The report also tells us that, in response, European marketers have made customer retention their primary focus, above new customer acquisition.

Retaining an existing customer costs less than acquiring a new one, and in a period of constrained budgets, doubling down on loyalty makes economic sense.

As displayed on the chart below, 43% of marketers in Europe said customer retention was their top or second priority in 2025.

Apart from focusing on the visible mechanics (loyalty programs, re-engagement campaigns, personalized offers), we think transparency and trust are worth a much closer look to improve retention. Here’s why.

The trust gap is a retention problem

Here’s the uncomfortable truth: only 34% of consumers believe companies are honest about how they use their data (Deloitte, 2023).

When trust is that low, even the best retention strategy has a ceiling. Loyalty programs, personalized emails, exclusive offers: they all depend on people believing your intentions are good.

Transparent data practices close that gap because the way a company handles data is a visible signal of how it respects its customers.

In Europe, this matters more

With strong regulations like the General Data Protection Regulation (GDPR), awareness of data rights is higher in Europe than almost anywhere else.

A consent banner that buries the “reject” option, a privacy policy written in dense legal language, an email list with no real way to update preferences: these experiences reduce engagement and result in less willingness to share information voluntarily.

It’s also worth noting that the same Nielsen report found European marketers to be the only region globally to rank transparency, not accuracy, as their top priority for measurement technology. If you value transparency in the tools you use, it follows to ask whether you’re extending the same standard to the people you’re marketing to.

Where data experiences quietly erode trust

Most marketing teams genuinely care about trust, but compliance often stays on the back burner. Instead, it’s best to bring data process design into your customer experience strategy rather than treating it as a back-office concern.

Some of the most common patterns:

• Pre-ticked boxes: A legal issue in most European markets, and a trust issue. It signals that the default assumption is that customers will agree, rather than that they’re being given a genuine choice.
• No way to adjust preferences: Someone who consented to all marketing communications two years ago may now only want product updates. If the only option is a full unsubscribe, the company loses the contact entirely when a more granular preference would have kept the relationship alive.
• Cookie banners that obscure the reject option: Customers increasingly recognize dark patterns. When the “accept all” button is prominent and the alternative is buried, visitors get frustrated and attribute it to the brand.
• No straightforward way to unsubscribe: When it takes more than a few seconds to find the unsubscribe link, or when the process requires multiple confirmations, customers notice. Sometimes the link isn’t even present. The experience communicates that leaving is inconvenient by design.
• Consent language that explains nothing: When consent language is vague, people can’t make an informed choice, and over time they become more suspicious.

These accumulate into a picture of how a company treats customers, and that picture has a direct effect on retention.

What a more transparent approach looks like

Some easy fixes that can have a great impact on trust:

• Consent banners that offer a genuine choice: Both options equally accessible, with language that explains what’s actually being collected and why. This is the minimum standard under GDPR, but many implementations still fall short in practice.

• A privacy preference center: Rather than a binary opt-in or opt-out, a preference center lets customers decide what they want to receive and how. Someone who reduces their preferences is still a subscriber, on their own terms. That’s a stronger signal of intent than a passive opt-in from years ago. For marketers, it also means having customer lists that are more reliable.
• A privacy policy written to be read: Most companies draft privacy policies to satisfy legal requirements, not to communicate clearly. A policy in plain language, organized visiaully so a non-specialist can find what they’re looking for, functions as evidence of transparency rather than just a legal document.

Why giving people control tends to increase engagement, not reduce it

The “Privacy by design: the benefits of putting people in control” report by Google concludes that:

“There are strong privacy practices that brands can deploy to increase feelings of control, and the most effective combinations have a notable positive impact on more than just feelings of control (…) Our study suggests brands that can offer these experiences will, over time, see a positive snowball effect — people will feel in control, which increases brand trust and boosts brand preference. Brands that neglect privacy risk the opposite scenario.”

Trust is built through the cumulative experience of interactions with your brand:

Let’s admit it, it can sound counterintuitive, but giving people more control doesn’t reduce engagement, quite the opposite.

For example, having a clear preference center refines your audience into people who actually want to hear from you, and that audience converts better. This is essential to keep in mind for your retention strategy.

iubenda: built for global compliance, designed for trust

We built our professional tools around the idea that consent and privacy infrastructure should function as a brand asset, not just a compliance requirement.

In practice, that means:

• Consent banners built to meet legal requirements: Designed to give customers the right information and a genuine, understandable choice.
• Privacy widget: Meaningful control over what users have agreed to, with a straightforward way to adjust those choices at any time. Available as a small icon on all your pages to be paired with your accessibility widget.
• Privacy and Cookie Policy Generator: Clean and readable policies in plain language, updated to reflect changes in the law as they happen.

Inspire more trust in your brand and improve retention

The post European marketers are betting on retention. Privacy could be the edge they’re not using yet. appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Didomi is an enterprise-focused consent management platform (CMP) that comes with some solid cookie consent tools. But for some businesses, it also has a number of limitations which can make it worth exploring other options.

If you’re looking for an alternative, this guide breaks down the 5 strongest competitors in 2026. We’ll dive into the pros, cons and pricing of each platform to help you discover the best alternative to Didomi.

Let’s take a look at your options.

Compare the best alternatives to Didomi: at a glance

Scroll →

	iubenda	consentmanager	Enzuzo	Termly	Cookiebot
Ease of use	Intuitive interface	Takes time to master			Difficult to navigate
All-in-one digital compliance suite
Impact on web performance	Optimized for performance	Optimized for performance	Unclear	Can impact performance	Unclear
Customer satisfaction	4.7/5 (Capterra)	5/5 (G2)	3.6/5 (Trustpilot)	4.3/5 (G2)	2.3/5 (Trustpilot)
Pricing transparency	Paid plans from €4.99/month	Paid plans from €23/month	Paid plans from $9/month	Paid plans from $10/month	Paid plans from €7/month
Free plan available			Limited	Capped monthly pageviews	14-day trial
Recommended for	Businesses of all sizes	Enterprises	E-commerce businesses	Small to medium businesses, startups, and freelancers	Mid-sized businesses

Common reasons businesses explore alternatives to Didomi

Didomi offers cookie consent tools that help enterprises align with major privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). And it works across multiple devices, including mobile apps and connected TVs.

While that may be the case, after exploring hundreds of reviews and investigating the platform ourselves, we discovered the common reasons why businesses are looking for the best Didomi alternative:

Pricing concerns

Didomi isn’t transparent about its pricing; you won’t be able to find the costs of plans anywhere on its website. That might make you suspect that it’s on the more expensive side.

And you’d be right.

Didomi positions itself as an enterprise solution, and its pricing reflects that. Several users mention that plans can get expensive, especially as traffic scales. For growing businesses that aren’t yet operating at full enterprise level, that can put them in a difficult position.

Steep learning curve for non-technical teams

Some users report that setup and integrations require more technical involvement than they expected. Teams without dedicated developers or compliance specialists may find the interface less intuitive.

Businesses that want something that works out of the box with minimal configuration might be better off looking elsewhere.

Cookie consent focus

Didomi is able to handle cookie consent, but full compliance requires more than that.

Businesses that are looking for broader digital compliance coverage, such as privacy and cookie policy generation, whistleblowing channels, accessibility tools, or internal compliance monitoring, may need to combine Didomi with additional vendors.

That can increase costs as well as making workflows more complicated. This often motivates businesses to look for an all-in-one digital compliance platform as an alternative.

Potential impact on web performance

The scripts and banner configurations can affect page load speed without proper configuration. This can be an issue because even small delays can impact bounce rates and conversion performance.

What to keep in mind when looking for the best alternative to Didomi

With countless options out there, it can be hard to know what the best consent management platforms should feature. If you keep the following in mind, you’ll be able to recognize the best alternative to Didomi, a platform that excels where Didomi can fall short:

Price and transparency

If pricing feels unclear, that’s usually a sign that a platform will be just as expensive as Didomi.

Look for a platform that clearly explains:

• What each plan includes
• How pricing scales as traffic grows
• Whether advanced features require custom contracts

Transparent pricing helps you plan ahead. It also makes it easier to compare tools without jumping through sales calls just to understand basic costs.

Ease of use and setup for non-technical teams

Some CMPs require developer expertise to set up and integrate with your tech stack. Others are more straightforward for non-technical teams to work with.

When evaluating a Didomi alternative, ask yourself:

• Can you set the platform up without heavy developer involvement?
• Is the dashboard intuitive?
• Are integrations straightforward with platforms like WordPress, Shopify, or Google Tag Manager?

The right solution will make your workflow simpler.

Solid web performance

Some consent tools can slow website performance down, which can lead to poor user experience, high bounce rates, and lower conversions.

A strong Didomi alternative should:

• Load quickly
• Block and trigger scripts efficiently
• Work smoothly with Google Consent Mode

With strong web performance, your CMP will be contributing to stronger business performance too.

Contribution to business performance

Consent management affects more than compliance; it can have a big impact on your business performance too.

Look for features that help you:

• Optimize banner layouts
• Improve consent rates
• Preserve marketing data
• Maintain campaign performance

A platform that’s able to help you with the above is more likely to give you better analytics accuracy and stronger ad performance.

Coverage beyond cookie consent

This is where many businesses re-evaluate the platform they’re using. If you only need a cookie banner, a standalone cookie consent software or one of the many CMP platforms may be enough. But if you also need:

• Privacy and cookie policy generation
• Terms and conditions
• Data subject request handling
• Internal compliance monitoring
• Accessibility support

In these cases, relying only on a basic CMP may not be sufficient. Businesses conducting a consent management platform comparison often look for a broader solution that supports digital compliance beyond just cookie consent.

Then it’s better to look for a platform that supports broader digital compliance by doing all of the above and more. This will save you time and headaches, making it easier to keep your setup aligned as regulations evolve.

The 5 best alternatives to Didomi in 2026

1. iubenda

iubenda is a versatile digital compliance suite that doesn’t just handle cookie consent but brings multiple compliance tools together in one place. That way, you don’t need to stitch together different vendors to handle different compliance requirements.

You can create and customize your cookie banner, log user consent, and connect with Google Consent Mode v2 making iubenda a strong Google Consent Mode CMP. iubenda also comes with tools for generating privacy and cookie policies, terms and conditions, managing data subject requests, and much more.

Over 150,000 businesses of all sizes use the platform, from individual site owners to large enterprises, making it a flexible solution that scales with companies as their compliance needs grow.

Pros

• Transparent, affordable pricing
• Comes with legal backing
• Scalable, works well for individuals, large enterprises, and everything in between
• Easy to use
• Straightforward integrations (WordPress, Shopify, Webflow, Google Tag Manager, and more)
• Google-certified CMP compatible with Google Consent Mode v2
• Supports the IAB Transparency and Consent Framework (TCF) in line with industry standards
• Loads efficiently without disrupting website performance
• Generates legal documents, including privacy policies and terms and conditions
• Includes additional tools such as data subject request handling, whistleblowing channels, and accessibility support
• Its Compliance Monitor proactively scans your websites for compliance gaps

Cons

• iubenda’s Compliance Monitor is a standalone add-on

Pricing

• Free plan available with essential features
• Paid plans start from €4.99/month
• Flexible pricing based on which solutions you activate, so you never pay for more than you need

What people say

Users frequently mention excellent customer support and how the platform keeps up with regulatory changes. They also highlight the platform’s quick setup process, smooth integration, and the convenience of having multiple compliance tools in one platform.

How does iubenda compare to Didomi?

While Didomi offers enterprise tools for consent management, iubenda goes beyond cookie consent. As a full digital compliance suite, it connects a variety of compliance tools in one place, which means you get more value for money. iubenda sees compliance as a way to boost business growth and its tools reflect that, helping you get better consent rates, stronger conversions, and increased brand trust.

iubenda’s additional Compliance Monitor solution, for example, helps enterprise users to not only spot compliance risks, but improve SEO and protect ad revenue, making it more comprehensive than Didomi’s equivalent Advanced Compliance Monitoring feature.

2. consentmanager

consentmanager delivers strong consent management tools for enterprises that need a solution that scales, offers more control, and focuses on performance.

The platform gives teams the tools to test, refine, and improve consent experiences over time. Beyond consent collection, consentmanager also includes broader compliance capabilities, offering legal document generation and compliance monitoring.

Pros

• Built-in A/B testing and machine learning optimization help increase consent rates
• Extensive customization options, including 200+ design variations and targeting by country, device, browser, and more
• Strong performance focus, with tools designed to reduce bounce rates and display the highest-performing consent layout automatically
• Fully compatible with Google Consent Mode
• Works across multiple devices, including desktop, mobile, apps, and connected TVs
• Includes an in-depth Compliance Monitor
• Generates legal documents
• Clear pricing structure
• IAB TCF support for advertising consent management

Cons

• First-time users may need more time to feel comfortable with the interface

Pricing

• Free plan available
• Paid plans start from €23/month, with pricing based on the number of websites and monthly pageviews

What people say

Users consistently highlight responsive customer support and strong value for money. Many mention the platform’s speed, easy-to-follow instructions, and quick results.

How does consentmanager compare to Didomi?

consentmanager is comparable to Didomi in that it’s a solid enterprise level solution that supports multiple devices, from desktops to connected TVs. But it exceeds Didomi in its capabilities with a wider range of compliance tools.

3. Enzuzo

Enzuzo is a lightweight consent management platform (CMP) with a strong focus on e-commerce businesses. As one of the CMP platforms, it combines cookie consent tools with privacy management features and legal policy generation. The platform appeals to smaller online stores, particularly those operating within Shopify.

Pros

• Simple to use and set up
• Well suited for Shopify and e-commerce environments

Cons

• Like Didomi, plans can be expensive
• Restricts a lot of features to the most expensive plans
• E-commerce focus can be good if that’s your sector, but if not scaling can be difficult
• Customer support response times can be slow

Pricing

• Free plan comes with limited features
• Paid plans start from USD $9/month for basic compliance tools

What people say

Although users like Enzuzo’s user experience and simple setup process, many express their frustration with payment issues.

How does Enzuzo compare to Didomi?

Enzuzo may be a practical alternative to Didomi for e-commerce businesses. It offers data privacy management tools that extend beyond cookie consent, an area which Didomi focuses on narrowly.

But it’s worth keeping in mind that both platforms can become expensive as feature needs grow. And while Enzuzo can work well within Shopify, it doesn’t offer the same level of legal depth or customization that’s necessary for greater global compliance.

4. Termly

Termly combines consent management with legal policy generators. The platform focuses on simplicity, making it accessible for small teams that want to align with global privacy regulations, and looking for GDPR cookie consent tools, without needing technical or legal expertise.

Pros

• Includes built-in legal document generators
• Easier to use and set up

Cons

• Limited customization
• Lacks accessibility tools and whistleblowing management
• Some users report slow support response times
• Can slow web performance

Pricing

• Free plan available with capped monthly pageviews
• Paid plans start from USD $10/month

What people say

While users like the easy setup many are frustrated with the lack of customer support. Some users also feel Termly is overpriced.

How does Termly compare to Didomi?

Termly is better suited to small businesses and freelancers than the enterprise-focused Didomi. Termly does offer more tools than Didomi, including legal document generation, data subject requests, and cookie consent, but it’s not an all-in-one compliance platform. It doesn’t offer a range of compliance tools that other platforms have, such as accessibility features or whistleblowing management, which could require additional platforms.

5. Cookiebot

Cookiebot is a CMP that comes with basic tools for collecting and managing cookie consent, with a focus on preserving ad performance.

Pros

• Strong focus on cookie consent and tracking control
• Designed to help preserve marketing data and support ad performance

Cons

• Can be difficult to navigate, especially for users without a technical background
• Doesn’t offer broader digital compliance tools such as legal document generation
• Limited customization compared to more advanced CMPs

Pricing

• Offers 14-day trial
• Plans start from €7/month for basic features

What people say

While many users think it’s a solid tool for cookie consent, some feel frustrated with the outdated interface and lack of ongoing improvement.

How does Cookiebot compare to Didomi?

Cookiebot can serve as a practical alternative to Didomi for businesses that want a cookie consent tool focused on preserving marketing data and analyzing consent behavior.

But it doesn’t go much further than that. Like Didomi, it doesn’t provide legal document generation or broader digital compliance tools for accessibility or whistleblowing management.

Growing organizations looking to meet evolving regulations might need additional tools to plug compliance gaps.

Choosing the right alternative

Even though Didomi offers tools for consent management, it’s important to remember that regulations often require more than that.

Legal documentation, accessibility tools, data subject request channels, and whistleblowing management are also an important part of compliance. But managing each requirement through separate tools quickly gets complicated and expensive.

Choosing the best alternative to Didomi for your business depends on how far you want your compliance setup to go, and how much flexibility you’ll need as your business scales.

If you’re looking for more than a standalone CMP, it’s worth considering a solution that brings all the compliance tools you could need in one place, like iubenda for example.

That way, you won’t just be prepared for what your business needs today. You’ll have access to tools that help protect your business’ interests, as well as your users’ privacy, long into the future.

The post The 5 best alternatives to Didomi in 2026: Pros, cons, pricing, and comparison appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The challenge is that writing solid terms from scratch isn’t simple. You need legal expertise. And while you might avoid hiring a pricey lawyer by trying free templates or using AI, they often miss important clauses and nuances.

That’s why many businesses turn to a terms and conditions generator.

But not all generators are built the same.

In this guide, we’ll compare 6 of the best terms and conditions generators, so you can find one that’s right for you. And we’ll delve into the details of what you need to know about this important document along the way.

Terms and conditions generator comparison: at a glance

Scroll →

	iubenda	Complianz	Enzuzo	Termly	Shopify	TermsFeed
Tailored to your business model				Limited template-based		Limited template-based
Legal expert backing						Unclear
Updates as laws evolve				Updates templates but not your document		Notifications only
Unlimited edits without republishing				Limited customization	Unclear	Requires payment
Multi-language support					Limited	Limited
All-in-one digital compliance suite
Customer satisfaction	4.7/5 (Capterra)	4.9/5 (WordPress)	3.6/5 (Trustpilot)	4.3/5 (G2)	1/5 (Trustpilot)	4.5/5 (G2)
Recommended for	Businesses of all sizes and industries	WordPress users	E-commerce businesses	Businesses that need a basic document without deep customization	Shopify users	Businesses that need a basic template-driven document

What are terms and conditions?

Terms and conditions are a legal agreement between you and the people who use your website, app, or service. They outline how your service works, what you expect from users, and what happens if someone breaks the rules.

By using your website or service, users typically agree to these terms. That agreement forms a contract. And that contract helps protect your intellectual property, clarify responsibilities, and reduce the risk of disputes.

Terms and conditions exist to protect your business and its revenue while setting clear expectations for your users.

What’s the difference between terms and conditions, terms of use, and terms of service?

Terms and conditions, terms of use, and terms of service all refer to the same type of legal agreement between a business and its users. The names are interchangeable.

You might also see them referred to as:

• Terms of Service (ToS)
• Terms of Use
• End-User License Agreement (EULA)
• General Conditions
• Legal Notes

Why do you need terms and conditions?

Terms and conditions might not be a requirement, depending on where your business operates. But that doesn’t mean you should skip them.

Because terms and conditions form a legally binding contract that can reduce legal risk and protect your business and its revenue if disputes arise. Without clear terms in place, you leave room for confusion around payments, refunds, intellectual property, liability, and more.

What’s more, a proper terms and conditions document adds to your credibility, increasing brand trust. And it sets clear expectations which create a smooth customer journey, contributing to more conversions.

What should you include in terms and conditions?

Your terms and conditions should be easy to find and simple to understand. What you include will depend on your business model. A SaaS platform won’t need the same clauses as a blog, for example. But most businesses should cover the following:

• Your business details
• A description of your services
• Conditions of using your website and services
• Payment terms
• Refunds and cancellations
• Intellectual property
• Limitation of liability and disclaimers
• Service interruptions
• Applicable law

What to look for in a terms and conditions generator

A strong terms and conditions generator should:

Build terms and conditions around your business, not a generic template

The best terms and conditions generators will guide you through relevant questions and build your terms around your answers. Whether you run subscriptions, sell digital products, ship physical goods, or allow user-generated content, your document should reflect those nuances.

That’s why copying a generic template from the internet isn’t enough. Templates often miss important clauses or include provisions that don’t apply to your setup. And when your document doesn’t match your business model, you create gaps that can weaken your protection.

Include the essential clauses

Your generator should automatically cover the key areas most businesses need, such as payment terms, cancellation rules, limitation of liability, intellectual property, and applicable law.

The best terms and conditions generators come with legal backing, so you don’t have to wonder whether you’ve missed something important.

Create a living document

Your business will evolve. You may update pricing, launch new services, expand into new markets, or change internal policies. And regulations in your country may change too.

That’s why a reliable generator shouldn’t just produce a one-off PDF. It should help you manage a living document that you can revise and republish as your business and local regulations shift.

The best terms and conditions generators

1. iubenda

iubenda offers a Terms and Conditions Generator built to create a tailored, living document that matches your unique business setup.

Instead of relying on static templates, iubenda structures your terms around how your business actually operates. Whether you run an online store, SaaS platform, mobile app, or content website, you can generate a document that reflects your pricing model, service structure, and legal requirements.

And because iubenda forms part of a wider digital compliance suite, you can manage other legal documents, consent, and accessibility. All in one place.

Standout features

• 100+ lawyer-written clauses designed for a wide range of business models
• Available in 15+ languages
• Terms update as laws evolve, no need for manual edits
• Unlimited edits that refresh your terms and conditions in real time, without needing to republish
• Guided setup tailored to your business

Best for

Businesses, apps, and websites of all sizes and industries that want lawyer-backed terms that evolve as their operations grow.

Pros

• Intuitive, user-friendly interface
• Thorough customization based on how your business operates
• Quick to generate and easy to edit
• Scales smoothly from small websites to complex, multi-product businesses
• Flexible enough for e-commerce, SaaS providers, apps, and content platforms
• Works for apps as well as websites
• Includes access to a responsive live support team
• Forms part of a wider all-in-one digital compliance suite
• 150,000+ customers trust the platform including Lamborghini, UNICEF, and Sony Music

Cons

• Requires a paid subscription

Pricing

• Paid plans start at just €19.99/month

What people say

Users find iubenda easy to use and praise the excellent customer support. People also highlight that it’s quick and makes generating legal documents easier.

2. Complianz

Complianz offers a standalone terms and conditions generator designed for WordPress users. You can use it on its own or alongside the full Complianz Cookie Consent plugin, depending on what you need.

The generator guides you through relevant questions and helps you produce a document that reflects how your business operates.

Standout features

• Clauses that cover affiliate marketing, platforms like WooCommerce, digital and physical goods, and online services
• Multi-language support
• Simple, guided setup

Best for

WordPress users who want an easy way to generate tailored terms and conditions directly within their website environment.

Pros

• Allows you to create customized terms and conditions that reflect your business operations
• Quickly generates a thorough terms and conditions document
• Free to use
• Works independently or alongside the full Complianz Cookie Consent plugin
• Comes with backing from legal experts

Cons

• You need a paid subscription to their Cookie Consent plugin if you want access to more compliance tools

Pricing

• Free for the terms and conditions generator
• Paid plans for additional digital compliance tools start from €59/year (less than €5/month)

What people say

WordPress users have rated the plugin 4.9 stars, highlighting its speed, ease of use, and effectiveness. Many see it as a perfect companion to Complianz’s Cookie Consent plugin.

3. Enzuzo

Enzuzo offers a terms and conditions generator aimed at e-commerce businesses. The platform combines legal document templates with consent and privacy tools, positioning itself as a lightweight compliance solution for online stores.

Standout features

• Multi-language support
• Updates templates if regulations change
• Available on WordPress and Shopify

Best for

E-commerce businesses that want a template-based terms and conditions generator integrated with their website platform.

Pros

• Comes with the backing of legal professionals
• Works with major platforms and website builders

Cons

• Relies heavily on templates rather than fully tailored clauses
• Requires a paid plan to access important clauses such as payments, user submissions, and dispute handling
• Requires a paid plan to edit and customize your terms or add additional languages
• Can be difficult to edit generated legal documents
• Offers limited customization compared to more advanced generators
• Some users report slow support response times

Pricing

• Limited free plan available for basic terms and conditions
• Paid plans start from $9/month, with additional clauses and customization features only available on upgraded tiers

What people say

Some users feel the platform is intuitive to use, but others mention that it’s difficult to edit generated legal documents. Users also highlight problems with paid subscriptions and support.

4. Termly

Termly provides a terms and conditions generator built around predefined templates. The platform focuses on simplicity, offering a guided questionnaire that helps users produce a basic legal document quickly.

Standout features

• Multi-language support
• Works for websites, mobile apps, and online stores
• Includes clauses for niche scenarios such as SMS marketing and contests
• Supports platforms including WordPress, Shopify, Wix, WooCommerce, and GoDaddy

Best for

Businesses that need a basic, template-based terms and conditions document and don’t require deep customization.

Pros

• Step-by-step guided setup
• Clean and easy-to-navigate interface

Cons

• Policies rely heavily on templates which aren’t easily customizable
• Can negatively impact WordPress site performance
• Poor technical support
• Heavily template-based, with limited flexibility for nuanced business models
• Legal document customization options are limited

Pricing

• Terms and conditions generator is free to use

What people say

While some users like the practical interface, others have expressed their frustration with the technical support team, limited customization, and occasional unreliability of the platform.

5. Shopify

Shopify offers a built-in terms and conditions generator designed for merchants using its e-commerce platform. The tool provides a simple way to generate a policy quickly, particularly for store owners who want a starting point without leaving the Shopify ecosystem.

However, the generator functions primarily as a template tool rather than a fully tailored document builder.

Standout features

• Limited multi-language support for policy creation
• Legal experts have developed and reviewed the generator
• Includes suggestions to help you customize your terms

Best for

E-commerce businesses that already operate on Shopify and want a basic starting point for their terms and conditions.

Pros

• Quick to generate, with the document delivered to your inbox within minutes
• Targets e-commerce use cases
• Convenient for Shopify store owners who want a simple setup

Cons

• Poor customer support
• Relies on a generic template structure
• Requires manual editing to customize clauses
• Customization can be difficult without legal expertise
• Offers limited flexibility beyond standard e-commerce scenarios

Pricing

• Limited free trial with a duration that depends on your region
• Pricing starts from $5/month, though access to certain features depends on your subscription tier

What people say

While users like how the platform is easy to use, many have difficulties with in-depth customization and Shopify’s limited features. Shopify also has a 1 star rating on Trustpilot from over 1k reviews.

6. TermsFeed

TermsFeed offers a template-based terms and conditions generator designed for websites and apps. The platform guides users through a questionnaire and produces a downloadable legal document based on their answers.

Standout features

• Download your terms and conditions in multiple formats
• Update your document using a Live Editor
• Receive notifications when laws change that may affect your terms
• Free hosting page available for your terms and conditions

Best for

Websites and apps that need a basic, template-driven terms and conditions document.

Pros

• Quick to generate

Cons

• Places certain essential clauses behind a paywall, even when local regulations may require them
• Uses a pay-per-clause model that increases costs as you add necessary protections
• Can be unreliable, adding in information that may not be correct for your business
• Limited multi-language support
• Restricts editing unless you pay

Pricing

• Limited free plan available with option to purchase additional “premium” clauses at varying prices

What people say

Although the website suggests the generator is “100% free”, there are complaints about how that isn’t actually true. Users mention that it’s expensive for something they have to edit manually.

Choose terms that grow with your business

Clear terms and conditions protect revenue, reduce disputes, and give your business room to grow.

A basic terms and conditions template might help you publish something quickly. But as your products, pricing, and markets evolve, along with local regulations, your terms need to evolve too.

The best terms and conditions generators reflect how your business actually works, cover essential clauses without hidden gaps, and let you manage your document as a living agreement, rather than a one-off file.

If you want a solution built around real business models, backed by legal expertise, iubenda gives you that flexibility as part of an all-in-one digital compliance suite.

The bottom line? Start with terms that protect where your business is today and support where you’re going next.

The post Which is the best terms and conditions generator? 6 tools compared for 2026 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Fifteen years is a long time to build anything. It’s long enough to learn what works, what doesn’t, and what you wish someone had told you at the start.

We caught up with Andrea Giannangelo, iubenda’s founder, to talk about the journey: the moments that shaped the company, the advice he’d give his 2011 self, and the lessons that might help anyone starting out today.

A success story like you’ve seen before

You might think iubenda is just another startup success story. We won’t argue.

It follows the usual ingredients that decades of research have shown: that success is less about genius and more about timing, opportunity, and relentless consistency. Let’s take a look.

The bold idea

Andrea Giannangelo had just graduated from law school when he ran into the problem that would shape the next 10 years of his life.

He had a website. Getting it legally sorted was complicated, expensive, and slow. The only options were custom legal services that most small businesses couldn’t afford, or generic templates that didn’t really fit. So he built something better.

In 2011, online privacy was nearly non-existent. Social media had become the dominant force online, and the prevailing mindset was to connect and share, not to protect personal data.

Betting on privacy felt contrarian. When asked what he got surprisingly right, Andrea recalls: “That 15 years ago, privacy was going to be a thing.” But being right early isn’t always comfortable.

The tough start

The early days weren’t glamorous. “We applied to every single accelerator out there, sometimes multiple times. And nobody took us, nobody could see it really.”

Investors did eventually come knocking, but the terms on offer were bad. Andrea also felt like the market wasn’t ready yet, and so he turned them down. He kept building.

Things were hard. Growth was slow. Revenue wasn’t enough. “I really didn’t know if we were going to make it.”

Seizing the opportunity

Slow growth and rejection were tough. But they kept iubenda independent and ready for the right shift in the market.

In 2014, the Italian data protection authority (the Garante) was preparing detailed cookie guidelines enforcing the ePrivacy directive, or Cookie Law.

Rather than hand down rules from above, the Garante set up a roundtable with the main industry stakeholders like publishers and trade bodies, including the IAB.

The IAB brought in Andrea to advise on the technical side. His background spanning law, commercial practice, and the technical realities of cookies made him the rare person who could speak all three languages at once.

That working group helped shape the guidelines that would define how cookie consent worked in Italy.

In the right place at the right time

Enforcement followed in 2015. Then the General Data Protection Regulation (GDPR) arrived in 2018. Privacy stopped being a niche concern and became front-page news across Europe.

“I went from being nobody to literally having my phone jammed by all the large companies and publishers that wanted to get our product.”

Even though a chaotic moment, it was all happening now: preparation had met opportunity. “That changed everything. A few years later, we did 5x in revenue.” That combination of discipline and tenacity, repeated over years, is what got iubenda where it is today.

Asked how it feels to reach that milestone, Andrea’s answer is honest: “Completely unlikely.”

Founder to founder: 15 lessons from 15 years

Andrea also shared some simpler wisdom, like prioritizing sleep (seriously, he mentioned it twice).

But here are 15 pieces of advice for founders to celebrate 15 years of iubenda. And if you’re just starting out, we hope compliance is on your checklist. If not, well, you know where to find us.

Timing is everything

When asked what he’d tell his 2011 self, Andrea doesn’t hesitate: “Timing, it’s all about timing.”

You can have the right product, the right team, the right strategy. But if the market isn’t ready, none of it matters. iubenda bet on privacy in 2011, before privacy was mainstream with the Cookie Law in 2014, or even bigger, GDPR in 2018.

The bet paid off, and timing eventually caught up. But timing alone isn’t enough. You have to be ready to ride the wave when it comes.

Looking back, Andrea is still surprised: “I think that was one of those moments of clarity that I really look back to and think, how could I have such certainties?”

Protect your time to think

“If you are too busy, you’re compromising the time that you dedicate to thinking, and your capability to think is everything.”

There’s a myth that founders need to overwork themselves to succeed. Andrea disagrees. Busyness can be the enemy of clarity, and trying to do everything yourself only makes it worse.

Stay focused, even when nobody believes in you

“At the beginning, as nobody could see it, everyone was telling us to try and do other things, and I stayed on the same product, privacy, and ultimately that paid off.”

When things aren’t working, the temptation is to pivot, diversify, try something new. Sometimes the right move is to stay the course.

Consistency is underrated

Andrea’s secret superpower? “The combination of discipline and obstination.” One of his favorite quotes: “The more I train, the luckier I get.” Luck isn’t random. It’s what happens when preparation meets opportunity, over and over again.

You don’t need a stroke of genius

The myth of the visionary founder is just that: a myth. What looks like genius is usually persistence compounded over time.

Aim for top three, not top one

“It’s never about being the top one. It’s about consistently being in the top three.”

Sustainable success isn’t about being the best once. It’s about being consistently good over time.

Not everyone will grow with you

“As you grow, not all of your team will be able to grow with you and you’ll need to make some more choices there.”

This is one of the hardest lessons in leadership. The people who helped you start may not be the people who help you scale. Recognizing that, and acting on it, is painful but necessary.

Keep asking yourself what matters most

That’s Andrea’s go-to productivity trick: “What is the most important thing that I have to do right now? Literally over and over.” Relentless prioritization.

Customers will keep you going

During the hardest moment, when Andrea almost gave up, what kept him going? “The customers, speaking with them and getting their feedback. That was everything for me in that moment.”

When you’re lost, talk to customers. They’ll remind you why you started.

Funding is a means, not a goal

“Funding is not a goal. The goal is building a company. Have funding as a means. It comes with a lot of trade-offs and compromises that I think founders underestimate.”

The startup world celebrates fundraising like it’s the finish line. It’s not. Sometimes the best decision is to say no to funding and keep building on your own terms.

Learn to let go of perfection

You can’t scale if you need everything done your way. To delegate, you need to be ready to compromise on perfection and let it go.

Simplicity wins

What have customers taught him? One word: “Simplicity.”

It’s easy to overcomplicate. The best products, the best communication, the best decisions tend to be simple.

Own your mistakes

If Andrea could delete one moment from the journey? “None of it. Own it. Own your mistakes. Own the bad ones.”

The bad moments are part of the story. They’re what make the good ones meaningful.

Prioritize learning over reward

Short-term wins feel good. Long-term learning compounds. Choose accordingly.

Not everyone makes it

“What keeps you humble? The many founder friends that were great and didn’t make it.”

Not every great founder succeeds. Sometimes the timing doesn’t align, sometimes the market shifts, sometimes it just doesn’t work out.

Looking forward

Fifteen years in, we’re grateful. Grateful for our customers and the team that made it all possible.

Things move fast. Opportunities don’t wait. Andrea knew that in 2011. It’s still how we build today.

If you’re starting something now, we hope a few of these lessons land, or remind you why you started. And when you need a privacy compliance tool, we’ll be here.

The post Looking back on 15 years: what iubenda’s founder would tell his 2011 self appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

They’re those little data files that a user downloads when visiting your site. They enable shopping carts to remember items, users to save login details, and allow you to track user behavior, with consent, to improve your marketing.

And if you’re using cookies, you’ll need a cookie policy to help comply with international privacy regulations like the General Data Protection Regulation (GDPR) and ePrivacy Directive.

The good news is that you don’t need to write one from scratch yourself. A cookie policy generator can create one for you in minutes.

In this guide, we’ll help you find the best cookie policy generator for your website. Because there are a lot of them out there, and not all of them are the right solution for your site.

In a moment, you’ll discover what a cookie policy should include, what to look for in a generator, and how 6 of the most popular solutions compare.

That way you’ll easily find the best cookie policy generator for your site. One that fits your needs now and continues to support you as your setup evolves.

Cookie policy generator comparison: At a glance

Scroll →

	iubenda	Complianz	Termly	CookieYes	TermsFeed	Docue
Automatic cookie scanning
Legal expert backing				Unclear	Unclear
Notifies you as laws evolve				Unclear	Manual update required	Unclear, but updates template clauses as laws change
Multi-language support
All-in-one digital compliance suite
Scales across multiple sites & regions			Limited	Limited	Limited
Customer satisfaction	4.7/5 (Capterra)	4.8/5 (WordPress)	4.3/5 (G2)	4.6/5 (AppSumo)	4.5/5 (G2)	1.5/5 (Capterra)
Price	Free plan available. Paid plans from €4.99/month	Free plan available. Paid plans from €59/year (less than €5/month)	Free plan available. Paid plans from $10/month	Free plan available. Paid plans from €9/month per domain	Limited free plan available. Varied one-time clause pricing	Paid plans from £39/month
Recommended for	Businesses of all sizes	WordPress & Shopify users	Small businesses with simple websites	Small, static websites	Small, static websites	UK-based businesses

What is a cookie policy?

A cookie policy explains:

• What types of cookies and trackers your site uses
• Why you use them
• How a user can manage or refuse them

What’s the difference between a cookie policy and a privacy policy?

A privacy policy is a broader document covering all the ways your business handles personal data (like names, emails, and payments), while a cookie policy is a specialized document that focuses specifically on the cookies your website uses.

What’s the difference between a cookie policy and a cookie banner?

While a cookie policy provides a full explanation of the cookies on your site and their purpose, a cookie banner gives users a way to accept, reject, or manage cookies before non-essential tracking starts.

Why is a cookie policy important?

Privacy regulations like GDPR, the ePrivacy Directive, the California Consumer Privacy Act (CCPA), and others require websites to provide cookie policies in a clear and accessible way.

Beyond compliance, a cookie policy is good for business. It shows users that you take transparency and data privacy seriously, building trust in your brand which contributes to more sales in the long run. And with that trust, users are more likely to consent to your collection of data for better marketing insights.

What should a cookie policy include?

While it may vary slightly depending on what regions your website is active in, generally a cookie policy should include the below in clear, accessible language:

• The types of cookies you use – For example, essential cookies, analytics cookies, and advertising cookies.
• The purpose of each cookie category – Users should understand why each type of cookie exists and what it helps you do.
• Information about third parties – If external services place cookies on your site, the policy should clearly identify them and explain their role.
• Cookie duration – How long cookies remain active on a user’s device.
• How users can manage their choices – This includes instructions on changing preferences, withdrawing consent, or updating settings later on.

What should you look for in a cookie policy generator?

Here are the key features to consider when evaluating a cookie policy generator:

Accuracy based on real cookie usage

A reliable generator creates a policy that reflects the cookies and third-party services your site actually uses. A great feature to keep an eye out for is a powerful automatic cookie scanner; it’ll help you ensure your policy doesn’t miss a thing.

Legal reliability

The best cookie policy generators come with the backing of legal experts, so your policy is more likely to align with privacy regulations.

Updates as your site and laws evolve

Look for a generator that keeps your cookie policy in sync with your site. When you add new tools or services, your policy should reflect those changes. And as privacy requirements shift, you’ll get notified so you can review without starting from scratch.

Ability to scale with your site

What works for a single website might not work for multiple domains, regions, or languages. Generators built to scale make it easier to manage policies as your business grows internationally.

The best cookie policy generators

1. iubenda

iubenda’s cookie policy generator keeps your policies current as laws change. Its legal team monitors regulatory updates and refreshes available clauses, so when something changes, you add the update in a click without rebuilding from scratch.

It also connects policy generation with site scanning, keeping your disclosures accurate as your site evolves.

The generator is part of iubenda’s connected compliance solutions, giving you access to legal document generation, cookie banners, consent management, and more, all from one place.

Standout features

• Automated cookie scanner detects your website’s cookies and services, so you can quickly generate accurate cookie policies
• A team of legal experts write and update policy clauses
• Instant notifications when privacy regulations evolve
• Available in 27 languages and covers the world’s major privacy laws like GDPR, CCPA/CPRA and other US State Laws, FADP, and LGPD
• Centralized management across multiple websites and domains

Best for

Individuals and businesses that want easy, attorney-quality cookie policy generation and other digital compliance solutions in one place.

Pros

• Easy to generate accurate policies that reflect actual cookie usage
• Reduces manual updates as cookies, vendors or regulations change
• Scales easily from simple sites to complex, multi-domain setups
• Easy to use
• Part of a wider digital compliance suite, with solutions for creating cookie banners, improving accessibility and more
• Excellent customer support that stays with you until they resolve your issue
• Trusted by over 150,000 organizations including Honda, Sony Music, and UNICEF

Cons

• Access to some of the advanced solutions in the suite requires a paid plan

Pricing

• Free plan available with everything you need for low-traffic sites
• Paid plans start at just €4.99/month

What people say

Users consistently mention ease of use, excellent customer support, and how the platform simplifies complex compliance requirements. Users also highlight its affordability and value, given that it offers a full range of solutions for digital compliance.

2. Complianz

Complianz is a cookie policy and consent management plugin built for WordPress and Shopify. Install it directly from your CMS and it gets to work right away.

Its hybrid cookie scanner detects the trackers running on your site, so your policy reflects what’s actually there. As your site changes, rescan and update to match.

It also handles cookie banner setup and records visitor preferences, keeping your consent logs in order.

Standout features

• Built-in hybrid site scanner identifies active cookies and services
• Generates a thorough and accurate cookie policy based on scanner findings
• Synchronizes with cookiedatabase.org, allowing you to automatically populate your Cookie Policy with clear, up-to-date descriptions of what each cookie does, who the service provider is, and how long until the data expires
• Compatible with multiple regions and privacy laws, including GDPR and CCPA
• Legal documents available in 49 languages

Best for

WordPress and Shopify users who want a complete plugin to manage cookie policies and consent.

Pros

• Easy to install and configure
• Trusted by 1 million users
• Backed by legal experts
• 30-day money-back guarantee

Cons

• Advanced features require a paid plan

Pricing

• Free plan available
• Paid plans start from €59/year (less than €5 a month)

What people say

WordPress users highlight easy setup and an intuitive interface. And on Shopify, the plugin comes with top reviews for the support team. 

3. Termly

Termly offers a cookie policy generator combined with consent tools. The platform focuses on predefined templates for document generation and offers a guided setup process.

Standout features

• Cookie policy generator built around predefined templates
• Cookie scanner
• Coverage for common privacy frameworks such as GDPR and CCPA
• WordPress integration via plugin

Best for

Individuals and small businesses with simple websites that need to publish a cookie policy quickly.

Pros

• Guided setup
• Simple interface

Cons

• Policies rely heavily on templates which aren’t easily customizable and don’t update as the regulations evolve
• Limited flexibility, especially for multi-region setups
• Using it for multiple websites can get expensive
• Can negatively impact WordPress site performance

Pricing

• Free plan available with limited features
• Paid plans start from $10/month
• Costs increase based on pageviews and feature access

What people say

Users praise the easy setup process, but highlight Termly’s limitations with multi-region compliance and customization, as well as poor customer service. Many WordPress users complain about the tool slowing site performance.

4. CookieYes

CookieYes offers a cookie policy generator that allows you to create your own policy based on a template. It does have a cookie scanner to help with generating the policy, but it often requires manual oversight.

Standout features

• Cookie policy generator combined with a basic site scanner
• Monthly scan to update your list of cookies
• Available as a WordPress and Shopify plugin

Best for

Small websites that want to publish a cookie policy quickly and don’t expect frequent changes to their tracking setup.

Pros

• Quick setup
• Allows for more manual intervention

Cons

• Basic cookie scanning. The tool sometimes struggles to auto-detect and categorize cookies, requiring more manual oversight
• Can be expensive if you have multiple domains and high traffic
• Limited multi-language support
• Customization can sometimes be difficult

Pricing

• Free plan available with limited functionality
• Paid plans start at €9/month per domain

What people say

Reviews mention good customer support but limited features and issues with customization. Some users also mention poor website performance on mobile devices as a result of using CookieYes.

5. TermsFeed

TermsFeed is a lightweight legal document generator. It lets you build a customized cookie policy, privacy policy, and terms and conditions document through a template-based flow.

Standout features

• Cookie policy generator based on templates
• Support for multiple types of legal documents
• Customization through guided questions
• Supports 10 languages

Best for

TermsFeed works best for individuals and small businesses that want to generate basic legal documents for static sites where manual updates are manageable.

Pros

• Simple cookie policy generation
• Covers multiple legal document types in one place
• WordPress integration

Cons

• Doesn’t have a comprehensive cookie scanner to help you create an accurate cookie policy
• Notifies you when there are changes in regulations, but you need to update your policy manually
• Users must manually update documents as their sites change
• Limited scalability for multi-site or multi-region setups
• It’s marketed as free, but there are certain “premium clauses” that you have to purchase.

Pricing

• Offers a limited free policy option that isn’t tailored for compliance with GDPR and other privacy regulations
• One-time payments with varied pricing for specific clauses in legal documents

What people say

While users mention that it’s quick to generate a cookie policy, reviews also frequently mention difficulties with the payment process, with some highlighting that they find TermsFeed expensive for what it offers.

6. Docue

Docue is a British legal document generation tool that helps businesses create and manage contracts and legal documents, including privacy-related policies.

The platform’s focus is on legal contracts rather than on full digital compliance.

Standout features

• Cookie policy and other legal document creation
• Template-based policy generation
• Clauses written and updated by a team of lawyers

Best for

Businesses with relatively static websites that handle consent and cookie management elsewhere.

Pros

• Helps generate a cookie policy that’s compliant with UK GDPR
• Allows you to tailor the document to what you need by using templated clauses

Cons

• Isn’t designed specifically for cookie policies or consent management
• No built-in cookie scanning or consent tools
• While lawyers update templates based on regulation changes, you have to manually update your policy when there are changes to your website’s cookies
• Doesn’t support international privacy regulations besides United Kingdom GDPR
• No multi-language support

Pricing

• No free plan publicly available
• Pricing starts at £39/month with an annual subscription

What people say

Some users appreciate Docue’s ability to quickly and easily generate legal documents but many mention how they feel misled by the platform’s pricing.

Choose the best cookie policy generator for your website and your business

The best cookie policy generator is one that helps you create a policy that evolves with your site as well as changing regulations.

And, if it’s a part of a wider suite of digital compliance solutions, like iubenda, you’ll not only have the best value for money but greater support for your business’ growth.

Because when you show your users that you respect their privacy by providing a cookie policy, along with solutions for consent management, you’ll be positioning your brand as transparent and trustworthy.

That kind of trust is invaluable for building customer relationships that sustain your business for the long run.

The post The best cookie policy generator in 2026: compare features, pricing, and reviews appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB & EDPS Issue Joint Opinion on Digital Omnibus
The European Data Protection Board and the European Data Protection Supervisor published a Joint Opinion 2/2026 on the Digital Omnibus proposal (PDF), supporting simplification but warning that some amendments could weaken fundamental rights and fragment GDPR protection across the EU.

European Union – EDPB Adopts 2026–2027 GDPR Work Programme
The European Data Protection Board adopted its 2026–2027 GDPR work programme (PDF), prioritising practical enforcement, updated cooperation procedures, revised fine-setting guidance, SME support tools, coordinated transparency enforcement, and further work on generative AI scraping.

2) Notable Case Law

France – CNIL Reports €486.8 Million in GDPR Fines for 2025
France’s data protection authority published its 2025 enforcement report (in French), detailing 259 decisions and €486.8 million in fines, mainly linked to cookie violations, employee monitoring, security failures, and unlawful marketing practices.

United States – FTC Warns Data Brokers Over Foreign-Adversary Data Sharing
The U.S. Federal Trade Commission sent warning letters under the Protecting Americans’ Data from Foreign Adversaries Act, reminding 13 data brokers that sharing sensitive data with entities linked to China, Russia, Iran, or North Korea may trigger penalties of up to $53,088 per violation.

Spain – AEPD Orders Health Authority to Answer Access Request
The Spanish Data Protection Agency ordered the Balearic Health Service to comply with a GDPR access request within ten working days after missing the one-month deadline, as confirmed in its official resolution (PDF, in Spanish).

3) New and Upcoming Legislation

United Kingdom – ICO Sets Complaint Handling Standards Under New Data Act
The UK Information Commissioner’s Office published guidance on complaint handling under the Data (Use and Access) Act, which enters into force on 19 June 2026 and requires clear procedures, prompt investigations, and reasoned written outcomes.

4) Strong Impact Tech

European Union – EU Probes Google Over Search Ad Auction Pricing
EU antitrust regulators are assessing whether Google inflated search ad auction prices in breach of EU competition law, according to a Reuters report on the preliminary investigation.

European Union – Brussels Targets “Infinite Scroll” Under DSA
EU regulators are scrutinising addictive design features such as infinite scroll and autoplay under the Digital Services Act in the TikTok investigation, as reported by Politico on potential DSA enforcement measures.

Other key information from the past weeks

Canada – Ontario Releases Privacy-First AI Framework for Health Care
Ontario’s Information and Privacy Commissioner issued guidance on responsible AI use in health care (PDF), outlining governance expectations, vendor oversight, and safeguards for AI medical scribes.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #152) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

That’s why the European Commission’s “Digital Omnibus” proposal has been getting so much attention. The headlines can be dramatic (“cookie banners are going away”), but the real story is more practical: the Commission is trying to reduce consent fatigue by looking at how consent is usually collected and simplifying the legal requirements around it.

Below is what matters most for publishers, what the proposal promises, what’s still unclear, and why pay-or-ok models are likely to stay central either way.

The EU’s proposal in a nutshell

The Digital Omnibus proposal (published 19 November 2025) is the Commission’s attempt to simplify parts of the EU’s digital and privacy framework. One key shift: cookie-related rules, now part of the ePrivacy Directive, would move into the General Data Protection Regulation (GDPR), so businesses are not struggling to keep up with too many scattered legal requirements.

On cookie consent specifically, the proposal suggests:

• Consent still matters for marketing. Advertising, profiling, cross-site tracking, and most third-party analytics remain “opt-in” scenarios.
• Fewer repeated prompts. The proposal supports clearer banner standards (including making “Reject” as easy and visible as “Accept”) and limiting how often you can re-prompt after a refusal.
• A long-term push toward browser or OS-level choices. A new system was proposed: “machine-readable” consent signals, so a user could set preferences once at the browser level, and websites would need to read and apply them.

A lot of questions arose from the proposal and will probably find their answer in future publications by the European Commission around the topic. In the meantime, the proposal will continue its journey through the EU legislative process.

There will likely still be a series of legal and technical requirements for websites to handle, like informing users of their practices around data and privacy, blocking cookies when no consent is given, etc.

Why cookie consent is crucial for publishers

As a publisher, you sit in a different reality than many other website owners.

Your model is often some mix of ad-funded access, subscriptions (hard paywalls, freemium), or hybrids (memberships, logged-in experiences).

Cookie consent affects all of it, but the pressure point is usually advertising.

• If you can’t collect valid cookie consent where it’s required, you may lose the opportunity to serve ads altogether.
• If consent is partial, you may not be able to serve ads personalized to the user. It’s less probable for users to click.
• If the consent experience is too heavy, takes too much time to load, the user may go through your content before your high-value, above-the-fold ads display. It’s less probable for users to click.

All the above can have a high negative impact on your revenue.
That’s why, as a publisher, you should make sure to curate your cookie consent processes.

Consent processes are so important for you, and yet they’re a strong pain point for your visitors. The reality is that most people don’t want to decide about cookies. They want the article, the video, the recipe.

Repeating that same decision on every new site is a fast track to the frustration that the EU’s proposal targets: fewer repeat prompts, clearer UI expectations, and, eventually, more centralized preference signals.

A special exemption granted to media providers

Here’s the part you probably immediately noticed: a carve-out for “media service providers”.

In the proposal’s logic, if users are given the possibility to broadcast a global “reject tracking” signal from their browser, ad-funded media could take a hit.

In other words, if the user were to deny consent at the browser level to advertising, for instance, media providers would not be able to display ads, which is usually their main source of revenue.

So the proposal suggests that media service providers should not be obliged to respect those globally-transmitted signals (in view of the need to finance media through advertising) and could still ask for consent in the usual way, whether through a traditional banner, a pay-or-ok model, etc.

There’s a tricky nuance here to be aware of: media service providers would not have to respect global consent rejection signals set by users. This, of course, doesn’t mean that they would be exempt from general consent rules like informing users or letting them update their preferences through a banner. Only that the signal mechanism might not be binding the same way for that category.

Some publishing platforms may not be subject to this exemption.

At these early stages of the proposal, there is still some uncertainty around the boundaries and scope of the media service provider definition. Make sure to seek expert advice to understand if you wouldfall within the exemption.

Pay-or-ok model: why it won’t disappear

If you work in media, you already know the trend: pay-or-ok is everywhere. And the user behavior is predictable: “I’ll just consent, because I don’t want to pay.”

When the “free” option is funded by ads and tracking, many readers will choose it.

Paywall? Pay-or-ok? Here’s a quick refresher for those who are new to these terms.

A paywall controls access to content. Users must pay (or subscribe) to read, watch, or listen. In short: Pay to access content.

A pay-or-ok model links access to content directly to consent for tracking. Users can either pay (usually via subscription) or consent to advertising and tracking. Advertising revenue replaces subscription revenue for users who choose “ok.” In short: Pay with money, or pay with data.

We can argue that pay-or-ok doesn’t help reduce consent fatigue. The annoyance of the banner and making a choice is still there. In general, EU privacy discussions keep scrutinizing “consent or pay” models to make sure they are fair (consent is freely given).

Regulators pay attention to whether the user genuinely has a choice, how pricing and alternatives work, and whether pressure is applied.

So even if the Omnibus proposal would give media service providers room not to honor global reject signals, pay-or-ok design will still be under a microscope. The question shifts from “can you show a banner?” to “is the choice fair, clear, and defensible?”

Subject to future clarifications of the media service provider definition, Consent Management Platforms may remain central for publishers as they would still need a reliable and compliant infrastructure to manage cookie release, consent walls, and pay-or-ok logic if it’s not done in-house.

What the proposal means for publishers now

The best you can do now is the following:

• Stay informed and monitor further developments, as this is just a proposal. It’s not law yet.
• Keeping your consent flows, preference handling, and internal documentation practices in check could help reduce future implementation effort.

Existing legal obligations still apply, and you don’t need to change anything because of the headlines. It’s a multi-year transition, and publishers will likely operate in a hybrid world for a long time.

Even if adopted, this won’t be a “flip the switch” moment. The legislative path is long, and clarifications will come in time. Requirements would start to take effect several months after entry into force.

Parts of the proposal have sparked some debate and will have to be addressed. For publishers, the biggest uncertainty is also the most basic: who counts as a “media service provider”?

Early commentary has already pointed out that this carve-out may be challenging to apply in practice and could be open to misuse. The exemption shouldn’t create a blanket legal basis for tracking and other marketing activities.

iubenda is an all-in-one, scalable privacy compliance infrastructure that can help you improve your marketing performance and grow confidently.

Our team works by your side to help optimize your consent rate and processes, to support your revenue growth.

Disclaimer: This article discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of February 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.

The post What publishers should expect from the EU’s Digital Omnibus proposal appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Artificial intelligence is changing marketing. Teams are using AI for personalization, content creation, audience segmentation, predictive analytics, campaign optimization, you name it. The potential is clear, and adoption is accelerating. Yet somehow many marketers still struggle to move from experimentation to scale.

One of the biggest obstacles is often assumed to be regulation. But the more common issue is uncertainty. Uncertainty about data usage, consent requirements, and legal boundaries slows decision-making and creates friction between marketing, legal, and product teams.

When uncertainty exists, innovation stalls.

Why AI adoption in marketing slows down

Privacy regulations such as GDPR, ePrivacy, and US state privacy laws do not prevent marketers from using AI. What they require is clarity around how personal data is collected, processed, and used.

The challenge is that many organizations lack clear answers to fundamental questions:

• What data are we collecting?
• What did users consent to?
• Does that consent cover AI-driven personalization or analytics?
• Can we demonstrate compliance if asked?

Without clear data governance and consent management, every new AI initiative becomes a risk assessment rather than a growth opportunity. This is where momentum is lost.

First-party data is the safest foundation for AI marketing

As third-party data becomes less reliable and more restricted, first-party data has become the most valuable asset for AI-driven marketing.

First-party data collected with clear, informed consent offers several advantages: higher accuracy and relevance, stronger alignment with declared purposes, lower compliance risk, and greater user trust.

From an SEO and performance perspective, first-party data also supports better personalization and measurement without relying on opaque data sources.

For marketers, this means that AI initiatives are most effective when they start with data that the organization fully controls and understands. Clear consent turns first-party data into a strategic advantage rather than a legal risk.

Consent clarity enables faster AI experimentation

Many teams delay AI adoption because they fear crossing legal boundaries. In practice, those delays are often caused by unclear consent frameworks rather than strict regulatory limits.

When consent is specific, documented, and transparent, marketers gain clarity about what they can do. This reduces internal friction and shortens approval cycles.

Clear consent frameworks help teams define which AI use cases are permitted, align marketing and legal expectations, adapt quickly as AI applications evolve, and maintain compliance across regions and regulations.

Instead of slowing innovation, well-managed consent enables it. In other words, the best way to save time is to do it right from the beginning. Who would have thought!

Why involving legal teams early accelerates progress

Legal and privacy teams are often seen as blockers. If you’re a marketer, you probably don’t have enough fingers on your hand to count the times you avoided running a campaign that wasn’t straightforward when it came to compliance, simply because you thought that involving legal would slow things too much and… let’s face it, time isn’t something marketers have in abundance.

I believe legal teams become blockers mostly when they are involved too late in the process. When legal input comes after an AI project is already defined, the conversation becomes reactive. Bringing legal teams into AI planning early changes the dynamic. It allows organizations to establish clear boundaries from the start and identify real risks.

Most delays in AI marketing are caused by uncertainty about what is allowed. Early alignment removes that uncertainty and creates confidence across teams.

Compliance should be infrastructure, not friction

Not surprisingly, companies moving fastest with AI in marketing treat compliance as infrastructure rather than a constraint.

This includes purpose-based consent management, reliable consent records and documentation, transparency toward users, and systems that can adapt as regulations and AI use cases change.

When these foundations are in place, marketing teams can test, iterate, and scale AI initiatives without stopping to reassess risk at every step.

Compliance becomes part of how innovation happens, not a reason it stops. Doesn’t this sound lovely?

Trust is essential for scalable AI marketing

AI-driven marketing relies on trust. Trust from users who share their data, trust between internal teams, and trust in the data powering AI systems. As someone working for a compliance company, I can assure you that trust is everything.

Organizations that invest in clear consent, strong data governance, and privacy-first foundations reduce risk while increasing speed. They gain the confidence to use AI responsibly and effectively.

The future of AI in marketing is about removing uncertainty and building on data that users trust you with.

The post The real barrier to AI in marketing is uncertainty, not regulation appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

For indie hackers and non-technical founders, that’s a huge shift and a real advantage. There’s a gap, however, that most people don’t see until it becomes a problem.

If your app collects personal data (even something as simple as an email address or analytics), you’re expected to have certain legal basics in place. Privacy policies, terms and conditions, and, in many cases, cookie consent.

For the most part, vibecoders aren’t intentionally ignoring this, but it may not feel urgent when you’re focused on shipping, testing, and figuring out whether your product even has legs. The problem is that platforms, app stores, and ad networks often care much earlier than founders expect.

Now for the good news. You don’t need to navigate everything at once. Start by understanding which requirements apply to your app.

Vibecoding: what’s it all about?

Vibecoding is a newer approach to app development in which AI generates most of the code for you based on prompts. Instead of writing everything by hand, you guide the build and iterate as you go. In practice, the process usually looks like this:

• You describe what you want in plain language
• An AI tool generates the code
• You tweak things, prompt again, and ship

What makes this approach different is that it’s no longer limited to simple demos or landing pages. Many teams are using it to build fully functional apps with logins, payments, and active users. And it’s growing in popularity among early-stage startups, with 25% of YC’s latest startups letting AI write 95% of their code.

Where things can go wrong

Most issues don’t show up while you’re building, but once you start to grow. A few common examples:

• You submit your app to an app store and get asked for a privacy policy
• You try to run ads, and Google won’t approve your campaign
• Analytics isn’t tracking properly
• A user asks how their data is handled, and there’s nowhere to point them
• A platform flags missing legal pages

At that point, compliance will feel like a blocker that came out of nowhere, even though, from a legal perspective, the trigger was simple: the app began processing personal data.

This is where privacy laws apply in a very practical way, not as an abstract legal concept. For early-stage startups, it’s less about fines and more about delays, rejections, and lost momentum.

Useful links:

How compliance gets overlooked

Unlike security risks, legal compliance doesn’t receive much attention in AI circles. That’s because most vibecoding content focuses on speed, tooling, prompts, and shipping faster, and privacy and terms feel like something you “add later”, once the product is proven.

But as we now know, most platforms won’t let you get very far without them. App stores require a privacy policy, ad platforms check for compliant policies, and analytics and tracking need valid consent in many regions.

Can’t the AI just generate this for me?

It’s reasonable to assume that if AI can build your app, it can also generate your legal documents. And while you can technically build documents this way, AI-generated policies tend to be:

• Generic
• Incomplete or out of date
• Not aligned with the services you actually use
• Missing platform-specific requirements

Most importantly, from a legal standpoint, you’re still responsible for what’s there. If something goes wrong, it doesn’t matter how the text was generated; you’re still accountable for what’s published.

While AI can be great at generating code and features, legal compliance requires accuracy, context, and ongoing updates.

What your app actually needs to stay protected

For most vibecoded apps, the requirements are simpler than people expect. You don’t actually need a complex legal setup. Just a few basics in place, early.

• Privacy policy
  • If your app collects personal data (e.g., email addresses, logins, payments, analytics), you need a privacy policy. It’s what app stores, ad platforms, and users expect from you. It needs to clearly reflect how your app works, processes personal data and which third-party services you use.
• Terms and conditions
  • Terms protect you. They define how the app can be used, limit liability, and clarify responsibilities. If users sign up or pay, terms are essential.
• Cookie consent
  • If you use analytics, ads, or tracking, users often need real choices. Clear consent also helps ensure your analytics and ad tracking work as intended.
• Platform requirements
  • App stores, ad networks, and payment providers all check for compliant documentation. Missing or incorrect pages can delay launches or block growth.

Useful links:
https://www.iubenda.com/en/blog/how-to-write-terms-and-conditions/

https://www.iubenda.com/en/help/463-generate-privacy-policy/

How iubenda helps

If you’re building an app quickly, iubenda helps you get your compliance basics sorted so you don’t get hit with surprises when it’s time to launch.

Instead of writing policies yourself or relying on AI text that won’t pass platform checks, iubenda generates them based on the services your app actually uses. That includes your privacy policy, terms and conditions, and, if your app relies on analytics or tracking, your cookie and consent setup. Everything is maintained by our legal team and updated for you, so you don’t need to track changes or rewrite anything as your stack evolves.

The consent tools also handle the practical side of compliance: giving users real choices, respecting those choices across devices, and keeping proof of consent. This helps prevent analytics or ad tracking from breaking and keeps platforms like Meta and Google Ads happy.

iubenda integrates easily into most workflows, whether you’re using a CMS, a no-code tool, or a custom setup. You can embed everything with simple snippets, plugins, or via API.

All of this saves hours of work and reduces the risk of running into issues at the worst moment: an app store rejection, an ad campaign being paused, or users hesitating because they can’t see how their data is handled. It’s simple. We’ll help you stay aligned with the latest compliance requirements while you focus on shipping your product and growing.

Pre-launch checklist

Before you share your app publicly, it’s worth running through a quick check to make sure nothing important is missing. The basics are straightforward:

• Is your privacy policy live and easy to find?

Platforms expect this, and users look for it.

• Do you have terms in place if people need to sign up, log in, or pay?

This sets clear rules and protects you.

• If you use analytics or tracking, is consent handled properly?

Real choices, correct behaviour, and nothing firing before it should.

• Do you meet the requirements of any platform you depend on?

App stores, ad networks, and payment providers all check for this.

A solid foundation for smooth app growth

Vibecoding makes it easier than ever to ship quickly. Getting the privacy basics right makes it easier to grow.

When compliance is handled properly, it builds trust, keeps platforms happy, and removes the small obstacles that can slow your momentum. With iubenda, you can do all of this in minutes.

Get set up today.

The post Everything AI app builders need to know about vibecoding and privacy compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’re introducing 1-Click Embedding for Google Tag Manager, a guided way to embed your iubenda solutions without manually installing plugins or handling embed snippets.

What’s new

With 1-Click Embedding for Google Tag Manager, you can install your configured iubenda solutions through a guided flow that runs in a secure pop-up window.

This process brings everything together in one place and uses Google’s native login and authorization screens to guide you through the installation.

This experience is already available for WordPress and Shopify, and is now supported for teams using Google Tag Manager, too.

Which iubenda solutions can you embed via GTM?

The GTM 1-Click Embedding flow supports the iubenda solutions you’ve already configured, including:

• Privacy and Cookie Policy Generator
• Terms and Conditions Generator
• Privacy Controls and Cookie Solution (cookie banner)

A more guided setup, with more control

The new GTM embedding flow brings these decisions into a single, guided experience while keeping you in control of where the installation takes place. Now, you can: 

• Move through the installation step by step
• Select the exact account, container, and environment you want to use
• Complete the embedding automatically once confirmed
• Finish the setup without editing your site’s code

How 1-Click Embedding works with Google Tag Manager

Start by logging in with your Google account and approving the connection through Google’s native authorization screens. Select where the installation should take place by choosing the appropriate GTM account, container, and environment.

Once confirmed, iubenda automatically installs and embeds your configured solutions.

When the installation is complete, you’ll be prompted to publish the changes in Google Tag Manager to activate them. At the same time, a scan will automatically run inside your iubenda dashboard to verify that everything is in place.

For detailed, step-by-step instructions, you can refer to our help guide on using 1-Click Embedding with Google Tag Manager.

How to access 1-Click Embedding

If you’re using Google Tag Manager, you’ll see the simplified embedding option in two areas of your iubenda dashboard:

• In the configuration checklist, during the embedding step
• In the embedding section below the snippet boxes for supported solutions

In both cases, selecting Go to simplified embedding starts the guided GTM setup.

Before you publish

Publishing the installation in Google Tag Manager will include any other unpublished edits in your workspace. If you prefer to review those changes first, you can do so directly from your GTM dashboard before publishing.

If an issue occurs during installation, you’ll see a clear message with the option to try again. The system will restart the process.

A simpler way to set up iubenda with GTM

If you’re already using Google Tag Manager, 1-Click Embedding offers a clear, guided way to complete your setup, combining the flexibility of GTM with a simpler installation flow.

The post Introducing 1-Click Embedding for Google Tag Manager appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The latest version, TCF 2.3, was officially announced on June 19, 2025, with updates that clarify vendor disclosure and strengthen accountability across the digital advertising ecosystem.

Here’s what’s changing, what it means for you, and how to get ready.

What is TCF 2.3? 

TCF 2.3 is the latest version of the IAB Europe Transparency and Consent Framework.

It’s the industry standard that helps publishers and advertisers operationalize with the GDPR and the ePrivacy Directive when processing personal data for digital advertising:

• It gives Consent Management Platforms (CMPs) like iubenda a standardized way to inform users and capture consent (or objections) for advertising.
• It makes sure consent signals are communicated consistently across the advertising supply chain, from your site to every vendor you work with.

What changes from the previous version?

TCF 2.2 (launched in May 2023) focused on implementing changes required by the Belgian Data Protection Authority and improving user-friendly descriptions. TCF 2.3 now tackles a different challenge: vendor disclosure ambiguity.

Mandatory “Disclosed Vendors” segment

The main change in TCF 2.3 is that the “Disclosed Vendors” section is now mandatory in all TC strings. Previously, it was optional.

– Clear binary signal: The Disclosed Vendors segment provides a simple indicator (1 = disclosed, 0 = not disclosed) specifying whether a vendor was shown to the user.
– Updated TC string structure: The string format now follows the following pattern [Core segment].[disclosedVendors segment].[Publisher TC].
– No more ambiguity: Vendors can now confirm whether they were properly disclosed to users before processing data.

Why this change? 

Under TCF 2.2, some vendors faced uncertainty in scenarios where it wasn’t clear whether they’d been disclosed to the user.

For example, when a CMP registered a user objection under Legitimate Interest, a vendor couldn’t always tell whether they’d actually been shown to the user. This distinction matters because vendors must be disclosed to users as part of meeting transparency obligations before processing data, including for Special Purposes.

By making the Disclosed Vendors segment mandatory, TCF 2.3 removes this ambiguity. This means cleaner signals across your advertising stack and fewer issues with vendor data processing.

What’s the timeline for implementation?

Here are the key dates to keep in mind:

June 19, 2025: TCF 2.3 officially announced and technical specifications released.

October 2025: Google confirmed its systems can accept and process TCF 2.3 strings.

February 28, 2026: Mandatory deadline. All CMPs and vendors need to support TCF 2.3. Support for new TCF 2.2 strings ends on this date.

Good to know: TC strings generated on or after February 28, 2026 must follow TCF 2.3 specifications. TCF 2.2 strings created before that date will still be valid.

If you use Google AdSense, Ad Manager, or AdMob in the EEA, UK, or Switzerland, you’ll need TCF 2.3 support by February 28, 2026.

Google has confirmed its systems can accept and process TCF 2.3 strings. If you miss the deadline, your ad requests may default to Limited Ads serving, which can reduce demand/personalization and impact revenue. The good news? With iubenda, no need to worry. We’ve got you covered.

What does this mean for iubenda customers?

If you’re using iubenda’s Privacy Controls and Cookie Solution, you’re all set. Our CMP already handles TCF 2.3 requirements.

Here’s what’s next for you:

• If you’re ready now: Set tcfVersion = 2.3 in your configuration to start using TCF 2.3 signals immediately. This is a good choice if you want to test the new signals with your ad stack before the mandatory date.

• Prefer a hands-off approach? Let us handle it: We’ll automatically switch your signals to TCF 2.3 after the February 28, 2026 deadline. You don’t need to do anything.

No banner changes needed: TCF 2.3 is a technical update. Your consent banner interface stays exactly the same.

No new data collection: This update doesn’t introduce new categories of personal data or expand data processing purposes.

Your users won’t notice: The change happens behind the scenes. The new TC string automatically generates the next time someone interacts with your consent notice.

More on this topic:

• Mobile apps and CTV: for this type of implementation, you may need to update to the latest version of our SDK. We’ll share detailed guidance closer to the deadline.
• Make sure to review your vendor list and confirm your vendors are registered on the updated Global Vendor List.

Over to you

Questions about TCF 2.3 or your setup? Reach out to our support team at info@iubenda.com.

The post Transitioning to IAB’s TCF 2.3: what you need to know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In October 2025, the European Data Protection Board (EDPB) announced that transparency and information duties under the GDPR will be its top coordinated enforcement topic for 2026.

That’s a clear signal: regulators will be paying extra attention to how you explain your data use to people.

For businesses, that translates to a simple focus: your privacy and cookie policy should be accurate, clear, and easy to find.

If your policies are due for an update, 2026 is the year to stop postponing it. Let’s take a look.

What the year of transparency holds in store

During its October 2025 plenary, the EDPB picked the topic for its fifth coordinated enforcement action: compliance with the GDPR’s transparency and information obligations.

Here’s the core idea: the GDPR says people have the right to be informed about the collection and processing of their data, especially under Articles 12, 13, and 14. This “right to be informed” is one of the GDPR’s foundation stones, because it’s what gives people real control over their data.

If you’re collecting personal data, you must clearly explain that you’re doing it, what data it is, what you do with it, and why.

Coordinated enforcement: what does that mean? 1-The EDPB selects a topic (for 2026, transparency). 2-National Data Protection Authorities (DPAs) choose to participate voluntarily. 3-DPAs run checks or investigations at national level using a shared approach. 4-Results are aggregated and analyzed to spot patterns. 5-If needed, this can lead to targeted follow-up at national and/or EU level. The action will be launched over the course of 2026.

This is what regulators will be looking at:

• Article 12 is your “plain language” rule. Information must be concise, transparent, easy to access and to understand.
• Article 13 covers what you must tell people when you collect data from them (for example: contact forms, checkout, newsletter signup).
• Article 14 covers what you must tell people when you get their data from somewhere else (for example: lead lists, partners, data enrichment, certain advertising scenarios).

Why it matters to your business

If the GDPR applies to you, you must follow transparency requirements.

Most businesses will be affected by the EDPB’s 2026 focus on transparency because it applies whenever you collect or use personal data.

If your website has a contact form, a newsletter signup, account creation, checkout/payments, customer support chat, or even common tools like analytics and marketing pixels, you’re almost certainly processing personal data.

If a DPA looks at your site or app and doesn’t like what it sees, they can ask questions, require changes, order you to stop certain processing, and (in some cases) issue fines.

Who are DPAs? A quick reminder: DPAs (Data Protection Authorities) are the national regulators that enforce data protection law in each EU/EEA country. There’s a French one, an Italian one, and so on.

Beyond the legal obligations, transparency isn’t just a legal checkbox for SMBs. It’s a real business advantage.

When people understand what you’re doing, they’re less suspicious. They’re more likely to sign up, buy, and stick around.

They’re more willing to trust you with their data. Better data means better campaigns and a higher revenue!

Transparency can actually improve conversion and retention, because it reduces friction and surprises.

Make your privacy and cookie policy flawless

For most businesses, the practical translation of these obligations is having a privacy and cookie policy.

The key elements to include in your privacy policy are:

• Who you are: company name, contact details
• What personal data you collect and how: e.g., name, email, billing details, IP address, device info, order history + where it comes from: forms, checkout, cookies/trackers, third-party tools
• Why you use it (purposes): e.g., provide the service, process payments, customer support, analytics, marketing
• Your legal basis: consent, contract, legal obligation, legitimate interests
• Who receives the data: any third parties, like hosting or payment processors, vendors, service providers
• Any international transfers: if data goes outside the EU/EEA, explain where and what safeguards you rely on
• Retention: how long you keep data
• People’s rights: access, deletion, objection, etc., and how to exercise them
• Updates: how you notify users of changes, “last updated”, or effective date

Do’s	Don’ts
Article 12 is explicitly about clear and plain language and making information easy to access. Can I understand the main points in under two minutes?	This isn’t about writing longer legal documents. It’s about making sure anyone can quickly find and understand it.
Can I find your privacy policy in one click from any page? That’s why you typically see all privacy policies in the footer of the website.	A privacy policy that is technically “published” but buried in a submenu or written like a courtroom script is not the spirit of Article 12.
Does your policy match reality? Make sure it is complete and tailored to your business.	Here’s an easy mistake: if a service truly doesn’t involve personal data processing, you generally don’t need to describe it in your privacy policy. Including non-existent processing can be misleading.

Take a look at our GDPR privacy policy template for an example!

How iubenda helps you meet 2026 standards

As Giulia Stancampiano, our Director of Legal at iubenda, puts it:

“By focusing on information duties in 2026, the EDPB highlights something simple but often overlooked: data protection begins with explaining things clearly. The real work is translating principles into practical steps that people can understand.”

Transparency can sound like tedious work. It’s writing the policy, but also keeping it accurate as your business changes. Add a new analytics tool, chatbot, ad platform, or payment provider, and last year’s policy no longer reflects what you actually do.

That’s where iubenda helps: we empower SMBs to manage transparency and digital compliance easily, as their business evolves.

Our tools come with pre-drafted clauses that are updated when relevant legal changes occur. We alert you if something’s missing. We offer easy integration options with your site.

A privacy policy powered by iubenda is simple, effective, and meets transparency requirements. Learn more about our Privacy and Cookie Policy Generator.

Ultimately, the EDPB’s 2026 focus reinforces a simple point: compliance starts with clear communication. iubenda’s products are built for simplicity and for maintaining consistent and reliable communication as your business grows.

Need a transparent privacy policy?

The post What the EDPB’s 2026 focus on transparency means for online businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

United Kingdom – ICO Clarified Storage and Access Technology Rules
The ICO clarified that PECR rules apply to all information, not just personal data, and maintained that storage or access must be essential to provide requested services. Legitimate interest cannot be used for non-exempt technologies and consent is required.

Italy – Garante Approved IT-Wallet System Draft Decrees
The Italian data protection authority issued a favorable opinion on draft decrees for the Italian Digital Wallet System (in Italian), which incorporates Privacy by Design and by Default principles aligned with GDPR Article 25 requirements.

European Union – EDPB Published DSA-GDPR Guidelines
The European Data Protection Board adopted guidelines 3/2025 on the interplay between the Digital Services Act and GDPR, covering illegal content detection, advertising transparency, and systemic risk management amongst others. Public consultation runs until October 31, 2025.

USA (California) – Multi-State Privacy Enforcement Sweep Targets Opt-Out Compliance
The California Privacy Protection Agency and attorneys general from California, Colorado, and Connecticut launched an investigative sweep examining business compliance with consumers’ right to opt out of personal data sales. The enforcement action specifically focuses on adherence to Global Privacy Control signals and proper handling of consumer opt-out requests across participating states.

2) Notable Case Law

Finland – S-Bank Fined €1.8 Million for Security Breach
S-Bank received a €1.8 million fine for GDPR violations (in Finnish) after a security flaw allowed customers to log into online banking using other customers’ credentials between April and August 2022.

France – Google and SHEIN Fined
France’s CNIL imposed €325 million total penalties on Google entities for unauthorized advertising practices. Google LLC was fined €200 million while Google Ireland Limited faced €125 million for Gmail advertisement deployment without consent and improper cookie placement affecting over 74 million French users. Compliance requirements include practice cessation within six months or additional sanctions.

CNIL separately sanctioned SHEIN with a €150 million penalty for cookie compliance failures (in French). Violations encompassed unauthorized tracker deployment, incomplete consent banners lacking advertising purpose disclosure, insufficient third-party identification at secondary information levels, and faulty consent withdrawal mechanisms where trackers were not removed, as well as tracker operations that continued despite user refusal.

3) New and Upcoming Legislation

Poland – Data Act Implementation Framework Advanced
Poland’s Draft Act on Fair Access to and Use of Data (in Polish) progressed, designating the Office of Electronic Communications as the enforcement authority. The Council of Ministers expects adoption in Q4 2025.

USA (California) – Opt Me Out Act Passed Legislature
Assembly Bill 566 passed, requiring businesses to develop browsers with opt-out preference signal functionality and clearly disclose how these signals work and their intended effects on data processing.

USA (Colorado) – EPIC Submitted CPA Amendment Comments
The Electronic Privacy Information Center (EPIC) supported expanding sensitive data definitions and recommended opt-in consent for features extending minors’ engagement, while proposing clarifications on content moderation requirements.

USA (New Jersey) – Privacy Groups Urged Robust NJDPA Rules
EPIC and the Consumer Federation of America recommended that the Division of Consumer Affairs adopt strong privacy rules including data minimization provisions and stricter standards for minors’ data.

4) Strong Impact Tech

USA – FTC Launched AI Chatbot Inquiry
The Federal Trade Commission initiated an investigation into AI chatbots from seven companies including Alphabet, Meta, and OpenAI, examining COPPA compliance and impacts on children and teens.

European Union – ASML Invested €1.3 Billion in Mistral AI
Politico reported that Dutch chip tool-maker ASML announced a major investment in French AI company Mistral, supporting Europe’s technological sovereignty goals and helping compete with American AI companies like OpenAI and Anthropic.

Other key information from the past weeks

Austria – YouTube Data Access Request Decision
Austria’s data protection authority ordered Google’s YouTube to comply with the GDPR following complaint proceedings instituted by noyb (in German). The regulator determined that Google LLC provided inadequate access request responses by withholding processing purposes, retention periods, recipient information, and tracking cookie details. These resulted in the violation of transparency obligations under Articles 12 and 15 GDPR.

USA – Disney Children’s Privacy Settlement
Disney agreed to a $10 million COPPA settlement for unlawful YouTube data collection from children under 13. The US Federal Trade Commission alleged Disney mislabeled child-directed videos as “Not Made for Kids,” enabling targeted advertising without parental consent, violating federal privacy protections.

USA – YouTube Children’s Privacy Settlement
Google and YouTube agreed to $30 million COPPA settlement resolving California Federal Court children’s privacy litigation from October 2019. The agreement addresses unauthorized data collection from minors including persistent identifiers, IP addresses, device information, and location data without parental consent, establishing $30-$60 individual payment ranges for affected children.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #147) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Italy – AI Law Published in Official Gazette
Italy officially published its comprehensive artificial intelligence legislation (in Italian) in the Official Gazette, establishing a regulatory framework for AI systems operating within Italian jurisdiction.

Switzerland – Website Tracking Regulations
Swiss authorities announced revised digital privacy requirements mandating clear data collection disclosure and simple opt-out options. The framework allows some non-essential cookies without consent if justified by strong interests, while sensitive or high-risk data activities require explicit user approval.

EU – Digital Platform Compliance Framework
European regulators released collaborative guidance demonstrating how the Digital Markets Act and GDPR work together to safeguard user information and promote competitive fairness among large technology companies.

Austria – Microsoft 365 Education Victory
Austrian privacy advocates successfully challenged Microsoft 365 Education for tracking school children, with authorities ruling the platform violated student privacy protections.

2) Notable Case Law

Germany – Hamburg Financial Firm Penalty
Hamburg’s data protection authority fined a financial company €492,000 (in German) for failing to provide customers with adequate explanations about automatic credit card rejections, breaching transparency requirements.

California – Universal Privacy Controls
California enacted legislation requiring browsers to provide single-click tracking rejection capabilities by January 2027. The measure enables users to block data collection and commercial sharing across all websites simultaneously, eliminating individual site preferences.

3) New and Upcoming Legislation

USA (Maryland) – Data Privacy Law Effective
Maryland’s new data privacy law became effective on October 1, granting residents rights over personal data, setting business compliance rules, and establishing security standards with potential criminal penalties.

Norway – Digital Security Act Enforced
Norway’s Digital Security Act took effect (in Norwegian) on October 1, requiring critical sectors to meet strict cybersecurity standards and rapidly report incidents, aligning with European network security directives.

4) Strong Impact Tech

USA – AI LEAD Act Referred to Committee
The AI Leadership To Enable Accountable Deployment Act was referred to committee, creating a civil liability framework holding AI developers and deployers accountable for negligence and safety violations.

USA (California) – Frontier AI Transparency Act Signed
California’s Governor signed the Transparency in Frontier Artificial Intelligence Act on September 29, requiring large AI developers to publish risk assessment frameworks and detailed transparency reports.

Other key information from the past weeks

Brazil – Cybersecurity Legal Framework Pending
Brazil prepared to approve its first Cybersecurity Legal Framework, establishing a National Cybersecurity Authority to unify regulations and enforce national standards across sectors.

United Kingdom – Apple Cloud Data Access Attempt
UK authorities made renewed attempts to access Apple’s cloud data storage systems, intensifying ongoing disputes over law enforcement access to encrypted user information.

Germany – EU Child Abuse Scanning Bill Division
Germany remained divided on the EU’s proposed child abuse content scanning legislation, with mounting pressure from various stakeholders regarding privacy and security implications.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #148) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB Reviews Brazil’s Data Protection Adequacy
The European Data Protection Board shared its opinion on recognizing Brazil’s data protection laws as adequate under EU standards. While finding Brazil’s framework largely compliant with GDPR, the EDPB advised clarification on privacy assessments, transparency limits, and law enforcement applications.

Latvia – Guidance Issued on Cookie Opt-Out Simplification
Latvia’s Data Protection Authority published guidance urging websites to make cookie consent withdrawal easier (in Latvian). The authority emphasized that non-essential cookies require freely given consent and highlighted best practices for clear withdrawal tools.

European Union – AI Content Transparency Code Development Begins
The European Commission launched development of a Code of Practice for AI-generated content transparency. The seven-month process involves industry and civil society input to meet AI Act requirements for clearly marking AI-produced content by August 2026.

France – CNIL Surveys DPOs on AI Governance Role
France’s data protection authority launched a nationwide survey exploring how Data Protection Officers adapt to AI oversight responsibilities (in French). The initiative examines AI Act and GDPR interactions, with results expected in early 2026.

2) Notable Case Law

Spain – Carrefour Financial Services Fined €2.5 Million
Spain’s data protection authority fined Servicios Financieros Carrefour €2.5 million for data breach failures (in Spanish). The breach exposed customer ID numbers, contact information, and financial data due to weak security systems and poor monitoring practices.

Poland – Courts Approve UODO’s Data Communication Framework
Polish Courts of Appeal approved the national data protection authority’s standardized communication templates for personal data protection claims (in Polish). The decision supports streamlined information sharing under Poland’s Personal Data Protection Act.

3) New and Upcoming Legislation

USA (New York) – Final Cybersecurity Rules for Small Firms Active
New York’s amended cybersecurity rules final phase took effect, requiring small businesses to adopt multi-factor authentication and maintain detailed asset inventories. Class A companies must ensure universal MFA access and comprehensive IT asset records.

Hungary – National AI Law Enacted
Hungary enacted comprehensive AI legislation effective December 2025, creating the AI Market Surveillance Authority and Hungarian Artificial Intelligence Council. The law applies to all AI providers and users, with maximum fines reaching HUF 13.3 billion (approximately €33 million).

4) Strong Impact Tech

USA – OpenAI and Amazon Sign $38 Billion AI Infrastructure Deal
OpenAI secured a multi-year agreement with Amazon for AI infrastructure capacity, including hundreds of thousands of Nvidia processors through AWS. Full capacity deployment is expected by end of 2026, reflecting massive capital investment in next-generation AI systems.

USA – Meta Announces $600 Billion AI Infrastructure Investment
Meta committed to spending $600 billion over three years expanding US infrastructure and creating jobs through new data centers. CEO Mark Zuckerberg outlined the AI growth preparation plan, including recent investments in Louisiana and Texas facilities.

Other key information from the past weeks

Hong Kong – Privacy Commissioner Alerts LinkedIn Users on AI Data Use
Hong Kong’s Privacy Commissioner reminded users that LinkedIn began using personal data and public content to train generative AI models from November 3, 2025. The change affects Hong Kong, EU, and Canadian users under reviewed privacy settings.

APEC – Leaders Adopt Digital Transformation Declaration
APEC leaders adopted the Gyeongju Declaration committing to regional digital and AI transformation readiness. The joint commitment emphasizes collaboration in digital policy research, voluntary data sharing, and human-centered AI development approaches.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #149) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EU Explores Cloud and AI Act for Data Centre Sovereignty
Parliament analysts outlined how a forthcoming Cloud and AI Development Act could expand EU data-centre capacity, reduce reliance on US cloud providers, and foster secure EU-based services to strengthen digital sovereignty and competitiveness.

European Union – Meta to Offer Real Choice on Personalised Ads Under DMA
Under Digital Markets Act pressure, Meta agreed to give Facebook and Instagram users genuine choice between fully personalised ads and versions using significantly less personal data, starting January 2026.

2) Notable Case Law

South Korea – Coupang CEO Resigns After Breach Affecting 33.7 Million Users
South Korean e-commerce giant Coupang disclosed a breach affecting 33.7 million customers after attackers used active cryptographic keys to forge access tokens, exposing personal details for nearly five months.

United Kingdom – ICO Fines LastPass £1.2 Million Over Major Data Breach
The UK Information Commissioner’s Office fined LastPass £1.2 million after a cyberattack exposed data of up to 1.6 million UK users due to inadequate technical and organizational safeguards.

3) New and Upcoming Legislation

USA (Federal) – Trump Signs Order to Preempt State AI Laws
President Trump signed an executive order creating national AI policy to displace conflicting state laws, directing federal agencies to challenge state measures while exempting child safety and procurement rules.

Ireland – Government Approves Garda Facial Recognition Bill
The Irish Government approved publication of legislation enabling police to use facial recognition and biometric tools for serious crime investigations, subject to High Court judge oversight.

4) Strong Impact Tech

European Union – Commission Probes Google’s Use of Content for AI Training
The European Commission launched an investigation into whether Google abuses dominance by using publishers’ content and YouTube videos to train AI models without fair compensation or meaningful opt-out.

South Africa – WhatsApp Settles With Regulator Over Data Compliance
WhatsApp reached an out-of-court settlement with South Africa’s Information Regulator over alleged non-compliance with local data-processing conditions, with confidential corrective measures agreed.

Other key information from the past weeks

Vietnam – Vietnam Passes First Comprehensive AI Law
Vietnam’s National Assembly approved its first Law on Artificial Intelligence, effective March 2026, establishing core principles, prohibited practices, and risk-based framework with centralized oversight.

Australia – Reddit Challenges Social Media Age Ban in Court
Reddit initiated High Court proceedings to overturn Australia’s ban on social media access for minors, arguing the regulation infringes upon free political dialogue and poses privacy concerns.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #150) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

France – CNIL Publishes Guidance on Analyzing AI Models Under GDPR
France’s CNIL published guidance helping AI providers assess whether their models store personal data from training and are subject to GDPR, building on the EDPB’s opinion on AI development.

Denmark – Datatilsynet Announces 2026 Supervisory Focus on AI Monitoring Technologies
Denmark’s Data Protection Authority published 2026 priorities focusing on AI monitoring in care settings, patient devices, employee tracking, and website tracking, signaling heightened healthcare and workplace scrutiny (Danish).

European Union – European Commission Publishes DMA Review Consultation Summary with 450+ Responses
The European Commission published all contributions from its Digital Markets Act review consultation, with stakeholders supporting DMA objectives while calling for expanded AI and cloud scope. The review report is due May 3, 2026.

2) Notable Case Law

European Union – EU Commission Orders X to Preserve All Grok Documents Until End of 2026
The European Commission instructed X to retain all Grok-related records through December 31, 2026, as it examines Digital Services Act compliance following criticism over AI-generated harmful imagery.

United Kingdom – UK Prime Minister Starmer Seeks International Coalition Against X Over AI-Generated Abuse Images
UK Prime Minister Starmer is building an international “coalition of decency” after X’s Grok enabled non-consensual imagery creation, with the government supporting potential enforcement action under the Online Safety Act.

3) New and Upcoming Legislation

European Union – European Parliament Confirms Digital Omnibus as 2026 Priority with Potential AI Act Timeline Delays
The European Parliamentary Research Service confirmed the AI Act will fully apply from August 2, 2026, but the proposed Digital Omnibus could delay certain high-risk system deadlines to late 2027 and 2028.

Netherlands – Ministry Delays Cybersecurity Act Entry Into Force to Q2 2026
The Dutch Ministry confirmed NIS2 Directive transposition into the national Cybersecurity Act is delayed until Q2 2026, with the existing Security of Networks and Information Systems Act remaining in effect.

4) Strong Impact Tech

USA – Meta Strikes Nuclear Power Agreements Worth 6.6 GW to Support AI Infrastructure
Meta announced agreements with Vistra, TerraPower, and Oklo to secure up to 6.6 gigawatts of nuclear capacity by 2035, including 20-year deals and funding for eight new advanced reactors.

European Union – EU Antitrust Regulators Set February 10 Deadline for Google’s $32 Billion Wiz Acquisition
EU antitrust regulators will decide by February 10, 2026, whether to approve Alphabet’s $32 billion Wiz acquisition, Google’s largest deal ever, or open a full investigation.

France – Macron Calls for Deepening EU’s Digital Rules in Face of US Pushback
French President Macron urged Europe to defend its Digital Services Act and Digital Markets Act, emphasizing European digital sovereignty as Washington criticized EU tech regulations.

Other key information from the past weeks

Brazil – ANPD Extends Digital ECA Compliance Deadline to February 13
Brazil’s ANPD extended the deadline for 37 tech companies to submit compliance information on the Digital Child and Adolescent Statute, including Amazon, Apple, and Google Brazil (Portuguese).

New Zealand – Privacy Commissioner Confirms Manage My Health Cyber Breach Notification
New Zealand’s Privacy Commissioner confirmed Manage My Health reported a ransomware incident on January 1, 2026, affecting thousands of users’ sensitive health information including discharge summaries and referral letters.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #151) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On March 19, 2025, the German Administrative Court of Hanover (VG Hannover) issued a decision that has big implications for anyone using Google Tag Manager (GTM). The court ruled that GTM requires explicit user consent before it can load — even if GTM itself doesn’t use cookies.

This ruling has caused understandable concern for website owners and marketers across the EU. Let’s break down what the court decided, what it means in practice, and how iubenda is approaching this development.

What the court decided

The court looked at how GTM works in practice and concluded that it is not just a neutral tool. Here’s why:

• Connection to Google servers: GTM contacts Google servers as soon as a page loads.
• Personal data transfer: IP addresses, device details, and referrer URLs are sent to Google automatically.
• Local storage: The GTM script (gtm.js) is stored on the user’s device.
• Hidden execution: GTM enables other third-party scripts to run, often before consent.

Because this happens before a user can give consent, the court found it violates both the GDPR and the German Telemedia Act (TTDSG).

The ruling also criticized invalid consent banners — for example, banners that make “Reject All” harder to find or use misleading symbols like “X” to imply consent. According to the court, these designs don’t count as genuine consent.

What this means for website owners

The main takeaway is simple:

• GTM requires explicit consent before loading.
• Consent must be informed and easy to refuse — no dark patterns.
• A Consent Management Platform (CMP) is not enough if GTM runs before the user makes a choice.
• Google’s Consent Mode 2.0 may not fully solve the compliance issue.

In short, GTM is not “just technical.” It’s a data processing tool, and that means it falls under EU consent rules.

iubenda’s approach

At iubenda, our Privacy Controls and Cookie Solution already give you two clear options for managing GTM in line with consent requirements:

1. Block tags inside GTM (granular approach)
   • In GTM, you can configure triggers to fire only after iubenda’s consent signals are received.
   • This means you can decide which tags are allowed for each consented purpose (e.g., analytics, marketing).
2. Block the GTM script itself (non-granular approach)
   • You can assign GTM to a specific purpose in iubenda.
   • With this setup, the entire GTM container will only load once a user gives consent for that purpose.

By default, our generator currently categorizes GTM as a strictly necessary service, which means it is not blocked automatically. This choice was made because blocking GTM at the script level can cause technical issues for many websites.

However, if you prefer to apply the strictest interpretation of the German court ruling, you can switch to one of the two blocking methods above to ensure GTM only runs after user consent is collected.

Will iubenda block GTM automatically?

Not at this time. Here’s why:

• The VG Hannover decision is regional and not yet binding across the entire EU.
• Automatically blocking GTM would disrupt many websites, and it’s not yet clear whether this will become the EU-wide standard.
• Our users already have the tools to choose stricter compliance and manage GTM accordingly.

We’re closely monitoring the situation, and we’ll update our recommendations if the legal landscape changes.

What you can do today

If you want to apply the strictest standard immediately, you have two options with iubenda’s Privacy Controls and Cookie Solution:

1. Block the GTM script until consent is given
   • Assign GTM to a specific purpose in iubenda (for example, “Marketing”).
   • The GTM container will only load after the user consents to that purpose.
   • This option is simpler but less flexible, because all tags wait for consent together.

   

2. Control tags inside GTM (granular consent)
   • Set up GTM triggers to listen for iubenda’s consent signals.
   • Allow or block each tag depending on the purposes the user has agreed to (e.g., Analytics, Remarketing).
   • This option takes a bit more configuration, but it gives you full control and aligns closely with GDPR requirements.

Both methods are supported by iubenda. Which one you choose depends on your compliance strategy and the level of risk tolerance you want to adopt.

The German court’s decision is a reminder that even tools considered “technical” — like Google Tag Manager — can have significant data protection implications. For now, we are not enforcing automatic GTM blocking in our products, but we give you the flexibility to decide how to configure GTM for your business.

As always, we recommend keeping a close eye on legal developments and ensuring your consent banner offers users a real, transparent choice.

The post Google Tag Manager and GDPR: What a Recent German Court Decision Means appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The pricing of the iubenda WayWidget product is based on the number of pageviews your website receives. What do we mean by that?

What is a pageview?

One pageview is counted when a user visits any page on which the WayWidget is active.

How are pageviews calculated?

In more technical terms, pageviews are calculated following the number of executions of the WayWidget script. Whenever the WayWidget code runs, our software records a pageview.

Pageviews are not recorded only at the first visit of each user, but also during all subsequent visits. The reason is that our WayWidget must keep being active, and its script keeps running continuously.

In fact, the parameters selected on the WayWidget (e.g., aligning all text to the right) are instantly applied as well as saved for future visits, so users don’t need to select them again.

Why is the iubenda pageview count different from other analytics tools?

The number of pageviews calculated by our software may differ from those calculated using other software such as Google Analytics, ShinyStat, or Matomo/Piwik.

This difference is because other tools typically use different metrics, like the number of visitors or the number of sessions.

The post How Are the WayWidget Pageviews Calculated? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On this page, you can find information about which data from the products you use can be exported, in which formats, as well as known restrictions, technical limitations, and details on international governmental access and jurisdiction.

• Dataset: team admin details, activated and installed products, timestamp of the user’s takeout request, email addresses of team members and their roles, payment history and subscription plan details for each website, owner information, site business and service preferences, metadata about Cookie Banner installation (color, positioning, etc.), CS analytics (page views, consent percentage, etc.), custom clauses, CPL, metadata about widget installation, export of Whistleblowing Management Tool requests and related data (text, email, phone number, etc.), export of Data Subject Rights Management Tool data (user consents, etc.), and export of Newsletter Opt-in Booster subscriptions (creation date, subject, source).
• Formats: JSON
• Standards/specs: UTF-8
• Notes: clauses protected by intellectual property rights are non-exportable; the dataset above includes data relating to all products, therefore some of the listed data may apply only to specific products.

Jurisdiction to which the ICT infrastructure deployed for data processing of services is subject: Italy.

To ensure the lawful and secure handling of EU-held non-personal data, we have established the following technical, organisational, and legal safeguards to prevent international governmental access or transfers that would conflict with EU or Member State law:

• Technical measures: cryptography; EU Cloud; EU-only key management; access management with admin access from EEA only; yearly audits; ISO 27001 certification.
• Organisational and legal measures: business continuity and incident management procedures; cloud security procedures; designated legal team to assess any government requests; employees' training; suppliers' qualification and monitoring procedure; data deletion policy; records of requests maintained; notice to customers.

If you would like to know more about the measures in place, please refer to Annex I of the DPA at this link.

The post Data Export Register – Dataset, Formats, Standards, Jurisdiction appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The European Commission published its Digital Omnibus Regulation proposal on November 19, 2025. For anyone working in digital compliance, this is worth paying attention to.

The proposal aims to simplify and modernize Europe’s regulatory framework by amending several key laws, including the GDPR, ePrivacy Directive, Data Act, NIS2, eIDAS, DORA, and CER.

The text will evolve as it moves through the EU legislative process. But the trajectory is promising, and we’re committed to helping you understand what’s ahead.

Before we dive in, here’s what you need to know: this is a proposal, not law. The text is at an early stage and may change substantially as it moves through the EU legislative process. The principles and obligations outlined aren’t yet in force or enforceable. Until the Regulation is formally adopted, the existing legal framework (including the GDPR and other relevant laws) continues to govern data processing activities.

View timeline: From proposal to law (click to expand)

Cookie consent gets a refresh

The proposal moves the ePrivacy cookie rule into the GDPR as new Article 88a. Consent remains the general rule for storing or reading information on devices, but with important updates.

Here’s what’s changing:

• No-consent exceptions added: A closed list now covers transmission, strictly-necessary cookies, first-party audience measurement for your own services, and security of the service or device.
• One-click accept and reject required: Cookie banners must make both options equally easy to choose.
• Six-month cooling-off period: Sites can’t keep re-asking users after they refuse consent for at least six months, unless something relevant changes in your processing activities.

What’s not changing:

• Consent stays central: You’ll still need consent for advertising, profiling, cross-site tracking, and third-party analytics. The proposal doesn’t weaken these requirements.

Machine-readable preference signals

Article 88b introduces something new: machine-readable preference signals. Think browser settings that communicate consent or objection automatically. Controllers will need to honor these signals, and browser vendors will gradually need to support them.

This could fundamentally change how consent flows across the web, moving some choices upstream to the browser level while maintaining user control.

GDPR updates worth noting

The proposal brings several practical changes to the GDPR:

Personal data and pseudonymization

The definition of personal data is narrowed. The key question becomes whether a given controller or recipient has the means to “reasonably ” identify someone. Just because someone else can identify a person doesn’t automatically make that data personal for everyone.

What this means: The Commission, working with the European Data Protection Board (EDPB), can adopt criteria for when pseudonymized data no longer counts as personal data for specific entities.

Right of access gets anti-abuse protections

Article 12 is amended so controllers may refuse access requests or charge a reasonable fee where requests are clearly abusive. This covers scenarios like:

• Harassment campaigns
• Speculative compensation claims
• “Pay me and I’ll withdraw the request” schemes

The burden of proof stays with the controller.

Transparency exceptions for low-risk situations

For low-risk, obvious situations (like local craftspeople or small clubs), controllers may rely on a wider exception where there are reasonable grounds to assume people already have the necessary information.

Standardizing DPIAs and breach notifications

The EDPB must propose EU-wide lists of processing that does or doesn’t require a Data Protection Impact Assessment (DPIA), plus a common template and methodology. The same goes for high-risk data breach notifications: a standard template and criteria that the Commission will turn into implementing acts.

Why this matters: This standardization could reduce compliance complexity, especially for organizations operating across multiple EU member states.

AI and personal data

The proposal’s recitals clarify that using personal data to train, test, and validate AI systems can rely on legitimate interest under Article 6(1)(f). The catch: you need a strict balancing test and safeguards in place.

Required safeguards include:

• Transparency about AI training use
• Unconditional right to object
• Privacy-preserving techniques
• Additional protections based on risk level

A narrow derogation is added for incidental special-category data in AI training sets where removal would be disproportionate. In those cases, the data must be strongly protected and not used to infer or disclose sensitive information. The usual Article 9(2) grounds still apply where special-category processing is actually needed.

Other changes to note

Single EU entry point for incident reporting

A single EU entry point is created for cybersecurity and personal data incident reporting. GDPR controllers will use it for breach notifications, cutting duplicate reporting under NIS2, GDPR, eIDAS, DORA, and CER.

The benefit: This consolidation addresses a real pain point for organizations juggling multiple reporting obligations.

Data Act adjustments

The Data Act gets several updates:

• Stronger trade-secret safeguards
• Business-to-government (B2G) data sharing is limited to public emergencies
• Lighter regime for some cloud contracts
• Open Data Directive and Data Governance Act folded into it

The Platform-to-Business Regulation (P2B) is repealed as largely superseded by newer platform rules.

What this means for your business

This proposal points to where EU privacy regulation is going, and it’s a future we welcome.

Greater user control. Streamlined requirements. Standardization that actually helps. These aren’t just policy goals; they’re the foundation of what we’ve been building at iubenda since the beginning.

“The Digital Omnibus is not law, yet. And until it is, GDPR and ePrivacy compliance remains exactly as you know it. What will not change, even under the future regime, is the need for a robust operational layer translating legal requirements into technical enforcement. That’s still your CMP. Global signals and automation don’t replace CMPs; they make them indispensable, because someone still needs to bridge abstract rights and concrete code.”

Giulia Stancampiano, Product Legal Manager Privacy, iubenda

We’re committed to playing an active role as this proposal takes shape, helping ensure it works in practice for businesses and their customers alike.

The legislative process takes time, but we’ll be with you every step of the way, turning regulatory change into clear, actionable guidance.

Frequently asked questions

What is the Digital Omnibus Regulation?

The Digital Omnibus is a proposal from the European Commission that amends and harmonizes multiple EU digital laws, most notably the GDPR and the ePrivacy Directive, to reduce complexity, improve coherence, and modernize outdated provisions.

Is the Digital Omnibus Regulation in force?

No. The Digital Omnibus is still a proposal at an early stage of the EU legislative process. It may be substantially amended before adoption. Until it becomes law, existing regulations like the GDPR continue to apply.

When will the Digital Omnibus become law?

 There’s no fixed timeline.  EU legislative procedures typically take 12–30 months. Once adopted, the Regulation enters into force 20 days after publication. Its new obligations apply in stages (e.g., 6 months for the new cookie rules, 24 months for machine-readable signals).

Does the Digital Omnibus replace the GDPR?

No. The Digital Omnibus amends and updates the GDPR rather than replacing it. It proposes changes to specific articles, such as cookie consent rules and data breach notification procedures.

What changes to cookie consent does the Digital Omnibus propose?

The proposal would require one-click accept and reject options, preventing repeated consent prompts for at least six months after a refusal, and introducing machine-readable preference signals. It also moves the cookie rules into the GDPR (new Article 88a) and clarifies which limited purposes may rely on non-consent exceptions, such as first-party aggregated audience measurement and security.

Will I still need a cookie banner under the Digital Omnibus?

Yes. Consent management systems remain essential for handling user choices, managing proof of consent, and applying preferences correctly. What would change is that some users who set browser-level preferences may not see a banner, as the system would read their existing preference instead. However, media service providers may still request consent even when a global ‘reject’ signal is present.

How does the Digital Omnibus affect AI and personal data?

The proposal clarifies that using personal data to train AI systems can rely on legitimate interest under Article 6(1)(f), provided strict safeguards are in place: transparency, unconditional right to object, and privacy-preserving techniques. It creates a new Article 88c GDPR.

Do I need to do anything right now?

No immediate action is required. Your compliance obligations under GDPR and other existing laws remain unchanged. We recommend staying informed as the proposal evolves, and we’ll keep you updated on any developments that affect your compliance work.

The post Understanding the Digital Omnibus Regulation proposal: what it means for privacy and compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

As an app developer, you must comply with several requirements before publishing your apps and games on the main platforms like Google Play.

The Developer Policy Center is the central hub where Google Play outlines all these rules. It’s divided into sections that you can easily navigate to understand your requirements across various categories.

We’ve put together an overview of these requirements below, with links to the corresponding sections in Google’s policy.

Restricted content

Before submitting an app to Google Play, ensure it complies with content policies and local laws. Restricted content can take many forms, which we have outlined below.

Child endangerment

Google Play’s Child Endangerment policy bans any app that allows child sexual abuse material (CSAM) or enables exploitation, grooming, sextortion, trafficking, or sexualisation of minors.

Apps that target or appeal to children cannot include adult themes like violence, harmful activities, or body-shaming cosmetic features.

Social and dating apps must follow strict child safety standards. They need to:

• Clearly prohibit child sexual abuse and exploitation in their Terms of Service or community guidelines
• Offer in-app reporting mechanisms
• Act quickly to remove CSAM
• Comply with child safety laws
• Appoint a dedicated child safety contact

These rules are designed to protect children and hold developers accountable. Read more about the Child Safety Standards policy here.

Inappropriate content

Google Play’s Inappropriate Content policy bans apps that promote or include:

• Sexual content or explicit material
• Profanity or hate speech
• Gratuitous violence or violent extremism
• Bullying, harassment, or other harmful behavior

Apps cannot:

• Exploit sensitive events like disasters or deaths
• Sell or promote dangerous products such as firearms or explosives
• Sell marijuana, THC products, or unregulated tobacco and alcohol products, especially when targeting or encouraging minors

Some limited exceptions apply to content with educational, documentary, scientific, or artistic (EDSA) value, but it must not be gratuitous or exploitative.

Financial services

Google Play’s Financial Services policy aims to stop deceptive or harmful financial products.

The policy:

• Bans short-term personal loans that must be repaid in 60 days or less
• Bans high-APR loans in the U.S. with an APR of 36% or more
• Requires lenders to provide proof of licensing where needed

Personal loan and earned wage access (EWA) apps must:

• Clearly disclose repayment terms, APR, fees, and privacy practices
• Avoid requesting sensitive permissions like contacts or location

Real-money gambling and illegal activity

Real-money gambling apps like daily fantasy sports and gamified loyalty programs are allowed, but only under strict rules.

Other real-money games or contests involving wagers or real-world prizes are generally not allowed, unless they are part of approved pilot programs.

Gambling apps must:

• Be free to download
• Hold valid licenses in every jurisdiction where they operate
• Prevent underage access
• Display clear responsible gambling information
• Not use Google Play Billing for gambling transactions

Loyalty programs are allowed if they:

• Are tied to real transactions
• Follow fixed, transparent rules
• In non-game apps, disclose odds or selection methods for chance-based rewards

Gambling ads are permitted only if they follow local laws, do not target minors, and meet responsible gambling standards.

User-generated content

User-generated content (UGC) is any content users create and share inside your app that other users can see (including apps that act as browsers/clients for UGC platforms).

Apps with UGC must:

• Require users to accept Terms of Use before creating or uploading UGC
• Clearly define and ban objectionable content and behaviors in their policies
• Have ongoing, effective moderation suited to the type of UGC (with stricter controls for things like DMs, augmented reality, or public feeds)
• Offer in-app tools to report and block content and users, and act on reports
• Include safeguards so monetization does not encourage bad or harmful user behavior

Health content and services

Google Play’s Health Content and Services policy bans apps that expose users to harmful or misleading health information, unsafe medical claims, or unapproved substances.

Health and medical apps must:

• Provide accurate information and clear disclosures
• Include a privacy policy and use permissions responsibly
• Clearly state any required hardware or devices
• If providing regulated or research functions, give proof of approvals, affiliations, or ethics compliance when required

Apps may not:

• Sell prescription drugs without a valid prescription
• Promote unapproved health products
• Spread health misinformation

Blockchain-based content

Blockchain‑based content includes tokenised digital assets stored on a blockchain. Apps that offer these must follow strict rules. In particular:

• Cryptocurrency exchanges and wallets must use certified services and operate in regulated jurisdictions
• Apps must clearly declare any tokenised assets in the Play Console

• Cryptomining on user devices is not allowed
• NFT features must avoid gambling-like mechanics and should enhance gameplay, not act as wagers or purely speculative assets

AI-generated content

AI-generated content is material created by generative AI, such as chatbots or AI-made images and videos.

Apps using AI must:

• Follow all Google Play policies
• Prevent harmful or restricted content, including child exploitation and deceptive behavior
• Provide in-app reporting tools so users can flag offensive content, and use these reports to improve moderation and filters

Intellectual property

Apps and developer accounts may not infringe on others’ intellectual property rights (such as trademark, copyright, patent, trade secret, or other proprietary rights), or encourage users to do so.

Common violations include using:

• Cover art from music albums, video games, or books
• Marketing images from movies, TV shows, or video games
• Photos taken from a public figure’s social media
• Full reproductions or translations of books that are not in the public domain

Other requirements

You’ll find below other sections from Google Play’s policy that might be of interest to you.

Targeting children

Before submitting an app that targets children to the Google Play Store, you are responsible for ensuring your app is appropriate for children and compliant with all relevant laws.

SDKs

Third-party software development kits have several requirements and restrictions. If you include an SDK in your app, you are responsible for ensuring that their third-party code and practices do not cause your app to violate Google Play Developer Program Policies.

Monetization and ads

Google Play supports a variety of monetization strategies to help developers and users, including paid distribution, in-app products, subscriptions, and ad-based models. It requires you to comply with policies on payments, subscriptions, ads, and the Families Ads Program.

Store listing and promotion

Some additional guidelines relate to app promotion, metadata, user reviews and installs, user and content ratings, and news‑related apps.

Main restrictions

Dive deeper and find all details in the Google Play Developer Policy Center and the full Developer Program Policy

The post An overview of Google Play’s requirements and restrictions for app submission appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Change was in the air. On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal. You can think of it as an update of Europe’s privacy rulebook, including laws like the GDPR and ePrivacy Directive, to make them easier to apply without lowering protection for people.

Simplification, but without weakening privacy rights

It’s no secret. Everyone knows today’s cookie banners can be frustrating. Repeatedly clicking on a banner for every new site you visit is not valuable. The Commission wants to change this.

The Digital Omnibus proposal aims to simplify and modernize several key existing privacy laws. The idea is to reduce friction, improve user experience, while keeping strong user rights.

The proposal suggests:

• One-click “accept” and “reject” options at the same level on cookie banners (no multiple layers), and not asking again as long as consent is valid, or for at least six months after a refusal. This reduces repetitive consent requests that build “consent fatigue.”
• Smarter “central cookie management mechanisms”, so users can set their privacy preferences once, in a simple interface. This could mean browser- or OS-level “privacy switches”. A user might choose “reject tracking” or “only essential cookies” once, and websites would read and respect that preference automatically.
• Cookie rules to be moved into the GDPR, and a review of which situations can rely on exceptions (no consent needed), for example for security purposes, or basic, first-party, aggregated audience measurement.

What this means in practice

If you run a website, app, or online campaigns, there’s no need to panic. Quite the opposite. Compliance processes will become simpler for you and your users. Plus, this is still a proposal, not a final law:

• You do not need to change anything yet because of the Digital Omnibus.
• Your current obligations under the GDPR and other laws remain unchanged for now.
• You still need your cookie banner and CMP now and under the new rules, even if they may operate differently.

Realistically, most people won’t adopt browser-level settings immediately.

Over the years, users who have set global preferences may not see a banner at all, except when it needs to be displayed for specific purposes. Others, who haven’t set anything, will interact with banners as usual.

The proposal mentions that if you’re a media service provider, you will not be required to respect global preferences since you rely heavily on advertising to remain financially sustainable.

We recommend staying informed as the proposal moves through the EU legislative process. It’s currently expected to start applying sometime between 2026 and 2027. Here’s the European Commission’s announcement.

iubenda is ready and remains your trusted partner to keep privacy central but simple

At iubenda, we’re all about making compliance simpler for digital professionals. We keep both your business goals and your users’ privacy in mind in everything we do.

Rest assured, as privacy experts, we’re here to handle both the technical and legal details so you don’t have to. We’ll keep supporting you with all aspects of digital compliance, not just cookies.

Stay tuned. We’ll inform you of any updates and help you implement them quickly and confidently.

The post The European Commission’s proposal for new cookie rules: our first look at potential implications appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal as part of its wider Digital Package.

By amending cornerstone laws such as the GDPR, the ePrivacy Directive, the Data Act, and the AI Act, the proposal targets practical issues around things like cookies and consent, personal data, and AI. The purpose is clear: simplify and modernize the EU’s digital framework.

At the same time, the proposal has triggered intense public debate. Some view it as a necessary update to keep Europe competitive and reduce friction for users and businesses; others warn against any perceived “rollback” of fundamental rights.

In this context, the voices of those who build and operate digital compliance every day are crucial.

As a Consent Management Platform (CMP), we sit at the intersection of regulation, technology, and user experience. That’s why we are actively contributing to the discussions shaping the Digital Omnibus.

Why the Omnibus matters

The Commission frames the Digital Omnibus as a competitiveness and simplification initiative, intended to cut red tape and give organisations clearer, more coherent obligations across the digital landscape.

For privacy and cookies in particular, the proposal is designed to:

• Limit consent fatigue and limit repetitive, confusing banner requests.
• Reduce compliance costs by simplifying time-consuming and costly legal requirements.
• Align overlapping laws, especially where the GDPR and ePrivacy Directive currently interact in complex ways.
• Provide legal clarity on areas that have proven vague or outdated in practice.

Engaging in discussions with the European Commission

Speaking with a united CMP voice: our joint submission to the Commission

When the Commission opened its call for evidence and public feedback on its initiative, it explicitly invited stakeholders to share concrete ideas for simplifying rules without weakening protection.

As a leading European CMP, we joined forces with other CMP providers to submit a joint response to the Commission. Our goal was to ensure that the practical reality of consent management on the ground is reflected in the future legal framework.

In our joint feedback, we stress a core point:

It must be recognised that online consent goes beyond cookies. CMPs play a key role in obtaining consent for all non-essential treatment of data, for all types of technologies.

We argue that the conversation must move from “cookie banners” to “consent infrastructure”. If the EU goes toward central consent management inside browser mechanisms, it should promote an interoperable model.

Users should be able to choose trusted tools that can communicate seamlessly with browsers and apps to provide a transparent user experience.

European CMPs stand ready to support the Commission in designing practical, future-proof solutions that combine ease of compliance for businesses with genuine control for users, creating a model of European digital trust by design.

Concretely, we recommend that any future rules:

• Require browsers that offer central consent features to expose open APIs that CMPs can use. CMPs will still be needed to determine whether cookies and tracking technologies can be installed, to manage proof of consent, and to apply consent or refusal correctly.
• Protect genuine, granular consent. GDPR consent must remain specific, contextual, and be collected in a transparent way by neutral, independent tools.
• Simplify without centralising power. As reinforced in the Digital Markets Act, simplification must not mean concentrating control of the consent layer in a handful of browsers, which would risk gatekeeper issues.

Bringing real-world insights: our technical contribution

Following our joint feedback, key contributors, including our CPTO and Head of Frontend Engineering, took part in a dedicated roundtable with European Commission policymakers.

Matteo Colucci, our Head of Frontend Engineering, says that “the main purpose of the meeting was to open a dialogue between the European Commission and CMPs”, to ensure that all perspectives were taken into account.

He describes that participants brought hands-on implementation experience into the room, clarifying:

• The essential role of banners and CMPs in enabling users to exercise their rights.
• What really drives consent fatigue and how it could be improved (accessing user preferences across multiple contexts).
• That any new model must keep transparency central and make sure users are aware of and know how to exercise their privacy rights.

The Commission is meeting with a broad range of stakeholders, like advertisers and publishers, and we expect further discussions.

In the words of our CPTO Filippo Barra, “the Commission demonstrated its willingness to leverage industry expertise and collaborate with CMP counterparts.”

The post Inside the Digital Omnibus: our experts’ contributions appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is the Digital Omnibus?

The Digital Omnibus proposal is the European Commission’s plan to simplify and modernize several key EU digital laws, including the GDPR and the ePrivacy Directive.

The goal is to reduce friction and improve user experience, without weakening people’s rights.

It touches a wide range of topics: cookies and consent, use of personal data and AI, pseudonymization, and GDPR rights.

A big focus is on fixing today’s consent experience. The Commission knows that constantly clicking through cookie banners on every new site is quite tedious. The Omnibus proposal tries to ease that pain while keeping a robust privacy framework in place.

What practical changes should marketers expect?

The main changes you should be aware of concern cookie banners and consent, as well as how preferences are expressed.

1. Central consent mechanisms and signals

To reduce being prompted with the banner repeatedly, the proposal looks at “central cookie management mechanisms”, such as browser or OS-level privacy settings. Think of a simple switch like:

• “Reject tracking”
• “Only essential cookies”

Users could set this once, and websites would then read and respect that choice automatically via machine-readable signals.

2. Cookie rules moving into the GDPR and clarifying consent exceptions

The rules on storing or accessing information on a user’s device (cookies and similar tech) are expected to be moved into the GDPR and paired with clearer exceptions where no consent is needed. Key examples:

• Strictly necessary cookies, for the transmission of a communication or to provide a service the user explicitly requested.
• First-party, aggregated audience measurement, when you measure your own audience for your own use only, without sharing or selling the data, and without using it for other unrelated purposes.

3. Updated banner rules to reduce consent fatigue

Here’s what The Omnibus suggests:

• When a banner is needed, a single-click “Reject” option must be as visible and easy as “Accept” (this requirement was already commonly enforced at a member-state level).
• You can’t re-ask for consent while it remains valid.
• If a user refuses, you can’t re-prompt them for the same purpose for at least 6 months.

Will cookie banners disappear?

No. The European Commission wants to avoid users being prompted with banners again and again, not to remove consent or banners altogether.

In practice:

• Banners will still be the main way most users give consent, especially those who never touch browser/OS privacy settings. Some users will set global preferences; in those cases, your CMP can read the signal and skip the banner.
• You will still need a Consent Management Platform or equivalent system to enforce whether tracking can run, keep proof of consent, and let users review and update their choices.

What should marketers do now?

No action is needed now. The Digital Omnibus is still a proposal, not a final law. Until it’s adopted and the application dates arrive:

• Your current obligations under the GDPR and ePrivacy remain unchanged.
• You do not need to change your setup because of the Omnibus.

When will the proposal take effect?

The proposal was published on 19 November 2025, but it is not yet law. The text can change substantially at any stage during European Parliament and Council negotiations.

If and when it is adopted, it will apply in stages. Each requirement will apply months after entry into force (from 6 to 48 months).

The Omnibus is intended to be an EU Regulation, meaning it will apply directly and uniformly across all Member States.

So this is a multi-year transition, not an overnight change. You’ll have time to adapt, and your digital compliance tool, including iubenda, will guide you through the practical steps.

The post Your questions answered: what the EU Omnibus proposal means for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But GDPR compliance is about more than avoiding fines. It’s about building trust with your customers – showing them that their personal data is safe in your hands. In a time when data breaches and privacy scandals can seriously damage a brand’s reputation, being compliant gives you a competitive edge.

What Does GDPR Mean for E-Commerce Businesses?

The GDPR applies to any business that processes personal data of individuals in the EU and that includes nearly every e-commerce shop. Whether you’re running a small online store or managing a large retail platform, if you’re collecting names, email addresses, payment details, or tracking customer behavior through cookies, the regulation affects you.

But what exactly does “processing personal data” mean?

According to the GDPR, personal data is any information that can identify an individual directly or indirectly. This includes obvious identifiers like names and email addresses, but also IP addresses, location data, purchase history, and even behavioral data gathered through analytics tools.

Your responsibilities as a shop owner

As an e-commerce business, you are considered the data controller, meaning you determine the “why” and “how” of processing personal data. That comes with legal responsibilities:

• You must have a lawful basis for every data processing activity, from sending newsletters to handling payments.
  
  
• You need to inform users transparently about what data you collect and why – typically through a clear and accessible privacy policy.
  
  
• You are required to protect that data through technical and organizational measures.
  
  
• And you must enable your customers to exercise their rights, including the right to access, delete, or correct their data.
  
  

Non-compliance can be costly: regulators can impose fines of up to €20 million or 4% of your global annual revenue whichever is higher. But more importantly, failing to comply can undermine customer trust, damage your brand, and cause irreversible harm to your business.

The good news? GDPR compliance is manageable especially if you understand the core principles and build a privacy-first infrastructure.

What does GDPR compliance require in practice?

For e-commerce businesses, GDPR compliance isn’t just about adding a checkbox or updating a privacy policy. It’s about building a transparent, secure, and user-centric data ecosystem across your entire online shop from checkout to backend infrastructure.

Transparency starts with clear communication

Every online shop processes personal data, whether it’s a shipping address, email, or even a behavioral profile for product recommendations. According to the GDPR, you must clearly explain what data you collect, why, and on what legal basis. That information needs to be presented in a privacy policy that’s easy to understand and easy to find.

For example, if you use behavioral analytics to improve your shop, you need to state that explicitly, including who provides the tool (like Google Analytics or Hotjar), whether data is transferred internationally, and how long it’s stored. Tools like Privacy and Cookie Policy Generator make it easier to generate legally accurate, tailored policies that evolve with your tech stack.

Consent is more than a popup

Under GDPR and the ePrivacy Directive, you can’t simply notify users about tracking — you need active, informed consent for non-essential cookies. That includes analytics, A/B testing, marketing pixels, and embedded third-party content.

What does that look like in practice? A compliant cookie banner that doesn’t pre-tick boxes, provides granular choices (e.g., marketing vs. functional), and stores consent logs for audit purposes. It also needs to be revocable at any time, with just one click.

The same applies to email marketing: opt-in must be voluntary and documented. No soft opt-ins. No bundled checkboxes. No tricks.

Only collect what you need

GDPR is built on the idea of data minimization: collect only the personal data necessary for a specific purpose. That means reviewing all data fields on your forms and checkout pages.

Do you really need a customer’s phone number for a downloadable product? Do you store newsletter sign-ups indefinitely, even if a user never confirms?

Limiting data collection reduces your legal risk and increases user trust. It also makes compliance with other GDPR requirements (like data access or erasure) much easier in the long run.

Security isn’t optional

Article 32 of the GDPR requires businesses to implement “appropriate technical and organizational measures” to protect personal data. That’s not just a legal obligation; it’s also essential for brand trust and customer retention.

These measures include:

• Encrypting all data in transit with SSL/TLS certificates,
  
  
• Strong access controls with role-based permissions,
  
  
• Regular updates and patching of your shop system and plugins,
  
  
• Protection against attacks, such as firewalls and malware scanners,
  
  
• Secure backups and recovery strategies in case of data loss.
  
  

The challenge for many businesses is that these technical safeguards often depend on their infrastructure partner.

Empowering your users

Finally, GDPR gives users clear rights, including the right to access their personal data, correct inaccuracies, request deletion, or receive a copy in a portable format. As a shop owner, you must ensure these rights can be exercised easily and efficiently.

This means:

• Establishing internal workflows to process requests within the 30-day GDPR deadline;
• Mapping how data flows through your shop and third-party tools;
• Clearly listing user rights in your privacy policy, ideally with a direct contact form or DPO email address.

Example: If a customer requests deletion of their account, your system should trigger a checklist — remove order history from the frontend, anonymize transactional data where legally required, and confirm completion via email.

These steps not only fulfill your legal obligations but also demonstrate transparency, strengthening user trust and reducing the risk of formal complaints or supervisory intervention.

Why your hosting infrastructure matters more than you think

When we talk about GDPR compliance in e-commerce, most businesses immediately think of cookie banners, privacy policies and email opt-ins. All of that is important, but there’s a deeper layer that’s often overlooked: your technical infrastructure.

GDPR doesn’t just regulate what data you collect, it also regulates how you store, protect, and process that data. And much of that happens on the server level.

A secure online shop starts with the foundation — hosting. According to the GDPR, hosting providers are generally considered processors because they process personal data on behalf of others, regardless of whether they actively access it.

That means:

• You must conclude a data processing agreement (DPA) in accordance with Art. 28 GDPR.
• The provider should host in compliance with GDPR, ideally within the EU.
• Certifications such as ISO 27001 or SOC 2 provide additional security and transparency.

If your server is located outside the EU, if backups aren’t encrypted, or if your shop shares resources with unknown third parties, you may be exposed to compliance risks without realizing it.

That’s why the choice of hosting provider is not just about performance or price, it’s about trust, transparency, and legal accountability.

Questions you should ask:

• Where are the servers physically located?
  
  
• Who has access to customer data and how is it logged?
  
  
• Are security updates handled proactively?
  
  
• Can you get audit logs or proof of data protection measures if needed?
  
  

If your hosting provider can’t answer these questions clearly, it’s time to reconsider.

maxcluster: GDPR-ready infrastructure for e-commerce

For high-performance shops that need legal certainty, maxcluster offers an e-commerce-focused hosting platform. Here’s how they support your GDPR compliance:

• 100% EU hosting: All servers are located in ISO 27001–certified data centers in Germany. No hidden third-country transfers.
  
  
• 24/7 proactive monitoring: Security issues are identified and resolved before they become a problem with real-time alerting and patch management.
  
  
• Differentiated authorization management ensures that only authorized individuals can access specific types of data.

More than 1,500 online shops trust maxcluster to keep their data and their customers’ data secure. Whether you run on Magento, Shopware, WooCommerce or a custom stack, they tailor your infrastructure to meet legal, technical, and business requirements.

Hosting is the foundation of compliance

The most polished privacy policy or elegant cookie banner won’t protect your customers if your server is compromised. True compliance starts with the infrastructure that powers your shop.

Choosing the right hosting provider is one of the most impactful and often overlooked steps toward GDPR compliance. And it’s one of the few that directly supports both your legal duties and your business resilience.

Conclusion

Let’s face it: GDPR compliance isn’t always simple. It requires attention to detail, technical expertise, and ongoing effort. But it’s also a chance to strengthen your business by building trust, reducing risk, and ensuring that your operations are future-proof.

As an e-commerce business, your responsibility goes beyond just installing a cookie banner or copying a privacy policy template. You’re expected to actively protect personal data through secure processes, transparent communication, and reliable infrastructure.

Here’s what you can start doing today:

• Review your privacy policy and data collection workflows
  
  
• Make sure all tools and processors are GDPR-compliant
  
  
• Implement robust data security practices (incl. 2FA, access control, backups)
  
  
• Choose a hosting provider that supports your compliance goals, not just your performance needs
  
  

And if you’re looking for a hosting partner that understands both e-commerce and compliance, maxcluster is here to support you. Our infrastructure is built for high-performing online shops with high standards both technical and legal.

With the right foundation, GDPR isn’t a roadblock. It’s your competitive advantage.

The post GDPR Compliance in E-Commerce: What Online Shops Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Ready? Let’s jump straight into what’s changed.

New plan for our accessibility widget

Our AI-powered accessibility widget now has a Standard Plan, ideal for high-traffic websites or advanced needs like preset accessibility profiles.

• Up to 1 million monthly pageviews
• Preset profiles (vision impairment, ADHD, and more)
• 10% discount with annual payment

See the difference between Lite and Standard

The Standard Plan is available on new subscriptions and coming soon to pre-2023 legacy ones.

Clauses update for mobile apps and e-commerce

Two important updates in our Terms and Conditions Generator:

Mobile apps

A new Google Play clause on child abuse prevention was added for social and dating apps. You can include it in the generator under “Acceptable Use” and “Mobile App”.

E-commerce

The EU’s ODR platform for online shopping disputes was shut down on July 20, 2025. This clause will be fixed the next time you update your Terms and is no longer available for new projects.

Access your dashboard

Coming soon: Custom position and style in our WayWidget

We’re putting the final touches on two major updates coming in the next few weeks:

• Custom positioning & styling. Match the widget’s appearance to your site’s look and feel.

• Enhanced iubenda widgetLet users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,200+ users.

In case you’ve missed it

Google is enforcing Consent Mode

Avoid losing data in Google Ads and Analytics with our certified solution.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Read the guide for more details.

1-Click Shopify Installation

Bring iubenda’s cookie banner to your Shopify store in seconds. Just one click, no manual coding. Check our guide for more information.

The post New plan for the WayWidget and updated clauses in our T&C Generator (August-September 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Germany – BfDI Updates GDPR and BDSG Guidance Brochure
The Federal Commissioner for Data Protection updated comprehensive guidance (in German) covering GDPR-BDSG relationships, lawful processing bases, data protection principles, DPO requirements, and data subject rights with practical implementation examples.

Luxembourg – CNPD Publishes AI Literacy Guidance Under EU AI Act
The authority provided a framework for Article 4 AI literacy requirements, emphasizing tailored employee training based on experience levels, risk assessment for AI-affected individuals, and development of appropriate oversight mechanisms.

Norway – NSM Releases National Cyber Incident Response Framework
The National Security Authority established a collaborative approach between businesses and National Cyber Security Center (in Norwegian), requiring compliance with ICT security principles, third-party supplier reviews, and systematic incident handling processes.

Canada – OPC Launches Children’s Privacy Code Consultation
Privacy Commissioner initiated stakeholder consultation to clarify PIPEDA obligations for children’s data until August 19, 2025. The consultation covers privacy by default and privacy rights, transparency requirements and deceptive practice avoidance.

2) Notable Case Law

USA – FTC Fines Companies $145 Million for Telemarketing Violations
Assurance IQ fined $100 million and MediaAlpha $45 million for deceptive healthcare plan marketing. In addition, MediaAlpha also carried out unauthorized robocalls to Do Not Call Registry numbers, and misled consumers about coverage benefits.

3) New and Upcoming Legislation

Greece – ADAE Issues Electronic Communications Privacy Regulations
Decision 304/2025 requires providers to establish security policies, conduct risk assessments, implement incident reporting procedures to ADAE, and maintain employee training and encryption standards for network protection (in Greek).

USA (Federal) – Senate Introduces Trustworthy AI Validation Act
Legislation mandates NIST Director develop voluntary AI assurance guidelines within one year, addressing harm mitigation, consumer privacy, governance controls, and dataset quality with biennial reviews.

4) Strong Impact Tech

USA – State Attorneys General Challenge Instagram Location-Sharing Feature
Multiple AGs expressed concerns about Meta’s Instagram location feature risks to vulnerable populations, recommending minor access restrictions, adult user risk alerts, and simplified disable controls for enhanced safety.

United Kingdom – Law Commission Examines AI Legal Personality Framework
Discussion paper explores AI autonomy, adaptiveness, and potential legal personality grants, emphasizing need for legal evolution amid rapid AI advancement while considering implications of non-personality scenarios.

Other key information from the past weeks

France/Netherlands – Air France and KLM Third-Party Data Breach
Forbes reported that a breach in a third-party customer support tool exposed passenger names, contact details, and loyalty numbers, linked to a phishing campaign targeting Salesforce platforms. Authorities have been notified.

Switzerland – PostFinance Voice Recognition Violation
The Swiss Federal Data Protection and Information Commissioner (FDPIC)  ruled against PostFinance AG for unlawful biometric voice recognition collection in violation of proportionality principles. The bank used opt-out rather than express consent and was ordered to obtain proper consent and delete existing voiceprints. However, it has appealed the FDPIC’s decision to the Federal Administrative Court.

USA – GameStop Settles Facebook Data Sharing Case for $4.5 Million
Settlement covers unauthorized customer data sharing via Facebook tracking pixels between August 2020-April 2025 without proper consent. Claims deadline was August 15, 2025.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #146) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

1-Click Shopify Installation

Privacy Controls and Cookie Solution

Adding iubenda’s cookie banner to your Shopify store is now easier than ever:

• One click – Connect Shopify in one click.
• Automatic app installation – The system installs our app and embeds all necessary code for you.
• No code – No more multiple code snippets or manual integrations: just configure your cookie banner.

Already installed your cookie banner? No action needed—this update is for new and ongoing installations.

Try 1-Click Shopify Installation

Coming soon: More powerful, customizable accessibility widget

WayWidget

We’re putting the final touches on major updates to WayWidget (formerly Accessibility Solution), your AI-powered tool for making websites more accessible with ease.

Here’s what’s coming in the next few weeks:

• Custom positioning & styling: Match the widget’s appearance to your site’s look and feel.
• Enhanced iubenda widget: Let users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,000+ users.

In case you’ve missed it

Control access with teams

We’ve updated our Teams feature, allowing you to create teams to organize your projects and easily move sites between teams.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Try it now or read the guide.

The post 1-Click Shopify Installation, improved WayWidget, and more (July 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What’s the true cost of ignoring email marketing compliance?

For noicompriamoauto.it, one of Italy’s well-known online car dealers, it was €45,000.

That’s the amount the Garante (the Italian data protection authority) fined a business for failing to comply with key privacy rules around email marketing.

The case serves as a cautionary tale for any organization using email to promote products (especially if your opt-in flows aren’t airtight).

But here’s the good news: this kind of penalty is completely avoidable.

Let’s take a closer look at what went wrong, what the Garante expects, and how iubenda can help you stay on the right side of compliance.

Firstly, what happened?

The Garante’s investigation was triggered by a user complaint.

They said they’d received unsolicited promotional emails from multiple unknown third-party senders – all partners of noicompriamoauto.it. Worse still, when the user submitted a data subject rights request, it was ignored.

The Garante’s recommendation: Double opt-in is a minimum safeguard

Although Italian law doesn’t explicitly require double opt-in for promotional emails (DEM), the Garante made its stance clear in this case:

Double opt-in is a best-practice safeguard that protects both users and businesses.

Here’s why double opt-in matters:

• It asks users to confirm their subscription via a second step, usually an email link
• It provides strong evidence that consent was freely and clearly given
• It reduces the risk of spam complaints and misuse

That makes it one of the most effective tools for compliant email marketing.

How iubenda keeps your email marketing legally covered

Our Newsletter Opt-in Booster has double opt-in built in by default – so you don’t have to think twice.

With it, you can:

• Embed GDPR-compliant opt-in forms with pre-configured legal language
• Automatically log consent for full audit readiness
• Seamlessly integrate with your favorite email marketing platforms – from Mailchimp to HubSpot

It’s ideal for marketers, developers, and compliance professionals who want to grow their email list while staying compliant.

What about user rights?

The Garante case wasn’t just about consent – it also involved a delayed data subject request.

Under GDPR, users have the right to:

• Request access to their personal data
• Ask for that data to be deleted
• Object to how their data is being used

And companies are required to respond within strict deadlines.

The Data Subject Requests Management Tool from iubenda helps you:

• Receive and process user rights requests easily
• Track all actions taken for compliance logs
• Automate responses and task assignments within your team

The takeaway: Prevention is better than a €45,000 fine

This fine wasn’t the result of malicious intent. It was a lack of process, oversight, and the right tools.

About us

GDPR compliance for your site, app and organization

www.iubenda.com

The post Why the Garante’s €45K fine should be a wake-up call for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Server-side tracking is emerging as a more effective solution. Introduced in 2020, it gained popularity over the past years due to higher transparency and the ability to address these problems.

How data loss and privacy regulations affect the performance of marketing campaigns

Browser restrictions, such as ITP in Safari, ad blockers, and privacy regulations, can result in a significant loss of data when running marketing campaigns. In the long run, it can have such consequences:

• Worse targeting and personalization. Highly personalized ad campaigns are becoming more challenging with restricted access to data on user behaviour and interactions with your website.
• Less precise conversion attribution. The restrictions on data tracking affect the accurate measurement of campaign performance and conversion attribution across different channels. Missing attribution data often leads to unassigned traffic in Google Analytics 4. 
• Inefficient campaign optimization. Inaccurate data prevents marketing platforms from optimizing ad campaigns effectively. It results in a decrease in key marketing metrics such as return on ad spend (ROAS) and conversion rates (CR).
• Insufficient marketing budget management. Business owners may waste a lot of money on campaigns that don’t bring the expected results, and the lack of reliable data makes it harder to spot such campaigns and optimize them.

Why server-side tracking is a game-changer for agencies 

To improve data quality and comply with privacy regulations, agencies use server-side tracking. Server-side tracking allows collecting data (user interactions or website events) directly from the user’s device to the server. This tracking method eliminates the need to rely on third-party services, offering more control over the data.

User data is gathered once consent is granted. Data from the website is transmitted to a cloud server, which then forwards it to third-party vendors and analytics platforms. The server acts as an intermediary, serving as a proxy between the website (or other data sources) and external tracking tools.

How server-side tracking works

Server-side tracking provides agencies with accurate information about user behavior. In this way, Farmasave, with the help of Tag Manager Italia, could reduce the gap between backend data and Google Analytics 4, cutting the discrepancy from 20% to just 6%. This improvement raised the accuracy of the data displayed and analyzed in GA4 to 94%.

Agencies can improve campaign cost-efficiency by using server-side tracking. For instance, this tracking method implementation helped increase the conversion rate of Decathlon Italia’s Facebook Ads campaigns while lowering the cost per click.

Consent management configuration on the server side allows tracking user consent more effectively. For example, by optimizing the layout of the cookie banner and configuring server-side tracking, MecShopping was able to double user consent rates from 24% to 50%.

Server-side tracking implementation path 

Implementing server-side tracking includes the following steps:

1. Choose a tag management system. The most versatile and popular is Google Tag Manager (GTM). It provides a wide range of tags, clients, and variables for the server GTM container, making it easier to implement server-side tracking for third-party platforms. With GTM, you get full control over your data.
2. Decide on a hosting platform for a server GTM container. There are a few options. The first platform that comes to mind for GTM users is Google Cloud Platform (GCP). However, the hosting price on platforms like GCP is higher compared to third-party platforms like Stape. In addition, this hosting platform offers other benefits, such as a Demo account to pitch clients, an  Agency account to manage clients’ containers in one place, or built-in Analytics to measure the impact of server-side tracking setup.
3. Configure server-side tracking for the required platform. The configuration process will depend on the platforms your client uses (Meta, Google Ads, GA4, TikTok, etc.). Setting up tracking via a server GTM container requires more effort, but gives full flexibility. You’ll need to create a server container, configure clients and tags, and set up the connection to the web container. For agencies, this type of setup is ideal when you want to standardize tracking across multiple clients or build custom logic tailored to specific use cases. To get the most out of server-side tracking, it’s important to also add a protection layer for tracking scripts. For example, Stape provides additional features like Custom Loader (to increase resistance to ad blockers) and Cookie Keeper (to extend cookie lifetime in browsers like Safari). In combination with a custom tracking domain setup, you can improve data accuracy and conversion attribution for your clients.
4. Set up a server-side consent management. That’s an essential step, as server-side tracking still requires asking for the user’s consent before data collection. One of the most popular server-side Consent Management Platforms is iubenda. It is an easy-to-use platform that prioritizes privacy in its approach to collecting and processing user data. In addition, it is a highly customizable solution, so you can create an appealing design while staying compliant with data regulations.

Conclusion 

Data regulations such as GDPR and CCPA, the rise of ad blockers, and browser restrictions on cookie lifetime change the way the data is collected. Server-side tracking is a solution that lets agencies track data accurately. 

With the proper configuration, clients can get precise data and stay compliant with regulations. Explore how to configure server-side consent management using iubenda and GTM in Stape’s blog post and start benefiting from complete control over the data collection process.

The post How agencies can grow with server-side tracking: drive better ROAS without compromising privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s CNIL established comprehensive standards for analytics providers seeking consent exemptions under GDPR. The framework mandates exclusive use for anonymous traffic measurement without cross-domain tracking or profile matching. Key requirements include transparent user notifications, 13-month tracking limits, 25-month data retention periods, and regular assessment cycles. Third-party vendors may conduct comparative studies when maintaining isolated data collection systems per publisher client. Read the guidance here (in French) →
• The UK’s Information Commissioner’s Office has launched two public consultations on digital privacy. The first covers revised storage and access technology guidance incorporating Data (Use and Access) Act 2025 amendments, specifying five consent exceptions under PECR including transmission facilitation and essential services. Organizations must align activities with specified purposes and obtain consent for expanded usage. Access the storage guidance here → The second consultation reviews online advertising enforcement, examining when low privacy-risk advertising might proceed without consent, though behavioral profiling will still require explicit consent. Consultation periods end August 29 and September 26, 2025 respectively. Learn more about advertising enforcement here →
• The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the Commission’s GDPR amendment proposal within the fourth simplification Omnibus package. The proposal extends small-medium enterprise provisions to small mid-cap enterprises while introducing additional administrative burden reductions. Notably, the amendment would modify Article 30(5) GDPR record-keeping obligations, providing expanded derogations for processing documentation requirements. View the opinion here →
• Germany’s Federal Network Agency established an AI service desk providing practical implementation guidance for EU Artificial Intelligence Act compliance. The platform features an interactive assessment tool helping organizations determine AI Act applicability, transparency requirements, and risk categorization for their systems. The service includes comprehensive FAQ resources supporting the Agency’s enforcement responsibilities under the new regulation. Check it out (in German) →

2) Notable Case Law

• Italy’s Garante imposed a €45,000 penalty on Noi Compriamo Auto.it S.r.l. for unlawful marketing and data processing following a consumer complaint regarding unwanted communications and delayed rights response. The investigation identified several GDPR violations including insufficient technical safeguards, absent legal basis for processing, and inadequate data subject rights facilitation. The Garante also referred to the acquisition of consent in double opt-in mode for direct email marketing, to better confirm the subscriber’s intention of the receipt of same. Get the details (in Italian) →
• Connecticut’s Attorney General secured USD 85,000 (approximately €78,000) settlement with TicketNetwork, Inc. for alleged Connecticut Data Privacy Act violations. The enforcement action followed the company’s failure to remedy deficient privacy notices featuring unreadable content and malfunctioning data subject rights mechanisms despite receiving November 2023 cure notice. The settlement mandates CTDPA compliance including data subject request metrics maintenance and regular reporting to the Attorney General. Read the details here →

3) New and Upcoming Legislation

• California’s Assembly reintroduced Assembly Bill 566 (formerly AB 3048) mandating mobile operating systems integrate opt-out preference signal settings for consumer privacy protection. The legislation defines browser, mobile operating system, and opt-out preference signal parameters under California Consumer Privacy Act amendments. The bill advanced through Privacy and Consumer Protection, Appropriations, and Judiciary committee stages, receiving Senate Judiciary recommendation for passage. Track the Bill →
• Pennsylvania introduced House Bill 1559 requiring employers provide advance written notification for electronic employee monitoring activities, excluding security surveillance in shared spaces. The legislation defines electronic monitoring as information collection through non-direct observation methods, with exceptions for suspected legal violations or hostile workplace situations. Violations carry USD 500-5,000 (approximately €460-4,600) penalties alongside private enforcement options, effective 60 days post-enactment. Follow the Bill here →

4) Strong Impact Tech

• Missouri Attorney General Andrew Bailey initiated investigation into AI chatbot bias and misinformation by Google, Microsoft, OpenAI, and Meta platforms. The inquiry examines ChatGPT, Meta AI, Microsoft Copilot, and Gemini for alleged historical inaccuracies and misleading responses under Missouri Merchandising Practices Act provisions. Companies must explain algorithmic bias mechanisms, provide internal input selection records, and clarify founding-era inaccuracies while ensuring accurate, unbiased information delivery. Read more →
• European corporate leaders from 40+ companies including ASML, Philips, Siemens, and Mistral petitioned Commission President von der Leyen for two-year AI Act implementation delay. The executives requested postponement of August 2026 high-risk AI system obligations and August 2025 general-purpose AI model requirements, citing implementation complexity and rule simplification needs. However, Commission spokesperson Thomas Regnier confirmed no grace period extensions, maintaining August 2026 deadlines while discussing voluntary code initiatives and administrative burden reductions. View the report here →

Other key information from the past weeks

• European privacy advocacy group noyb filed a complaint against dating platform Bumble with Austria’s Data Protection Authority regarding AI-powered conversation features. The challenge targets Bumble’s “Opening Moves” functionality for processing user profiles, photographs, and personal information through artificial intelligence without adequate GDPR legal basis. The complaint alleges transparency violations and inadequate user consent mechanisms for automated decision-making processes. See the full story →
• CNIL has opened a public consultation on draft guidelines for email tracking pixels, highlighting that the GDPR requires recipient consent for purposes like marketing and personalization. The draft clarifies that senders act as data controllers, while email service providers function as processors or sub-processors. CNIL recommends the use of clear, purpose-specific consent that can be withdrawn anytime, and stresses the importance of retaining proof of consent. Consultation period ends July 24, 2025. Read the guidance here (in French) →
• Denmark implemented facial copyright protections enabling individuals to claim copyright over their likeness as deepfake countermeasure. The legislation grants people legal ownership of their facial features for protection against unauthorized artificial intelligence manipulation and synthetic media creation. The framework establishes precedent for personal biometric data ownership within European privacy law contexts. Explore more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #145) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Below, we break down the key provisions of the Act and how you can prepare. 

Key Features of the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 brings a wide range of updates, not just to data protection law but also to emerging areas like smart data and digital verification services. The Act covers the following key areas:

1. Amendments to UK Data Protection and ePrivacy Laws

The Act updates the UK GDPR and the Data Protection Act 2018, including:

• More Special Category Data: Whilst additional categories have not been added yet, the Act provides for a new mechanism to introduce further classes of special category data by the secretary of state.
• Purpose Limitation: The Act extends the purpose limitation principle when processing is carried out for the public interest. A list of derogations deemed compatible with the original purpose or processing are introduced in the Act which range from protecting vital interests to complying with legal obligations.
• Data Subject Requests: The Act codifies ICO’s “stopping the clock” approach, where the clock on responding to reasonable and proportionate data subject requests within the set time frame, only starts to run once the identity of the requestor has been verified. 
• Complaints Process: The Act introduces a new right to complain directly to the controller pursuant to measures such as an electronic form. The controller is to acknowledge complaints within 30 days and have a clear process for handling data subject complaints. This right to complain should also be included in privacy notices.
• Automated Decision Making: The Act narrows the scope of the current restrictions on automated decision-making, since they will now be limited to decisions involving special category data. This is a major shift from the existing rules.
• Legitimate Interests: The Act whitelists certain activities, such as direct marketing, intra-group data transfers, and network security as legitimate interests. This facilitates the process for controllers to determine whether their data processing purpose will be considered as legitimate.
• International Transfers: The Act retains a risk-based approach to assessing adequacy for international data transfers, focusing on whether the data protection standards in another jurisdiction are “materially lower” than those in the U.K. with the introduction of a “data protection test“.
• Public Task: The Act clarifies that the public task condition applies only to tasks performed by the controller in the public interest and does not extend to tasks carried out by third parties.
• Research Clarifications: The Act clarifies how personal data can be used for research purposes, explicitly including “scientific research” and genealogical research. It opens up new opportunities for technological development and fundamental research that can reasonably be described as scientific.

2. Amendments to ePrivacy Laws

The DUA Act also introduces some changes to the ePrivacy Regulations:

• Charity Soft Opt-in: The soft opt-in for electronic marketing is extended to charities, enabling them to contact individuals for marketing purposes related to furthering their charitable objectives.
• Cookie and Tracking Technologies: Cookies used for analytics or website optimization are exempt from the requirement to obtain prior consent, as long as users are clearly informed beforehand about the use of such cookies and have a simple, free method to opt out. This may still mean that cookie consent pop-ups remain in use.
• Fines Alignment: The fines for ePrivacy breaches are now aligned with those under the UK GDPR, allowing for substantial penalties for violations.

3. Smart Data Framework

One of the most innovative aspects of the DUA Act is its establishment of a smart data framework. This framework aims to enable consumers and businesses to grant third parties access to their data, encouraging competition and the development of new products and services.

Key points include:

• Smart Data Schemes: Building on the Open Banking model, the Act facilitates schemes across various sectors, with the energy sector as an early target. These schemes will enable customers to share data (such as consumption patterns) for price comparisons or carbon reporting, spurring innovation.
• Obligations for Traders: Businesses that supply goods or services will be subject to new obligations under these schemes, including investment in IT infrastructure to support data sharing.

4. Digital Verification Services (DVS)

The Act introduces a framework for digital verification services (DVS), including electronic signatures and eID. This will enable a trust framework for DVS providers, ensuring they meet the required standards and can be certified and included in a statutory register.

• Public Authority Gateways: DVS providers will be able to interact with public authorities via secure information gateways, allowing for the use of certified DVS for tasks such as right-to-work or right-to-rent checks.
• Reduced Personal Data Collection: DVS will help reduce the need for businesses to collect personal data, minimizing risks for both businesses and individuals.

5. The Future of AI and Automated Decision-Making

With the amendments to research definitions and automated decision-making restrictions, the U.K. is positioning itself as a more flexible environment for AI development. These changes make the U.K. an attractive destination for AI innovation, especially given that the EU has introduced specific AI regulations that U.K.-based businesses will not need to adhere to. However, multinational businesses must remain mindful of the differences between U.K. and EU data protection laws when developing or deploying AI technologies.

The Act’s Impact on Business Operations

The Data (Use and Access) Act 2025 will require businesses to:

• Review Data Governance Practices: Businesses will need to reassess their data collection, processing, and sharing policies, particularly for research and AI development.
• Prepare for Digital Verification Services: Businesses relying on identity verification will need to familiarize themselves with the new DVS framework and adjust their systems accordingly.
• Monitor Smart Data Schemes: Traders in sectors like energy and finance should prepare for the potential obligations that will come with smart data schemes.
• Adapt to ePrivacy Changes: Businesses will need to review their cookie consent practices and ensure they comply with the new exemptions and requirements for clear information.

Penalties and Enforcement

As with GDPR, the Data (Use and Access) Act 2025 establishes significant penalties for non-compliance. Penalties for breaches of electronic marketing regulations and placement ofcookies are currently capped at £500,000. However, ePrivacy breaches will soon be subject to the Data Protection Act 2018 leading to severe fines up to 4% of global turnover or £17.5 million, whichever is higher.

Preparing for the DUA Act

Organizations should begin preparing for the full implementation of the Act by:

• Familiarizing themselves with the new rules on automated decision-making and research to better align with evolving AI development.
• Reviewing their data processing practices, particularly around smart data schemes and digital verification.
• Ensuring compliance with ePrivacy laws and data subject rights.

While substantial changes to data protection frameworks are not required immediately, organizations should stay informed and proactive to take full advantage of the Act’s provisions and ensure continued compliance.

Conclusion

The Data (Use and Access) Act 2025 marks a major step forward in the U.K.’s data protection and digital verification landscape. It aligns with international standards like the GDPR but also opens new avenues for innovation, particularly in AI, smart data, and digital verification services. Businesses should remain vigilant, staying up to date with secondary regulations and prepare for the upcoming changes that will impact their data handling practices.

The post The U.K. Data (Use and Access) Act 2025: What you need to know  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

If you run a website or app, handling privacy isn’t optional; it’s the baseline. Between the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and the incoming wave of global regulations, staying on top of consent isn’t just about ticking boxes or avoiding legal headaches. It’s about building trust, protecting your business’ revenue, and even improving marketing performance.

But with so many tools out there, from free WordPress plugins to full-blown enterprise suites, how do you know which one’s right for you?

In this post, we’ve rounded up 9 of the most popular consent management platforms and broken them down in plain English.

We’ll cover everything including features, ease of use, pricing, and overall function. And you’ll also find a table below to compare the different platforms at a glance, so you can see which one might be best.

Consent management platform comparison: At a glance

Scroll →

	iubenda	consentmanager	Complianz	Cookiebot	Usercentrics	Piwik PRO	Termly	Didomi	Enzuzo
Legal policy generator included
Built-in banner & consent records
Notifies you as laws evolve
Multi-language support
Integration options	WordPress, Shopify, Google Tag Manager, Wix, Webflow, Squarespace, Joomla, PrestaShop, Magento, Drupal, Zapier, and more	WordPress, Joomla, Typo3, Drupal, eZ Publish, Magento, phpWiki, PrestaShop, osCommerce, OXID eShop, WooCommerce, and more	WordPress and Shopify	WordPress, Google Tag Manager, Wix, Squarespace, Shopify, custom websites	WordPress, Shopify, Google Tag Manager, Adobe Experience Platform, custom websites, enterprise-level platforms	Google Tag Manager, Google Analytics, custom websites (primarily focused on analytics integration)	WordPress, Google Tag Manager, Shopify, Squarespace, Wix, Webflow, custom websites	WordPress, Shopify, Google Tag Manager, custom APIs, etc.	Shopify, Webflow, Wix, WordPress, etc.
Ease of use	Very easy (quick setup and configuration)	Moderate (but very powerful)	Easy for WordPress and Shopify users	Simple setup, difficult to use interface	Complex	Less intuitive to use	Very easy	Requires custom setup	Moderate
Lawyer-backed policies	Written and maintained by legal experts	Recommended by lawyers and data protection experts	Written and maintained by legal experts	Unclear		Unclear		Unclear
All-in-one digital compliance suite
Consent rate optimization
Customer satisfaction	4.7/5 (Capterra)	5/5 (G2)	4.8/5 (WordPress)	2.3/5 (Trustpilot)	3.1/5 (Trustpilot)	4.6/5 (G2)	4.3/5 (G2)	4.6/5 (G2)	3.6/5 (Trustpilot)
Price	Free plan available. Paid plans from €4.99/month	Free plan available. Paid plans from €23/month	Free plan available. Paid plans from €59/year (less than €5/month)	Limited free plan available. Paid plans from €7/month	Paid plans from €7/month	Paid plans from €35/month	Free plan available. Paid plans from $10/month	Call for custom quote	Limited free plan available. Paid plans from USD $9/month
Recommended for	Businesses of all sizes	Enterprise businesses	WordPress and Shopify users	Mid-sized businesses	Large websites and enterprise businesses	Organizations in regulated sectors like finance, government, and healthcare	Small to medium businesses, startups, and freelancers	Enterprise businesses	E-commerce businesses of all sizes

What is a consent management platform (CMP), and how does it work?

A consent management platform (CMP) helps website and app owners collect, manage, and document user consent in line with privacy regulations like the GDPR, CCPA, and more. In a nutshell, it’s what powers the cookie banner you see when you first land on a site. But the best ones go much deeper than that, providing tools that help you improve consent rates and boost conversions to help you grow your business.

At a basic level, a CMP lets users decide what data they’re comfortable sharing. But behind the scenes, it also needs to:

• Block cookies and tracking scripts until a user gives consent
• Store and log consent preferences
• Provide options for users to withdraw or update consent
• Stay aligned with legal requirements that change over time

What should you look for in a consent management platform?

Not all tools are built the same. Here’s what actually matters when choosing the right consent management platform:

• Ease of setup – Are you comfortable spending hours tweaking code or bringing in developers to do so?
• Regulation coverage – Does it support GDPR, CCPA, and other privacy laws?
• Customization – Can you adapt the look and feel to your brand?
• Legal reliability – Are the policies and mechanics backed by actual legal experts?
• Automatic notifications – Does it automatically notify you of evolving laws or will you have to scramble last minute to manually check them yourself?
• Performance impact – Does it run smoothly without slowing your site down?
• Integrations – Does it integrate with CMS systems like WordPress or online stores like Shopify?
• Built-in Google Consent Mode – Does it help you recover marketing data when users reject cookies, especially for Google Ads and Analytics?
• IAB’s TCF – Does it share user consent with ad partners so you can run ads easily and get closer to compliance?
• Customer support – When you run into issues, can you reach a real person who helps quickly? Or will you wait weeks for a response? Check review sites like Trustpilot and G2 to see how each platform treats customers when things go wrong.

The best platforms for cookie consent and data compliance

1. iubenda

Unlike standalone CMPs, iubenda offers a complete digital compliance suite in one connected platform: cookie banners, privacy policies, terms and conditions, consent records, internal compliance solutions, accessibility solutions, and more.

It’s a solution that real legal experts back. And over 150,000 companies worldwide use it, from solopreneurs to giant enterprises, to help them get closer to compliance. And it goes beyond compliance too. With iubenda, you have access to solutions that help you improve user experience and increase consent rates, ultimately boosting conversions, trust and customer loyalty over the long run.

Standout features

• The auto-scan feature automatically scans your website for cookies, trackers, and third-party services to identify which disclosures you need in just a few minutes
• Customizable cookie banners integrate with Google Consent Mode v2
• Consent database and logs store records in a compliant format
• Easily manage and store consent across multiple platforms, handle data subject requests and whistleblowing reports, optimize newsletter opt-ins for better marketing, and more
• Easy plugin integrations for WordPress, Shopify, and more
• Up to 27 languages and coverage for global privacy laws (GDPR, CCPA/CPRA and other US State Laws, LGPD, and more)
• Notifies you as laws evolve

Best for

Businesses of all sizes looking for an easy-to-use, attorney-quality solution that offers everything they need to set up for compliance.

Pros

• Offers a full suite of compliance solutions in one place
• Real lawyers build and maintain the entire suite
• Easy setup. Simply copy and paste one line of code and tweak what you need
• Creates a simpler, faster consent experience that helps reduce bounce rates and increase conversions
• Great customer support that stays with you until your issue is resolved

Cons

• You’ll need a paid plan to access multiple languages and the Terms and Conditions Generator

Pricing

• Free plan available with everything you need for low-traffic sites
• Paid plans start around €4.99/month, depending on your needs
• Flexible pricing based on which solutions you activate, so you never pay for more than what you actually need

What people say

Users consistently highlight responsive customer support and ease of use. Reviewers mention that support agents stay with them until issues are resolved, and praise how the platform simplifies compliance without requiring legal expertise.

2. consentmanager

consentmanager is a consent management platform built for compliance and performance, offering customizable cookie banners, reporting tools, and optimization features to help businesses manage consent while improving user experience.

Standout features

• Highly customizable: 200+ design options, flexible targeting by country, browser, device, and more
• Detailed reporting: Analyze consent behavior by region, device, design variant, and other dimensions
• A/B testing and machine learning optimization to improve consent rates over time
• Auto-blocking and integrated crawler for compliance monitoring
• Predefined texts in over 35 languages
• Fully compatible with IAB’s Transparency and Consent Framework
• Google certified and Google Consent Mode v2 integrated
• EU-only data storage

Best for

Enterprise companies with complex digital portfolios, publishers, and e-commerce teams looking for detailed consent analytics.

Pros

• Flexible customization options (design, targeting, variants)
• Strong reporting for marketing and growth teams
• Compatibility mode makes switching from other CMPs easier

Cons

• The interface can be a bit tricky for first-time users

Pricing

• Free plan available
• Paid plans start from €23/month, depending on number of websites and views per month

What people say

Users appreciate the responsive customer support and highlight the A/B testing capabilities. Some report the interface has a learning curve.

3. Complianz

Complianz is a WordPress and Shopify plugin designed to make privacy compliance more manageable. It covers cookie consent, legal documents, and regional compliance rules (GDPR, CCPA, and more).

Standout features

• Designed specifically for WordPress and Shopify
• Research team regularly updates clause library to reflect the latest law changes
• Flexible banner designs
• Smart site scanner that automatically detects and handles cookies in use before visitors see them
• Region-specific banner behavior (e.g., GDPR vs. CCPA)
• Legal documents in multiple languages

Best for

WordPress and Shopify users who want privacy features that work smoothly out of the box.

Pros

• Trusted by 1 million users
• Quick and easy setup
• Helps build brand transparency and trust
• 30-day money-back guarantee

Cons

• You need a paid plan for the more advanced features

Pricing

• Free plan available
• Paid plans start from €59/year (less than €5 a month)

What people say

Reviewers report easy installation, a user-friendly interface, and solid compliance features. A go-to choice for WordPress and Shopify users who want privacy tools that just work.

4. Cookiebot

Cookiebot scans your site for cookies, categorizes them, and helps you display a compliant cookie banner.

Standout features

• Automatic cookie scanning and categorization
• Multi-language support
• Compatible with Google Tag Manager and Consent Mode
• Cookie banner creation

Best for

Mid-sized businesses that want consent features with a focus on automation.

Pros

• Simple setup

Cons

• Can’t create legal documents
• The interface isn’t intuitive and can be difficult to use
• Banners aren’t easily customizable

Pricing

• Free plan with limited features available
• Paid plans start from €7/month and increase in price if you have more than a certain number of subpages

What people say

While some users find initial setup straightforward, many report frustration with unexpected price increases, billing disputes, and difficulty reaching customer support.

5. Usercentrics

Usercentrics is a consent management platform with a focus on marketing, offering analytics tools that give users insights into their web audiences.

Standout features

• Data control and user segmentation
• Analytics and consent audit tools
• Affiliate and partner programs
• Customizable banners
• Multilingual support

Best for

Enterprise-level businesses looking for detailed control and integrations.

Pros

• Offers tools for consent rate optimization
• Fully customizable

Cons

• Difficult setup, especially if you need more complex integrations
• The cookie management tools and user interface are trickier to navigate if you’re less tech-savvy

Pricing

• Plans start from €7/month for basic features
• No free plans but there is a 14-day trial

What people say

Users value the compliance tools and customization options. However, many report confusion around pricing, with unexpected plan upgrades based on session counts that can lead to billing spikes. Support response times are also frequently cited as slow.

6. Piwik PRO

Piwik PRO offers analytics software built with privacy in mind, along with consent management features to help align with regulations. It positions itself as a more compliant alternative to Google Analytics.

Standout features

• Full analytics suite with consent tracking built in
• Server location controls

Best for

Businesses in regulated sectors like finances, government, and healthcare.

Pros

• Clear documentation and onboarding support

Cons

• Its interface is less intuitive than other platforms
• Overall features can be limited, depending on what you need
• Lacks flexibility with third-party integrations

Pricing

• No free plans but it does offer a 30-day free trial
• Paid plans start at €35/month
• Scaling is pricier, with Enterprise plans starting at €366/month

What people say

Users on G2 praise the analytics, but many report integration issues and limited CMP-specific features.

7. Termly

Termly is a lightweight tool that combines consent management with policy generators. It’s aimed at small businesses and freelancers who want basic compliance tools.

Standout features

• Automatic cookie scanning and script blocking
• Built-in policy generators
• Google Consent Mode v2 compatible

Best for

Small businesses, bloggers, and freelancers with basic compliance needs.

Pros

• Simple setup process
• Free plan available

Cons

• Limited to one domain per license (costs add up for multiple sites)
• Customization options are limited
• Some users report slow customer support response times

Pricing

• Free plan available with capped monthly pageviews
• Paid plans start from $10/month

What people say

Users find the setup straightforward. Some report limitations with the free plan when accessing certain features.

8. Didomi

Didomi provides consent management along with real-time data tools to help enterprise businesses understand and optimize user experiences.

Standout features

• Real-time consent data dashboards
• Customizable banners and forms
• CRM and ad tech integration

Best for

Large, global enterprise businesses.

Pros

• Solutions are scalable for large organizations
• Fully customizable

Cons

• Users find it hard to use at first
• It requires a lot of customer support to implement and response times can be slow

Pricing

• It doesn’t offer a free plan
• Didomi doesn’t seem to publish their pricing online, so you need to call for a custom quote

What people say

Users praise integration options but report frustration with the interface, steep learning curve, and slow support response times.

9. Enzuzo

Enzuzo is a lightweight tool that helps you manage cookie consent, handle data subject requests, and create legal policies. Its focus is on providing support in the e-commerce space, with solutions for Shopify and mobile apps.

Standout features

• Multi-language support
• Real-time consent analytics
• Supports mobile apps

Best for

Businesses in the e-commerce space.

Pros

• Simple installation
• Easy to understand and use

Cons

• Isn’t as customizable as other options
• Customer support can be limited

Pricing

• Free plan comes with limited features
• Paid plans start from USD $9/month for basic compliance tools

What people say

Users like the smooth Shopify integration and ease-of-use, but many express frustration with billing issues and limited customer support availability.

The best consent management platform

Your consent management platform shouldn’t just help you meet today’s legal standards, but help you boost consent rates to grow your business, while keeping you ready for what’s next. The right tool makes compliance easier, not harder; it works in the background, keeps you aware of regulation changes, and protects your users’ trust at every touchpoint.

When evaluating your options, prioritize platforms that offer lawyer-backed policies, auto-scanning, and Google Consent Mode v2 support. iubenda is one example that checks these boxes.

With the right CMP, you won’t just be well on your way to greater compliance, but have a powerful tool to grow your business.

The post A guide to choosing the best consent management platform: Features, pros & pricing appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Make your site more accessible with no extra code needed!

Our AI-powered widget (formerly known as Accessibility Solution), designed to make your website more accessible with just a few clicks, is now WayWidget with a big update!

We’ve simplified the embedding process—now there’s just one script for both the cookie banner and the accessibility widget. That means that making your site more accessible is really easy: If you’re already using our cookie banner, no extra code or code edits are required to install the accessibility widget.

Improve your website’s accessibility

Over 2,200 users have already trusted WayWidget to enhance their website’s accessibility.

In case you’ve missed it

Control access with teams

We’ve updated our Teams feature, and now you can create teams to organize your projects and move sites between teams with ease.

1-Click WordPress installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Read the guide for more details.

Easy cookie banner setup for Shopify

Adding iubenda’s cookie banner to your Shopify store is now a breeze. Just install our new Shopify app, paste your Privacy Controls and Cookie Solution code, and you’re done. No coding needed! Read the guide for more information.

The post WayWidget upgrade, improved teams, and a brand new Shopify app (June 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Your Website Accessibility Checklist

Does the European Accessibility Act Apply to You?

Answer these questions to determine if your business needs to comply:

• Do you sell products or services to consumers in the EU?
• Does your business employ at least 10 people OR have an annual turnover or balance sheet exceeding 2 million euros?
• Do you provide any of these services: e-commerce, banking, media services, e-books, or passenger transport services?

If you answered yes to all three questions, it is very likely that your website needs to comply with the EAA.

Do You Have the Required Documentation?

Check if you’ve prepared the necessary accessibility documentation. Have you published an accessibility statement that includes:

• A description of the accessibility measures you’ve implemented
• Any known limitations and your plans for improvement
• Information about your monitoring processes to ensure ongoing compliance

How an Accessibility Widget Can Help You

Accessibility widgets provide quick improvements to make your website more accessible to users with disabilities. These tools can help with:

• Text adjustments (size, spacing, fonts) for better readability
• Color and contrast enhancements for visual impairments
• Navigation and keyboard improvements for motor disabilities
• Content display options (control over animations, reading aids)

iubenda’s WayWidget offers all these features with just one line of code added to your website. It provides real-time accessibility adjustments based on individual user needs while helping you move toward EAA readiness.

Improve your website’s accessibility in a few clicks

Add an AI-powered accessibility widget to your site to automatically optimize for users with disabilities and help meet EAA requirements with just one line of code.

Discover iubenda’s WayWidget

The post Accessibility checklist appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Effective Date: July 31, 2025

The Minnesota Consumer Data Privacy Act (MCDPA) establishes new data privacy requirements for businesses operating in Minnesota or targeting residents of the state. This Act is designed to empower consumers with rights over their personal data while imposing specific obligations on entities handling such data.

Sensitive Data Definition

The MCDPA outlines specific types of personal data considered sensitive, including:

A “known child” refers to an individual under 13, where the data controller has actual knowledge or willfully disregards the fact that the individual is a child.

Applicability

The MCDPA applies to businesses that meet the following thresholds:

1. Control or process personal data of 100,000 consumers or more annually (excluding data processed solely for payment transactions).
2. Derive over 25% of their gross revenue from the sale of personal data and process/control personal data of 25,000 consumers or more.

Non-profits are generally subject to the MCDPA unless they are focused on detecting and preventing fraudulent insurance activities.

Other applicability exceptions include state entities, federally recognized tribes, and certain compliance activities related to legal or regulatory requirements.

Consumers’ Rights

The MCDPA grants Minnesota residents several rights related to their personal data:

Access Personal Data: Consumers can confirm whether their data is being processed and access it.

Correction of Data: Consumers can request the correction of inaccurate data.

Deletion of Data: Consumers can request deletion of their personal data.

Data Portability: Consumers can request their data in a portable format, especially when automated processing is involved.

Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, data sales, and profiling used for decisions with legal or significant effects.

Rights in relation to Profiling activities: Consumers subject to profiling may:

• Challenge the profiling results.
• Request information on the reason behind profiling decisions.
• Review the data used in profiling and have it corrected if inaccurate.

Third-Party Disclosure: Consumers can request a list of third parties to whom their data has been disclosed.

Non-Discrimination: Consumers are protected from discrimination when exercising their rights.

Consumers can exercise their rights through a request submission without the need to create an account (although an existing account may be used). Parents or legal guardians can act on behalf of minors under 13. Consumers may also designate an authorized agent to opt out of targeted advertising and data sales on their behalf.

Requests must be fulfilled within 45 days, with an option for a 45-day extension. If a request is deemed excessive or unfounded, a reasonable fee may be charged.

Controllers’ Obligations

To comply with the MCDPA, businesses must:

Small businesses must obtain prior consent before selling sensitive data. Additionally, businesses must notify consumers of any material changes to privacy practices and give them an opportunity to withdraw consent.

Enforcement and Compliance

In case of disputes, controllers must provide instructions on how consumers can contact the Minnesota Attorney General to file complaints. Controllers must also maintain records of all consumer requests and responses.

To ensure compliance, businesses should regularly conduct data privacy assessments, especially for high-risk processing activities, and maintain documentation of their data protection measures.

The post Minnesota – Consumer Data Privacy Act (MCDPA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Effective Date: July 1, 2025

The Tennessee Information Protection Act (TIPA) is a comprehensive state-level privacy law designed to provide consumers with greater control over their personal data. The law establishes specific rights for consumers and imposes certain obligations on businesses that handle personal data of Tennessee residents. Below is an overview of the Act’s key provisions and requirements.

Definition of Sensitive Data

TIPA defines “sensitive data” as a category of personal information that includes the following:

Applicability of the Act

TIPA applies to individuals or entities conducting business in Tennessee or offering products or services targeting Tennessee residents that meet the following criteria:

1. They exceed \$25,000,000 in revenue; and
2. They:

• Control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data; or
• Control or process personal information of at least 175,000 consumers during a calendar year.

It is important to note that the Act does not apply to non-profit organizations.

Other limitations on applicability exist, including:

Consumers’ Rights

TIPA grants consumers the following rights:

1. The right to confirm whether a controller is processing their personal data and access it;
2. The right to obtain a copy of their personal data in a portable, readily usable format, allowing them to transmit the data to another controller;
3. The right to request the correction of inaccurate personal data;
4. The right to request the deletion of their personal data;
5. The right to opt out of the processing of their personal data for targeted advertising, sale of personal data, and profiling activities with legal or similarly significant effects;
6. The right not to be discriminated against for exercising opt-out rights.

Exercise of Rights

To exercise their rights, consumers may submit requests to controllers through the means described in the privacy notice. No account creation is required for submitting requests, although if the consumer has an existing account with the controller, the request may be submitted through that account. If the request is made on behalf of a child, the parent or legal guardian may submit the request.

Follow-Up by Controllers

Controllers are required to respond to consumer requests within 45 days. They must provide the requested information free of charge, up to twice per consumer within any 12-month period. In cases where requests are deemed manifestly unfounded, excessive, or repetitive, controllers may charge a reasonable fee to cover administrative costs.

Controllers must be able to authenticate consumer requests using commercially reasonable efforts and may request additional information from the consumer to verify the request. Controllers must also establish an appeal process, which should be clearly available, free of charge, and similar to the process for submitting consumer rights requests.

In the event an appeal is denied, controllers must provide an online mechanism or another contact method for consumers to submit complaints to the Tennessee Attorney General.

Controllers’ Obligations

TIPA imposes the following obligations on controllers:

Limit the collection of personal data: Controllers must limit the collection of personal data to what is adequate, relevant, and necessary in relation to the processing purposes disclosed to consumers;

Obtain consumer consent: Controllers must obtain consumer consent to:

• Process personal data for purposes that are not reasonably necessary or compatible with the purposes disclosed in the privacy policy;
• Process sensitive data, including sensitive data of a known child (which must comply with the Children’s Online Privacy Protection Act, COPPA);

Privacy notice requirements: Controllers must provide a clear, accessible, and meaningful privacy notice that includes:

• Categories of personal data processed;
• Purposes for processing personal data;
• Categories of personal data sold to third parties, if applicable, and the relevant categories of third parties;
• How consumers may exercise their rights, including the right to appeal;
• A clear disclosure of any sale of personal data or processing for targeted advertising, with an opt-out procedure;

Contract with processors: Controllers must enter into contracts with processors, ensuring compliance with the TIPA requirements.

Data protection assessments: Controllers must conduct and document data protection assessments for each processing activity that poses a heightened risk of harm to consumers, such as processing for targeted advertising or the sale of personal data.

Data security practices: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Universal Opt-Out Signals

The Act does not regulate the use of universal opt-out signals, meaning that businesses are not required to comply with such signals under TIPA.

The post Tennessee Information Protection Act (TIPA) Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s data protection authority, CNIL, has released new guidance addressing the relationships between data controllers, processors, and joint processing arrangements. The documentation provides clarity on how entities can determine their respective roles when processing personal data. Joint arrangements require formal agreements detailing shared obligations including data subject requests and security management. Learn more here (in French) →
• The European Data Protection Board published guidance on cross-border data transfers to foreign government authorities under GDPR Article 48. The framework establishes that foreign court decisions lack automatic recognition within European jurisdictions. Where formal agreements are absent, organizations must evaluate alternative legal grounds on an individual basis. Access it here →
• The European Data Protection Board announced dual expert initiatives focusing on artificial intelligence and data protection compliance. One initiative targets legal practitioners with analysis of regulatory frameworks including GDPR and AI Act compliance. The companion initiative addresses technical specialists with guidance on secure AI development and privacy-preserving audit procedures.
• Poland’s EU Council leadership proposed a regulatory harmonization initiative to address fragmentation across digital governance frameworks. The proposal targets overlapping requirements and inconsistent terminology across AI, data protection, and cybersecurity domains. Recommendations include establishing unified terminology resources and implementing consolidated reporting mechanisms. Access it here →

2) Notable Case Law

• German privacy regulators issued penalties totaling €45 million against telecommunications provider Vodafone GmbH for GDPR compliance failures. The enforcement action addressed inadequate oversight of third-party partnerships and authentication security vulnerabilities. The company has implemented remedial measures including enhanced partner auditing and separation from fraudulent partners. Access the press release here →
• Swedish appellate courts upheld financial penalties against streaming platform Spotify, imposing SEK 58 million (approximately €5.2 million) in fines for data subject rights violations. The ruling followed regulatory findings that the platform failed to provide adequate transparency regarding individual rights and data retention policies. The court highlighted the platform’s shortcomings in handling data subject rights and GDPR compliance. Learn more here (in Swedish) →

3) New and Upcoming Legislation

• Oregon: Recent legislative developments strengthened consumer privacy protections through amendments to state privacy law. The framework restricts targeted advertising and data sales involving individuals under 16 years of age and establishes location-based privacy protections within 1,750-foot proximity zones. The legislation emphasizes enhanced safeguards for minors and location tracking. Follow the Bill here →
• California: New workplace transparency requirements mandate annual reporting of employee surveillance technologies to state labor authorities. The legislation requires detailed disclosures about technology providers, capabilities, and data handling practices. Regulatory authorities must publish submitted reports within 30 days. Access the Bill here →
• Nebraska: Child safety legislation established age-appropriate design requirements for major online platforms operating within the state. Services with annual revenues exceeding $25 million must implement protective mechanisms for users under 13. The framework mandates opt-out capabilities for engagement features, taking effect January 1, 2026. Follow the Bill here →
  

4) Strong Impact Tech

• UK cybersecurity authorities published cultural guidance for organizations seeking to strengthen security behaviors across their operations. The framework emphasizes positioning security as a business enabler and promoting psychological safety for incident reporting. Implementation strategies address various organizational contexts with practical scenarios and visual assessment tools. Access it here →
• British telecommunications regulator Ofcom outlined its strategic vision for artificial intelligence oversight spanning multiple sectors through 2025-26. The approach encompasses innovation support through technical sandboxes and specialized risk management across telecommunications and broadcasting. The strategy emphasizes balancing technological advancement with consumer protection. Learn more here →

Other key information from the past weeks

• Texas lawmakers overwhelmingly passed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), establishing AI guardrails including discrimination prohibitions and biometric data protections starting January 1, 2026. More details →
• Reddit filed lawsuit against Anthropic alleging unauthorized scraping of user-generated content to train Claude AI chatbot without proper licensing agreements. Learn more here →
• AI researchers suspect Chinese company DeepSeek may have used Google’s Gemini model outputs to train its latest R1 reasoning model, highlighting ongoing concerns about unauthorized model distillation practices. Learn more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #144) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Dispute resolution refers to the process through which two or more parties find a peaceful solution to a disagreement or conflict. Instead of letting disputes escalate into costly and time-consuming legal battles, dispute resolution methods aim to resolve issues efficiently and fairly. These methods can be formal or informal and focus on helping parties reach an agreement or understanding.

Dispute resolution is important because it offers alternatives to traditional litigation, which can be expensive, slow, and stressful. By using dispute resolution, parties can often preserve relationships and come to mutually satisfactory outcomes without involving courts.

What are examples of dispute resolution?

There are several common types of dispute resolution, including:

• Negotiation: the parties communicate directly to try to reach a voluntary agreement without third-party involvement.
• Mediation: a neutral third party, called a mediator, helps the disputing parties discuss their issues and work toward a mutually acceptable solution.
• Arbitration: an impartial arbitrator listens to both sides and then makes a decision that is usually binding on the parties.
• Conciliation: similar to mediation, a conciliator meets with the parties separately to ease tensions and suggest possible solutions.

For example, in a workplace conflict, mediation might be used to help employees and management find common ground. In commercial disputes, arbitration can provide a quicker alternative to going to court.

Read also

• Third Party Definition & Meaning
• Disclaimer Definition & Meaning
• No Guarantee Meaning & Definition

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Dispute Resolution: Definition & Meaning appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Cookie preferences typically include options such as:

• Accepting all cookies
• Rejecting all cookies
• Selecting specific categories of cookies to allow or block, such as:
  • Strictly necessary cookies, essential for website functionality.
  • Functional cookies, which store user settings like language or location.
  • Statistics cookies, which collect anonymized data on website usage.
  • Marketing or targeting cookies, which track user data for personalized ads.

How to change cookie preferences on a website

You can change cookie preferences in two main ways: using the website’s cookie banner or via your browser. 

1. Using the website’s cookie banner 

If a website uses cookies, it should have a cookie banner in place for consent management. Usually, consent management solutions allow you to edit your cookie preferences at any time. 

If you want to change your preferences after initially giving consent, you should look for the button that reopens the cookie banner. It is often located at the bottom of the page or in the footer, near the privacy policy section. 

Clicking this will reopen the cookie consent banner, allowing you to update your choices. 

2. Changing cookie preferences via your browser settings

You can also control cookies through your web browser settings, either globally or for specific sites. This method varies by browser but generally involves:

• Opening your browser’s settings or preferences menu.
• Navigating to the privacy or security section.
• Finding the cookies or site permissions settings.
• Choosing to allow, block, or clear cookies, including options to block third-party cookies or all cookies.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post What are cookie preferences? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we’ll explore what an accessibility statement is, how it differs from tools like accessibility widgets, and why your website likely needs both. We’ll also walk through the legal requirements across different jurisdictions and offer a breakdown of the EAA’s Annex V.

What is an Accessibility Statement?

An accessibility statement is a formal, public document explaining how a website, product, or service complies with accessibility standards. It serves as a communication tool for users with disabilities and as evidence of legal compliance with accessibility laws such as the European Accessibility Act (EAA), Americans with Disabilities Act (ADA), Web Accessibility Directive (WAD), and, for the UK, the Accessibility Regulations and the Equality Act.

Comparison of requirements across key frameworks

While accessibility statements are a critical part of compliance in multiple regions, the exact requirements vary depending on the legal framework under which the service operates.

Accessibility statement vs widget: What’s the difference

Our Widget and Accessibility Statement: A Two-Part Approach to Digital Inclusivity

Our widget is designed to help make services more accessible to all users, offering real-time accessibility improvements for website visitors. However, it is important to understand that the accessibility statement and the widget serve different purposes and should both be part of your overall accessibility strategy.

The Accessibility Statement: A Legal Requirement

An accessibility statement is a legally required document in certain circumstances, such as when a website is publicly accessible and falls under specific regulations like the Web Accessibility Directive (WAD) and the European Accessibility Act (EAA). This statement communicates your company’s commitment to accessibility and outlines how your website meets or will meet accessibility standards.

It’s important to note that while we refer to this document as an “accessibility statement,” it may be known by different names in various legal contexts. For instance, the European Accessibility Act (EAA) does not explicitly refer to it as an “accessibility statement,” but states that <<The service provider shall include the information assessing how the service meets the accessibility requirements… in the general terms and conditions, or equivalent document>>.

This statement not only ensures compliance with laws but also builds trust by demonstrating your company’s commitment to accessibility.

The iubenda WayWidget: A Tool for Real-Time Improvements

The iubenda WayWidget, on the other hand, is a technical tool designed to enhance the usability of your website in real time. While the accessibility statement might be required by law, the widget is not, it’s simply a tool that helps make your website more accessible by providing features such as:

In short, the widget is a tool that helps users customize the website to meet their specific needs, improving accessibility on the fly.

Why Both Are Important

While the accessibility statement informs users of your commitment to digital inclusivity and ensures compliance with legal requirements, the widget offers a practical solution for enhancing accessibility in real-time. Both are used to address different needs and requirements, Without a statement, your website may not meet legal requirements, and without a widget, users might not have an optimal experience.

Key Accessibility Statement requirements according to the EAA (Annex V)

Annex V of the European Accessibility Act outlines specific requirements that service providers must include in their accessibility statements. These requirements help ensure consistency and clarity in how services communicate their accessibility efforts. Here’s a summary of the key points:

Service Description:

• A general description of the service, ensuring it is accessible and understandable to a wide audience, including those with disabilities.

Accessibility Features:

• This section should be clear and provide specific explanations of how the service meets the needs of users with disabilities.

Compliance with Relevant Accessibility Requirements:

• An explanation of how the service meets the specific accessibility requirements outlined in Annex I of the EAA.

Monitoring and Compliance:

• Information on how the service monitors accessibility over time to ensure ongoing compliance. This may include periodic accessibility audits, feedback mechanisms, and updates as needed to address new challenges or regulations.

Country-Specific guidelines on accessibility statements

The European Accessibility Act (EAA) mandates the adoption of accessibility requirements for products and services within the EU. Below is a summary of how different countries have transposed the provisions of Article 13(2) and Annex V of the EAA into national law.

Conclusion

The accessibility statement serves as an overview of the importance of accessibility for digital services. Ensuring that these services are accessible to everyone, including individuals with disabilities, is crucial. By following the EAA guidelines and clearly communicating compliance, businesses and public entities alike can demonstrate their commitment to accessibility while adhering to legal requirements. As we move forward, we anticipate new patterns and standards emerging, particularly in response to the evolving EAA framework, which will continue to shape accessibility practices and regulations in the future.

The post Understanding the Accessibility Statement appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

European Accessibility Act (EAA) Accessibility Statement Guide & Template

Introduction & Purpose

One important part of the law, Article 13(2), requires businesses and service providers to explain how they make their services accessible. This information needs to be shared publicly and in a way that everyone, including people with disabilities, can understand. This is typically done through an Accessibility Statement, which follows the rules in Annex V of the EAA.

Service providers must create and share information about how their services meet accessibility requirements. This information must be available both in writing and verbally, and it should be easy for people with disabilities to access. The information should also stay available for as long as the service is running.

The purpose of this provision is to ensure that service providers are transparent about the accessibility of their services, outline the specific accessibility requirements that must be met, and provide clear information to users and regulators about how accessibility is being addressed.

Core Requirements for an Accessibility Statement: Detailed Breakdown and Guidance

1. General Description of the Service in Accessible Formats

Legal Requirement (Annex V, 1(a)):

a general description of the service in accessible formats;

Directive Requirements:

The law requires that service providers give a plain, clear description of what their service is about and make sure that description is available in accessible formats. This means that everyone, including people with disabilities, should be able to understand what the service is and how it works. For example, a visually impaired person should be able to access this description through a screen reader.

Practical Meaning for Organizations:

You should prepare a simple, concise description of your service, written in clear language. This description should be available in a format accessible to people with different needs, such as text that works well with screen readers or alternatives like audio or large print on request. This section is similar to an “About” section on your website, explaining what your service does and who it is for.

Compliance Guidance:

Create a section in your accessibility statement titled “Service Overview.” In this section, describe what your service is and what it offers in clear and simple language. Make sure the description is available in formats like audio or braille on request.

2. Descriptions of How to Use the Service

Legal Requirement (Annex V, 1(b)):

“descriptions and explanations necessary for the understanding of the operation of the service;”

Directive Requirements:

The service must provide instructions on how to use it, especially for people with disabilities. This could include explaining how to navigate your website or app, how to use accessibility features, or how to complete tasks like making a purchase. The goal is to make sure users know how to operate the service in an accessible way.

Practical Meaning for Organizations:

Include a simple guide in your accessibility statement explaining how to use your service. This might include instructions on how to navigate the site, use accessibility features like captions or text resizing, and complete tasks like creating an account or making a purchase.

Compliance Guidance:

Create a section titled “How to Use the Service” and describe how to navigate the service and use any special accessibility features, including a description of what deviates from common navigation behavior. For example, “The service provides detailed instructions on how to use it. You can access the full guide at this link…”, “You can use the ‘Tab’ key to navigate our website and press ‘Enter’ to activate links.” or “The service is designed to work with standard browser and assistive technology commands, except…”. Keep the explanations simple and make sure they are in an accessible format.

3. Description of Compliance with Accessibility Requirements

Legal Requirement (Annex V, 1(c)):

“a description of how the relevant accessibility requirements set out in Annex I are met by the service.”

Directive Requirements:

You need to explain how your service meets the accessibility requirements listed in Annex I (Section III and IV) of the EAA (functional requirements and technical outcomes that the service should achieve, such as perceivability, operability, compatibility with assistive tech, etc.). This is a way to demonstrate that your service is accessible and follows the law’s standards. It’s essentially a compliance statement or self-assessment summary: rather than just saying “we comply,” the provider should give an informative account of the measures taken to fulfill each relevant requirement. This transparency is intended both for users (to know the service’s accessibility features/levels) and for regulators who might review the statement to verify compliance claims.

Practical Meaning for Organizations:

In your accessibility statement, describe how your service meets the EAA’s accessibility criteria. This could include explaining how you follow standards like WCAG 2.x AA (latest) for web content or EN 301 549 for ICT services.

Compliance Guidance:

Structure this part as an “Accessibility Compliance” or “How We Meet Requirements” section. One practical way is to group by category of requirements or by standard. For example, you could write a short paragraph for each of the WCAG/EN 301 549 principles:

If you follow a recognized standard, you can simply state your conformity to it. For example, you might say, “We comply with WCAG 2.x AA (latest) at Level AA for our web content,” which covers many Annex I requirements. Be accurate: if your service fully meets all requirements, this is a claim of full compliance, so be prepared to back it up with evidence. If only some requirements are met or if some issues are still being addressed, be transparent about it here. You may also need to mention limitations or derogations in a later section (e.g., disproportionate burden).

Keep this section user-friendly, even if it’s about technical compliance. Avoid listing raw WCAG criteria codes and instead describe features in simple terms, such as, “All images have alt text,” “All functions are keyboard-accessible,” or “Our text meets recommended contrast ratios.” Strive for a balance: detailed enough to cover requirements, but clear enough for non-experts to understand.

4. Use of Harmonised Standards or Technical Specifications

Legal Provision (Annex V, Point 2):

“To comply with point 1 of this Annex the service provider may apply in full or in part the harmonised standards and technical specifications, for which references have been published in the Official Journal of the European Union.”

Directive Requirements:

This clause is not a content to include in the statement per se, but a method of compliance. It states that a service provider may rely on harmonised standards (in whole or part) to meet the obligations in point 1 (i.e. the requirements we listed above for content of the statement).

In EU law, using a harmonised standard whose reference is published in the Official Journal gives a “presumption of conformity”. The key standard for digital accessibility is EN 301 549, which aligns with WCAG for web/mobile content and includes other ICT accessibility criteria. By following such standards, a provider can more easily demonstrate that they meet the EAA requirements.

Practical Meaning for Organizations:

In your statement’s compliance section, you might explicitly say “This website conforms to EN 301 549 and WCAG 2.x AA (latest).” This gives readers and regulators a clear benchmark. Using the standard doesn’t replace the need to provide the info in Annex V (you still need the descriptions, etc.), but it can be referenced as a shorthand for compliance level. Essentially, it’s telling you how to comply: by following harmonised standards you both actually make your service accessible and you have a ready-made way to describe your compliance.

Compliance Guidance:

In your statement, mention any standards followed in the “Conformance status” or Introduction. For example, you could say, “We aim to comply with WCAG 2.x AA (latest)” or “This service follows EN 301 549 v3.2.1 (the European ICT accessibility standard).” Be honest about your conformance, if only part of a standard applies, say so (e.g., “We have applied standard X in part”). The relevant harmonised standards for EAA services include EN 301 549 (for ICT services like websites and apps) and EN 17161 (which is more for organizational processes). Referencing these not only adds credibility to your statement but also invokes the “presumption of conformity,” where regulators assume compliance if the standard is met. In short, clearly state the standards you’re using as the basis for accessibility.

5. Accessibility in the Service Delivery Process & Ongoing Monitoring

Legal Requirement (Annex V, Point 3):

“The service provider shall provide information demonstrating that the service delivery process and its monitoring ensure compliance of the service with point 1 of this Annex and with the applicable requirements of this Directive.”

Legal Interpretation & Purpose:

This requirement ensures that accessibility is not just a one-time effort but is maintained throughout the service’s lifecycle. You must show that you have processes in place to keep accessibility up to date as your service evolves.

Practical Meaning for Organizations:

You need to have a clear workflow for maintaining accessibility, including policies, roles, and daily activities. This could involve staff training, integrating accessibility checks into development, using tools to scan for issues, responding to user feedback, and conducting regular reviews or audits. Essentially, document your accessibility program. For example, you might have an accessibility officer or team, a schedule for re-testing the site, and processes for monitoring user reports. The EAA expects providers to adapt to changes, such as new standards or features, to maintain compliance. Make sure your statement reflects that accessibility is actively managed, showing that compliance is ongoing, not static.

Compliance Guidance:

Include a section in your accessibility statement, such as “Maintenance and Monitoring of Accessibility,” where you outline how your organization ensures ongoing accessibility. Be specific about processes, like developer training or regular use of auditing tools.

For example, mention steps like, “We conduct quarterly accessibility audits,” “We have an accessibility champion on the product team,” or “All new content is checked for accessibility.” Include any feedback mechanisms, like “We monitor and respond to accessibility issues reported by users.”

You might also note that accessibility is reviewed at the executive level or that the company follows an official policy aligning with accessibility standards (such as EN 17161, which is about integrating accessibility into organizational processes). This section should show that accessibility is a continuous priority, reassuring users and demonstrating compliance with the requirement for ongoing conformity.

6. Known Limitations and Alternatives (if applicable)

Why Include This Section?

While not explicitly required by Annex V, disclosing known limitations aligns with best practices outlined in the Web Accessibility Directive (EU Directive 2016/2102) and reflects a proactive approach to compliance management.

If there are limitations, disclose any parts of the service that are not fully accessible, with reasons and alternatives.

7. Disproportionate Burden Claim (if applicable)

Legal Requirement (Article 14):

The accessibility requirements referred to in Article 4 shall apply only to the extent that compliance: (a) does not require a significant change in a product or service that results in the fundamental alteration of its basic nature; and (b) does not result in the imposition of a disproportionate burden on the economic operators concerned.

Why Include This?

This section should be included only if you are claiming a specific exception under Article 14 of the EAA for any requirement that is not met due to a disproportionate burden. If applicable, state which requirement cannot be met, why (costs, etc.), and any timelines to review that decision.

8. (Optional) Feedback Mechanisms and Contact Information (Best Practice)

Why Include Feedback?

Although not explicitly listed in Annex V, providing a way for users to report accessibility issues is good practice. It shows you are open to feedback and willing to improve. Include clear contact information, like an email address and phone number, and make it easy for users to reach out if they have problems.

Compliance Guidance:

We recommend adding a “Feedback and Contact Information” section, providing multiple contact methods for users to report accessibility issues.

Also, if applicable, inform users of their rights to escalate complaints to an authority if they are not satisfied with your response. For example, you might mention that in [Country], the regulatory authority is XYZ, with a link, per national implementation. Even if not strictly mandated by Annex V, this is in line with best practices and demonstrates good faith compliance and customer care.

National Implementations of the EAA by Country

This section outlines how different countries have implemented the EAA into their national laws. Each country has tailored its regulations to meet the EAA’s core requirements while considering local needs and frameworks.

Below, you’ll find an overview of each nation’s specific approach to accessibility standards and enforcement.