, up to 4 percent of the company's global turnover.

The ePrivacy Directive

The ePrivacy Directive (2002/58/EC, amended 2009) focuses specifically on privacy in electronic communications, including the use of cookies and tracking technologies.

Article 5(3) of the Directive states that it is mandatory to obtain the user's prior consent before storing or accessing information on his or her device, with exceptions (such as strictly necessary technical cookies).

In practice, this means that European websites must:

  • Clearly inform the user about the purpose of cookies
  • Gather free, specific, and informed consent before setting nonessential cookies
  • Allow the user to reject and change preferences at any time

European privacy authorities have actively sanctioned violations: for example, the French CNIL fined Google and Amazon between 2020 and 2022 for depositing tracking cookies without valid consent.

Updates 2025

In March 2024, the EU's Digital Markets Act (DMA) went into effect, which further strengthened consent requirements for large technology platforms, significantly impacting cookie and tracking management. This has led companies such as Google to upgrade their consent management solutions.

In February 2025, the EU Commission officially withdrew its proposal for a new ePrivacy Regulation, keeping the existing Directive in place. This means that consent requirements for cookies remain as they are today, still binding and subject to strict enforcement across Europe.

The European Court of Justice issued a significant ruling in March 2024 regarding the IAB TCF case, with important implications for the implementation of the Transparency & Consent Framework, which companies are still assimilating.

U.S. regulations: CCPA, CPRA, and state developments

In the United States, unlike the EU, there is no general federal privacy law comparable to the GDPR. Regulation occurs at the state and sectoral levels, with significant developments in recent years.

CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

The CCPA, which came into effect in 2020, was strengthened by the CPRA (effective from 2023), bringing it even closer to the European model.

CPRA has:

  • Introduced the concept of data "sharing" in addition to "selling"
  • Given consumers the right to opt out of the sharing of their personal data for cross-contextual advertising purposes as well
  • Defined a category of Sensitive Personal Information with a dedicated right to restrict its use
  • Expanded existing rights and created a dedicated agency, the California Privacy Protection Agency (CPPA)

Updates 2025

Between 2023 and 2025, the privacy landscape in the United States has evolved rapidly:

As of January 2025, as many as 20 U.S. states now have comprehensive data privacy laws, with eight new laws going into effect just in 2025. This means that about 40 percent of U.S. consumers now have digital privacy rights. However, regulatory fragmentation poses a significant challenge for companies, which must navigate often similar but not identical requirements.

California remains at the forefront, with CPPA particularly active in 2024-2025. The agency issued several significant penalties, including a $6.75 million fine to a cloud software company in 2024. It also issued new proposed regulations on cybersecurity, risk assessments, and automated decision technologies (ADMT), with an open public comment period through June 2025.

Among the most relevant developments in cookie management, California expanded the definition of "sensitive personal information" to include "neural data" (information generated by measuring nervous system activity) and clarified that personal information also includes digital and abstract formats, such as those generated by artificial intelligence.

Delaware has passed a privacy law that, unlike others, does not exempt nonprofits and academic institutions from its coverage, significantly expanding its scope.

Unlike the EU, the U.S. model remains primarily based on opt-out rather than prior consent. A U.S. site serving EU users will therefore have to adopt a GDPR-compliant banner for those users, while for U.S. users it might simply display a notice and an opt-out link without blocking cookies in advance.

IAB TCF: The Transparency and Consent Framework

The Interactive Advertising Bureau (IAB) Europe has developed the Transparency & Consent Framework (TCF) as an industry standard to help companies manage user consent in compliance with GDPR and the ePrivacy Directive, which is particularly relevant in the context of digital advertising.

Development and versions of TCF

TCF has had several iterations:

  • TCF v1.1: launched in April 2018
  • TCF v2.0: launched in August 2019
  • TCF v2.1: launched in August 2020, aligned with the EU Court of Justice's Planet49 ruling
  • TCF v2.2: launched in May 2023, implemented by November 2023, in response to an action plan agreed with the Belgian Data Protection Authority (DPA)

TCF v2.2: Main changes

TCF v2.2 introduced important changes:

  1. Removal of legitimate interest as a legal basis for advertising and content personalization. For Purposes 3, 4, 5, and 6 (creation of personalized advertising profiles, selection of personalized ads, creation of personalized content profiles, and selection of personalized content), only explicit consent is now allowed.
  2. More user-friendly descriptions that replace legal information for purposes and functionality, making communication with users clearer and more accessible.
  3. Standardization and expansion of vendor information, including categories of data collected, retention periods, and guidance on the application of legitimate interest.
  4. More stringent requirements for publishers, who must disclose the total number of vendors and Google Ad Tech Providers used as early as the first level of the CMP.
  5. Improved enforcement mechanisms, with new audit processes and differentiated enforcement procedures.

TCF v2.3: The latest developments

In April 2025, IAB Tech Lab and IAB Europe opened for public comment the technical specifications for TCF v2.3, with a comment period until May 19, 2025. The update aims to provide more clarity for vendors in specific scenarios where it is unclear whether they have been disclosed to the user, particularly important when a vendor intends to process data for Special Purposes based on legitimate interest.

The timeline for TCF v2.3 includes:

  • End of May 2025: Finalization of technical specifications
  • February 1, 2026: Deadline for all CMPs and Vendors to upgrade their implementation to support v2.3

Google Consent Mode: what it is and how it works

To help sites and advertisers respect users' consent choices, Google has introduced Consent Mode, a technical solution that adjusts the behavior of Google tags based on the user's consent status.

Google Consent Mode V2

In November 2023, Google launched Consent Mode V2, with mandatory implementation by March 2024 for sites that use Google services and collect data from users in the European Economic Area (EEA). This update was designed specifically to align with the EU's Digital Markets Act (DMA).

Consent Mode V2 introduces two new parameters in addition to the original ones:

  • ad_storage and analytics_storage (existing): control the storage of advertising and analytics cookies
  • ad_user_data (new): manages consent to use personal data for advertising purposes
  • ad_personalization (new): manages consent to use data for personalized remarketing

Unlike ad_storage and analytics_storage, these new parameters do not affect tag behavior on the site itself, but are additional parameters sent to Google services to indicate how user data may be used.

Methods of Implementation

Google Consent Mode V2 has two modes of implementation:

  1. Basic Consent Mode: Google tags are completely blocked until the user interacts with the consent banner. If the user does not grant consent, no information is collected.
  2. Advanced Consent Mode: Google tags are loaded before the user interacts with the banner. If the user does not grant consent, the tags operate in limited mode, sending "anonymous pings" (without user identifiers) that Google uses to statistically model the results.

It is important to note that some privacy experts have raised concerns about the advanced mode's compliance with data protection regulations, as "pings" could represent personal data processed without consent.
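
The signal flow described above, as an added example that is not Google's or any CMP vendor's code: consent defaults are queued before any tag command, the banner's choices are translated into an update, and a small audit flags a queue where a tag command precedes the default. The category names, helper names and measurement ID are assumptions; `gtag('consent', 'default' | 'update', ...)` and `wait_for_update` are the documented Consent Mode calls.

```javascript
// Added example (not Google's or any CMP vendor's code).
// Category names, helper names and the tag ID are hypothetical.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Assumed mapping from CMP banner categories to Consent Mode V2 signals.
const CATEGORY_TO_SIGNALS = new Map([
  ['analytics', ['analytics_storage']],
  ['marketing', ['ad_storage', 'ad_user_data', 'ad_personalization']],
]);

// Same shape as the standard gtag stub: commands are queued as Arguments objects.
function makeGtag(layer) {
  return function gtag() { layer.push(arguments); };
}

// Opt-in regime (EU): everything denied until the user acts.
// Opt-out regime (US): granted until the user objects.
function defaultConsent(model) {
  const value = model === 'opt-out' ? 'granted' : 'denied'; // unknown model fails closed
  const state = Object.fromEntries(SIGNALS.map((s) => [s, value]));
  if (value === 'denied') state.wait_for_update = 500; // ms to wait for the CMP
  return state;
}

// Translate banner choices into the 'update' payload. Only a strict boolean
// true grants a signal; missing, unknown or malformed categories stay denied.
function consentFromChoices(choices) {
  const state = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  for (const [category, accepted] of Object.entries(choices || {})) {
    if (accepted !== true) continue;
    for (const signal of CATEGORY_TO_SIGNALS.get(category) || []) state[signal] = 'granted';
  }
  return state;
}

// Check a queue for the ordering mistake that defeats Consent Mode:
// a tag command ('config' or 'event') queued before any consent default.
function auditOrder(layer) {
  const cmds = layer.map((entry) => Array.from(entry));
  const firstDefault = cmds.findIndex((c) => c[0] === 'consent' && c[1] === 'default');
  const firstTag = cmds.findIndex((c) => c[0] === 'config' || c[0] === 'event');
  if (firstDefault === -1) return 'missing-default';
  if (firstTag !== -1 && firstTag < firstDefault) return 'tag-before-default';
  return 'ok';
}

// Page-load sequence for an EEA visitor who accepts analytics only.
function demo() {
  const layer = []; // in a browser this would be window.dataLayer
  const gtag = makeGtag(layer);
  gtag('consent', 'default', defaultConsent('opt-in'));
  gtag('config', 'G-EXAMPLE'); // placeholder measurement ID
  gtag('consent', 'update', consentFromChoices({ analytics: true, marketing: false }));
  return { layer, audit: auditOrder(layer) };
}

console.log(demo().audit);
```

Running `auditOrder` against the live `window.dataLayer` in the browser console is a quick way to confirm that a CMP integration sets its defaults before the first Google tag command.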

Impact on marketing and analytics

Without Google Consent Mode, advertising platforms cannot capture data on new EEA users, significantly limiting the ability to collect audience data, measure campaign effectiveness, and implement targeted advertising strategies.

With Consent Mode V2, websites can continue to collect basic analytic data even when users have not consented to cookies, through advanced modeling techniques that respect consent preferences.

Consent management solutions (CMP)

To comply with all these regulations, websites use Consent Management Platforms (CMPs) that provide banners and interfaces for obtaining users' consent and mechanisms for respecting those choices.

The role of the IAB in CMPs

The IAB plays a key role in the certification of CMPs through the TCF framework. An IAB TCF v2.2 certified CMP must:

  1. Display clear information about the purposes of data processing
  2. Collect granular consents for different purposes
  3. Allow users to easily change their preferences
  4. Store consents securely (TC String)
  5. Communicate these preferences to all vendors in the standardized TCF format

In 2023-2024, Google introduced specific certification requirements for CMPs wishing to support Google Ads in the EU and UK, with the main requirement being updated compliance with the IAB TCF. CMPs certified by Google can use Google Ads products and are included in an official directory.

Comparison of major CMP solutions as of 2025

Finsweet (Finsweet Cookie Consent)

A solution geared specifically toward sites built with Webflow, with full support for IAB TCF v2.2 and Google Consent Mode v2.

Advantages:

  • Free (basic version)
  • Total graphic customization (the banner is built directly into the Webflow designer)
  • "No-code" approach for those using Webflow

Disadvantages:

  • Requires technical skills for proper implementation
  • The free version covers only the basic GDPR aspects
  • Advanced features such as Google Consent Mode v2 require a subscription

Ideal for: developers or agencies working on Webflow, who want total control and tailored design.

CookieYes

A plug-and-play solution updated to support IAB TCF v2.2 and Google Consent Mode v2, now with a Gold certification as a Google CMP Partner.

Advantages:

  • Ease of use (just copy/paste the code)
  • Automatic scanning of site cookies
  • Regular updates to stay compliant with regulations
  • Support for troubleshooting the implementation of Google Consent Mode v2

Disadvantages:

  • Limited customization options
  • Recurring subscription model
  • It may be too simplistic for discerning brands

Ideal for: small sites or owners who want to get up to speed quickly.

Iubenda Cookie Solution

Iubenda is an Italian company that offers a comprehensive suite of compliance tools, fully updated to support IAB TCF v2.2 and Google Consent Mode v2.

Advantages:

  • Complete all-in-one solution (includes multilingual privacy and cookie policy generators)
  • IAB TCF v2.2 Certified
  • Google Partners for Consent Mode v2
  • Keeps a record of consents for audit purposes
  • Support for geo-location of users and differentiated EU/US management

Disadvantages:

  • Service fee (with annual plans based on services used)
  • It may be oversized for very small sites
  • For Webflow users, it is not "native" like Finsweet

Ideal for: businesses looking for a professional and comprehensive solution with minimal maintenance.

Cookiebot (Usercentrics CMP)

One of the first popular SaaS CMP solutions, now part of the Usercentrics platform.

Advantages:

  • Cookie compliance automation
  • Periodic scanning of trackers and cookies, with automatic classification
  • Generation of an updated dynamic cookie policy
  • Certified for TCF v2.2 and compatible with Google Consent Mode v2
  • Support for multi-jurisdictional compliance (EU and US)

Disadvantages:

  • Freemium business model with costs that grow with traffic
  • Moderate banner customization
  • Cannot be designed entirely from scratch as with Finsweet

Ideal for: medium-sized sites and companies that want to delegate cookie management to automation.

UniConsent

An emerging CMP offering a complete solution for integration with Google Consent Mode V2 and IAB TCF v2.2.

Advantages:

  • Easy integration with Google Consent Mode V2's two modes (Basic and Advanced)
  • Support for IAB TCF v2.2 compliance
  • Simplified configuration with Google Analytics 4 (GA4)
  • Intuitive dashboard for consent management

Disadvantages:

  • Brand less established than other solutions
  • Less extensive documentation available

Ideal for: companies looking for a solution focused on integration with Google Consent Mode V2.

Enterprise Solutions

For large multinational organizations there are enterprise CMPs such as OneTrust, TrustArc, Didomi, Usercentrics, Osano, etc.

Advantages:

  • Deep integrations with enterprise systems (CRM, etc.).
  • Advanced customization
  • Consent management across multiple channels (web, mobile app, connected TV)
  • Forms of compliance beyond cookies (handling data subject requests, impact assessments)
  • Global support for multi-jurisdictional compliance

Disadvantages:

  • High budgets
  • Complex implementation
  • Requires specialized advice

Ideal for: large enterprises with global presence and complex consent management needs.

Conclusions

Cookie/privacy compliance requires both a legal understanding of the various regulations and the implementation of appropriate technical solutions.

A strict prior consent regime prevails in Europe, while in the U.S. an opt-out model with transparency requirements prevails, although state laws are gradually evolving toward more stringent standards, moving closer to the European model.

Tools such as Google Consent Mode V2 and IAB TCF v2.2/v2.3 help bridge the gap between marketing and privacy, allowing sites to use analytics and advertising services while complying with cookie laws.

The choice of consent management platform depends on factors such as site size, available technical resources, budget, and the need for multinational compliance. The important thing is to give the user true control over their data and allow the site to operate transparently and in compliance with applicable laws.

Companies operating in both Europe and the United States will need to continue to navigate a complex and evolving regulatory landscape, adapting their consent management solutions to different jurisdictions.

FAQ on cookie regulation and consent management

What are the main differences between European and American cookie laws?

In Europe (GDPR and ePrivacy Directive), an opt-in model prevails: explicit user consent must be obtained before using nonessential cookies. In contrast, in the U.S. (CCPA/CPRA and other state laws) an opt-out model prevails: cookies can be used until the user explicitly objects, and companies must provide a clear way to opt out of the sale/sharing of data.

What cookies can be used without requiring user consent in Europe?

Only "strictly necessary" (or "technical") cookies can be used without consent in Europe. These include cookies that are essential for the operation of the site, such as those for authentication, for storing items in an e-commerce shopping cart, or for site security.

What is Google Consent Mode V2 and why is it important?

Google Consent Mode V2 is an interface that communicates user consent choices to Google. It uses four consent parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization) that govern the behavior of Google tags. It is important because it allows sites to balance marketing performance measurement with privacy compliance, and it became mandatory from March 2024 for sites using Google services in Europe.

How do I choose the right CMP solution for my site?

The choice depends on several factors: site size and traffic, available budget, in-house technical expertise, platform on which the site is built (e.g., Webflow, WordPress), and specific compliance requirements. It is also important to check whether the CMP is IAB TCF v2.2 certified and supports Google Consent Mode V2, especially if Google advertising services are used.

Is the cookie banner required even for a site that does not use marketing or analytics cookies?

In Europe, technically yes. Even if the site uses only essential cookies, it is still necessary to inform users about what cookies are being used. However, in this case it is not necessary to request consent, so the banner can be simplified into an informational notice that does not require interaction.

What are the penalties for non-compliance with cookie regulations?

In Europe, GDPR violations can result in penalties of up to 4 percent of annual global revenue or €20 million, whichever is greater. In California, violations of the CCPA/CPRA can result in civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation, as well as potential consumer lawsuits. Regulators have become more active in enforcement, with several significant fines issued in recent years.

Does Google Consent Mode V2 replace the need for a cookie banner?

No, Google Consent Mode V2 does not replace the cookie banner, but works in tandem with it. It still requires a system to collect user consent (CMP), which will then communicate preferences to Google Consent Mode to adjust tag behavior.

How to manage consents for a site that has users in both Europe and the US?

The best solution is to implement a system that recognizes the user's geographic location and displays the appropriate interface: a prior consent (opt-in) banner for European users and an opt-out notice for U.S. users. More advanced CMPs offer this geo-targeting functionality.

What is the IAB TCF and why is it important?

The IAB Transparency & Consent Framework (TCF) is an industry standard that helps companies manage user consent in compliance with GDPR and the ePrivacy Directive, particularly in the context of digital advertising. It provides a standardized mechanism for collecting, storing, and sharing user consent preferences among publishers, advertisers, and ad technology providers. The latest version, TCF v2.2, is designed to improve transparency and accountability, and was developed in response to guidance from data protection authorities.

What are the main new features introduced by TCF v2.3?

TCF v2.3, currently in public consultation until May 2025, aims to provide more clarity for vendors in specific scenarios where it is unclear whether they have been disclosed to the user. This distinction is particularly important when a vendor intends to process data for Special Purposes based on legitimate interest. The technical specifications are expected to be finalized by the end of May 2025, with an implementation deadline of February 1, 2026.

Fabio Lauria

CEO & Founder | Electe

CEO of Electe, I help SMEs make data-driven decisions. I write about artificial intelligence in business.
