We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB Publishes 2025 Annual Report
The EDPB’s 2025 Annual Report says national DPAs issued a record €1.15 billion in fines last year. It also highlights the Helsinki Statement and the Board’s first joint DMA/GDPR guidance.

France – CNIL Publishes HR Data Retention Guide
France’s CNIL published a practical guide (in French) on how long employers should keep HR data, covering recruitment, payroll, workplace accidents, disciplinary files, and more. It’s a useful reference for DPOs and HR teams working under French law.

United Kingdom – ICO Opens Consultation on Automated Decision-Making Guidance
The ICO launched a consultation on updated guidance on automated decision-making and profiling, with feedback open until 29 May 2026. The draft matters for employers and any business using AI or algorithmic decision tools.

2) Notable Case Law

European Union – CJEU Says a First GDPR Access Request Can Still Be Abusive
The CJEU ruled (PDF) that even a first access request can be refused if it is abusive and made mainly to build a damages claim, not to check whether data is being processed lawfully. The ruling also confirms that unjustified refusals can themselves create compensation risk.

Italy – Garante Fines Intesa Sanpaolo €31.8 Million
Italy’s Garante fined Intesa Sanpaolo after finding that a single employee repeatedly accessed thousands of customers’ banking data over more than two years, while internal systems failed to detect it. The authority also criticized the bank’s late and incomplete breach notification in its decision (in Italian).

United States – FTC Settles with OkCupid and Match Over Secret Data Sharing
The FTC announced a settlement with OkCupid and Match after finding that user photos, location data, and other personal data were shared with a third party despite privacy promises. The companies are now barred from misrepresenting their data-sharing practices.

3) New and Upcoming Legislation

European Union – AI Act Omnibus Enters Negotiation Phase
The European Parliament adopted its position on the Digital Omnibus on AI, opening the way for interinstitutional negotiations. One key proposal is replacing the fixed August 2026 deadline for high-risk AI obligations with a standards-readiness trigger.

United States – Oklahoma Enacts a Comprehensive State Privacy Law
Oklahoma signed SB 546 into law, becoming the 20th U.S. state to enact a comprehensive privacy law. It grants consumers rights to access, correct, delete, and opt out of certain processing, with enforcement led by the Attorney General.

4) Strong Impact Tech

European Union – NOYB Signals More Collective Actions After Cyber Incidents
At the IAPP Global Summit, Max Schrems said in an IAPP discussion that NOYB’s new qualified-entity status could be used to bring collective actions, with cyber incidents and data breaches likely to be an early focus.

Switzerland – Swiss Finance Minister Files Complaint Over Grok Output
Swiss Finance Minister Karin Keller-Sutter filed a criminal complaint after Grok generated abusive content about her, asking prosecutors to assess potential liability in the new report.

Other key information from the past weeks

EU-U.S. Data Privacy Framework – Adoption Continues, but Legal Uncertainty Remains
At the IAPP Global Summit, speakers noted in an IAPP update that more companies are joining the DPF, while many larger businesses continue using SCCs in parallel as a safeguard.

European Union – EDPB Launches 2026 Transparency Enforcement Action
The EDPB launched its 2026 coordinated enforcement action on GDPR transparency and information obligations, with 25 DPAs set to contact organizations across sectors and consolidate findings into a final report.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #154) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

And when you’re in early-stage mode, “website compliance” is probably somewhere near the bottom of your priority list. We get it. It’s technical and tedious.

But the reality is that managing a website requires complying with a set of legal requirements to protect user data. Various privacy laws like the GDPR in the EU or the CCPA (California) in the US may apply to you from day one.

Getting them in place early means you won’t have to circle back mid-growth, when fixing things is harder and more disruptive.

Key takeaway: it’s not just about the rules

There’s a version of compliance that’s purely defensive: do the minimum, stay out of trouble, move on. We see it differently.

A clear privacy policy, a well-configured banner that gives control and respects choices, and an accessible website are all signals. They tell your users something about how you operate. In an environment where data scandals make headlines and dark patterns are still common, transparency has real commercial value. Users are more likely to trust and buy from businesses that are upfront about how they handle data.

When it comes to accessibility, an inaccessible website can create legal exposure and actively excludes part of your market. Building for everyone from the start is smarter than patching it later.

The companies that treat compliance as a competitive advantage rather than a formality tend to reap the benefits of a strong setup and improved image.

A checklist of what you need for your website compliance

1. A privacy policy

This is the one document most websites need. If your site collects any kind of personal data (which covers contact forms, Google Analytics, newsletter signups, and more), you should have a privacy policy in place.

Learn more about why you need this document and check out our guide on how to write it.

• Your privacy policy needs to explain what data you collect, why you collect it, who has access to it, how long you keep it, and what rights users have over it.
• Write it in plain language and link it from every page of your site, typically in the footer.

If you use third-party tools that process your users’ data (Google Analytics, Mailchimp, Stripe, a CRM), the GDPR requires a Data Processing Agreement (DPA) in place with each of them. Most major providers already include one in their terms or account settings. You often just need to find it and accept it. The gap is usually smaller or less common tools, so it’s worth doing a quick audit of every service connected to your site. Here’s more on what DPAs are and when you need one.

2. A cookie banner and consent mechanism

Under the GDPR and the EU ePrivacy Directive (commonly known as the “cookie law”), you need to get explicit consent from users before running any non-essential cookies on their devices.

That means analytics, advertising, social widgets, and most third-party tracking tools can’t fire until the user has actively agreed to the use of cookies.

• A cookie banner that meets legal requirements gives users a clear choice to accept or decline, blocks non-essential scripts until consent is given, and lets users change their preferences at any time.
• Pre-ticked boxes or banners that only offer an “accept” option don’t meet the standard.

You also need to keep records of that consent. The burden of proof sits with you as the data controller, meaning that if a regulator or user ever questions whether consent was properly collected, you need to be able to show when it was given, by whom, under which version of your notices, and whether it was later withdrawn.

A consent management platform (CMP) can handle all the above automatically.

3. A cookie policy

A cookie policy covers the specific information users need about your use of cookies: which ones your site uses, what each one does, and how users can manage or remove them.

It can live as a dedicated section within your privacy policy or as a standalone document. Either way, the disclosures are legally required under the GDPR and the EU ePrivacy Directive.

4. Terms and conditions

Terms and conditions aren’t always a legal requirement for informational websites, but they’re strongly recommended for any business. They define the rules for using your site, limit your liability, and set clear expectations for your users.

If you run an e-commerce site, EU consumer protection law requires you to clearly disclose your conditions of sale, accepted payment methods, delivery information, and the 14-day withdrawal (“cooling-off”) right that every EU consumer is entitled to. Missing these disclosures can create real problems if a dispute ever arises.

Even if you’re not selling online, having terms and conditions in place from day one protects you and sets a professional tone.

5. A process for handling user rights requests

The GDPR gives users a set of rights over their personal data: the right to access it, correct it, delete it, and in some cases, export it. As a business, you need to be ready to respond to these requests, typically within 30 days.

This doesn’t need to be complex at launch, but you do need a clear process. Know where your user data lives, who handles these requests, and how users can submit them (usually through your privacy policy or a dedicated contact form).

6. Web accessibility

Since June 2025, the European Accessibility Act (EAA) requires most businesses selling digital products or services in the EU to make their websites accessible to people with disabilities. If your business has at least 10 employees or a turnover of more than €2 million annually, this applies to you.

In practice, accessibility means your site works for users with visual, hearing, motor, or cognitive disabilities. The benchmark is WCAG 2.1 Level AA: things like sufficient color contrast, keyboard navigation, alt text on images, and captions on video content.

You’ll also need to publish an accessibility statement on your site, explaining your current level of accessibility and how users can flag any issues.

A note on scope

This checklist is based on the requirements of the General Data Protection Regulation (GDPR), one of the strictest privacy frameworks in the world. We’ve used it as a baseline because it applies broadly: to any business with users in the EU, regardless of where the business itself is based.

That said, the specific rules that apply to your website depend on factors like who can access it, and what type of business you run. Other regulations or sector-specific rules for e-commerce or children’s services may add further requirements. If you’re unsure which regulations apply to your situation, it’s worth getting specific legal advice before starting.

How to get it done

There’s no single way to handle all of this, and the right approach depends on your stage, budget, and how much legal complexity your business involves. Here’s an overview of your main options.

Building your site with AI?

AI tools can put a functional website together faster than ever. But they can’t handle consent management and present a high risk for generating legal documents. And there’s a specific trap worth knowing about: some AI site builders will generate what looks like a cookie banner, but it’s just a display element. It shows up on screen, but nothing is happening in the background. Scripts still run, consent isn’t collected, and no records are kept. Visually, it looks fine. Legally, it doesn’t exist.

Cookie banners, script blocking, and consent records need a proper infrastructure. If you’ve used an AI site builder, the checklist above still applies in full, and you’ll need to layer the compliance pieces on top separately.

Getting it all set up

Working through each of these separately takes time, especially when you’re also building a product, finding customers, and managing everything else that comes with launching a business.

iubenda gives you the professional tools to handle all of it: a Privacy and Cookie Policy Generator, a Consent Management Platform with consent records, a Terms and Conditions Generator, and a widget for accessibility.

Our legal documents are drafted by lawyers. We’ll notify you when regulations change, so your documents stay current without you having to track every development yourself.

iubenda’s solutions are exactly for this situation: founders who want to do things properly without making compliance a second job.

Get website compliance off your to-do list

The post Launch with confidence: a quick website compliance checklist when starting your business appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But building a website and having a banner display are different from managing consent on that website in a compliant way. AI tools, as capable as they are at the first, don’t do the second.

What consent management actually involves

When people think of consent management, they usually picture a cookie banner. That’s just the visible part. Behind it, there’s a technical system that handles what regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive actually require:

• Script control: blocking analytics, advertising, and social trackers from running until the visitor makes a choice. Under the GDPR and ePrivacy Directive, no tracking cookies can fire before consent is given.
• Consent records: storing each visitor’s choice with a timestamp, so you can prove what was consented to and when. This is what you show during an audit or when a regulator asks.
• Vendor signaling: transmitting consent status to ad platforms through the IAB Transparency & Consent Framework (TCF) and Google Consent Mode, so they know whether they can serve personalized ads, run retargeting, or hold off.
• Jurisdiction adaptation: serving different consent flows based on where the visitor is. A visitor from Germany needs a GDPR-aligned experience. A visitor from California needs CCPA. The banner, the options, and the legal basis change depending on the jurisdiction.
• Preference management: giving visitors a way to revisit and change their choices after the initial interaction, not just a one-time prompt.
• Cookie scanning: identifying which cookies and trackers are active on your site, categorizing them, and keeping that inventory current as you add new tools and services.

AI coding tools don’t generate any of this. They produce a banner component: a UI element that displays a message and maybe stores a simple cookie. The infrastructure behind consent management (script blocking, record keeping, signaling, adaptation) isn’t part of what these tools build.

The technical implementation of all the legal requirements above is complex. That’s why providers called Consent Management Platforms (CMPs) exist and do just that. They specialize in and keep track of privacy rules globally and how to easily apply them on your website, providing you with the full consent setup. Website creation through AI doesn’t do that.

Why this gap matters

This goes beyond a compliance technicality. It affects your legal exposure, your ad performance, and your customers’ trust in your brand.

Compliance risk

If scripts fire before consent, you’re collecting data you aren’t authorized to use. If consent isn’t recorded with timestamps, you can’t demonstrate that your data was collected with permission. That’s a problem for audits.

Regulators don’t distinguish between “no banner” and “a banner that doesn’t block anything”; neither is compliant. If tracking scripts run before consent, that’s a violation.

And the scrutiny is growing.

Forrester reports that they “initially hypothesized for 2026 that consumers would use genAI in low-risk use cases such as translation tools or chatbots. Those who consider themselves knowledgeable about AI are aware of both the risks and the opportunities and mitigate risks by cross-referencing AI outputs, validating sources, and consulting professionals after using AI tools.”

They had predicted that by 2026, 30% of consumers would use generative AI tools for high-risk decisions such as personal finance and healthcare.

For many, building a website with AI feels like a low-risk move. But online privacy requirements don’t change based on how a site was built. The tools that make building faster can create liability in places most teams don’t think to check.

Marketing performance

Then there’s the marketing side. If you run Google Ads or programmatic advertising, your consent setup needs to send signals through TCF and Google Consent Mode. Without those signals in the EU, ad platforms restrict your campaign targeting and measurement.

You also miss out on more accurate data through conversion modeling, which recovers more than 70% of ad-click-to-conversion journeys lost to cookie refusals.

That directly affects ROI, and it’s one of the most common things teams miss when they build with AI tools and assume the banner covers it.

Trust

When visitors see a consent prompt, they assume you’re handling their data responsibly. When that assumption turns out to be wrong, it’s a brand problem that goes beyond compliance. Your reputation and customer retention take a hit if users’ privacy choices aren’t respected.

Cisco’s 2026 Data and Privacy Benchmark Study found that 93% of organizations plan to allocate more resources into privacy and data governance over the next two years. 90% report their privacy programs have expanded as a direct result of AI adoption.

A quick check for AI-built sites

If you’ve built or rebuilt your site recently with AI tools, you can check your consent setup in a few minutes:

1. Are scripts blocked before consent?

Open your site in incognito. Before interacting with any consent prompt, check your browser’s dev tools (Network tab). If analytics or ad scripts are already running, nothing is being blocked.

2. Does rejecting consent change anything?

Click “Reject” or close the prompt. Check again. If the same scripts are still running, the consent flow is cosmetic.

3. Are consent records stored?

After making a choice, check whether a timestamped record exists beyond a simple cookie. A consent management platform stores retrievable records. A UI component doesn’t.

4. Are vendor signals being sent?

If you use Google Ads, check for Consent Mode signals. If you use programmatic advertising, check for TCF strings. Without these, your ad platforms are operating blind.

What AI handles vs. what a CMP handles

AI tools are great at building websites. Consent management platforms are built for managing consent. They’re different categories of tool, and you need both.

What to do about it

If your site was built with AI and your consent setup is just a banner component, you don’t need to start over. You need to add the infrastructure layer.

A CMP integrates with your existing site (typically a few lines of code or a plugin) and handles the infrastructure behind the consent prompt.

iubenda’s Privacy Controls & Cookie Solution is built for this:

• It scans your site for cookies and trackers, blocks scripts until consent is given, adapts by jurisdiction, and stores audit-ready consent records.
• It sends TCF and Google Consent Mode signals to your ad platforms.
• It works with any site, including ones built with AI tools, and you can start for free.

The post AI can build your website. It can’t manage your consent. appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The EU’s Digital Omnibus proposal, published on 19 November 2025, wants to simplify this experience. At the center of the discussion are machine-readable consent signals: a model where users could define their privacy preferences once, at browser or device level, and have them automatically applied across websites.

This marks a potential shift in how consent is expressed and managed. One that could reduce friction, but that also introduces new considerations around interoperability, control, and implementation in practice.

Here’s what digital professionals need to know about how it works, what the proposal says, and what it means for your stack.

What are browser consent signals?

A browser consent signal is a standardized, automated way for a browser or operating system to communicate a user’s privacy preferences to a website.

Think of it as a technical instruction rather than a visual prompt: instead of relying only on banners and clicks, a site could read a previously-expressed preference and act on it automatically.

This concept isn’t entirely new.

Would consent signals under the Digital Omnibus be similar to the Global Privacy Control (GPC)?

Browser signals like Global Privacy Control (GPC) already exist and are recognized under legislations such as the US’s California Consumer Privacy Act (CCPA), where users can express certain privacy choices at the browser level.

However, GPC operates within a different legal framework (primarily opt-out systems) and is typically limited to specific types of processing, such as the sale or sharing of personal data.

Applying a similar approach in the EU raises additional complexity. Under the GDPR, consent must be specific, informed, and tied to particular purposes and controllers. Translating these requirements into a standardized, machine-readable signal that works consistently across websites, vendors, and use cases is significantly more complex than existing opt-out signals.

Article 88b: what the Digital Omnibus proposes

The Digital Omnibus proposal introduces the idea of browser consent signals into the EU regulatory framework through a new Article 88b:

• Article 88b would require data controllers to support automated mechanisms that allow users to give or refuse consent, as well as exercise their right to object. Websites would need to respect these signals once expressed, rather than repeatedly prompting users through individual banner interfaces.

“Data subjects shall be able to provide consent / exercise the right to object through automated and machine-readable means. Standards are foreseen to be drafted by one or more European standardisation organisations.” – Digital Omnibus legal text

• The proposal also places obligations on browser providers (other than SMEs) to enable the technical infrastructure needed for these automated signals.
• The European Commission would mandate standardization bodies to develop the necessary technical standards, and controllers who follow those standards would benefit from a presumption of compliance.
• Users could also express preferences through tools like the EU Digital Identity Wallet.

How would browser signals work on a technical level?

If adopted, browser consent signals would introduce a new layer in how user preferences are communicated and enforced across the digital ecosystem.

While the exact specifications are still to be defined, the overall architecture would likely involve several components working together:

What’s not changing

Consent isn’t going away. The Digital Omnibus doesn’t remove the consent requirement. It changes how preferences get expressed and transmitted.

Here’s what stays the same:

• Consent is still required for advertising, profiling, cross-site tracking, and most third-party analytics.
• The core opt-in model remains intact.
• Users who haven’t configured browser-level preferences will still see and interact with banners as usual.
• CMPs are still needed to trigger banners when no signal is detected, let users manage granular preferences for a particular site, store proof of consent, and enforce scripts based on preferences.

What’s the timeline for Digital Omnibus requirements?

The Digital Omnibus was published by the European Commission on 19 November 2025. It is a proposal, not law, and the text may change substantially during negotiations between the European Parliament and the Council.

Your current obligations under the GDPR and ePrivacy Directive remain fully in force, and no action is required until the text is finalized and adopted.

If adopted as proposed, the phased rollout would look like this:

What this means for iubenda users

At iubenda, we support the direction of simplifying consent experiences and reducing consent fatigue, without compromising user control. These are principles we’ve been building toward from the start.

At the same time, the shift toward browser signals introduces new layers of complexity. For this model to work in practice, user preferences from different sources need to be interpreted, reconciled, and enforced consistently.

This is where consent infrastructure matters. Our products are designed to handle multiple types of consent signals, enforce preferences across vendors and technologies, and adapt as standards evolve.

Disclaimer: This post discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of March 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.

The post Browser signals and machine-readable consent: what they are and what the EU’s Digital Omnibus could change appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The California Consumer Privacy Act (CCPA) is a privacy law that gives California residents more control over how businesses collect and use their personal information. Today, the CCPA law is one of the most important privacy frameworks in the United States.

At its core, the law is about transparency and choice, and gives people the right to ask businesses:

• What personal data they collect
• Why they collect it
• Who they share it with
• Whether it can be deleted

The law was signed in 2018 and came into effect in 2020. It applies to many businesses that collect data from people in California, even if those businesses are based somewhere else.

It was one of the first major privacy laws of its kind in the United States, often referred to as the California CCPA, and helped change how businesses think about consumer data.

In 2020, California voters approved an update to the law, the California Privacy Rights Act (CPRA). This strengthened the original law and introduced additional privacy protections.

Together, the CCPA and CPRA now form California’s main privacy framework. You might also see this referred to more broadly as the California Privacy Act.

In this in-depth guide, we’ll walk through what these laws cover, who they apply to, and what they mean in practice. For a shorter overview, take a look at our CCPA explainer post.

How the CPRA expanded the CCPA

The California Privacy Rights Act builds on the original California Consumer Privacy Act and strengthens it in a few crucial ways.

It introduced new consumer rights, added stronger protections for sensitive personal information, and created a dedicated privacy regulator.

Because of these changes, many businesses now refer to the framework as CCPA/CPRA. Here’s a quick look at how the two compare.

Key differences between CCPA and CPRA

Note: the CPRA did not replace the original law. It expanded it and added more protections for consumers. For a detailed breakdown of how the two laws differ in practice, this guide to CCPA vs CPRA is a good place to start.

What counts as personal information under the California Consumer Privacy Act?

Under the California Consumer Privacy Act, personal information includes any data that identifies, relates to, or could reasonably be linked to a person or household.

Examples include:

The CPRA also introduced a new category called sensitive personal information. Consumers have additional rights when it comes to this type of data, including:

• Social security numbers
• Financial account details
• Precise location data
• Health information
• Racial or ethnic origin

Note: If it can’t reasonably be linked back to an individual, it’s generally not considered personal information.

Consumer rights under the California Consumer Privacy Act and CPRA

The CCPA gives California residents several rights over their personal data.

These rights are designed to give people more visibility and more control over how their information is used.

Right to know

Consumers can ask what personal information a business has collected about them, how it is used, and who it is shared with.

Right to delete

Consumers can ask businesses to delete personal information collected about them, although some exceptions apply.

Right to opt out of data sales or sharing

Consumers can tell a business to stop selling or sharing their personal information with third parties.

Right to correct inaccurate information

The CPRA introduced the right to request corrections if a business holds inaccurate personal data.

Right to limit the use of sensitive personal information

Consumers can also limit how businesses use sensitive personal information.

Right to non-discrimination

Businesses cannot penalize consumers for exercising their privacy rights.

How consumers exercise these rights

Consumers usually exercise these rights by submitting a request directly to the business.

Businesses typically provide ways to do this through:

• Online request forms
• Support email addresses
• Toll-free phone numbers

They also need to verify who is making the request and respond within the timeframes set by law.

Does the CCPA apply to your business?

The CCPA applies ot your business if it operates in California and meets at least one of the following conditions:

• Earns more than 25 million dollars in annual revenue
• Processes personal data from 100,000 or more California residents or households per year
• Generates 50% or more of its revenue from selling personal data

Even if a company is based outside the state, it may still need to comply if it collects personal data from California residents.

The California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) was created by the CPRA to oversee and enforce the state’s privacy laws.

The agency can:

• Investigate privacy violations
• Issue regulations and guidance
• Conduct audits
• Enforce penalties

In practice, that means privacy enforcement in California now has a dedicated regulator.

CCPA compliance checklist for businesses

If your business falls under the CCPA, compliance usually involves a few practical steps. If you want a more detailed walkthrough, this CCPA compliance guide breaks the process down step by step.

Map the personal data you collect

Start by identifying what personal information your business collects, where it comes from, and how it is used.

Update your privacy policy

Your privacy policy should clearly explain what data you collect, why you collect it, and how consumers can exercise their rights. If you’re updating your notice for Californian users, this guide to creating a CCPA privacy policy can help.

Provide consumer request mechanisms

Consumers need a clear way to submit requests to access, delete, or opt out of data sharing.

Review vendor relationships

If third parties process personal data on your behalf, your contracts should reflect the relevant privacy obligations.

Train employees

Teams that handle customer data or respond to privacy requests should understand the law and know how to respond.

Monitor compliance regularly

Privacy rules change often, so it is worth reviewing your setup regularly.

Frequently asked questions about penalties and enforcement

Who enforces the CCPA and CPRA?

The CCPA and CPRA can be enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA).

The Attorney General handled enforcement when the CCPA first came into effect.

The CPRA later introduced the CPPA, which now plays a central role in enforcing California privacy law and investigating potential violations.

What happens if a business does not comply?

If a business fails to meet its obligations under the law, it can face regulatory action, financial penalties, and, in some cases, legal claims from consumers.

Civil penalties can reach:

• $2,500 per violation
• $7,500 per intentional violation

That can add up quickly, especially when large volumes of user data are involved.

Can consumers sue businesses under the CCPA?

In some cases, yes.

The CCPA includes a private right of action for certain data breaches. This means consumers may be able to take legal action if their personal information is exposed because a business failed to implement reasonable security measures.

Has the law already been enforced in practice?

Yes. California regulators have already taken action against businesses that failed to meet privacy requirements.

Enforcement has focused on issues such as:

• Missing or incomplete privacy disclosures
• Failure to provide clear opt-out options
• Poor handling of consumer rights requests
• Non-compliant cookie and tracking practices

What are the real risks beyond fines?

For many businesses, the bigger risk is losing trust.

If customers feel their personal data is being collected without transparency or handled carelessly, that can affect brand reputation, customer loyalty, conversion rates, and long-term growth.

Employee and B2B data: special considerations

Privacy compliance doesn’t stop with customers and website visitors.

The CCPA and CPRA can also affect how businesses handle data related to employees, job applicants, contractors, and business contacts.

Does CCPA/CPRA apply to employee data?

In many cases, yes.

When the CCPA first took effect, some employee and HR-related data were temporarily exempt from certain parts of the law. Over time, that has changed.

Under the CPRA, many of those exemptions have expired, meaning employee-related personal data is now more clearly within scope.

This can include information collected during:

• Hiring and recruitment
• Onboarding
• Payroll and HR processes
• Performance management
• Internal communications

If your business collects personal information from employees or job applicants in California, that data may now fall under the same broader privacy framework.

What about B2B data?

Business-to-business data was also treated differently under the original CCPA for a period of time, but those exemptions didn’t last forever.

Today, many businesses need to think more carefully about how they collect and manage data from suppliers, partners, contractors, business contacts, leads, and sales prospects.

If your business handles contact details or personal information in a professional context, that doesn’t automatically place it outside the law.

What does this mean for HR and internal teams?

It means privacy compliance needs to go beyond the marketing team or website setup. HR and people operations teams should consider what employee data is being collected, where it is stored, who has access to it, how long it is kept, and how employees can exercise their rights where applicable

This is especially important for businesses using multiple internal tools or third-party HR systems.

CCPA/CPRA vs GDPR: how California compares to Europe

If your business operates internationally, there’s a good chance you’ve also come across the General Data Protection Regulation (GDPR), but where and how do the CCPA and GDPR differ?

The GDPR is the European Union’s main privacy law, and while it shares some goals with the CCPA and CPRA, the two frameworks are not the same.

Both are designed to give people more control over their personal data, but they take different approaches to rights, consent, and business obligations.

CCPA/CPRA vs GDPR

Which law is stricter?

In general, the GDPR is broader and more demanding when it comes to legal basis, consent, and documentation.

The CCPA and CPRA, on the other hand, focus more heavily on transparency, user rights, and control over the sale or sharing of personal data.

While the GDPR is often seen as stricter overall, California’s privacy framework still imposes significant obligations on businesses.

What does this mean for international businesses?

If your business serves users in both California and Europe, you may need to comply with both frameworks.

That usually means putting processes in place to support clear privacy notices, valid consent where needed, rights request handling, vendor oversight, and ongoing legal updates

For many businesses, the challenge is in building a privacy setup that works across different rules without becoming difficult to manage internally. This is where having the right digital tools in place can make a real difference.

This is where iubenda can help. Instead of managing privacy requirements manually across different tools, businesses use iubenda to generate and maintain privacy documents, manage consent, and support user rights requests in one place.

Final thoughts on the CCPA and CPRA

The California Consumer Privacy Act and the California Privacy Rights Act have raised the bar for how businesses handle personal data.

For businesses, the takeaway is clear: privacy can no longer be treated as a one-off legal task. It needs to be built into how data is collected, managed, and communicated over time.

The good news is that compliance becomes much more manageable once the basics are in place, from clear privacy disclosures to simple processes for handling user rights and keeping documents up to date. iubenda can help by bringing those moving parts together in one place, automated and with room to grow. Create a new project to get a free website compliance report.

Privacy laws will continue to evolve, but the underlying expectation is unlikely to change: businesses should be transparent, responsible, and clear about how they use personal data.

The post Understanding the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is my cookie banner opt-in rate, and why does it matter?

Your opt-in rate is the percentage of visitors who consent to cookies when they land on your site. It’s the share of people who click “Accept.”

Why does it matter? Because without consent, most of your analytics, advertising, and personalization tools don’t fire. This negatively impacts your retargeting, attribution, and conversion tracking data.

A low opt-in rate means a less complete picture of your users and less effective campaigns. Getting more people to say yes, genuinely and legally, is worth the effort.

Here are five mistakes that may be keeping your rate low.

1. Your cookie banner loads too slowly

A banner that appears after the rest of your page has loaded, or causes content to jump as it slides in, creates a poor first impression. Some visitors may leave before they even see it.

A slow or disruptive banner signals low quality before the user has read a single word. It also makes the consent interaction feel like an afterthought rather than something you take seriously. That perception matters.

Fix it: Make sure your banner loads quickly and doesn’t shift the page as it appears. Choose an overlay banner that sits on top of your content rather than pushing it down. Test on mobile too, where performance issues tend to be more noticeable. Use a trusted CMP provider that performs well in terms of speed.

2. You’re making it too hard to choose

Consent is only valid when it’s freely given. That means accepting and rejecting cookies needs to feel equally straightforward. The most obvious form of friction is visual: a bold “Accept” button paired with a barely visible “Reject” link.

Friction shows up in other ways, too:

• Too many steps to manage preferences.
• A preference center that buries options behind layers of clicks.
• Category names that are vague or confusing.
• A layout that guides users toward one outcome while making the other feel deliberately difficult.

The CNIL has issued formal compliance notices to websites where rejecting cookies was harder than accepting. noyb found that 81% of the 500+ banners it examined had no visible reject option on the first layer.

Beyond the legal risk, a frustrating experience damages trust.

Fix it: Give “Accept” and “Reject” equal visual weight on the first layer. Keep your preference center simple and easy to navigate for anyone who wants to customize. If a user can manage their choices quickly and confidently, you’ve done it right.

3. You’re not explaining why

“We use cookies. Accept or decline.” gives visitors no reason to say yes.

People are more likely to consent when they understand what their data is used for and feel it’s a fair exchange. A single plain-language sentence changes the dynamic entirely. “We use analytics to understand how visitors use this site” is clearer and more trustworthy than a generic legal blurb.

Fix it: Add one short sentence to your banner explaining what consenting to analytics or marketing cookies actually means for the user. Don’t use legal jargon.

4. You’re not using your CMP’s built-in features

Most CMPs come with tools designed specifically to improve consent rates. Two worth using right away:

• Rejection recovery re-engages users who declined. Instead of losing them entirely, it displays a notice where blocked content would appear and invites them to revisit their preferences. It’s not manipulative: it shows users what they’re missing and gives them a genuine second chance to choose.
• A/B testing lets you compare banner designs, button labels, and copy to see what earns more genuine opt-ins. Small changes can make a meaningful difference over time.

Fix it: Open your CMP dashboard and explore what’s available. iubenda’s Privacy Controls & Cookie Solution includes rejection recovery. iubenda by consentmanager has a great A/B testing feature.

5. Your banner doesn’t look right on your site

A generic banner can undermine trust before a user reads a single word. If it doesn’t match your brand, it feels like a third-party interruption rather than a natural part of the experience. That affects whether people engage with it at all.

Design and placement both play a role here. On the design side, use your brand colors, fonts, and visual style, and add your logo if your CMP supports it. A banner that looks like it belongs builds confidence and signals care. For placement, bottom-right performs particularly well on desktop: it sits within the natural reading flow without blocking content.

Fix it: Customize your banner to match your brand. Test different positions, starting with bottom-right on desktop. Track changes in your consent rate through your CMP analytics and adjust from there.

A note on doing this right

Higher cookie banner opt-in rates only count if they reflect genuine consent. Under the General Data Protection Regulation (GDPR), nudging users into clicking “Accept” through deceptive design (also called dark patterns) doesn’t create valid consent and exposes you to legal risk.

These fixes aren’t tricks. They’re improvements to speed, transparency, clarity, and user experience. When your banner works well, users understand what they’re agreeing to. The ones who say yes mean it. That’s better data, more effective marketing, and valid consent.

The post How to increase your cookie banner opt-in rates: 5 mistakes to fix today appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Italy – AgID Publishes Accessibility Guidelines Under the European Accessibility Act
Italy’s Agency for Digital Italy adopted new guidelines to help businesses meet accessibility requirements for digital services (Italian, PDF) under the EAA. Read the AgID news article (Italian).

European Union – Parliament Advances AI Omnibus Under Digital Omnibus Package
MEPs reached a preliminary agreement on AI Act amendments, extending high-risk compliance deadlines to 2027–2028, introducing a ban on non-consensual deepfakes, and strengthening AI Office oversight powers.

United Kingdom – ICO and Ofcom Push Platforms for Stronger Age Checks
The ICO and Ofcom called on major platforms to improve age verification, warning that children under minimum-age thresholds cannot be lawfully processed as regular users. Read the ICO press release.

2) Notable Case Law

France – Court Upholds Criteo’s €40 Million GDPR Fine
France’s highest administrative court confirmed CNIL’s fine against Criteo over consent, transparency, and erasure violations affecting millions of users. Read the Conseil d’État’s decision.

Italy – Garante Fines Intesa Sanpaolo €17.6 Million Over Unlawful Profiling
Italy’s privacy authority fined the bank for profiling 2.4 million customers during a restructuring and shifting them to a digital subsidiary without a valid legal basis. Read the Garante press release (Italian).​​​

Spain – AEPD Fines Yoti €950,000 Over Biometric Age Verification
Spain’s data protection authority sanctioned Yoti for unlawful biometric processing, invalid consent collection, and excessive retention of personal data. Read the AEPD Resolution (Spanish, PDF)

3) New and Upcoming Legislation

United States – California’s CalPrivacy Opens Consultation on Privacy Rights and Opt-Out Signals
California’s privacy agency launched consultations on reducing friction in privacy rights requests and improving opt-out preference signals, with comments open until 6 April 2026. Read the CalPrivacy notice on reducing friction.

4) Strong Impact Tech

United States – Anthropic Sues Pentagon Over AI Military Use Restrictions
Anthropic challenged a Pentagon designation that followed its refusal to allow certain military uses of Claude, including mass surveillance and autonomous weapons without human oversight. Read the Anthropic’s civil compliant here (PDF)

European Union – X Submits Blue Check Compliance Plan After DSA Fine
X submitted proposed changes to its verification system following the European Commission’s enforcement action under the DSA.

Other key information from the past weeks

European Union – EDPB Publishes First Data Brokers Market Study
The EDPB mapped over 40 data broker actors, highlighting re-identification risks and offering a framework for regulators to better assess third-party data ecosystems. Read more here.

United States – OpenAI Tests Ads in ChatGPT, Raising Privacy Concerns
OpenAI began testing ads in ChatGPT, potentially personalised based on user interactions, prompting concerns about influence in highly sensitive contexts. Read more here.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #153) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

That’s why the evolution of privacy regulations, or rules governing the protection of personal data, has reshaped how marketing teams operate.

According to IAB’s State of Data 2024 report, 82% of organizations say the makeup and structure of their teams have been impacted by legislation and changing data rules.

The default response is typically to focus more resources on legal teams or consultants. In this article, find out why consent management should matter more to marketers and how it can help boost their marketing performance.

Is your compliance tech stack holding your marketing team back?

That’s a problem worth examining.

The tools you use for consent management, generating privacy policies, and monitoring your setup don’t just affect your legal exposure but also your opt-in rates, analytics accuracy, brand trust, and your ability to run campaigns with reliable data. Those are marketing outcomes. And they deserve a marketing approach to what is seen as “compliance tools”.

Most marketing teams didn’t deliberately build their compliance stack. They assembled it piece by piece in response to regulation:
– an outdated privacy policy, drafted by a legal professional once or through an online template,
– a cookie banner and cookie policy when the ePrivacy came into force,
– legal text that hasn’t been updated or optimized with your processes in mind.

This is the patchwork stack, and it creates friction at every turn.

The hidden cost of a fragmented compliance setup

Think about consent rate as a marketing metric, because that’s what it is. Every percentage point of missed opt-in is a user you lose insight into.

On top of that, if you don’t properly comply with industry best practices such as the IAB’s Transparency and Consent Framework, your ability to attribute campaign performance or track conversions is affected. A poorly configured or underperforming consent banner makes that worse, and it’s a problem that sits squarely in the marketing team’s lap.

Lastly, the privacy landscape continues to evolve. With a fragmented stack, each change triggers a manual chain: understand the regulation, assess the impact across tools, update each separately, and verify consistency across environments. That’s time your team isn’t spending on core marketing activities.

Manual coordination between tools means:

• slower response when something changes,
• duplicated work: your marketing team builds a consent flow, your legal team checks it against the policy doc, your development team deploys it, and then the cycle repeats every time a regulation shifts or a new market comes into scope.

Invest in all-in-one compliance tools for your marketing growth

IAB’s research states that one of its four key focus areas for adapting to a privacy-aware ecosystem is to optimize your company technology stack for efficiency by identifying overlapping functionality and evaluating whether tools can be consolidated and simplified.

Meanwhile, Think with Google research on privacy-forward marketing makes the commercial stakes clear: people are willing to share their data when they can see the value and trust the company. Your ability to deliver that experience depends on the tools for managing consent and transparency.

Tanneasha Gordon, Data & Digital Trust Leader at Deloitte, declares for Think with Google:

“Today’s digital privacy landscape offers a tapestry of opportunities and technologies to those willing to adapt […]. Marketing leaders should consider empowering their teams to invest in privacy-first solutions and experiment with technologies […]. Find the right partners, establish processes, and innovate with privacy-preserving technology.“

Reduced complexity as a competitive edge

One connected platform means one configuration, one dashboard, one update when laws change. Your marketing and legal teams share the same source of truth, cutting the back-and-forth that delays launches.

Fewer tools mean fewer failure points and no risk of a touchpoint being out of sync with another.

Reallocate resources into your compliance infrastructure

When privacy is managed in one place, every hour recovered is an hour your team can spend building core marketing activities.

Andreea Mandeal, our Chief Marketing Officer at iubenda, has seen this play out firsthand:

“Speed comes from handling compliance early. Teams that ‘stay agile and fix it later’ almost always end up slowing themselves down with rework, blocked launches, or emergency legal reviews, and that’s coming from experience. When consent, privacy, and compliance are built in from day one, product, marketing, and growth teams can move faster with confidence. You test more, ship more, and scale without hitting invisible walls. Getting it right upfront saves time, money, and rework later.”

The companies adapting fastest are investing in training, not just tools. According to IAB, 63% of organizations are now training staff on first-party data collection, and 54% on privacy compliance and privacy-preserving technology.

Marketing teams that build this literacy internally move faster. Knowing how consent works, which data you can use, and how regulations affect your measurement setup reduces the dependency on legal review cycles. You also get to understand what you can test or improve to get a better consent rate, for instance.

Use compliance tools that offer performance-related features

Regulation isn’t settling down. A platform that handles it well also comes with marketing features most teams overlook. Your banner is a legal obligation, but also a conversion surface.

Compliance tech comes with features that directly impact your performance, for example:

• Consent rate analytics: Track opt-in rates by page, geography, and device. Understand where you’re losing users before they even engage with your content.
• Banner A/B testing: Test copy, layout, and timing to improve opt-in rates. A better-performing banner means a larger measurable audience.
• Geo-targeted consent flows: Serve different banner experiences and languages by region based on local regulations, without rebuilding your setup each time.
• Regulatory updates without the sprint: When laws change, the platform updates. Your team moves on.

Trusted solutions built for the long term

Not all privacy tools are built the same way. When evaluating options, look for signals that a platform is complete and designed for durability, not just current requirements. The platform should:

• stay ahead of where the market is going, not just where it is today. E.g., a provider with IAB’s Transparency and Consent Framework (TCF) is on top of requirements for advertising in Europe and building to stay there,
• cover what marketing teams need to manage in one place, like consent and preferences management or records, related analytics, legal document management like privacy policies or terms. These tools work together, which means updates are consistent and your team manages everything from one dashboard.

For marketing teams that want to move fast, improve opt-ins, and measure in a reliable and privacy-friendly way, the right compliance infrastructure is the foundation.

Consent management is a marketing performance question because the compliance tools that manage data practices and user consent to marketing activities like content personalization or tracking play a key role in your opt-in rate, ad serving, brand trust, or first-party data strategy. These aren’t only compliance outputs but marketing metrics.

See how iubenda’s connected set of digital compliance solutions helps your marketing team move faster as you scale

The post Why your consent management setup is a marketing performance question appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

GDPR stands for General Data Protection Regulation, a European Union law that regulates how organizations collect, use, and protect personal data. It applies to many businesses worldwide and requires transparency, security, and accountability when handling personal information.

If your website or app collects personal data, you’ve probably heard of the GDPR.

The General Data Protection Regulation is one of the most important privacy laws in the world.

It sets the rules for how organizations collect, use, and protect personal data. It came into force in May 2018 and applies to many companies both inside and outside the European Union.

If you offer services to people in Europe, track website visitors, or collect personal information such as email addresses or IP addresses, the GDPR may apply to you.

In this guide, we explain what the GDPR is, why it was introduced, and who it applies to. We also cover the key principles, legal requirements, user rights, and practical steps organizations can take to stay compliant.

An overview of GDPR

GDPR stands for General Data Protection Regulation.

It’s a European Union law that regulates how organizations handle personal data. The regulation sets clear expectations for how companies collect, process, store, and protect information about individuals.

The goal is simple: people should understand how their data is used and have control over it.

For organizations, this means being transparent about data practices, collecting only the information that is necessary, and protecting it properly.

What is the purpose of GDPR?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives:

• Protect personal data from misuse or unauthorized access
• Give individuals greater control over their personal information
• Require organizations to be transparent about how they use data
• Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Who does GDPR apply to?

Many organizations assume that GDPR applies only to companies based in Europe. In reality, the scope is broader. GDPR applies in the following situations:

For example, a company in the United States that sells products to EU customers or tracks EU website visitors may still need to comply with GDPR.

What counts as personal data?

Under the GDPR, personal data is any information that can identify a person, either on its own or when combined with other data. That includes obvious identifiers such as names, email addresses, and phone numbers, as well as less-obvious identifiers such as IP addresses, location data, or device IDs. In simple terms, if a piece of information could reasonably be used to figure out who someone is, it likely counts as personal data under the GDPR.

The seven principles of GDPR

The regulation is built around seven core principles that guide how organizations handle personal data.

Lawfulness, fairness, and transparency

Personal data must be processed legally, and users must understand how it is used.

Purpose limitation

Data must be collected for specific and legitimate purposes.

Data minimization

Organizations should collect only the data that is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Data should not be kept longer than necessary.

Integrity and confidentiality

Personal data must be protected against unauthorized access or loss.

Accountability

Organizations must be able to demonstrate compliance with these principles.

These principles form the foundation of GDPR compliance.

Legal bases for processing personal data

GDPR requires organizations to have a valid legal reason for processing personal data.

The regulation defines six possible legal bases.

• Consent from the user
• Performance of a contract
• Compliance with a legal obligation
• Protection of vital interests
• Public interest or official authority
• Legitimate interests of the organization

Consent is commonly used for marketing activities and cookie tracking, but it is not always required if another legal basis applies.

Key GDPR requirements for businesses

Organizations must implement several practical measures to meet GDPR obligations. These measures help organizations demonstrate accountability.

User rights under GDPR

One of the central goals of GDPR is to give individuals greater control over their personal data.

The regulation grants several rights to users.

• Right to be informed about how their data is used
• Right of access to the personal data that an organization holds about them
• Right to rectification of inaccurate data
• Right to erasure, also known as the right to be forgotten
• Right to restrict processing in certain situations
• Right to data portability between services
• Right to object to certain types of data processing
• Rights related to automated decision-making and profiling

Organizations must provide ways for individuals to exercise these rights.

Cross-border data transfers

GDPR also regulates the transfer of personal data outside the European Economic Area.

Data transfers are allowed only when certain safeguards are in place.

Examples:

• Countries recognized as providing adequate data protection
• Standard Contractual Clauses
• Binding Corporate Rules

These mechanisms ensure that personal data remains protected even when transferred internationally.

GDPR compliance strategies

Staying compliant with the GDPR isn’t bout ticking a single box. It requires clear processes for how your organization collects, uses, and protects personal data. While every business is different, most GDPR compliance strategies start with a few fundamental steps.

Organizations should focus on:

• Understanding what data you collect. Map the personal data your business collects, where it comes from, and how it is used.
• Identifying a legal basis for processing. Make sure every data processing activity has a valid legal basis under the GDPR, such as consent, contract, or legitimate interest.
• Being transparent with users. Clearly explain your data practices in an accessible privacy policy and provide users with meaningful information about how their data is handled.
• Managing consent properly. When consent is required, collect it in a clear and verifiable way and keep records of it.
• Respecting user rights. Put processes in place to respond to requests such as access, deletion, correction, or data portability.
• Protecting personal data. Implement appropriate technical and organizational security measures to safeguard the data you process.
• Keeping internal documentation. Maintain records of processing activities and review them regularly to ensure they stay accurate as your business evolves.

Together, these steps create a solid foundation for maintaining GDPR compliance as your organization grows.

A practical GDPR compliance framework

For many organizations, GDPR compliance becomes easier when it is approached through a structured framework. Instead of treating privacy as a one-time task, businesses should build processes that guide how personal data is collected, documented, and protected across the organization.

A practical GDPR framework typically includes the following steps:

• Understand what personal data you collect. Identify the types of personal data your organization collects, where it comes from, and how it is used.
• Define a legal basis for processing. Ensure each processing activity has a valid legal basis under the GDPR, such as consent, contractual necessity, or legitimate interest.
• Provide clear privacy information. Make your data practices transparent through accessible privacy policies and clear disclosures to users.
• Manage consent where required. Collect and store consent in a way that is verifiable, easy to withdraw, and properly documented.
• Keep records of processing activities. Maintain internal documentation that describes what data you process, why it is processed, and who it is shared with.
• Protect personal data. Implement appropriate technical and organizational measures to safeguard personal data.
• Review and update regularly. As your services, tools, and partners change, review your compliance setup to ensure it remains accurate and up to date.

Together, these steps help organizations build a practical and sustainable foundation for GDPR compliance.

GDPR fines and consequences of non-compliance

GDPR introduced significant penalties for organizations that fail to comply with the regulation.

In addition to financial penalties, authorities may issue warnings, conduct audits, or restrict certain data processing activities.

GDPR compliance checklist

Here’s a simplified checklist organizations can use as a starting point.

• Publish a clear and accessible privacy policy
• Identify the legal basis for all data processing activities
• Obtain consent when required
• Implement a compliant cookie banner if cookies are used
• Maintain records of consent and data processing
• Enable users to exercise their data rights
• Protect personal data with appropriate security measures
• Regularly review and update compliance practices

Why was the GDPR introduced?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives.

• Protect personal data from misuse or unauthorized access
• Give individuals greater control over their personal information
• Require organizations to be transparent about how they use data
• Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Frequently asked questions about GDPR

Does GDPR apply to businesses outside the EU?

Yes. GDPR can apply to organizations outside the EU if they offer goods or services to people in the EU or monitor their behavior, such as through website tracking or analytics.

Do small businesses need to comply with GDPR?

Yes. Business size does not automatically exempt you from GDPR. If you process personal data from people in the EU, the regulation may apply regardless of company size.

Do I need a Data Protection Officer (DPO)?

Only some organizations must appoint a DPO. This usually applies to public authorities or companies that process large amounts of sensitive data or monitor individuals at scale.

How long can personal data be stored under GDPR?

Personal data should only be kept for as long as it is necessary for the purpose it was collected. Organizations must define retention periods and delete or anonymize data when it is no longer needed.

Start simplifying GDPR compliance today

Aligning with GDPR compliance involves many moving parts. Understanding what data you collect, being transparent with users, managing consent, and keeping proper records all take time and attention. The good news is you don’t have to handle everything manually.

iubenda helps you simplify the process, from generating privacy and cookie policies to managing consent and documenting your data processing activities in one place. Start simplifying your GDPR compliance today, and spend less time worrying about regulations and more time building your business. Create a new project to get a free website compliance audit and recommendations for how to build your compliance setup.

Useful links

• Smart compliance for UK GDPR
• GDPR compliance for e-commerce (what online shops need to know)

The post Everything you need to know about GDPR appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This update is about making consent easier for visitors to give and for you to manage. Website owners, developers, agencies, and compliance teams all interact with consent in different ways, and this refresh aligns the public-facing banner and the admin-facing configurator.

The result is a clearer experience for visitors and a smoother setup behind the scenes.

If you’re already using iubenda, everything you rely on is still there. The change is in how it looks, how it feels, and how easy it is to configure.

A clearer banner for visitors

The new banner layout is cleaner, more structured, and easier to navigate.

It’s organized into three clear sections (header, body, and footer), with tabs that separate the notice from consent preferences. This helps make consent easier to understand and use, especially on mobile.

Purpose categories are shown with clear, pill-style indicators for Marketing, Functionality, Measurement, and Experience. Branding has also been refined, with logo colors that automatically adapt to your chosen theme.

Accessibility was a core focus. The new banner is designed to meet AAA contrast standards and improves touch targets and scrolling behavior, making it easier to interact across devices.

A configurator that’s easier to work with

The configurator has been redesigned to match the new banner, both visually and functionally.

As you customize settings, a live preview updates in real time. Color options are streamlined, settings are easier to navigate, and visual feedback is clearer as you make changes.

Each editable section also includes accessibility feedback to help you understand how design choices affect readability and contrast as you configure the banner.

Color customization is simpler now, too. Choose a primary color, and the banner automatically generates a balanced color scheme. All existing positioning and sizing options remain available.

A note on banner branding

For new websites created with the updated Privacy Controls & Cookie Solution, iubenda branding is visible by default and can be disabled from the Essential plan and above.

What hasn’t changed

All existing functionality remains intact. Integrations like TCF and Google Consent Mode continue to work as before. Pricing and plan features stay the same. Existing configurations are preserved.

What to expect 

New users started seeing the redesigned banner and configurator in December. Since then, we’ve been gradually expanding availability.

Selected users can switch existing websites to the new design via a manual toggle in the configurator, with gradual rollout to all users. Before any automatic migrations begin, we’ll first collect feedback from new users using the updated Cookie Solution to ensure everything runs smoothly. Automatic migrations will then roll out throughout 2026, starting with free websites in multiple phases.

All users will be notified well in advance via email before any changes take place, giving them ample time to review the update and prepare accordingly.

This phased approach helps us roll out improvements safely, without disrupting live sites. This update reflects how we think about consent: clear, accessible, and practical for real teams managing real websites. We’re excited for you to explore what’s new.

The post The redesigned cookie banner and configurator appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a recent episode of Growth Sessions by iubenda, CEO Manuel Heilmann and founder Andrea Giannangelo sit down to discuss the things most startup conversations skip: the emotional complexity of letting go, the structural moves that make scale possible, or the decisions that determine whether a company survives its own success.

Make the strategic move before you need to

The decision to join team.blue in 2022 was not made under pressure. When it joined the digital solutions group, iubenda was profitable, growing, and ranked among the top three in its market despite being bootstrapped in a space where competitors had raised tens of millions.

Andrea made the move because the timing was right, not because it was necessary.

The window for a strategic move (whether that’s raising funding, joining a group, or bringing in a successor) is open for a limited period. Founders who wait for certainty tend to wait too long, and by the time a move feels truly necessary, they’re negotiating from weakness. Those who miss that window often end up in a fire sale and pay the price.

On the operational side, team.blue took on activities like IT infrastructure that had a smaller impact on growth, so iubenda could focus on what mattered more and move faster than independent competitors.

The decoupling process: when founders must let go

The handover from founder to successor is rarely the clean event it looks like on a slide. Andrea describes it as a “decoupling process,” similar to a family member leaving home. He emphasizes the importance of knowing when to step back and appreciating that this change is for the best.

“If you’re constantly questioning and sabotaging… the company is going to continue to depend on you… and it just doesn’t go in a way that you should want.” Andrea Giannangelo, iubenda’s founder

During this transition, the founder can add real value, such as:

• Historical context. The reasoning behind past decisions that might otherwise look arbitrary to anyone stepping in fresh.
• Vision under uncertainty. “The art is making a decision where you don’t have all of the data,” Andrea says. “That’s the art of making business. It’s in that span of uncertainty.” This is a capability that comes from years of lived experience, and it’s difficult to replicate from metrics alone.

From intuition to structure

A founder begins with almost no data and relies on instinct built up over the years. This can make the handover genuinely difficult, because instinct doesn’t transfer.

Manuel’s response was to build structures that allow data to replace what intuition once provided. The two most significant changes:

• Business units with clear ownership. Rather than decisions flowing through one central point, each unit had defined leadership and decision rights, making gaps and strengths visible across the organization.
• Product and engineering under one roof. Bringing these teams together improved execution speed and alignment not just between them, but with the broader go-to-market function.

Manuel is candid that this is still a work in progress. “You come in, and you expect people to make decisions,” he says. “Please make decisions. And then you look around and nobody’s making decisions and you say, what’s wrong?” Decision-making processes and getting people to step into that authority were among the first things he tackled when it came to scaling iubenda.

Preserving the soul of a remote-first company

Andrea describes iubenda’s culture across a fully remote team of 150 people not as a set of policies but as something closer to a living organism.

What makes iubenda unusual is that colleagues who have never met in person tend to feel genuine friendship and chemistry when they finally do. This didn’t happen by design, but it wasn’t accidental either. It emerged from thousands of small decisions, most of them about people.

The culture at iubenda became self-replicating, and it’s one of the most durable things a founder can build.

“A new CEO should not come in and just change the culture… it’s about preserving all the good aspects and developing it to the next level.” Manuel Heilmann, CEO of iubenda

Three things every founder should hear

Before the conversation ends, both Andrea and Manuel keep returning to the same practical themes:

• Invest in HR early. Andrea hired a head of HR earlier than almost any founder he knows. Most treat it as a discretionary cost. He treated it as one of the highest-return investments available, because better hiring and stronger culture compound in ways that are invisible at first and irreversible later.
• Protect your thinking time. The deeper you get into operational detail, the harder it becomes to see clearly. “Fight back on being too busy,” Andrea says simply. Strategic judgment requires space.
• Cut process before it cuts you. “If you feel that things are just becoming a process for the sake of having a process, get rid of it,” Manuel says. One of his most deliberate moves was slashing the number of meetings after recognizing they had become a symptom of bureaucracy, not a driver of alignment.

In short

Every major decision made, including joining team.blue and bringing in a successor, came down to one priority: building something that lasts.
Mutual respect is what made the iubenda transition work. Manuel (CEO) could rely on Andrea (founder)’s fifteen years of experience building iubenda. Andrea left space for Manuel to quickly bring a fresh perspective to the organization.

PODCAST AND VIDEO SHOT AT STELLA33

Stella33 reimagines and manages workspaces designed around people and performance. They transform office buildings into curated, activity-based work ecosystems, where design, hospitality and integrated services enhance business performance. Their offering includes serviced offices, coworking desks, meeting rooms, as well as a dedicated media and podcast studio.

The post What nobody tells you about handing over the company you built appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The report also tells us that, in response, European marketers have made customer retention their primary focus, above new customer acquisition.

Retaining an existing customer costs less than acquiring a new one, and in a period of constrained budgets, doubling down on loyalty makes economic sense.

As displayed on the chart below, 43% of marketers in Europe said customer retention was their top or second priority in 2025.

Apart from focusing on the visible mechanics (loyalty programs, re-engagement campaigns, personalized offers), we think transparency and trust are worth a much closer look to improve retention. Here’s why.

The trust gap is a retention problem

Here’s the uncomfortable truth: only 34% of consumers believe companies are honest about how they use their data (Deloitte, 2023).

When trust is that low, even the best retention strategy has a ceiling. Loyalty programs, personalized emails, exclusive offers: they all depend on people believing your intentions are good.

Transparent data practices close that gap because the way a company handles data is a visible signal of how it respects its customers.

In Europe, this matters more

With strong regulations like the General Data Protection Regulation (GDPR), awareness of data rights is higher in Europe than almost anywhere else.

A consent banner that buries the “reject” option, a privacy policy written in dense legal language, an email list with no real way to update preferences: these experiences reduce engagement and result in less willingness to share information voluntarily.

It’s also worth noting that the same Nielsen report found European marketers to be the only region globally to rank transparency, not accuracy, as their top priority for measurement technology. If you value transparency in the tools you use, it follows to ask whether you’re extending the same standard to the people you’re marketing to.

Where data experiences quietly erode trust

Most marketing teams genuinely care about trust, but compliance often stays on the back burner. Instead, it’s best to bring data process design into your customer experience strategy rather than treating it as a back-office concern.

Some of the most common patterns:

• Pre-ticked boxes: A legal issue in most European markets, and a trust issue. It signals that the default assumption is that customers will agree, rather than that they’re being given a genuine choice.
• No way to adjust preferences: Someone who consented to all marketing communications two years ago may now only want product updates. If the only option is a full unsubscribe, the company loses the contact entirely when a more granular preference would have kept the relationship alive.
• Cookie banners that obscure the reject option: Customers increasingly recognize dark patterns. When the “accept all” button is prominent and the alternative is buried, visitors get frustrated and attribute it to the brand.
• No straightforward way to unsubscribe: When it takes more than a few seconds to find the unsubscribe link, or when the process requires multiple confirmations, customers notice. Sometimes the link isn’t even present. The experience communicates that leaving is inconvenient by design.
• Consent language that explains nothing: When consent language is vague, people can’t make an informed choice, and over time they become more suspicious.

These accumulate into a picture of how a company treats customers, and that picture has a direct effect on retention.

What a more transparent approach looks like

Some easy fixes that can have a great impact on trust:

• Consent banners that offer a genuine choice: Both options equally accessible, with language that explains what’s actually being collected and why. This is the minimum standard under GDPR, but many implementations still fall short in practice.

• A privacy preference center: Rather than a binary opt-in or opt-out, a preference center lets customers decide what they want to receive and how. Someone who reduces their preferences is still a subscriber, on their own terms. That’s a stronger signal of intent than a passive opt-in from years ago. For marketers, it also means having customer lists that are more reliable.
• A privacy policy written to be read: Most companies draft privacy policies to satisfy legal requirements, not to communicate clearly. A policy in plain language, organized visiaully so a non-specialist can find what they’re looking for, functions as evidence of transparency rather than just a legal document.

Why giving people control tends to increase engagement, not reduce it

The “Privacy by design: the benefits of putting people in control” report by Google concludes that:

“There are strong privacy practices that brands can deploy to increase feelings of control, and the most effective combinations have a notable positive impact on more than just feelings of control (…) Our study suggests brands that can offer these experiences will, over time, see a positive snowball effect — people will feel in control, which increases brand trust and boosts brand preference. Brands that neglect privacy risk the opposite scenario.”

Trust is built through the cumulative experience of interactions with your brand:

Let’s admit it, it can sound counterintuitive, but giving people more control doesn’t reduce engagement, quite the opposite.

For example, having a clear preference center refines your audience into people who actually want to hear from you, and that audience converts better. This is essential to keep in mind for your retention strategy.

iubenda: built for global compliance, designed for trust

We built our professional tools around the idea that consent and privacy infrastructure should function as a brand asset, not just a compliance requirement.

In practice, that means:

• Consent banners built to meet legal requirements: Designed to give customers the right information and a genuine, understandable choice.
• Privacy widget: Meaningful control over what users have agreed to, with a straightforward way to adjust those choices at any time. Available as a small icon on all your pages to be paired with your accessibility widget.
• Privacy and Cookie Policy Generator: Clean and readable policies in plain language, updated to reflect changes in the law as they happen.

Inspire more trust in your brand and improve retention

The post European marketers are betting on retention. Privacy could be the edge they’re not using yet. appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Didomi is an enterprise-focused consent management platform (CMP) that comes with solid cookie consent tools. But depending on your business size, budget, and compliance needs, other platforms may be a better fit.

This guide walks through 5 strong alternatives to Didomi in 2026. For each platform, we cover key features, considerations, and pricing so you can find the best alternative to Didomi for your setup.

Compare the best alternatives to Didomi: at a glance

Common reasons businesses explore alternatives to Didomi

Didomi offers cookie consent tools that help enterprises align with major privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). And it also works across multiple devices, including mobile apps and connected TVs.

While that may be the case, after exploring hundreds of reviews, we identified the common reasons businesses start looking for the best alternatives to Didomi and greater flexibility.

Pricing concerns

Didomi doesn’t publish pricing on its website, which can make it harder for teams to evaluate costs upfront.

The platform positions itself as an enterprise solution, and its pricing reflects that. Several users mention that plans can get expensive, especially as traffic scales. For growing businesses that aren’t yet operating at full enterprise level, that can put them in a difficult position.

Steep learning curve for non-technical teams

Some users report that setup and integrations require more technical involvement than they expected. Teams without dedicated developers or compliance specialists may find the interface less intuitive.

Businesses that want something ready to use from day one may prefer a platform that requires less initial configuration.

Cookie consent focus

Didomi handles cookie consent well, but meeting regulatory requirements often requires more than that.

Businesses looking for broader digital compliance coverage, such as privacy and cookie policy generation, whistleblowing channels, accessibility tools, or internal compliance monitoring, may need to combine Didomi with additional vendors.

That can add to costs and complexity over time. This often motivates businesses to explore an all-in-one digital compliance platform as an alternative.

Potential impact on web performance

The scripts and banner configurations can affect page load speed without proper configuration. This can be an issue because even small delays can impact bounce rates and conversion performance.

What to keep in mind when looking for the best alternative to Didomi

With many options out there, it can be difficult to know what to prioritize when evaluating the best consent management platforms. Keep the following in mind as you review the best alternatives to Didomi:

Price and transparency

Look for platforms that clearly outline pricing tiers, included features, and potential additional costs. Transparent pricing makes it easier to compare options and avoid unexpected fees.

A platform with clear pricing should explain:

• What each plan includes
• How pricing scales as traffic grows
• Whether advanced features require custom contracts

Transparent pricing helps you plan ahead. It also makes it easier to compare tools without jumping through sales calls just to understand basic costs.

Ease of use and setup for non-technical teams

Some CMPs require developer expertise to set up and integrate with your tech stack. Others are more straightforward for non-technical teams to work with.

When evaluating a Didomi alternative, ask yourself:

• Can you set the platform up without heavy developer involvement?
• Is the dashboard intuitive?
• Are integrations straightforward with platforms like WordPress, Shopify, or Google Tag Manager?

The right solution will make your workflow simpler.

Solid web performance

Some consent tools can slow website performance down, which can lead to poor user experience, high bounce rates, and lower conversions.

A strong Didomi alternative should:

• Load quickly
• Block and trigger scripts efficiently
• Work smoothly with Google Consent Mode

With strong web performance, your CMP will be contributing to stronger business performance too.

Contribution to business performance

Consent management affects more than compliance; it can have a big impact on your business performance too.

Look for features that help you:

• Optimize banner layouts
• Improve consent rates
• Preserve marketing data
• Maintain campaign performance

A platform that’s able to help you with the above is more likely to give you better analytics accuracy and stronger ad performance.

Coverage beyond cookie consent

This is where many businesses re-evaluate the platform they’re using. If you only need a cookie banner, a standalone cookie consent software or one of the many CMP platforms may be enough. But if you also need:

• Privacy and cookie policy generation
• Terms and conditions
• Data subject request handling
• Internal compliance monitoring
• Accessibility support

In these cases, relying only on a basic CMP may not be sufficient. Businesses conducting a consent management platform comparison often look for a broader solution that supports digital compliance beyond just cookie consent.

An integrated platform that covers multiple compliance areas can save you time and reduce overhead as regulations evolve.

The 5 best alternatives to Didomi in 2026

1. iubenda

Rated 4.7/5 on Capterra and trusted by over 150,000 businesses, iubenda is a digital compliance suite that brings multiple compliance solutions together in one place. Rather than stitching together different vendors for different requirements, you get cookie consent, legal document generation, accessibility support, and more under a single subscription.

You can create and customize your cookie banner, log user consent, and integrate with Google Consent Mode v2, helping you recover marketing data from users who decline cookies and keep your ad campaigns running effectively. iubenda also comes with solutions for generating privacy and cookie policies, terms and conditions, managing data subject requests, and much more. The platform is ISO 27001 certified, and all legal documents are drafted and maintained by an international legal team.

Businesses of all sizes use the platform, from individual site owners to large enterprises, making it a flexible solution that scales as compliance needs grow.

Pros

• Transparent, affordable pricing
• Legal backing from an international legal team
• Scalable, works well for individuals, large enterprises, and everything in between
• Intuitive interface designed for non-technical teams
• Straightforward integrations (WordPress, Shopify, Webflow, Google Tag Manager, and more)
• Google-certified CMP compatible with Google Consent Mode v2
• Supports the IAB Transparency and Consent Framework (TCF) in line with industry standards
• Loads efficiently without disrupting website performance
• Generates legal documents, including privacy policies and terms and conditions
• Includes additional solutions such as data subject request handling, whistleblowing channels, and accessibility support

Cons

• Terms and Conditions Generator is only available on paid plans

Pricing

• Free plan available with everything you need to get started on a basic site
• Paid plans start from €4.99/month
• Flexible pricing based on which solutions you activate, so you never pay for more than you need

What users say

Users frequently highlight excellent customer support and how the platform keeps pace with regulatory changes. Quick setup, smooth integrations, and the convenience of having multiple compliance solutions in one platform are common themes in reviews.

How does iubenda compare to Didomi?

While Didomi focuses on enterprise consent management, iubenda takes a broader approach as a full digital compliance suite, connecting cookie consent, legal document generation, accessibility, and monitoring solutions under one roof. For businesses that need more than consent management alone, this integrated approach can simplify workflows and reduce the need for additional vendors.

2. consentmanager

consentmanager delivers strong consent management solutions designed for enterprises that need a solution that scales, offers deep control, and performance optimization. The platform gives teams the ability to test, refine, and improve consent experiences over time. Beyond consent collection, consentmanager also includes broader compliance capabilities, offering legal document generation and compliance monitoring.

Pros

• Built-in A/B testing and machine learning optimization help increase consent rates
• Extensive customization options, including 200+ design variations and targeting by country, device, browser, and more
• Strong performance focus, with tools designed to reduce bounce rates and display the highest-performing consent layout automatically
• Fully compatible with Google Consent Mode
• Works across multiple devices, including desktop, mobile, apps, and connected TVs
• Includes an in-depth Compliance Monitor
• Generates legal documents
• Clear pricing structure
• IAB TCF support for advertising consent management
• Its Compliance Monitor proactively scans your websites for compliance gaps

Cons

• The platform offers extensive customization, which means first-time users may need more time to feel comfortable with the interface

Pricing

• Free plan available
• Paid plans start from €23/month, with pricing based on the number of websites and monthly pageviews

What users say

Users consistently highlight responsive customer support and strong value for money. Many mention the platform’s speed, easy-to-follow instructions, and quick results. The platform holds a 5/5 rating on G2.

How does consentmanager compare to Didomi?

consentmanager matches Didomi on enterprise-level consent management across multiple devices, from desktops to connected TVs. Where it goes further is in performance optimization: built-in A/B testing and machine learning automatically surface the highest-converting consent layout, helping teams improve consent rates over time without manual testing. It also includes legal document generation and built-in compliance monitoring, giving teams broader coverage than Didomi offers.

3. Enzuzo

Enzuzo is a lightweight consent management platform (CMP) with a strong focus on e-commerce businesses. As one of the CMP platforms, it combines cookie consent tools with privacy management features and legal policy generation. The platform works well for smaller online stores, particularly those operating within Shopify.

Pros

• Simple to use and set up
• Well suited for Shopify and e-commerce environments

Cons

• As feature needs grow, pricing can increase, particularly for businesses that need tools beyond the base plan
• Some advanced features are restricted to higher-tier plans
• The platform works best within e-commerce and Shopify environments. Businesses outside this space may find fewer tailored features
• Some users have noted longer response times from the support team

Pricing

• Free plan comes with limited features
• Paid plans start from USD $9/month for basic compliance tools

What users say

Users appreciate Enzuzo’s user experience and simple setup process. Some have noted frustration with billing and payment workflows. On Trustpilot, the platform currently holds a 3.6/5 rating.

How does Enzuzo compare to Didomi?

Enzuzo may be a practical alternative to Didomi for e-commerce businesses, offering data privacy management tools that extend beyond cookie consent. It’s designed for teams that operate primarily within Shopify and need a focused, accessible toolset.

But it’s worth keeping in mind that both platforms can become more expensive as feature needs grow. Enzuzo works well within its core e-commerce environment, but businesses that need deeper legal customization or broader global compliance coverage may want to explore additional options.

4. Termly

Termly combines consent management with legal policy generators. The platform focuses on simplicity, making it accessible for small teams that want to align with global privacy regulations and looking for GDPR cookie consent tools, without needing technical or legal expertise.

Pros

• Includes built-in legal document generators
• Easier to use and set up

Cons

• Customization options are more limited compared to enterprise-level platforms
• Doesn’t include accessibility tools or whistleblowing management, so businesses with those needs will require additional solutions
• Some users report slow support response times
• Some users have noted that the consent widget can affect page load times

Pricing

• Free plan available with capped monthly pageviews
• Paid plans start from USD $10/month

What users say

Users appreciate Termly’s easy setup. Some have mentioned that customer support could be more responsive, and a few feel that pricing doesn’t always match the feature set. On G2, the platform holds a 4.3/5 rating.

How does Termly compare to Didomi?

Termly is designed for a different audience than Didomi. Where Didomi targets enterprises, Termly focuses on small businesses and freelancers who need a straightforward starting point. It includes legal document generation and data subject request handling alongside consent management, giving it slightly broader coverage than Didomi.

That said, Termly doesn’t cover areas like accessibility or whistleblowing management, so businesses with expanding compliance needs may eventually need to supplement it with other tools.

5. Cookiebot

Cookiebot is a CMP that focuses on cookie scanning and basic consent management features designed to help preserve ad performance and marketing data.

Pros

• Strong focus on cookie consent and tracking control
• Designed to help preserve marketing data and support ad performance

Cons

• Teams without a dedicated developer may need more time to configure and manage the platform
• Cookiebot focuses on cookie consent and scanning. Teams that need broader digital compliance tools such as policy generation, data subject requests, or accessibility support will need to look elsewhere
• Customization options are more limited than some enterprise-level alternatives

Pricing

• Offers 14-day trial
• Plans start from €7/month for basic features

What users say

Many users consider Cookiebot a solid tool for cookie consent. However, some users have noted that the interface could benefit from updates. User satisfaction on Trustpilot currently sits at 2.3/5.

How does Cookiebot compare to Didomi?

Cookiebot can serve as a practical alternative to Didomi for businesses that want a cookie consent tool focused on preserving marketing data and analyzing consent behavior.

Like Didomi, Cookiebot doesn’t provide legal document generation or broader digital compliance tools for accessibility or whistleblowing management. Organizations with growing compliance requirements may need additional tools to fill those gaps.

Frequently asked questions

What is the best alternative to Didomi?

The best alternative depends on your business size, compliance needs, and budget. For full digital compliance coverage in one place, iubenda offers the broadest range of solutions. For enterprise-level consent customization, consentmanager provides deep control. For e-commerce, Enzuzo is built around Shopify. The key is matching the platform to how your business operates.

Is Didomi expensive?

Didomi doesn’t publish pricing on its website, which makes direct comparison difficult. The platform is designed for enterprise use, and several users have noted that costs can increase as traffic scales. If transparent, predictable pricing matters to you, consider platforms that publish their plans openly.

Can I use a Didomi alternative for GDPR and CCPA?

Yes. All five alternatives covered in this guide support compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The difference is in how much they cover beyond consent management, such as policy generation, data subject requests, and monitoring.

Choosing the right alternative to Didomi

The right alternative to Didomi depends on where your compliance needs are today and where they’ll be as your business grows.

Here are a few questions to help you decide:

• Do you need legal document generation alongside consent management? If so, a standalone CMP won’t cover it
• Do you want clear pricing without a sales call? Some platforms on this list require custom quotes
• Do you need a single platform that scales from startup to enterprise? Most tools above serve one segment or the other
• Do you need coverage beyond cookie consent, including accessibility, data subject requests, or whistleblowing? Only a complete digital compliance platform can handle that

Whatever you decide, look for a platform that supports where your business is headed, not just where it is today.

The post The 5 best alternatives to Didomi in 2026: Pros, cons, pricing, and comparison appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The challenge is that writing solid terms from scratch isn’t simple. You need legal expertise. And while you might avoid hiring a pricey lawyer by trying free templates or using AI, they often miss important clauses and nuances.

That’s why many businesses turn to a terms and conditions generator.

But not all generators are built the same.

In this guide, we’ll compare 6 of the best terms and conditions generators, so you can find one that’s right for you. And we’ll delve into the details of what you need to know about this important document along the way.

Terms and conditions generator comparison: at a glance

What are terms and conditions?

Terms and conditions are a legal agreement between you and the people who use your website, app, or service. They outline how your service works, what you expect from users, and what happens if someone breaks the rules.

By using your website or service, users typically agree to these terms. That agreement forms a contract. And that contract helps protect your intellectual property, clarify responsibilities, and reduce the risk of disputes.

Terms and conditions exist to protect your business and its revenue while setting clear expectations for your users.

What’s the difference between terms and conditions, terms of use, and terms of service?

Terms and conditions, terms of use, and terms of service all refer to the same type of legal agreement between a business and its users. The names are interchangeable.

You might also see them referred to as:

• Terms of Service (ToS)
• Terms of Use
• End-User License Agreement (EULA)
• General Conditions
• Legal Notes

Why do you need terms and conditions?

Terms and conditions might not be a requirement, depending on where your business operates. But that doesn’t mean you should skip them.

Because terms and conditions form a legally binding contract that can reduce legal risk and protect your business and its revenue if disputes arise. Without clear terms in place, you leave room for confusion around payments, refunds, intellectual property, liability, and more.

What’s more, a proper terms and conditions document adds to your credibility, increasing brand trust. And it sets clear expectations which create a smooth customer journey, contributing to more conversions.

What should you include in terms and conditions?

Your terms and conditions should be easy to find and simple to understand. What you include will depend on your business model. A SaaS platform won’t need the same clauses as a blog, for example. But most businesses should cover the following:

• Your business details
• A description of your services
• Conditions of using your website and services
• Payment terms
• Refunds and cancellations
• Intellectual property
• Limitation of liability and disclaimers
• Service interruptions
• Applicable law

What to look for in a terms and conditions generator

A strong terms and conditions generator should:

Build terms and conditions around your business, not a generic template

The best terms and conditions generators will guide you through relevant questions and build your terms around your answers. Whether you run subscriptions, sell digital products, ship physical goods, or allow user-generated content, your document should reflect those nuances.

That’s why copying a generic template from the internet isn’t enough. Templates often miss important clauses or include provisions that don’t apply to your setup. And when your document doesn’t match your business model, you create gaps that can weaken your protection.

Include the essential clauses

Your generator should automatically cover the key areas most businesses need, such as payment terms, cancellation rules, limitation of liability, intellectual property, and applicable law.

The best terms and conditions generators come with legal backing, so you don’t have to wonder whether you’ve missed something important.

Create a living document

Your business will evolve. You may update pricing, launch new services, expand into new markets, or change internal policies. And regulations in your country may change too.

That’s why a reliable generator shouldn’t just produce a one-off PDF. It should help you manage a living document that you can revise and republish as your business and local regulations shift.

The best terms and conditions generators

1. iubenda

iubenda offers a Terms and Conditions Generator built to create a tailored, living document that matches your unique business setup.

Instead of relying on static templates, iubenda structures your terms around how your business actually operates. Whether you run an online store, SaaS platform, mobile app, or content website, you can generate a document that reflects your pricing model, service structure, and legal requirements.

And because iubenda forms part of a wider digital compliance suite, you can manage other legal documents, consent, and accessibility. All in one place.

Best for

Businesses, apps, and websites of all sizes and industries that want lawyer-backed terms that evolve as their operations grow.

Pros

• 100+ lawyer-written clauses designed for a wide range of business models
• Available in 15+ languages
• Terms update as laws evolve, no need for manual edits
• Unlimited edits that refresh your terms and conditions in real time, without needing to republish
• Guided setup tailored to your business
• Intuitive, user-friendly interface
• Thorough customization based on how your business operates
• Quick to generate and easy to edit
• Scales smoothly from small websites to complex, multi-product businesses
• Flexible enough for e-commerce, SaaS providers, apps, and content platforms
• Works for apps as well as websites
• Includes access to a responsive live support team
• Forms part of a wider all-in-one digital compliance suite
• 150,000+ customers trust the platform including Lamborghini, UNICEF, and Sony Music

Cons

• Requires a paid subscription

Pricing

• Paid plans start at just €19.99/month

What people say

Users find iubenda easy to use and praise the excellent customer support. People also highlight that it’s quick and makes generating legal documents easier.

2. Complianz

Complianz offers a standalone terms and conditions generator designed for WordPress users. You can use it on its own or alongside the full Complianz Cookie Consent plugin, depending on what you need.

The generator guides you through relevant questions and helps you produce a document that reflects how your business operates.

Best for

WordPress users who want an easy way to generate tailored terms and conditions directly within their website environment.

Pros

• Clauses that cover affiliate marketing, platforms like WooCommerce, digital and physical goods, and online services
• Multi-language support
• Simple, guided setup
• Allows you to create customized terms and conditions that reflect your business operations
• Quickly generates a thorough terms and conditions document
• Free to use
• Works independently or alongside the full Complianz Cookie Consent plugin
• Comes with backing from legal experts

Cons

• You need a paid subscription to their Cookie Consent plugin if you want access to more compliance tools

Pricing

• Free for the terms and conditions generator
• Paid plans for additional digital compliance tools start from €59/year (less than €5/month)

What people say

WordPress users have rated the plugin 4.9 stars, highlighting its speed, ease of use, and effectiveness. Many see it as a perfect companion to Complianz’s Cookie Consent plugin.

3. Enzuzo

Enzuzo offers a terms and conditions generator aimed at e-commerce businesses. The platform combines legal document templates with consent and privacy tools, positioning itself as a lightweight compliance solution for online stores.

Best for

E-commerce businesses that want a template-based terms and conditions generator integrated with their website platform.

Pros

• Multi-language support
• Updates templates if regulations change
• Available on WordPress and Shopify
• Comes with the backing of legal professionals
• Works with major platforms and website builders

Cons

• Relies heavily on templates rather than fully tailored clauses
• Requires a paid plan to access important clauses such as payments, user submissions, and dispute handling
• Requires a paid plan to edit and customize your terms or add additional languages
• Editing generated legal documents may require additional steps
• Offers limited customization compared to more advanced generators
• Some users report slow support response times

Pricing

• Limited free plan available for basic terms and conditions
• Paid plans start from $9/month, with additional clauses and customization features only available on upgraded tiers

What people say

Some users feel the platform is intuitive to use, but others mention that editing generated documents can require extra steps. Users also highlight problems with paid subscriptions and support.

4. Termly

Termly provides a terms and conditions generator built around predefined templates. The platform focuses on simplicity, offering a guided questionnaire that helps users produce a basic legal document quickly.

Best for

Businesses that need a basic, template-based terms and conditions document and don’t require deep customization.

Pros

• Multi-language support
• Works for websites, mobile apps, and online stores
• Includes clauses for niche scenarios such as SMS marketing and contests
• Supports platforms including WordPress, Shopify, Wix, WooCommerce, and GoDaddy
• Step-by-step guided setup
• Clean and easy-to-navigate interface

Cons

• Policies rely heavily on templates which aren’t easily customizable
• Can negatively impact WordPress site performance
• Some users report slower support response times
• Heavily template-based, with limited flexibility for nuanced business models
• Legal document customization options are limited

Pricing

• Terms and conditions generator is free to use

What people say

While some users like the practical interface, others have expressed their frustration with the technical support team, limited customization, and occasional unreliability of the platform.

5. Shopify

Shopify offers a built-in terms and conditions generator designed for merchants using its e-commerce platform. The tool provides a simple way to generate a policy quickly, particularly for store owners who want a starting point without leaving the Shopify ecosystem.

However, the generator functions primarily as a template tool rather than a fully tailored document builder.

Best for

E-commerce businesses that already operate on Shopify and want a basic starting point for their terms and conditions.

Pros

• Limited multi-language support for policy creation
• Legal experts have developed and reviewed the generator
• Includes suggestions to help you customize your terms
• Quick to generate, with the document delivered to your inbox within minutes
• Targets e-commerce use cases
• Convenient for Shopify store owners who want a simple setup

Cons

• Some users report slower support response times
• Relies on a generic template structure
• Requires manual editing to customize clauses
• Customization options may require legal expertise to use effectively
• Offers limited flexibility beyond standard e-commerce scenarios

Pricing

• Limited free trial with a duration that depends on your region
• Pricing starts from $5/month, though access to certain features depends on your subscription tier

What people say

While users like how the platform is easy to use, many have difficulties with in-depth customization and Shopify’s limited features. Shopify also has a 1 star rating on Trustpilot from over 1k reviews.

6. TermsFeed

TermsFeed offers a template-based terms and conditions generator designed for websites and apps. The platform guides users through a questionnaire and produces a downloadable legal document based on their answers.

Best for

Websites and apps that need a basic, template-driven terms and conditions document.

Pros

• Download your terms and conditions in multiple formats
• Update your document using a Live Editor
• Receive notifications when laws change that may affect your terms
• Free hosting page available for your terms and conditions
• Quick to generate

Cons

• Places certain essential clauses behind a paywall, even when local regulations may require them
• Uses a pay-per-clause model that increases costs as you add necessary protections
• Some users have noted that generated content may not always match their specific business context
• Limited multi-language support
• Restricts editing unless you pay

Pricing

• Limited free plan available with option to purchase additional “premium” clauses at varying prices

What people say

Although the website suggests the generator is “100% free”, there are complaints about how that isn’t actually true. Users mention that it’s expensive for something they have to edit manually.

Frequently asked questions

What is the best terms and conditions generator?

The best generator depends on your business type and how much customization you need. Look for a solution that adapts to your business model, is backed by legal experts, and updates your documents as laws change. Transparent pricing and coverage beyond just T&Cs are also worth considering.

Do I really need terms and conditions?

Terms and conditions help protect your business by setting clear rules for how users interact with your website, app, or service. While not legally required in every jurisdiction, they can limit liability, protect intellectual property, and set expectations around payments, refunds, and disputes.

Can I use a free terms and conditions generator?

Several generators offer free plans, but they often come with limitations like fewer clauses, documents that don’t update as laws change, or restricted customization. For businesses that need a document tailored to their operations, a paid plan typically offers better coverage and ongoing legal support.

Choose terms that grow with your business

Clear terms and conditions protect revenue, reduce disputes, and give your business room to grow.

A basic terms and conditions template might help you publish something quickly. But as your products, pricing, and markets evolve, along with local regulations, your terms need to evolve too.

The best terms and conditions generators reflect how your business actually works, cover essential clauses without hidden gaps, and let you manage your document as a living agreement, rather than a one-off file.

If you want a solution built around real business models, backed by legal expertise, iubenda gives you that flexibility as part of an all-in-one digital compliance suite.

The bottom line? Start with terms that protect where your business is today and support where you’re going next.

The post Which is the best terms and conditions generator? 6 tools compared for 2026 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Fifteen years is a long time to build anything. It’s long enough to learn what works, what doesn’t, and what you wish someone had told you at the start.

We caught up with Andrea Giannangelo, iubenda’s founder, to talk about the journey: the moments that shaped the company, the advice he’d give his 2011 self, and the lessons that might help anyone starting out today.

A success story like you’ve seen before

You might think iubenda is just another startup success story. We won’t argue.

It follows the usual ingredients that decades of research have shown: that success is less about genius and more about timing, opportunity, and relentless consistency. Let’s take a look.

The bold idea

Andrea Giannangelo had just graduated from law school when he ran into the problem that would shape the next 10 years of his life.

He had a website. Getting it legally sorted was complicated, expensive, and slow. The only options were custom legal services that most small businesses couldn’t afford, or generic templates that didn’t really fit. So he built something better.

In 2011, online privacy was nearly non-existent. Social media had become the dominant force online, and the prevailing mindset was to connect and share, not to protect personal data.

Betting on privacy felt contrarian. When asked what he got surprisingly right, Andrea recalls: “That 15 years ago, privacy was going to be a thing.” But being right early isn’t always comfortable.

The tough start

The early days weren’t glamorous. “We applied to every single accelerator out there, sometimes multiple times. And nobody took us, nobody could see it really.”

Investors did eventually come knocking, but the terms on offer were bad. Andrea also felt like the market wasn’t ready yet, and so he turned them down. He kept building.

Things were hard. Growth was slow. Revenue wasn’t enough. “I really didn’t know if we were going to make it.”

Seizing the opportunity

Slow growth and rejection were tough. But they kept iubenda independent and ready for the right shift in the market.

In 2014, the Italian data protection authority (the Garante) was preparing detailed cookie guidelines enforcing the ePrivacy directive, or Cookie Law.

Rather than hand down rules from above, the Garante set up a roundtable with the main industry stakeholders like publishers and trade bodies, including the IAB.

The IAB brought in Andrea to advise on the technical side. His background spanning law, commercial practice, and the technical realities of cookies made him the rare person who could speak all three languages at once.

That working group helped shape the guidelines that would define how cookie consent worked in Italy.

In the right place at the right time

Enforcement followed in 2015. Then the General Data Protection Regulation (GDPR) arrived in 2018. Privacy stopped being a niche concern and became front-page news across Europe.

“I went from being nobody to literally having my phone jammed by all the large companies and publishers that wanted to get our product.”

Even though a chaotic moment, it was all happening now: preparation had met opportunity. “That changed everything. A few years later, we did 5x in revenue.” That combination of discipline and tenacity, repeated over years, is what got iubenda where it is today.

Asked how it feels to reach that milestone, Andrea’s answer is honest: “Completely unlikely.”

Founder to founder: 15 lessons from 15 years

Andrea also shared some simpler wisdom, like prioritizing sleep (seriously, he mentioned it twice).

But here are 15 pieces of advice for founders to celebrate 15 years of iubenda. And if you’re just starting out, we hope compliance is on your checklist. If not, well, you know where to find us.

Timing is everything

When asked what he’d tell his 2011 self, Andrea doesn’t hesitate: “Timing, it’s all about timing.”

You can have the right product, the right team, the right strategy. But if the market isn’t ready, none of it matters. iubenda bet on privacy in 2011, before privacy was mainstream with the Cookie Law in 2014, or even bigger, GDPR in 2018.

The bet paid off, and timing eventually caught up. But timing alone isn’t enough. You have to be ready to ride the wave when it comes.

Looking back, Andrea is still surprised: “I think that was one of those moments of clarity that I really look back to and think, how could I have such certainties?”

Protect your time to think

“If you are too busy, you’re compromising the time that you dedicate to thinking, and your capability to think is everything.”

There’s a myth that founders need to overwork themselves to succeed. Andrea disagrees. Busyness can be the enemy of clarity, and trying to do everything yourself only makes it worse.

Stay focused, even when nobody believes in you

“At the beginning, as nobody could see it, everyone was telling us to try and do other things, and I stayed on the same product, privacy, and ultimately that paid off.”

When things aren’t working, the temptation is to pivot, diversify, try something new. Sometimes the right move is to stay the course.

Consistency is underrated

Andrea’s secret superpower? “The combination of discipline and obstination.” One of his favorite quotes: “The more I train, the luckier I get.” Luck isn’t random. It’s what happens when preparation meets opportunity, over and over again.

You don’t need a stroke of genius

The myth of the visionary founder is just that: a myth. What looks like genius is usually persistence compounded over time.

Aim for top three, not top one

“It’s never about being the top one. It’s about consistently being in the top three.”

Sustainable success isn’t about being the best once. It’s about being consistently good over time.

Not everyone will grow with you

“As you grow, not all of your team will be able to grow with you and you’ll need to make some more choices there.”

This is one of the hardest lessons in leadership. The people who helped you start may not be the people who help you scale. Recognizing that, and acting on it, is painful but necessary.

Keep asking yourself what matters most

That’s Andrea’s go-to productivity trick: “What is the most important thing that I have to do right now? Literally over and over.” Relentless prioritization.

Customers will keep you going

During the hardest moment, when Andrea almost gave up, what kept him going? “The customers, speaking with them and getting their feedback. That was everything for me in that moment.”

When you’re lost, talk to customers. They’ll remind you why you started.

Funding is a means, not a goal

“Funding is not a goal. The goal is building a company. Have funding as a means. It comes with a lot of trade-offs and compromises that I think founders underestimate.”

The startup world celebrates fundraising like it’s the finish line. It’s not. Sometimes the best decision is to say no to funding and keep building on your own terms.

Learn to let go of perfection

You can’t scale if you need everything done your way. To delegate, you need to be ready to compromise on perfection and let it go.

Simplicity wins

What have customers taught him? One word: “Simplicity.”

It’s easy to overcomplicate. The best products, the best communication, the best decisions tend to be simple.

Own your mistakes

If Andrea could delete one moment from the journey? “None of it. Own it. Own your mistakes. Own the bad ones.”

The bad moments are part of the story. They’re what make the good ones meaningful.

Prioritize learning over reward

Short-term wins feel good. Long-term learning compounds. Choose accordingly.

Not everyone makes it

“What keeps you humble? The many founder friends that were great and didn’t make it.”

Not every great founder succeeds. Sometimes the timing doesn’t align, sometimes the market shifts, sometimes it just doesn’t work out.

Looking forward

Fifteen years in, we’re grateful. Grateful for our customers and the team that made it all possible.

Things move fast. Opportunities don’t wait. Andrea knew that in 2011. It’s still how we build today.

If you’re starting something now, we hope a few of these lessons land, or remind you why you started. And when you need a privacy compliance tool, we’ll be here.

The post Looking back on 15 years: what iubenda’s founder would tell his 2011 self appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

They’re those little data files that a user downloads when visiting your site. They enable shopping carts to remember items, users to save login details, and allow you to track user behavior, with consent, to improve your marketing.

And if you’re using cookies, you’ll need a cookie policy to help comply with international privacy regulations like the General Data Protection Regulation (GDPR) and ePrivacy Directive.

The good news is that you don’t need to write one from scratch yourself. A cookie policy generator can create one for you in minutes.

In this guide, we’ll help you find the best cookie policy generator for your website. Because there are a lot of them out there, and not all of them are the right solution for your site.

In a moment, you’ll discover what a cookie policy should include, what to look for in a generator, and how 6 of the most popular solutions compare.

That way you’ll easily find the best cookie policy generator for your site. One that fits your needs now and continues to support you as your setup grows.

Cookie policy generator comparison: At a glance

What is a cookie policy?

A cookie policy explains:

• What types of cookies and trackers your site uses
• Why you use them
• How a user can manage or refuse them

What’s the difference between a cookie policy and a privacy policy?

A privacy policy is a broader document covering all the ways your business handles personal data (like names, emails, and payments), while a cookie policy is a specialized document that focuses specifically on the cookies your website uses.

What’s the difference between a cookie policy and a cookie banner?

While a cookie policy provides a full explanation of the cookies on your site and their purpose, a cookie banner gives users a way to accept, reject, or manage cookies before non-essential tracking starts.

Why is a cookie policy important?

Privacy regulations like GDPR, the ePrivacy Directive, the California Consumer Privacy Act (CCPA), and others require websites to provide cookie policies in a clear and accessible way.

Beyond compliance, a cookie policy is good for business. It shows users that you take transparency and data privacy seriously, building trust in your brand which contributes to more sales in the long run. And with that trust, users are more likely to consent to your collection of data for better marketing insights.

What should a cookie policy include?

While it may vary slightly depending on what regions your website is active in, generally a cookie policy should include the below in clear, accessible language:

• The types of cookies you use – For example, essential cookies, analytics cookies, and advertising cookies.
• The purpose of each cookie category – Users should understand why each type of cookie exists and what it helps you do.
• Information about third parties – If external services place cookies on your site, the policy should clearly identify them and explain their role.
• Cookie duration – How long cookies remain active on a user’s device.
• How users can manage their choices – This includes instructions on changing preferences, withdrawing consent, or updating settings later on.

What should you look for in a cookie policy generator?

Here are the key features to consider when evaluating a cookie policy generator:

Accuracy based on real cookie usage

A reliable generator creates a policy that reflects the cookies and third-party services your site actually uses. A great feature to keep an eye out for is a powerful automatic cookie scanner; it’ll help you ensure your policy doesn’t miss a thing.

Legal reliability

The best cookie policy generators come with the backing of legal experts, so your policy is more likely to align with privacy regulations.

Updates as your site and laws evolve

Look for a generator that keeps your cookie policy in sync with your site. When you add new tools or services, your policy should reflect those changes. And as privacy requirements shift, you’ll get notified so you can review without starting from scratch.

Ability to scale with your site

What works for a single website might not work for multiple domains, regions, or languages. Generators built to scale make it easier to manage policies as your business grows internationally.

The best cookie policy generators

1. iubenda

iubenda’s cookie policy generator keeps your policies current as laws change. Its legal team monitors regulatory updates and refreshes available clauses, so when something changes, you add the update in a click without rebuilding from scratch.

It also connects policy generation with site scanning, keeping your disclosures accurate as your site changes.

The generator is part of iubenda’s connected compliance solutions, giving you access to legal document generation, cookie banners, consent management, and more, all from one place.

Best for

Individuals and businesses that want easy, attorney-quality cookie policy generation and other digital compliance solutions in one place.

Pros

• Automated cookie scanner detects your website’s cookies and services, so you can quickly generate accurate cookie policies
• A team of legal experts write and update policy clauses
• Instant notifications when privacy regulations evolve
• Available in 27 languages and covers the world’s major privacy laws like GDPR, CCPA/CPRA and other US State Laws, FADP, and LGPD
• Centralized management across multiple websites and domains
• Easy to generate accurate policies that reflect actual cookie usage
• Reduces manual updates as cookies, vendors or regulations change
• Scales easily from simple sites to complex, multi-domain setups
• Easy to use
• Part of a wider digital compliance suite, with solutions for creating cookie banners, improving accessibility and more
• Excellent customer support that stays with you until they resolve your issue
• Trusted by over 150,000 organizations including Honda, Sony Music, and UNICEF

Cons

• Access to some of the advanced solutions in the suite requires a paid plan

Pricing

• Free plan available with everything you need for low-traffic sites
• Paid plans start at just €4.99/month

What people say

Users consistently mention ease of use, excellent customer support, and how the platform simplifies complex compliance requirements. Users also highlight its affordability and value, given that it offers a full range of solutions for digital compliance.

2. Complianz

Complianz is a cookie policy and consent management plugin built for WordPress and Shopify. Install it directly from your CMS and it gets to work right away.

Its hybrid cookie scanner detects the trackers running on your site, so your policy reflects what’s actually there. As your site changes, rescan and update to match.

It also handles cookie banner setup and records visitor preferences, keeping your consent logs in order.

Best for

WordPress and Shopify users who want a complete plugin to manage cookie policies and consent.

Pros

• Built-in hybrid site scanner identifies active cookies and services
• Generates a thorough and accurate cookie policy based on scanner findings
• Synchronizes with cookiedatabase.org, allowing you to automatically populate your Cookie Policy with clear, up-to-date descriptions of what each cookie does, who the service provider is, and how long until the data expires
• Compatible with multiple regions and privacy laws, including GDPR and CCPA
• Legal documents available in 49 languages
• Easy to install and configure
• Trusted by 1 million users
• Backed by legal experts
• 30-day money-back guarantee

Cons

• Advanced features require a paid plan

Pricing

• Free plan available
• Paid plans start from €59/year (less than €5 a month)

What people say

WordPress users highlight easy setup and an intuitive interface. And on Shopify, the plugin comes with top reviews for the support team. 

3. Termly

Termly offers a cookie policy generator combined with consent tools. The platform focuses on predefined templates for document generation and offers a guided setup process.

Best for

Individuals and small businesses with simple websites that need to publish a cookie policy quickly.

Pros

• Cookie policy generator built around predefined templates
• Cookie scanner
• Coverage for common privacy frameworks such as GDPR and CCPA
• WordPress integration via plugin
• Guided setup
• Simple interface

Cons

• Policies rely heavily on templates which aren’t easily customizable and don’t update as regulations change
• Limited flexibility, especially for multi-region setups
• Using it for multiple websites can get expensive
• Can negatively impact WordPress site performance

Pricing

• Free plan available with limited features
• Paid plans start from $10/month
• Costs increase based on pageviews and feature access

What people say

Users praise the easy setup process, but highlight Termly’s limitations with multi-region compliance and customization, as well as poor customer service. Many WordPress users complain about the tool slowing site performance.

4. CookieYes

CookieYes offers a cookie policy generator that allows you to create your own policy based on a template. It does have a cookie scanner to help with generating the policy, but it often requires manual oversight.

Best for

Small websites that want to publish a cookie policy quickly and don’t expect frequent changes to their tracking setup.

Pros

• Cookie policy generator combined with a basic site scanner
• Monthly scan to update your list of cookies
• Available as a WordPress and Shopify plugin
• Quick setup
• Allows for more manual intervention

Cons

• Cookie scanning may require manual oversight in some cases to verify detection and categorization
• Can be expensive if you have multiple domains and high traffic
• Limited multi-language support
• Customization options are more limited compared to some alternatives

Pricing

• Free plan available with limited functionality
• Paid plans start at €9/month per domain

What people say

Reviews mention good customer support but limited features and issues with customization. Some users also mention poor website performance on mobile devices as a result of using CookieYes.

5. TermsFeed

TermsFeed is a lightweight legal document generator. It lets you build a customized cookie policy, privacy policy, and terms and conditions document through a template-based flow.

Best for

TermsFeed works best for individuals and small businesses that want to generate basic legal documents for static sites where manual updates are manageable.

Pros

• Cookie policy generator based on templates
• Support for multiple types of legal documents
• Customization through guided questions
• Supports 10 languages
• Simple cookie policy generation
• Covers multiple legal document types in one place
• WordPress integration

Cons

• Doesn’t have a comprehensive cookie scanner to help you create an accurate cookie policy
• Notifies you when there are changes in regulations, but you need to update your policy manually
• Users must manually update documents as their sites change
• Limited scalability for multi-site or multi-region setups
• It’s marketed as free, but there are certain “premium clauses” that you have to purchase.

Pricing

• Offers a limited free policy option that isn’t tailored for compliance with GDPR and other privacy regulations
• One-time payments with varied pricing for specific clauses in legal documents

What people say

While users mention that it’s quick to generate a cookie policy, reviews also frequently mention difficulties with the payment process, with some highlighting that they find TermsFeed expensive for what it offers.

6. Docue

Docue is a British legal document generation tool that helps businesses create and manage contracts and legal documents, including privacy-related policies.

The platform’s focus is on legal contracts rather than on full digital compliance.

Best for

Businesses with relatively static websites that handle consent and cookie management elsewhere.

Pros

• Cookie policy and other legal document creation
• Template-based policy generation
• Clauses written and updated by a team of lawyers
• Helps generate a cookie policy aligned with UK GDPR requirements
• Allows you to tailor the document to what you need by using templated clauses

Cons

• Isn’t designed specifically for cookie policies or consent management
• No built-in cookie scanning or consent tools
• While lawyers update templates based on regulation changes, you have to manually update your policy when there are changes to your website’s cookies
• Doesn’t support international privacy regulations besides United Kingdom GDPR
• No multi-language support

Pricing

• No free plan publicly available
• Pricing starts at £39/month with an annual subscription

What people say

Some users appreciate Docue’s ability to quickly and easily generate legal documents but many mention how they feel misled by the platform’s pricing.

Frequently asked questions

What is the best cookie policy generator?

The best generator depends on your site’s complexity and compliance needs. Look for a solution that offers automatic cookie scanning, legal expert backing, and policies that update as regulations change. Integration with your existing platform and transparent pricing are also important factors.

Do I need a cookie policy?

If your website uses cookies, regulations like the GDPR and ePrivacy Directive require you to inform users about what cookies you use, why, and how they can manage their preferences. A cookie policy is the standard way to provide this information.

What’s the difference between a cookie policy and a cookie banner?

A cookie banner is the pop-up that asks for consent when someone visits your site. A cookie policy is the full document that explains which cookies you use, what data they collect, and how users can control them. You typically need both.

Choose the best cookie policy generator for your website and your business

The best cookie policy generator is one that helps you create a policy that evolves with your site as well as changing regulations.

And, if it’s a part of a wider suite of digital compliance solutions, like iubenda, you’ll not only have the best value for money but greater support for your business’ growth.

Because when you show your users that you respect their privacy by providing a cookie policy, along with solutions for consent management, you’ll be positioning your brand as transparent and trustworthy.

That kind of trust is invaluable for building customer relationships that sustain your business for the long run.

The post The best cookie policy generator in 2026: compare features, pricing, and reviews appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB & EDPS Issue Joint Opinion on Digital Omnibus
The European Data Protection Board and the European Data Protection Supervisor published a Joint Opinion 2/2026 on the Digital Omnibus proposal (PDF), supporting simplification but warning that some amendments could weaken fundamental rights and fragment GDPR protection across the EU.

European Union – EDPB Adopts 2026–2027 GDPR Work Programme
The European Data Protection Board adopted its 2026–2027 GDPR work programme (PDF), prioritising practical enforcement, updated cooperation procedures, revised fine-setting guidance, SME support tools, coordinated transparency enforcement, and further work on generative AI scraping.

2) Notable Case Law

France – CNIL Reports €486.8 Million in GDPR Fines for 2025
France’s data protection authority published its 2025 enforcement report (in French), detailing 259 decisions and €486.8 million in fines, mainly linked to cookie violations, employee monitoring, security failures, and unlawful marketing practices.

United States – FTC Warns Data Brokers Over Foreign-Adversary Data Sharing
The U.S. Federal Trade Commission sent warning letters under the Protecting Americans’ Data from Foreign Adversaries Act, reminding 13 data brokers that sharing sensitive data with entities linked to China, Russia, Iran, or North Korea may trigger penalties of up to $53,088 per violation.

Spain – AEPD Orders Health Authority to Answer Access Request
The Spanish Data Protection Agency ordered the Balearic Health Service to comply with a GDPR access request within ten working days after missing the one-month deadline, as confirmed in its official resolution (PDF, in Spanish).

3) New and Upcoming Legislation

United Kingdom – ICO Sets Complaint Handling Standards Under New Data Act
The UK Information Commissioner’s Office published guidance on complaint handling under the Data (Use and Access) Act, which enters into force on 19 June 2026 and requires clear procedures, prompt investigations, and reasoned written outcomes.

4) Strong Impact Tech

European Union – EU Probes Google Over Search Ad Auction Pricing
EU antitrust regulators are assessing whether Google inflated search ad auction prices in breach of EU competition law, according to a Reuters report on the preliminary investigation.

European Union – Brussels Targets “Infinite Scroll” Under DSA
EU regulators are scrutinising addictive design features such as infinite scroll and autoplay under the Digital Services Act in the TikTok investigation, as reported by Politico on potential DSA enforcement measures.

Other key information from the past weeks

Canada – Ontario Releases Privacy-First AI Framework for Health Care
Ontario’s Information and Privacy Commissioner issued guidance on responsible AI use in health care (PDF), outlining governance expectations, vendor oversight, and safeguards for AI medical scribes.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #152) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

That’s why the European Commission’s “Digital Omnibus” proposal has been getting so much attention. The headlines can be dramatic (“cookie banners are going away”), but the real story is more practical: the Commission is trying to reduce consent fatigue by looking at how consent is usually collected and simplifying the legal requirements around it.

Below is what matters most for publishers, what the proposal promises, what’s still unclear, and why pay-or-ok models are likely to stay central either way.

The EU’s proposal in a nutshell

The Digital Omnibus proposal (published 19 November 2025) is the Commission’s attempt to simplify parts of the EU’s digital and privacy framework. One key shift: cookie-related rules, now part of the ePrivacy Directive, would move into the General Data Protection Regulation (GDPR), so businesses are not struggling to keep up with too many scattered legal requirements.

On cookie consent specifically, the proposal suggests:

• Consent still matters for marketing. Advertising, profiling, cross-site tracking, and most third-party analytics remain “opt-in” scenarios.
• Fewer repeated prompts. The proposal supports clearer banner standards (including making “Reject” as easy and visible as “Accept”) and limiting how often you can re-prompt after a refusal.
• A long-term push toward browser or OS-level choices. A new system was proposed: “machine-readable” consent signals, so a user could set preferences once at the browser level, and websites would need to read and apply them.

A lot of questions arose from the proposal and will probably find their answer in future publications by the European Commission around the topic. In the meantime, the proposal will continue its journey through the EU legislative process.

There will likely still be a series of legal and technical requirements for websites to handle, like informing users of their practices around data and privacy, blocking cookies when no consent is given, etc.

Why cookie consent is crucial for publishers

As a publisher, you sit in a different reality than many other website owners.

Your model is often some mix of ad-funded access, subscriptions (hard paywalls, freemium), or hybrids (memberships, logged-in experiences).

Cookie consent affects all of it, but the pressure point is usually advertising.

• If you can’t collect valid cookie consent where it’s required, you may lose the opportunity to serve ads altogether.
• If consent is partial, you may not be able to serve ads personalized to the user. It’s less probable for users to click.
• If the consent experience is too heavy, takes too much time to load, the user may go through your content before your high-value, above-the-fold ads display. It’s less probable for users to click.

All the above can have a high negative impact on your revenue.
That’s why, as a publisher, you should make sure to curate your cookie consent processes.

Consent processes are so important for you, and yet they’re a strong pain point for your visitors. The reality is that most people don’t want to decide about cookies. They want the article, the video, the recipe.

Repeating that same decision on every new site is a fast track to the frustration that the EU’s proposal targets: fewer repeat prompts, clearer UI expectations, and, eventually, more centralized preference signals.

A special exemption granted to media providers

Here’s the part you probably immediately noticed: a carve-out for “media service providers”.

In the proposal’s logic, if users are given the possibility to broadcast a global “reject tracking” signal from their browser, ad-funded media could take a hit.

In other words, if the user were to deny consent at the browser level to advertising, for instance, media providers would not be able to display ads, which is usually their main source of revenue.

So the proposal suggests that media service providers should not be obliged to respect those globally-transmitted signals (in view of the need to finance media through advertising) and could still ask for consent in the usual way, whether through a traditional banner, a pay-or-ok model, etc.

There’s a tricky nuance here to be aware of: media service providers would not have to respect global consent rejection signals set by users. This, of course, doesn’t mean that they would be exempt from general consent rules like informing users or letting them update their preferences through a banner. Only that the signal mechanism might not be binding the same way for that category.

Some publishing platforms may not be subject to this exemption.

At these early stages of the proposal, there is still some uncertainty around the boundaries and scope of the media service provider definition. Make sure to seek expert advice to understand if you wouldfall within the exemption.

Pay-or-ok model: why it won’t disappear

If you work in media, you already know the trend: pay-or-ok is everywhere. And the user behavior is predictable: “I’ll just consent, because I don’t want to pay.”

When the “free” option is funded by ads and tracking, many readers will choose it.

Paywall? Pay-or-ok? Here’s a quick refresher for those who are new to these terms.

A paywall controls access to content. Users must pay (or subscribe) to read, watch, or listen. In short: Pay to access content.

A pay-or-ok model links access to content directly to consent for tracking. Users can either pay (usually via subscription) or consent to advertising and tracking. Advertising revenue replaces subscription revenue for users who choose “ok.” In short: Pay with money, or pay with data.

We can argue that pay-or-ok doesn’t help reduce consent fatigue. The annoyance of the banner and making a choice is still there. In general, EU privacy discussions keep scrutinizing “consent or pay” models to make sure they are fair (consent is freely given).

Regulators pay attention to whether the user genuinely has a choice, how pricing and alternatives work, and whether pressure is applied.

So even if the Omnibus proposal would give media service providers room not to honor global reject signals, pay-or-ok design will still be under a microscope. The question shifts from “can you show a banner?” to “is the choice fair, clear, and defensible?”

Subject to future clarifications of the media service provider definition, Consent Management Platforms may remain central for publishers as they would still need a reliable and compliant infrastructure to manage cookie release, consent walls, and pay-or-ok logic if it’s not done in-house.

What the proposal means for publishers now

The best you can do now is the following:

• Stay informed and monitor further developments, as this is just a proposal. It’s not law yet.
• Keeping your consent flows, preference handling, and internal documentation practices in check could help reduce future implementation effort.

Existing legal obligations still apply, and you don’t need to change anything because of the headlines. It’s a multi-year transition, and publishers will likely operate in a hybrid world for a long time.

Even if adopted, this won’t be a “flip the switch” moment. The legislative path is long, and clarifications will come in time. Requirements would start to take effect several months after entry into force.

Parts of the proposal have sparked some debate and will have to be addressed. For publishers, the biggest uncertainty is also the most basic: who counts as a “media service provider”?

Early commentary has already pointed out that this carve-out may be challenging to apply in practice and could be open to misuse. The exemption shouldn’t create a blanket legal basis for tracking and other marketing activities.

iubenda is an all-in-one, scalable privacy compliance infrastructure that can help you improve your marketing performance and grow confidently.

Our team works by your side to help optimize your consent rate and processes, to support your revenue growth.

Disclaimer: This article discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of February 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.

The post What publishers should expect from the EU’s Digital Omnibus proposal appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Artificial intelligence is changing marketing. Teams are using AI for personalization, content creation, audience segmentation, predictive analytics, campaign optimization, you name it. The potential is clear, and adoption is accelerating. Yet somehow many marketers still struggle to move from experimentation to scale.

One of the biggest obstacles is often assumed to be regulation. But the more common issue is uncertainty. Uncertainty about data usage, consent requirements, and legal boundaries slows decision-making and creates friction between marketing, legal, and product teams.

When uncertainty exists, innovation stalls.

Why AI adoption in marketing slows down

Privacy regulations such as GDPR, ePrivacy, and US state privacy laws do not prevent marketers from using AI. What they require is clarity around how personal data is collected, processed, and used.

The challenge is that many organizations lack clear answers to fundamental questions:

• What data are we collecting?
• What did users consent to?
• Does that consent cover AI-driven personalization or analytics?
• Can we demonstrate compliance if asked?

Without clear data governance and consent management, every new AI initiative becomes a risk assessment rather than a growth opportunity. This is where momentum is lost.

First-party data is the safest foundation for AI marketing

As third-party data becomes less reliable and more restricted, first-party data has become the most valuable asset for AI-driven marketing.

First-party data collected with clear, informed consent offers several advantages: higher accuracy and relevance, stronger alignment with declared purposes, lower compliance risk, and greater user trust.

From an SEO and performance perspective, first-party data also supports better personalization and measurement without relying on opaque data sources.

For marketers, this means that AI initiatives are most effective when they start with data that the organization fully controls and understands. Clear consent turns first-party data into a strategic advantage rather than a legal risk.

Consent clarity enables faster AI experimentation

Many teams delay AI adoption because they fear crossing legal boundaries. In practice, those delays are often caused by unclear consent frameworks rather than strict regulatory limits.

When consent is specific, documented, and transparent, marketers gain clarity about what they can do. This reduces internal friction and shortens approval cycles.

Clear consent frameworks help teams define which AI use cases are permitted, align marketing and legal expectations, adapt quickly as AI applications evolve, and maintain compliance across regions and regulations.

Instead of slowing innovation, well-managed consent enables it. In other words, the best way to save time is to do it right from the beginning. Who would have thought!

Why involving legal teams early accelerates progress

Legal and privacy teams are often seen as blockers. If you’re a marketer, you probably don’t have enough fingers on your hand to count the times you avoided running a campaign that wasn’t straightforward when it came to compliance, simply because you thought that involving legal would slow things too much and… let’s face it, time isn’t something marketers have in abundance.

I believe legal teams become blockers mostly when they are involved too late in the process. When legal input comes after an AI project is already defined, the conversation becomes reactive. Bringing legal teams into AI planning early changes the dynamic. It allows organizations to establish clear boundaries from the start and identify real risks.

Most delays in AI marketing are caused by uncertainty about what is allowed. Early alignment removes that uncertainty and creates confidence across teams.

Compliance should be infrastructure, not friction

Not surprisingly, companies moving fastest with AI in marketing treat compliance as infrastructure rather than a constraint.

This includes purpose-based consent management, reliable consent records and documentation, transparency toward users, and systems that can adapt as regulations and AI use cases change.

When these foundations are in place, marketing teams can test, iterate, and scale AI initiatives without stopping to reassess risk at every step.

Compliance becomes part of how innovation happens. Doesn’t this sound lovely?

Trust is essential for scalable AI marketing

AI-driven marketing relies on trust. Trust from users who share their data, trust between internal teams, and trust in the data powering AI systems. As someone working for a compliance company, I can assure you that trust is everything.

Organizations that invest in clear consent, strong data governance, and privacy-first foundations reduce risk while increasing speed. They gain the confidence to use AI responsibly and effectively.

The future of AI in marketing is about removing uncertainty and building on data that users trust you with.

The post Uncertainty is the biggest blocker to AI adoption in marketing appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

For indie hackers and non-technical founders, that’s a huge shift and a real advantage. There’s a gap, however, that most people don’t see until it becomes a problem.

If your app collects personal data (even something as simple as an email address or analytics), you’re expected to have certain legal basics in place. Privacy policies, terms and conditions, and, in many cases, cookie consent.

For the most part, vibecoders aren’t intentionally ignoring this, but it may not feel urgent when you’re focused on shipping, testing, and figuring out whether your product even has legs. The problem is that platforms, app stores, and ad networks often care much earlier than founders expect.

Now for the good news. You don’t need to navigate everything at once. Start by understanding which requirements apply to your app.

Vibecoding: what’s it all about?

Vibecoding is a newer approach to app development in which AI generates most of the code for you based on prompts. Instead of writing everything by hand, you guide the build and iterate as you go. In practice, the process usually looks like this:

• You describe what you want in plain language
• An AI tool generates the code
• You tweak things, prompt again, and ship

What makes this approach different is that it’s no longer limited to simple demos or landing pages. Many teams are using it to build fully functional apps with logins, payments, and active users. And it’s growing in popularity among early-stage startups, with 25% of YC’s latest startups letting AI write 95% of their code.

Where things can go wrong

Most issues don’t show up while you’re building, but once you start to grow. A few common examples:

• You submit your app to an app store and get asked for a privacy policy
• You try to run ads, and Google won’t approve your campaign
• Analytics isn’t tracking properly
• A user asks how their data is handled, and there’s nowhere to point them
• A platform flags missing legal pages

At that point, compliance will feel like a blocker that came out of nowhere, even though, from a legal perspective, the trigger was simple: the app began processing personal data.

This is where privacy laws apply in a very practical way, not as an abstract legal concept. For early-stage startups, it’s less about fines and more about delays, rejections, and lost momentum.

How compliance gets overlooked

Unlike security risks, legal compliance doesn’t receive much attention in AI circles. That’s because most vibecoding content focuses on speed, tooling, prompts, and shipping faster, and privacy and terms feel like something you “add later”, once the product is proven.

But as we now know, most platforms won’t let you get very far without them. App stores require a privacy policy, ad platforms check for compliant policies, and analytics and tracking need valid consent in many regions.

Can’t the AI just generate this for me?

It’s reasonable to assume that if AI can build your app, it can also generate your legal documents. And while you can technically build documents this way, AI-generated policies tend to be:

• Generic
• Incomplete or out of date
• Not aligned with the services you actually use
• Missing platform-specific requirements

Most importantly, from a legal standpoint, you’re still responsible for what’s there. If something goes wrong, it doesn’t matter how the text was generated; you’re still accountable for what’s published.

While AI can be great at generating code and features, legal compliance requires accuracy, context, and ongoing updates.

What your app actually needs to stay protected

For most vibecoded apps, the requirements are simpler than people expect. You don’t actually need a complex legal setup. Just a few basics in place, early.

Privacy policy

If your app collects personal data (e.g., email addresses, logins, payments, analytics), you need a privacy policy. It’s what app stores, ad platforms, and users expect from you. It needs to clearly reflect how your app works, processes personal data and which third-party services you use.

Terms and conditions

Terms protect you. They define how the app can be used, limit liability, and clarify responsibilities. If users sign up or pay, terms are essential.

Cookie consent

If you use analytics, ads, or tracking, users often need real choices. Clear consent also helps ensure your analytics and ad tracking work as intended.

Platform requirements

App stores, ad networks, and payment providers all check for compliant documentation. Missing or incorrect pages can delay launches or block growth.

How iubenda helps

If you’re building an app quickly, iubenda helps you get your compliance basics sorted so you don’t get hit with surprises when it’s time to launch.

Instead of writing policies yourself or relying on AI text that won’t pass platform checks, iubenda generates them based on the services your app actually uses. That includes your privacy policy, terms and conditions, and, if your app relies on analytics or tracking, your cookie and consent setup. Everything is maintained by our legal team and updated for you, so you don’t need to track changes or rewrite anything as your stack evolves.

The consent tools also handle the practical side of compliance: giving users real choices, respecting those choices across devices, and keeping proof of consent. This helps prevent analytics or ad tracking from breaking and keeps platforms like Meta and Google Ads happy.

iubenda integrates easily into most workflows, whether you’re using a CMS, a no-code tool, or a custom setup. You can embed everything with simple snippets, plugins, or via API.

All of this saves hours of work and reduces the risk of running into issues at the worst moment: an app store rejection, an ad campaign being paused, or users hesitating because they can’t see how their data is handled. It’s simple. We’ll help you stay aligned with the latest compliance requirements while you focus on shipping your product and growing.

Pre-launch checklist

Before you share your app publicly, it’s worth running through a quick check to make sure nothing important is missing. The basics are straightforward:

Is your privacy policy live and easy to find? Platforms expect this, and users look for it.

Do you have terms in place if people sign up, log in, or pay? This sets clear rules and protects you.

If you use analytics or tracking, is consent handled properly? Real choices, correct behaviour, and nothing firing before it should.

Do you meet the requirements of any platform you depend on? App stores, ad networks, and payment providers all check for this.

A solid foundation for smooth app growth

Vibecoding makes it easier than ever to ship quickly. Getting the privacy basics right makes it easier to grow.

When compliance is handled properly, it builds trust, keeps platforms happy, and removes the small obstacles that can slow your momentum. With iubenda, you can do all of this in minutes.

The post Everything AI app builders need to know about vibecoding and privacy compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’re introducing 1-Click Embedding for Google Tag Manager, a guided way to embed your iubenda solutions without manually installing plugins or handling embed snippets.

What’s new

With 1-Click Embedding for Google Tag Manager, you can install your configured iubenda solutions through a guided flow that runs in a secure pop-up window.

This process brings everything together in one place and uses Google’s native login and authorization screens to guide you through the installation.

This experience is already available for WordPress and Shopify, and is now supported for teams using Google Tag Manager, too.

Which iubenda solutions can you embed via GTM?

The GTM 1-Click Embedding flow supports the iubenda solutions you’ve already configured, including:

• Privacy and Cookie Policy Generator
• Terms and Conditions Generator
• Privacy Controls and Cookie Solution (cookie banner)

A more guided setup, with more control

The new GTM embedding flow brings these decisions into a single, guided experience while keeping you in control of where the installation takes place. Now, you can: 

• Move through the installation step by step
• Select the exact account, container, and environment you want to use
• Complete the embedding automatically once confirmed
• Finish the setup without editing your site’s code

How 1-Click Embedding works with Google Tag Manager

Start by logging in with your Google account and approving the connection through Google’s native authorization screens. Select where the installation should take place by choosing the appropriate GTM account, container, and environment.

Once confirmed, iubenda automatically installs and embeds your configured solutions.

When the installation is complete, you’ll be prompted to publish the changes in Google Tag Manager to activate them. At the same time, a scan will automatically run inside your iubenda dashboard to verify that everything is in place.

For detailed, step-by-step instructions, you can refer to our help guide on using 1-Click Embedding with Google Tag Manager.

How to access 1-Click Embedding

If you’re using Google Tag Manager, you’ll see the simplified embedding option in two areas of your iubenda dashboard:

• In the configuration checklist, during the embedding step
• In the embedding section below the snippet boxes for supported solutions

In both cases, selecting Go to simplified embedding starts the guided GTM setup.

Before you publish

Publishing the installation in Google Tag Manager will include any other unpublished edits in your workspace. If you prefer to review those changes first, you can do so directly from your GTM dashboard before publishing.

If an issue occurs during installation, you’ll see a clear message with the option to try again. The system will restart the process.

A simpler way to set up iubenda with GTM

If you’re already using Google Tag Manager, 1-Click Embedding offers a clear, guided way to complete your setup, combining the flexibility of GTM with a simpler installation flow.

The post Introducing 1-Click Embedding for Google Tag Manager appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The latest version, TCF 2.3, was officially announced on June 19, 2025, with updates that clarify vendor disclosure and strengthen accountability across the digital advertising ecosystem.

Here’s what’s changing, what it means for you, and how to get ready.

What is TCF 2.3? 

TCF 2.3 is the latest version of the IAB Europe Transparency and Consent Framework.

It’s the industry standard that helps publishers and advertisers operationalize with the GDPR and the ePrivacy Directive when processing personal data for digital advertising:

• It gives Consent Management Platforms (CMPs) like iubenda a standardized way to inform users and capture consent (or objections) for advertising.
• It makes sure consent signals are communicated consistently across the advertising supply chain, from your site to every vendor you work with.

What changes from the previous version?

TCF 2.2 (launched in May 2023) focused on implementing changes required by the Belgian Data Protection Authority and improving user-friendly descriptions. TCF 2.3 now tackles a different challenge: vendor disclosure ambiguity.

Mandatory “Disclosed Vendors” segment

The main change in TCF 2.3 is that the “Disclosed Vendors” section is now mandatory in all TC strings. Previously, it was optional.

– Clear binary signal: The Disclosed Vendors segment provides a simple indicator (1 = disclosed, 0 = not disclosed) specifying whether a vendor was shown to the user.
– Updated TC string structure: The string format now follows the following pattern [Core segment].[disclosedVendors segment].[Publisher TC].
– No more ambiguity: Vendors can now confirm whether they were properly disclosed to users before processing data.

Why this change? 

Under TCF 2.2, some vendors faced uncertainty in scenarios where it wasn’t clear whether they’d been disclosed to the user.

For example, when a CMP registered a user objection under Legitimate Interest, a vendor couldn’t always tell whether they’d actually been shown to the user. This distinction matters because vendors must be disclosed to users as part of meeting transparency obligations before processing data, including for Special Purposes.

By making the Disclosed Vendors segment mandatory, TCF 2.3 removes this ambiguity. This means cleaner signals across your advertising stack and fewer issues with vendor data processing.

What’s the timeline for implementation?

Here are the key dates to keep in mind:

June 19, 2025: TCF 2.3 officially announced and technical specifications released.

October 2025: Google confirmed its systems can accept and process TCF 2.3 strings.

February 28, 2026: Mandatory deadline. All CMPs and vendors need to support TCF 2.3. Support for new TCF 2.2 strings ends on this date.

Good to know: TC strings generated on or after February 28, 2026 must follow TCF 2.3 specifications. TCF 2.2 strings created before that date will still be valid.

If you use Google AdSense, Ad Manager, or AdMob in the EEA, UK, or Switzerland, you’ll need TCF 2.3 support by February 28, 2026.

Google has confirmed its systems can accept and process TCF 2.3 strings. If you miss the deadline, your ad requests may default to Limited Ads serving, which can reduce demand/personalization and impact revenue. The good news? With iubenda, no need to worry. We’ve got you covered.

What does this mean for iubenda customers?

If you’re using iubenda’s Privacy Controls and Cookie Solution, you’re all set. Our CMP already handles TCF 2.3 requirements.

Here’s what’s next for you:

• If you’re ready now: Set tcfVersion = 2.3 in your configuration to start using TCF 2.3 signals immediately. This is a good choice if you want to test the new signals with your ad stack before the mandatory date.

• Prefer a hands-off approach? Let us handle it: We’ll automatically switch your signals to TCF 2.3 after the February 28, 2026 deadline. You don’t need to do anything.

No banner changes needed: TCF 2.3 is a technical update. Your consent banner interface stays exactly the same.

No new data collection: This update doesn’t introduce new categories of personal data or expand data processing purposes.

Your users won’t notice: The change happens behind the scenes. The new TC string automatically generates the next time someone interacts with your consent notice.

More on this topic:

• Mobile apps and CTV: for this type of implementation, you may need to update to the latest version of our SDK. We’ll share detailed guidance closer to the deadline.
• Make sure to review your vendor list and confirm your vendors are registered on the updated Global Vendor List.

Over to you

Questions about TCF 2.3 or your setup? Reach out to our support team at info@iubenda.com.

The post Transitioning to IAB’s TCF 2.3: what you need to know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In October 2025, the European Data Protection Board (EDPB) announced that transparency and information duties under the GDPR will be its top coordinated enforcement topic for 2026.

That’s a clear signal: regulators will be paying extra attention to how you explain your data use to people.

For businesses, that translates to a simple focus: your privacy and cookie policy should be accurate, clear, and easy to find.

If your policies are due for an update, 2026 is the year to stop postponing it. Let’s take a look.

What the year of transparency holds in store

During its October 2025 plenary, the EDPB picked the topic for its fifth coordinated enforcement action: compliance with the GDPR’s transparency and information obligations.

Here’s the core idea: the GDPR says people have the right to be informed about the collection and processing of their data, especially under Articles 12, 13, and 14. This “right to be informed” is one of the GDPR’s foundation stones, because it’s what gives people real control over their data.

If you’re collecting personal data, you must clearly explain that you’re doing it, what data it is, what you do with it, and why.

Coordinated enforcement: what does that mean? 1-The EDPB selects a topic (for 2026, transparency). 2-National Data Protection Authorities (DPAs) choose to participate voluntarily. 3-DPAs run checks or investigations at national level using a shared approach. 4-Results are aggregated and analyzed to spot patterns. 5-If needed, this can lead to targeted follow-up at national and/or EU level. The action will be launched over the course of 2026.

This is what regulators will be looking at:

• Article 12 is your “plain language” rule. Information must be concise, transparent, easy to access and to understand.
• Article 13 covers what you must tell people when you collect data from them (for example: contact forms, checkout, newsletter signup).
• Article 14 covers what you must tell people when you get their data from somewhere else (for example: lead lists, partners, data enrichment, certain advertising scenarios).

Why it matters to your business

If the GDPR applies to you, you must follow transparency requirements.

Most businesses will be affected by the EDPB’s 2026 focus on transparency because it applies whenever you collect or use personal data.

If your website has a contact form, a newsletter signup, account creation, checkout/payments, customer support chat, or even common tools like analytics and marketing pixels, you’re almost certainly processing personal data.

If a DPA looks at your site or app and doesn’t like what it sees, they can ask questions, require changes, order you to stop certain processing, and (in some cases) issue fines.

Who are DPAs? A quick reminder: DPAs (Data Protection Authorities) are the national regulators that enforce data protection law in each EU/EEA country. There’s a French one, an Italian one, and so on.

Beyond the legal obligations, transparency isn’t just a legal checkbox for SMBs. It’s a real business advantage.

When people understand what you’re doing, they’re less suspicious. They’re more likely to sign up, buy, and stick around.

They’re more willing to trust you with their data. Better data means better campaigns and a higher revenue!

Transparency can actually improve conversion and retention, because it reduces friction and surprises.

Make your privacy and cookie policy flawless

For most businesses, the practical translation of these obligations is having a privacy and cookie policy.

The key elements to include in your privacy policy are:

• Who you are: company name, contact details
• What personal data you collect and how: e.g., name, email, billing details, IP address, device info, order history + where it comes from: forms, checkout, cookies/trackers, third-party tools
• Why you use it (purposes): e.g., provide the service, process payments, customer support, analytics, marketing
• Your legal basis: consent, contract, legal obligation, legitimate interests
• Who receives the data: any third parties, like hosting or payment processors, vendors, service providers
• Any international transfers: if data goes outside the EU/EEA, explain where and what safeguards you rely on
• Retention: how long you keep data
• People’s rights: access, deletion, objection, etc., and how to exercise them
• Updates: how you notify users of changes, “last updated”, or effective date

Do’s	Don’ts
Article 12 is explicitly about clear and plain language and making information easy to access. Can I understand the main points in under two minutes?	This isn’t about writing longer legal documents. It’s about making sure anyone can quickly find and understand it.
Can I find your privacy policy in one click from any page? That’s why you typically see all privacy policies in the footer of the website.	A privacy policy that is technically “published” but buried in a submenu or written like a courtroom script is not the spirit of Article 12.
Does your policy match reality? Make sure it is complete and tailored to your business.	Here’s an easy mistake: if a service truly doesn’t involve personal data processing, you generally don’t need to describe it in your privacy policy. Including non-existent processing can be misleading.

Take a look at our GDPR privacy policy template for an example!

How iubenda helps you meet 2026 standards

As Giulia Stancampiano, our Director of Legal at iubenda, puts it:

“By focusing on information duties in 2026, the EDPB highlights something simple but often overlooked: data protection begins with explaining things clearly. The real work is translating principles into practical steps that people can understand.”

Transparency can sound like tedious work. It’s writing the policy, but also keeping it accurate as your business changes. Add a new analytics tool, chatbot, ad platform, or payment provider, and last year’s policy no longer reflects what you actually do.

That’s where iubenda helps: we empower SMBs to manage transparency and digital compliance easily, as their business evolves.

Our tools come with pre-drafted clauses that are updated when relevant legal changes occur. We alert you if something’s missing. We offer easy integration options with your site.

A privacy policy powered by iubenda is simple, effective, and meets transparency requirements. Learn more about our Privacy and Cookie Policy Generator.

Ultimately, the EDPB’s 2026 focus reinforces a simple point: compliance starts with clear communication. iubenda’s products are built for simplicity and for maintaining consistent and reliable communication as your business grows.

Need a transparent privacy policy?

The post What the EDPB’s 2026 focus on transparency means for online businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

United Kingdom – ICO Clarified Storage and Access Technology Rules
The ICO clarified that PECR rules apply to all information, not just personal data, and maintained that storage or access must be essential to provide requested services. Legitimate interest cannot be used for non-exempt technologies and consent is required.

Italy – Garante Approved IT-Wallet System Draft Decrees
The Italian data protection authority issued a favorable opinion on draft decrees for the Italian Digital Wallet System (in Italian), which incorporates Privacy by Design and by Default principles aligned with GDPR Article 25 requirements.

European Union – EDPB Published DSA-GDPR Guidelines
The European Data Protection Board adopted guidelines 3/2025 on the interplay between the Digital Services Act and GDPR, covering illegal content detection, advertising transparency, and systemic risk management amongst others. Public consultation runs until October 31, 2025.

USA (California) – Multi-State Privacy Enforcement Sweep Targets Opt-Out Compliance
The California Privacy Protection Agency and attorneys general from California, Colorado, and Connecticut launched an investigative sweep examining business compliance with consumers’ right to opt out of personal data sales. The enforcement action specifically focuses on adherence to Global Privacy Control signals and proper handling of consumer opt-out requests across participating states.

2) Notable Case Law

Finland – S-Bank Fined €1.8 Million for Security Breach
S-Bank received a €1.8 million fine for GDPR violations (in Finnish) after a security flaw allowed customers to log into online banking using other customers’ credentials between April and August 2022.

France – Google and SHEIN Fined
France’s CNIL imposed €325 million total penalties on Google entities for unauthorized advertising practices. Google LLC was fined €200 million while Google Ireland Limited faced €125 million for Gmail advertisement deployment without consent and improper cookie placement affecting over 74 million French users. Compliance requirements include practice cessation within six months or additional sanctions.

CNIL separately sanctioned SHEIN with a €150 million penalty for cookie compliance failures (in French). Violations encompassed unauthorized tracker deployment, incomplete consent banners lacking advertising purpose disclosure, insufficient third-party identification at secondary information levels, and faulty consent withdrawal mechanisms where trackers were not removed, as well as tracker operations that continued despite user refusal.

3) New and Upcoming Legislation

Poland – Data Act Implementation Framework Advanced
Poland’s Draft Act on Fair Access to and Use of Data (in Polish) progressed, designating the Office of Electronic Communications as the enforcement authority. The Council of Ministers expects adoption in Q4 2025.

USA (California) – Opt Me Out Act Passed Legislature
Assembly Bill 566 passed, requiring businesses to develop browsers with opt-out preference signal functionality and clearly disclose how these signals work and their intended effects on data processing.

USA (Colorado) – EPIC Submitted CPA Amendment Comments
The Electronic Privacy Information Center (EPIC) supported expanding sensitive data definitions and recommended opt-in consent for features extending minors’ engagement, while proposing clarifications on content moderation requirements.

USA (New Jersey) – Privacy Groups Urged Robust NJDPA Rules
EPIC and the Consumer Federation of America recommended that the Division of Consumer Affairs adopt strong privacy rules including data minimization provisions and stricter standards for minors’ data.

4) Strong Impact Tech

USA – FTC Launched AI Chatbot Inquiry
The Federal Trade Commission initiated an investigation into AI chatbots from seven companies including Alphabet, Meta, and OpenAI, examining COPPA compliance and impacts on children and teens.

European Union – ASML Invested €1.3 Billion in Mistral AI
Politico reported that Dutch chip tool-maker ASML announced a major investment in French AI company Mistral, supporting Europe’s technological sovereignty goals and helping compete with American AI companies like OpenAI and Anthropic.

Other key information from the past weeks

Austria – YouTube Data Access Request Decision
Austria’s data protection authority ordered Google’s YouTube to comply with the GDPR following complaint proceedings instituted by noyb (in German). The regulator determined that Google LLC provided inadequate access request responses by withholding processing purposes, retention periods, recipient information, and tracking cookie details. These resulted in the violation of transparency obligations under Articles 12 and 15 GDPR.

USA – Disney Children’s Privacy Settlement
Disney agreed to a $10 million COPPA settlement for unlawful YouTube data collection from children under 13. The US Federal Trade Commission alleged Disney mislabeled child-directed videos as “Not Made for Kids,” enabling targeted advertising without parental consent, violating federal privacy protections.

USA – YouTube Children’s Privacy Settlement
Google and YouTube agreed to $30 million COPPA settlement resolving California Federal Court children’s privacy litigation from October 2019. The agreement addresses unauthorized data collection from minors including persistent identifiers, IP addresses, device information, and location data without parental consent, establishing $30-$60 individual payment ranges for affected children.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #147) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Italy – AI Law Published in Official Gazette
Italy officially published its comprehensive artificial intelligence legislation (in Italian) in the Official Gazette, establishing a regulatory framework for AI systems operating within Italian jurisdiction.

Switzerland – Website Tracking Regulations
Swiss authorities announced revised digital privacy requirements mandating clear data collection disclosure and simple opt-out options. The framework allows some non-essential cookies without consent if justified by strong interests, while sensitive or high-risk data activities require explicit user approval.

EU – Digital Platform Compliance Framework
European regulators released collaborative guidance demonstrating how the Digital Markets Act and GDPR work together to safeguard user information and promote competitive fairness among large technology companies.

Austria – Microsoft 365 Education Victory
Austrian privacy advocates successfully challenged Microsoft 365 Education for tracking school children, with authorities ruling the platform violated student privacy protections.

2) Notable Case Law

Germany – Hamburg Financial Firm Penalty
Hamburg’s data protection authority fined a financial company €492,000 (in German) for failing to provide customers with adequate explanations about automatic credit card rejections, breaching transparency requirements.

California – Universal Privacy Controls
California enacted legislation requiring browsers to provide single-click tracking rejection capabilities by January 2027. The measure enables users to block data collection and commercial sharing across all websites simultaneously, eliminating individual site preferences.

3) New and Upcoming Legislation

USA (Maryland) – Data Privacy Law Effective
Maryland’s new data privacy law became effective on October 1, granting residents rights over personal data, setting business compliance rules, and establishing security standards with potential criminal penalties.

Norway – Digital Security Act Enforced
Norway’s Digital Security Act took effect (in Norwegian) on October 1, requiring critical sectors to meet strict cybersecurity standards and rapidly report incidents, aligning with European network security directives.

4) Strong Impact Tech

USA – AI LEAD Act Referred to Committee
The AI Leadership To Enable Accountable Deployment Act was referred to committee, creating a civil liability framework holding AI developers and deployers accountable for negligence and safety violations.

USA (California) – Frontier AI Transparency Act Signed
California’s Governor signed the Transparency in Frontier Artificial Intelligence Act on September 29, requiring large AI developers to publish risk assessment frameworks and detailed transparency reports.

Other key information from the past weeks

Brazil – Cybersecurity Legal Framework Pending
Brazil prepared to approve its first Cybersecurity Legal Framework, establishing a National Cybersecurity Authority to unify regulations and enforce national standards across sectors.

United Kingdom – Apple Cloud Data Access Attempt
UK authorities made renewed attempts to access Apple’s cloud data storage systems, intensifying ongoing disputes over law enforcement access to encrypted user information.

Germany – EU Child Abuse Scanning Bill Division
Germany remained divided on the EU’s proposed child abuse content scanning legislation, with mounting pressure from various stakeholders regarding privacy and security implications.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #148) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EDPB Reviews Brazil’s Data Protection Adequacy
The European Data Protection Board shared its opinion on recognizing Brazil’s data protection laws as adequate under EU standards. While finding Brazil’s framework largely compliant with GDPR, the EDPB advised clarification on privacy assessments, transparency limits, and law enforcement applications.

Latvia – Guidance Issued on Cookie Opt-Out Simplification
Latvia’s Data Protection Authority published guidance urging websites to make cookie consent withdrawal easier (in Latvian). The authority emphasized that non-essential cookies require freely given consent and highlighted best practices for clear withdrawal tools.

European Union – AI Content Transparency Code Development Begins
The European Commission launched development of a Code of Practice for AI-generated content transparency. The seven-month process involves industry and civil society input to meet AI Act requirements for clearly marking AI-produced content by August 2026.

France – CNIL Surveys DPOs on AI Governance Role
France’s data protection authority launched a nationwide survey exploring how Data Protection Officers adapt to AI oversight responsibilities (in French). The initiative examines AI Act and GDPR interactions, with results expected in early 2026.

2) Notable Case Law

Spain – Carrefour Financial Services Fined €2.5 Million
Spain’s data protection authority fined Servicios Financieros Carrefour €2.5 million for data breach failures (in Spanish). The breach exposed customer ID numbers, contact information, and financial data due to weak security systems and poor monitoring practices.

Poland – Courts Approve UODO’s Data Communication Framework
Polish Courts of Appeal approved the national data protection authority’s standardized communication templates for personal data protection claims (in Polish). The decision supports streamlined information sharing under Poland’s Personal Data Protection Act.

3) New and Upcoming Legislation

USA (New York) – Final Cybersecurity Rules for Small Firms Active
New York’s amended cybersecurity rules final phase took effect, requiring small businesses to adopt multi-factor authentication and maintain detailed asset inventories. Class A companies must ensure universal MFA access and comprehensive IT asset records.

Hungary – National AI Law Enacted
Hungary enacted comprehensive AI legislation effective December 2025, creating the AI Market Surveillance Authority and Hungarian Artificial Intelligence Council. The law applies to all AI providers and users, with maximum fines reaching HUF 13.3 billion (approximately €33 million).

4) Strong Impact Tech

USA – OpenAI and Amazon Sign $38 Billion AI Infrastructure Deal
OpenAI secured a multi-year agreement with Amazon for AI infrastructure capacity, including hundreds of thousands of Nvidia processors through AWS. Full capacity deployment is expected by end of 2026, reflecting massive capital investment in next-generation AI systems.

USA – Meta Announces $600 Billion AI Infrastructure Investment
Meta committed to spending $600 billion over three years expanding US infrastructure and creating jobs through new data centers. CEO Mark Zuckerberg outlined the AI growth preparation plan, including recent investments in Louisiana and Texas facilities.

Other key information from the past weeks

Hong Kong – Privacy Commissioner Alerts LinkedIn Users on AI Data Use
Hong Kong’s Privacy Commissioner reminded users that LinkedIn began using personal data and public content to train generative AI models from November 3, 2025. The change affects Hong Kong, EU, and Canadian users under reviewed privacy settings.

APEC – Leaders Adopt Digital Transformation Declaration
APEC leaders adopted the Gyeongju Declaration committing to regional digital and AI transformation readiness. The joint commitment emphasizes collaboration in digital policy research, voluntary data sharing, and human-centered AI development approaches.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #149) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

European Union – EU Explores Cloud and AI Act for Data Centre Sovereignty
Parliament analysts outlined how a forthcoming Cloud and AI Development Act could expand EU data-centre capacity, reduce reliance on US cloud providers, and foster secure EU-based services to strengthen digital sovereignty and competitiveness.

European Union – Meta to Offer Real Choice on Personalised Ads Under DMA
Under Digital Markets Act pressure, Meta agreed to give Facebook and Instagram users genuine choice between fully personalised ads and versions using significantly less personal data, starting January 2026.

2) Notable Case Law

South Korea – Coupang CEO Resigns After Breach Affecting 33.7 Million Users
South Korean e-commerce giant Coupang disclosed a breach affecting 33.7 million customers after attackers used active cryptographic keys to forge access tokens, exposing personal details for nearly five months.

United Kingdom – ICO Fines LastPass £1.2 Million Over Major Data Breach
The UK Information Commissioner’s Office fined LastPass £1.2 million after a cyberattack exposed data of up to 1.6 million UK users due to inadequate technical and organizational safeguards.

3) New and Upcoming Legislation

USA (Federal) – Trump Signs Order to Preempt State AI Laws
President Trump signed an executive order creating national AI policy to displace conflicting state laws, directing federal agencies to challenge state measures while exempting child safety and procurement rules.

Ireland – Government Approves Garda Facial Recognition Bill
The Irish Government approved publication of legislation enabling police to use facial recognition and biometric tools for serious crime investigations, subject to High Court judge oversight.

4) Strong Impact Tech

European Union – Commission Probes Google’s Use of Content for AI Training
The European Commission launched an investigation into whether Google abuses dominance by using publishers’ content and YouTube videos to train AI models without fair compensation or meaningful opt-out.

South Africa – WhatsApp Settles With Regulator Over Data Compliance
WhatsApp reached an out-of-court settlement with South Africa’s Information Regulator over alleged non-compliance with local data-processing conditions, with confidential corrective measures agreed.

Other key information from the past weeks

Vietnam – Vietnam Passes First Comprehensive AI Law
Vietnam’s National Assembly approved its first Law on Artificial Intelligence, effective March 2026, establishing core principles, prohibited practices, and risk-based framework with centralized oversight.

Australia – Reddit Challenges Social Media Age Ban in Court
Reddit initiated High Court proceedings to overturn Australia’s ban on social media access for minors, arguing the regulation infringes upon free political dialogue and poses privacy concerns.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #150) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

France – CNIL Publishes Guidance on Analyzing AI Models Under GDPR
France’s CNIL published guidance helping AI providers assess whether their models store personal data from training and are subject to GDPR, building on the EDPB’s opinion on AI development.

Denmark – Datatilsynet Announces 2026 Supervisory Focus on AI Monitoring Technologies
Denmark’s Data Protection Authority published 2026 priorities focusing on AI monitoring in care settings, patient devices, employee tracking, and website tracking, signaling heightened healthcare and workplace scrutiny (Danish).

European Union – European Commission Publishes DMA Review Consultation Summary with 450+ Responses
The European Commission published all contributions from its Digital Markets Act review consultation, with stakeholders supporting DMA objectives while calling for expanded AI and cloud scope. The review report is due May 3, 2026.

2) Notable Case Law

European Union – EU Commission Orders X to Preserve All Grok Documents Until End of 2026
The European Commission instructed X to retain all Grok-related records through December 31, 2026, as it examines Digital Services Act compliance following criticism over AI-generated harmful imagery.

United Kingdom – UK Prime Minister Starmer Seeks International Coalition Against X Over AI-Generated Abuse Images
UK Prime Minister Starmer is building an international “coalition of decency” after X’s Grok enabled non-consensual imagery creation, with the government supporting potential enforcement action under the Online Safety Act.

3) New and Upcoming Legislation

European Union – European Parliament Confirms Digital Omnibus as 2026 Priority with Potential AI Act Timeline Delays
The European Parliamentary Research Service confirmed the AI Act will fully apply from August 2, 2026, but the proposed Digital Omnibus could delay certain high-risk system deadlines to late 2027 and 2028.

Netherlands – Ministry Delays Cybersecurity Act Entry Into Force to Q2 2026
The Dutch Ministry confirmed NIS2 Directive transposition into the national Cybersecurity Act is delayed until Q2 2026, with the existing Security of Networks and Information Systems Act remaining in effect.

4) Strong Impact Tech

USA – Meta Strikes Nuclear Power Agreements Worth 6.6 GW to Support AI Infrastructure
Meta announced agreements with Vistra, TerraPower, and Oklo to secure up to 6.6 gigawatts of nuclear capacity by 2035, including 20-year deals and funding for eight new advanced reactors.

European Union – EU Antitrust Regulators Set February 10 Deadline for Google’s $32 Billion Wiz Acquisition
EU antitrust regulators will decide by February 10, 2026, whether to approve Alphabet’s $32 billion Wiz acquisition, Google’s largest deal ever, or open a full investigation.

France – Macron Calls for Deepening EU’s Digital Rules in Face of US Pushback
French President Macron urged Europe to defend its Digital Services Act and Digital Markets Act, emphasizing European digital sovereignty as Washington criticized EU tech regulations.

Other key information from the past weeks

Brazil – ANPD Extends Digital ECA Compliance Deadline to February 13
Brazil’s ANPD extended the deadline for 37 tech companies to submit compliance information on the Digital Child and Adolescent Statute, including Amazon, Apple, and Google Brazil (Portuguese).

New Zealand – Privacy Commissioner Confirms Manage My Health Cyber Breach Notification
New Zealand’s Privacy Commissioner confirmed Manage My Health reported a ransomware incident on January 1, 2026, affecting thousands of users’ sensitive health information including discharge summaries and referral letters.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #151) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On March 19, 2025, the German Administrative Court of Hanover (VG Hannover) issued a decision that has big implications for anyone using Google Tag Manager (GTM). The court ruled that GTM requires explicit user consent before it can load — even if GTM itself doesn’t use cookies.

This ruling has caused understandable concern for website owners and marketers across the EU. Let’s break down what the court decided, what it means in practice, and how iubenda is approaching this development.

What the court decided

The court looked at how GTM works in practice and concluded that it is not just a neutral tool. Here’s why:

• Connection to Google servers: GTM contacts Google servers as soon as a page loads.
• Personal data transfer: IP addresses, device details, and referrer URLs are sent to Google automatically.
• Local storage: The GTM script (gtm.js) is stored on the user’s device.
• Hidden execution: GTM enables other third-party scripts to run, often before consent.

Because this happens before a user can give consent, the court found it violates both the GDPR and the German Telemedia Act (TTDSG).

The ruling also criticized invalid consent banners — for example, banners that make “Reject All” harder to find or use misleading symbols like “X” to imply consent. According to the court, these designs don’t count as genuine consent.

What this means for website owners

The main takeaway is simple:

• GTM requires explicit consent before loading.
• Consent must be informed and easy to refuse — no dark patterns.
• A Consent Management Platform (CMP) is not enough if GTM runs before the user makes a choice.
• Google’s Consent Mode 2.0 may not fully solve the compliance issue.

In short, GTM is not “just technical.” It’s a data processing tool, and that means it falls under EU consent rules.

iubenda’s approach

At iubenda, our Privacy Controls and Cookie Solution already give you two clear options for managing GTM in line with consent requirements:

1. Block tags inside GTM (granular approach)
   • In GTM, you can configure triggers to fire only after iubenda’s consent signals are received.
   • This means you can decide which tags are allowed for each consented purpose (e.g., analytics, marketing).
2. Block the GTM script itself (non-granular approach)
   • You can assign GTM to a specific purpose in iubenda.
   • With this setup, the entire GTM container will only load once a user gives consent for that purpose.

By default, our generator currently categorizes GTM as a strictly necessary service, which means it is not blocked automatically. This choice was made because blocking GTM at the script level can cause technical issues for many websites.

However, if you prefer to apply the strictest interpretation of the German court ruling, you can switch to one of the two blocking methods above to ensure GTM only runs after user consent is collected.

Will iubenda block GTM automatically?

Not at this time. Here’s why:

• The VG Hannover decision is regional and not yet binding across the entire EU.
• Automatically blocking GTM would disrupt many websites, and it’s not yet clear whether this will become the EU-wide standard.
• Our users already have the tools to choose stricter compliance and manage GTM accordingly.

We’re closely monitoring the situation, and we’ll update our recommendations if the legal landscape changes.

What you can do today

If you want to apply the strictest standard immediately, you have two options with iubenda’s Privacy Controls and Cookie Solution:

1. Block the GTM script until consent is given
   • Assign GTM to a specific purpose in iubenda (for example, “Marketing”).
   • The GTM container will only load after the user consents to that purpose.
   • This option is simpler but less flexible, because all tags wait for consent together.

   

2. Control tags inside GTM (granular consent)
   • Set up GTM triggers to listen for iubenda’s consent signals.
   • Allow or block each tag depending on the purposes the user has agreed to (e.g., Analytics, Remarketing).
   • This option takes a bit more configuration, but it gives you full control and aligns closely with GDPR requirements.

Both methods are supported by iubenda. Which one you choose depends on your compliance strategy and the level of risk tolerance you want to adopt.

The German court’s decision is a reminder that even tools considered “technical” — like Google Tag Manager — can have significant data protection implications. For now, we are not enforcing automatic GTM blocking in our products, but we give you the flexibility to decide how to configure GTM for your business.

As always, we recommend keeping a close eye on legal developments and ensuring your consent banner offers users a real, transparent choice.

The post Google Tag Manager and GDPR: What a Recent German Court Decision Means appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The pricing of the iubenda Accessibility Widget product is based on the number of pageviews your website receives. What do we mean by that?

What is a pageview?

One pageview is counted when a user visits any page on which the Accessibility Widget is active.

How are pageviews calculated?

In more technical terms, pageviews are calculated following the number of executions of the Accessibility Widget script. Whenever the Accessibility Widget code runs, our software records a pageview.

Pageviews are not recorded only at the first visit of each user, but also during all subsequent visits. The reason is that our Accessibility Widget must keep being active, and its script keeps running continuously.

In fact, the parameters selected on the Accessibility Widget (e.g., aligning all text to the right) are instantly applied as well as saved for future visits, so users don’t need to select them again.

Why is the iubenda pageview count different from other analytics tools?

The number of pageviews calculated by our software may differ from those calculated using other software such as Google Analytics, ShinyStat, or Matomo/Piwik.

This difference is because other tools typically use different metrics, like the number of visitors or the number of sessions.

The post How Are the Accessibility Widget Pageviews Calculated? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On this page, you can find information about which data from the products you use can be exported, in which formats, as well as known restrictions, technical limitations, and details on international governmental access and jurisdiction.

• Dataset: team admin details, activated and installed products, timestamp of the user’s takeout request, email addresses of team members and their roles, payment history and subscription plan details for each website, owner information, site business and service preferences, metadata about Cookie Banner installation (color, positioning, etc.), CS analytics (page views, consent percentage, etc.), custom clauses, CPL, metadata about widget installation, export of Whistleblowing Management Tool requests and related data (text, email, phone number, etc.), export of Data Subject Rights Management Tool data (user consents, etc.), and export of Newsletter Opt-in Booster subscriptions (creation date, subject, source).
• Formats: JSON
• Standards/specs: UTF-8
• Notes: clauses protected by intellectual property rights are non-exportable; the dataset above includes data relating to all products, therefore some of the listed data may apply only to specific products.

Jurisdiction to which the ICT infrastructure deployed for data processing of services is subject: Italy.

To ensure the lawful and secure handling of EU-held non-personal data, we have established the following technical, organisational, and legal safeguards to prevent international governmental access or transfers that would conflict with EU or Member State law:

• Technical measures: cryptography; EU Cloud; EU-only key management; access management with admin access from EEA only; yearly audits; ISO 27001 certification.
• Organisational and legal measures: business continuity and incident management procedures; cloud security procedures; designated legal team to assess any government requests; employees' training; suppliers' qualification and monitoring procedure; data deletion policy; records of requests maintained; notice to customers.

If you would like to know more about the measures in place, please refer to Annex I of the DPA at this link.

The post Data Export Register – Dataset, Formats, Standards, Jurisdiction appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The European Commission published its Digital Omnibus Regulation proposal on November 19, 2025. For anyone working in digital compliance, this is worth paying attention to.

The proposal aims to simplify and modernize Europe’s regulatory framework by amending several key laws, including the GDPR, ePrivacy Directive, Data Act, NIS2, eIDAS, DORA, and CER.

The text will evolve as it moves through the EU legislative process. But the trajectory is promising, and we’re committed to helping you understand what’s ahead.

Before we dive in, here’s what you need to know: this is a proposal, not law. The text is at an early stage and may change substantially as it moves through the EU legislative process. The principles and obligations outlined aren’t yet in force or enforceable. Until the Regulation is formally adopted, the existing legal framework (including the GDPR and other relevant laws) continues to govern data processing activities.

View timeline: From proposal to law (click to expand)

Cookie consent gets a refresh

The proposal moves the ePrivacy cookie rule into the GDPR as new Article 88a. Consent remains the general rule for storing or reading information on devices, but with important updates.

Here’s what’s changing:

• No-consent exceptions added: A closed list now covers transmission, strictly-necessary cookies, first-party audience measurement for your own services, and security of the service or device.
• One-click accept and reject required: Cookie banners must make both options equally easy to choose.
• Six-month cooling-off period: Sites can’t keep re-asking users after they refuse consent for at least six months, unless something relevant changes in your processing activities.

What’s not changing:

• Consent stays central: You’ll still need consent for advertising, profiling, cross-site tracking, and third-party analytics. The proposal doesn’t weaken these requirements.

Machine-readable preference signals

Article 88b introduces something new: machine-readable preference signals. Think browser settings that communicate consent or objection automatically. Controllers will need to honor these signals, and browser vendors will gradually need to support them.

This could fundamentally change how consent flows across the web, moving some choices upstream to the browser level while maintaining user control.

GDPR updates worth noting

The proposal brings several practical changes to the GDPR:

Personal data and pseudonymization

The definition of personal data is narrowed. The key question becomes whether a given controller or recipient has the means to “reasonably ” identify someone. Just because someone else can identify a person doesn’t automatically make that data personal for everyone.

What this means: The Commission, working with the European Data Protection Board (EDPB), can adopt criteria for when pseudonymized data no longer counts as personal data for specific entities.

Right of access gets anti-abuse protections

Article 12 is amended so controllers may refuse access requests or charge a reasonable fee where requests are clearly abusive. This covers scenarios like:

• Harassment campaigns
• Speculative compensation claims
• “Pay me and I’ll withdraw the request” schemes

The burden of proof stays with the controller.

Transparency exceptions for low-risk situations

For low-risk, obvious situations (like local craftspeople or small clubs), controllers may rely on a wider exception where there are reasonable grounds to assume people already have the necessary information.

Standardizing DPIAs and breach notifications

The EDPB must propose EU-wide lists of processing that does or doesn’t require a Data Protection Impact Assessment (DPIA), plus a common template and methodology. The same goes for high-risk data breach notifications: a standard template and criteria that the Commission will turn into implementing acts.

Why this matters: This standardization could reduce compliance complexity, especially for organizations operating across multiple EU member states.

AI and personal data

The proposal’s recitals clarify that using personal data to train, test, and validate AI systems can rely on legitimate interest under Article 6(1)(f). The catch: you need a strict balancing test and safeguards in place.

Required safeguards include:

• Transparency about AI training use
• Unconditional right to object
• Privacy-preserving techniques
• Additional protections based on risk level

A narrow derogation is added for incidental special-category data in AI training sets where removal would be disproportionate. In those cases, the data must be strongly protected and not used to infer or disclose sensitive information. The usual Article 9(2) grounds still apply where special-category processing is actually needed.

Other changes to note

Single EU entry point for incident reporting

A single EU entry point is created for cybersecurity and personal data incident reporting. GDPR controllers will use it for breach notifications, cutting duplicate reporting under NIS2, GDPR, eIDAS, DORA, and CER.

The benefit: This consolidation addresses a real pain point for organizations juggling multiple reporting obligations.

Data Act adjustments

The Data Act gets several updates:

• Stronger trade-secret safeguards
• Business-to-government (B2G) data sharing is limited to public emergencies
• Lighter regime for some cloud contracts
• Open Data Directive and Data Governance Act folded into it

The Platform-to-Business Regulation (P2B) is repealed as largely superseded by newer platform rules.

What this means for your business

This proposal points to where EU privacy regulation is going, and it’s a future we welcome.

Greater user control. Streamlined requirements. Standardization that actually helps. These aren’t just policy goals; they’re the foundation of what we’ve been building at iubenda since the beginning.

“The Digital Omnibus is not law, yet. And until it is, GDPR and ePrivacy compliance remains exactly as you know it. What will not change, even under the future regime, is the need for a robust operational layer translating legal requirements into technical enforcement. That’s still your CMP. Global signals and automation don’t replace CMPs; they make them indispensable, because someone still needs to bridge abstract rights and concrete code.”

Giulia Stancampiano, Product Legal Manager Privacy, iubenda

We’re committed to playing an active role as this proposal takes shape, helping ensure it works in practice for businesses and their customers alike.

The legislative process takes time, but we’ll be with you every step of the way, turning regulatory change into clear, actionable guidance.

Frequently asked questions

What is the Digital Omnibus Regulation?

The Digital Omnibus is a proposal from the European Commission that amends and harmonizes multiple EU digital laws, most notably the GDPR and the ePrivacy Directive, to reduce complexity, improve coherence, and modernize outdated provisions.

Is the Digital Omnibus Regulation in force?

No. The Digital Omnibus is still a proposal at an early stage of the EU legislative process. It may be substantially amended before adoption. Until it becomes law, existing regulations like the GDPR continue to apply.

When will the Digital Omnibus become law?

 There’s no fixed timeline.  EU legislative procedures typically take 12–30 months. Once adopted, the Regulation enters into force 20 days after publication. Its new obligations apply in stages (e.g., 6 months for the new cookie rules, 24 months for machine-readable signals).

Does the Digital Omnibus replace the GDPR?

No. The Digital Omnibus amends and updates the GDPR rather than replacing it. It proposes changes to specific articles, such as cookie consent rules and data breach notification procedures.

What changes to cookie consent does the Digital Omnibus propose?

The proposal would require one-click accept and reject options, preventing repeated consent prompts for at least six months after a refusal, and introducing machine-readable preference signals. It also moves the cookie rules into the GDPR (new Article 88a) and clarifies which limited purposes may rely on non-consent exceptions, such as first-party aggregated audience measurement and security.

Will I still need a cookie banner under the Digital Omnibus?

Yes. Consent management systems remain essential for handling user choices, managing proof of consent, and applying preferences correctly. What would change is that some users who set browser-level preferences may not see a banner, as the system would read their existing preference instead. However, media service providers may still request consent even when a global ‘reject’ signal is present.

How does the Digital Omnibus affect AI and personal data?

The proposal clarifies that using personal data to train AI systems can rely on legitimate interest under Article 6(1)(f), provided strict safeguards are in place: transparency, unconditional right to object, and privacy-preserving techniques. It creates a new Article 88c GDPR.

Do I need to do anything right now?

No immediate action is required. Your compliance obligations under GDPR and other existing laws remain unchanged. We recommend staying informed as the proposal evolves, and we’ll keep you updated on any developments that affect your compliance work.

The post Understanding the Digital Omnibus Regulation proposal: what it means for privacy and compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

As an app developer, you must comply with several requirements before publishing your apps and games on the main platforms like Google Play.

The Developer Policy Center is the central hub where Google Play outlines all these rules. It’s divided into sections that you can easily navigate to understand your requirements across various categories.

We’ve put together an overview of these requirements below, with links to the corresponding sections in Google’s policy.

Restricted content

Before submitting an app to Google Play, ensure it complies with content policies and local laws. Restricted content can take many forms, which we have outlined below.

Child endangerment

Google Play’s Child Endangerment policy bans any app that allows child sexual abuse material (CSAM) or enables exploitation, grooming, sextortion, trafficking, or sexualisation of minors.

Apps that target or appeal to children cannot include adult themes like violence, harmful activities, or body-shaming cosmetic features.

Social and dating apps must follow strict child safety standards. They need to:

• Clearly prohibit child sexual abuse and exploitation in their Terms of Service or community guidelines
• Offer in-app reporting mechanisms
• Act quickly to remove CSAM
• Comply with child safety laws
• Appoint a dedicated child safety contact

These rules are designed to protect children and hold developers accountable. Read more about the Child Safety Standards policy here.

Inappropriate content

Google Play’s Inappropriate Content policy bans apps that promote or include:

• Sexual content or explicit material
• Profanity or hate speech
• Gratuitous violence or violent extremism
• Bullying, harassment, or other harmful behavior

Apps cannot:

• Exploit sensitive events like disasters or deaths
• Sell or promote dangerous products such as firearms or explosives
• Sell marijuana, THC products, or unregulated tobacco and alcohol products, especially when targeting or encouraging minors

Some limited exceptions apply to content with educational, documentary, scientific, or artistic (EDSA) value, but it must not be gratuitous or exploitative.

Financial services

Google Play’s Financial Services policy aims to stop deceptive or harmful financial products.

The policy:

• Bans short-term personal loans that must be repaid in 60 days or less
• Bans high-APR loans in the U.S. with an APR of 36% or more
• Requires lenders to provide proof of licensing where needed

Personal loan and earned wage access (EWA) apps must:

• Clearly disclose repayment terms, APR, fees, and privacy practices
• Avoid requesting sensitive permissions like contacts or location

Real-money gambling and illegal activity

Real-money gambling apps like daily fantasy sports and gamified loyalty programs are allowed, but only under strict rules.

Other real-money games or contests involving wagers or real-world prizes are generally not allowed, unless they are part of approved pilot programs.

Gambling apps must:

• Be free to download
• Hold valid licenses in every jurisdiction where they operate
• Prevent underage access
• Display clear responsible gambling information
• Not use Google Play Billing for gambling transactions

Loyalty programs are allowed if they:

• Are tied to real transactions
• Follow fixed, transparent rules
• In non-game apps, disclose odds or selection methods for chance-based rewards

Gambling ads are permitted only if they follow local laws, do not target minors, and meet responsible gambling standards.

User-generated content

User-generated content (UGC) is any content users create and share inside your app that other users can see (including apps that act as browsers/clients for UGC platforms).

Apps with UGC must:

• Require users to accept Terms of Use before creating or uploading UGC
• Clearly define and ban objectionable content and behaviors in their policies
• Have ongoing, effective moderation suited to the type of UGC (with stricter controls for things like DMs, augmented reality, or public feeds)
• Offer in-app tools to report and block content and users, and act on reports
• Include safeguards so monetization does not encourage bad or harmful user behavior

Health content and services

Google Play’s Health Content and Services policy bans apps that expose users to harmful or misleading health information, unsafe medical claims, or unapproved substances.

Health and medical apps must:

• Provide accurate information and clear disclosures
• Include a privacy policy and use permissions responsibly
• Clearly state any required hardware or devices
• If providing regulated or research functions, give proof of approvals, affiliations, or ethics compliance when required

Apps may not:

• Sell prescription drugs without a valid prescription
• Promote unapproved health products
• Spread health misinformation

Blockchain-based content

Blockchain‑based content includes tokenised digital assets stored on a blockchain. Apps that offer these must follow strict rules. In particular:

• Cryptocurrency exchanges and wallets must use certified services and operate in regulated jurisdictions
• Apps must clearly declare any tokenised assets in the Play Console

• Cryptomining on user devices is not allowed
• NFT features must avoid gambling-like mechanics and should enhance gameplay, not act as wagers or purely speculative assets

AI-generated content

AI-generated content is material created by generative AI, such as chatbots or AI-made images and videos.

Apps using AI must:

• Follow all Google Play policies
• Prevent harmful or restricted content, including child exploitation and deceptive behavior
• Provide in-app reporting tools so users can flag offensive content, and use these reports to improve moderation and filters

Intellectual property

Apps and developer accounts may not infringe on others’ intellectual property rights (such as trademark, copyright, patent, trade secret, or other proprietary rights), or encourage users to do so.

Common violations include using:

• Cover art from music albums, video games, or books
• Marketing images from movies, TV shows, or video games
• Photos taken from a public figure’s social media
• Full reproductions or translations of books that are not in the public domain

Other requirements

You’ll find below other sections from Google Play’s policy that might be of interest to you.

Targeting children

Before submitting an app that targets children to the Google Play Store, you are responsible for ensuring your app is appropriate for children and compliant with all relevant laws.

SDKs

Third-party software development kits have several requirements and restrictions. If you include an SDK in your app, you are responsible for ensuring that their third-party code and practices do not cause your app to violate Google Play Developer Program Policies.

Monetization and ads

Google Play supports a variety of monetization strategies to help developers and users, including paid distribution, in-app products, subscriptions, and ad-based models. It requires you to comply with policies on payments, subscriptions, ads, and the Families Ads Program.

Store listing and promotion

Some additional guidelines relate to app promotion, metadata, user reviews and installs, user and content ratings, and news‑related apps.

Main restrictions

Dive deeper and find all details in the Google Play Developer Policy Center and the full Developer Program Policy

The post An overview of Google Play’s requirements and restrictions for app submission appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Change was in the air. On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal. You can think of it as an update of Europe’s privacy rulebook, including laws like the GDPR and ePrivacy Directive, to make them easier to apply without lowering protection for people.

Simplification, but without weakening privacy rights

It’s no secret. Everyone knows today’s cookie banners can be frustrating. Repeatedly clicking on a banner for every new site you visit is not valuable. The Commission wants to change this.

The Digital Omnibus proposal aims to simplify and modernize several key existing privacy laws. The idea is to reduce friction, improve user experience, while keeping strong user rights.

The proposal suggests:

• One-click “accept” and “reject” options at the same level on cookie banners (no multiple layers), and not asking again as long as consent is valid, or for at least six months after a refusal. This reduces repetitive consent requests that build “consent fatigue.”
• Smarter “central cookie management mechanisms”, so users can set their privacy preferences once, in a simple interface. This could mean browser- or OS-level “privacy switches”. A user might choose “reject tracking” or “only essential cookies” once, and websites would read and respect that preference automatically.
• Cookie rules to be moved into the GDPR, and a review of which situations can rely on exceptions (no consent needed), for example for security purposes, or basic, first-party, aggregated audience measurement.

What this means in practice

If you run a website, app, or online campaigns, there’s no need to panic. Quite the opposite. Compliance processes will become simpler for you and your users. Plus, this is still a proposal, not a final law:

• You do not need to change anything yet because of the Digital Omnibus.
• Your current obligations under the GDPR and other laws remain unchanged for now.
• You still need your cookie banner and CMP now and under the new rules, even if they may operate differently.

Realistically, most people won’t adopt browser-level settings immediately.

Over the years, users who have set global preferences may not see a banner at all, except when it needs to be displayed for specific purposes. Others, who haven’t set anything, will interact with banners as usual.

The proposal mentions that if you’re a media service provider, you will not be required to respect global preferences since you rely heavily on advertising to remain financially sustainable.

We recommend staying informed as the proposal moves through the EU legislative process. It’s currently expected to start applying sometime between 2026 and 2027. Here’s the European Commission’s announcement.

iubenda is ready and remains your trusted partner to keep privacy central but simple

At iubenda, we’re all about making compliance simpler for digital professionals. We keep both your business goals and your users’ privacy in mind in everything we do.

Rest assured, as privacy experts, we’re here to handle both the technical and legal details so you don’t have to. We’ll keep supporting you with all aspects of digital compliance, not just cookies.

Stay tuned. We’ll inform you of any updates and help you implement them quickly and confidently.

The post The European Commission’s proposal for new cookie rules: our first look at potential implications appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal as part of its wider Digital Package.

By amending cornerstone laws such as the GDPR, the ePrivacy Directive, the Data Act, and the AI Act, the proposal targets practical issues around things like cookies and consent, personal data, and AI. The purpose is clear: simplify and modernize the EU’s digital framework.

At the same time, the proposal has triggered intense public debate. Some view it as a necessary update to keep Europe competitive and reduce friction for users and businesses; others warn against any perceived “rollback” of fundamental rights.

In this context, the voices of those who build and operate digital compliance every day are crucial.

As a Consent Management Platform (CMP), we sit at the intersection of regulation, technology, and user experience. That’s why we are actively contributing to the discussions shaping the Digital Omnibus.

Why the Omnibus matters

The Commission frames the Digital Omnibus as a competitiveness and simplification initiative, intended to cut red tape and give organisations clearer, more coherent obligations across the digital landscape.

For privacy and cookies in particular, the proposal is designed to:

• Limit consent fatigue and limit repetitive, confusing banner requests.
• Reduce compliance costs by simplifying time-consuming and costly legal requirements.
• Align overlapping laws, especially where the GDPR and ePrivacy Directive currently interact in complex ways.
• Provide legal clarity on areas that have proven vague or outdated in practice.

Engaging in discussions with the European Commission

Speaking with a united CMP voice: our joint submission to the Commission

When the Commission opened its call for evidence and public feedback on its initiative, it explicitly invited stakeholders to share concrete ideas for simplifying rules without weakening protection.

As a leading European CMP, we joined forces with other CMP providers to submit a joint response to the Commission. Our goal was to ensure that the practical reality of consent management on the ground is reflected in the future legal framework.

In our joint feedback, we stress a core point:

It must be recognised that online consent goes beyond cookies. CMPs play a key role in obtaining consent for all non-essential treatment of data, for all types of technologies.

We argue that the conversation must move from “cookie banners” to “consent infrastructure”. If the EU goes toward central consent management inside browser mechanisms, it should promote an interoperable model.

Users should be able to choose trusted tools that can communicate seamlessly with browsers and apps to provide a transparent user experience.

European CMPs stand ready to support the Commission in designing practical, future-proof solutions that combine ease of compliance for businesses with genuine control for users, creating a model of European digital trust by design.

Concretely, we recommend that any future rules:

• Require browsers that offer central consent features to expose open APIs that CMPs can use. CMPs will still be needed to determine whether cookies and tracking technologies can be installed, to manage proof of consent, and to apply consent or refusal correctly.
• Protect genuine, granular consent. GDPR consent must remain specific, contextual, and be collected in a transparent way by neutral, independent tools.
• Simplify without centralising power. As reinforced in the Digital Markets Act, simplification must not mean concentrating control of the consent layer in a handful of browsers, which would risk gatekeeper issues.

Bringing real-world insights: our technical contribution

Following our joint feedback, key contributors, including our CPTO and Head of Frontend Engineering, took part in a dedicated roundtable with European Commission policymakers.

Matteo Colucci, our Head of Frontend Engineering, says that “the main purpose of the meeting was to open a dialogue between the European Commission and CMPs”, to ensure that all perspectives were taken into account.

He describes that participants brought hands-on implementation experience into the room, clarifying:

• The essential role of banners and CMPs in enabling users to exercise their rights.
• What really drives consent fatigue and how it could be improved (accessing user preferences across multiple contexts).
• That any new model must keep transparency central and make sure users are aware of and know how to exercise their privacy rights.

The Commission is meeting with a broad range of stakeholders, like advertisers and publishers, and we expect further discussions.

In the words of our CPTO Filippo Barra, “the Commission demonstrated its willingness to leverage industry expertise and collaborate with CMP counterparts.”

The post Inside the Digital Omnibus: our experts’ contributions appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is the Digital Omnibus?

The Digital Omnibus proposal is the European Commission’s plan to simplify and modernize several key EU digital laws, including the GDPR and the ePrivacy Directive.

The goal is to reduce friction and improve user experience, without weakening people’s rights.

It touches a wide range of topics: cookies and consent, use of personal data and AI, pseudonymization, and GDPR rights.

A big focus is on fixing today’s consent experience. The Commission knows that constantly clicking through cookie banners on every new site is quite tedious. The Omnibus proposal tries to ease that pain while keeping a robust privacy framework in place.

What practical changes should marketers expect?

The main changes you should be aware of concern cookie banners and consent, as well as how preferences are expressed.

1. Central consent mechanisms and signals

To reduce being prompted with the banner repeatedly, the proposal looks at “central cookie management mechanisms”, such as browser or OS-level privacy settings. Think of a simple switch like:

• “Reject tracking”
• “Only essential cookies”

Users could set this once, and websites would then read and respect that choice automatically via machine-readable signals.

2. Cookie rules moving into the GDPR and clarifying consent exceptions

The rules on storing or accessing information on a user’s device (cookies and similar tech) are expected to be moved into the GDPR and paired with clearer exceptions where no consent is needed. Key examples:

• Strictly necessary cookies, for the transmission of a communication or to provide a service the user explicitly requested.
• First-party, aggregated audience measurement, when you measure your own audience for your own use only, without sharing or selling the data, and without using it for other unrelated purposes.

3. Updated banner rules to reduce consent fatigue

Here’s what The Omnibus suggests:

• When a banner is needed, a single-click “Reject” option must be as visible and easy as “Accept” (this requirement was already commonly enforced at a member-state level).
• You can’t re-ask for consent while it remains valid.
• If a user refuses, you can’t re-prompt them for the same purpose for at least 6 months.

Will cookie banners disappear?

No. The European Commission wants to avoid users being prompted with banners again and again, not to remove consent or banners altogether.

In practice:

• Banners will still be the main way most users give consent, especially those who never touch browser/OS privacy settings. Some users will set global preferences; in those cases, your CMP can read the signal and skip the banner.
• You will still need a Consent Management Platform or equivalent system to enforce whether tracking can run, keep proof of consent, and let users review and update their choices.

What should marketers do now?

No action is needed now. The Digital Omnibus is still a proposal, not a final law. Until it’s adopted and the application dates arrive:

• Your current obligations under the GDPR and ePrivacy remain unchanged.
• You do not need to change your setup because of the Omnibus.

When will the proposal take effect?

The proposal was published on 19 November 2025, but it is not yet law. The text can change substantially at any stage during European Parliament and Council negotiations.

If and when it is adopted, it will apply in stages. Each requirement will apply months after entry into force (from 6 to 48 months).

The Omnibus is intended to be an EU Regulation, meaning it will apply directly and uniformly across all Member States.

So this is a multi-year transition, not an overnight change. You’ll have time to adapt, and your digital compliance tool, including iubenda, will guide you through the practical steps.

The post Your questions answered: what the EU Omnibus proposal means for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But GDPR compliance is about more than avoiding fines. It’s about building trust with your customers – showing them that their personal data is safe in your hands. In a time when data breaches and privacy scandals can seriously damage a brand’s reputation, being compliant gives you a competitive edge.

What Does GDPR Mean for E-Commerce Businesses?

The GDPR applies to any business that processes personal data of individuals in the EU and that includes nearly every e-commerce shop. Whether you’re running a small online store or managing a large retail platform, if you’re collecting names, email addresses, payment details, or tracking customer behavior through cookies, the regulation affects you.

But what exactly does “processing personal data” mean?

According to the GDPR, personal data is any information that can identify an individual directly or indirectly. This includes obvious identifiers like names and email addresses, but also IP addresses, location data, purchase history, and even behavioral data gathered through analytics tools.

Your responsibilities as a shop owner

As an e-commerce business, you are considered the data controller, meaning you determine the “why” and “how” of processing personal data. That comes with legal responsibilities:

• You must have a lawful basis for every data processing activity, from sending newsletters to handling payments.
  
  
• You need to inform users transparently about what data you collect and why – typically through a clear and accessible privacy policy.
  
  
• You are required to protect that data through technical and organizational measures.
  
  
• And you must enable your customers to exercise their rights, including the right to access, delete, or correct their data.
  
  

Non-compliance can be costly: regulators can impose fines of up to €20 million or 4% of your global annual revenue whichever is higher. But more importantly, failing to comply can undermine customer trust, damage your brand, and cause irreversible harm to your business.

The good news? GDPR compliance is manageable especially if you understand the core principles and build a privacy-first infrastructure.

What does GDPR compliance require in practice?

For e-commerce businesses, GDPR compliance isn’t just about adding a checkbox or updating a privacy policy. It’s about building a transparent, secure, and user-centric data ecosystem across your entire online shop from checkout to backend infrastructure.

Transparency starts with clear communication

Every online shop processes personal data, whether it’s a shipping address, email, or even a behavioral profile for product recommendations. According to the GDPR, you must clearly explain what data you collect, why, and on what legal basis. That information needs to be presented in a privacy policy that’s easy to understand and easy to find.

For example, if you use behavioral analytics to improve your shop, you need to state that explicitly, including who provides the tool (like Google Analytics or Hotjar), whether data is transferred internationally, and how long it’s stored. Tools like Privacy and Cookie Policy Generator make it easier to generate legally accurate, tailored policies that evolve with your tech stack.

Consent is more than a popup

Under GDPR and the ePrivacy Directive, you can’t simply notify users about tracking — you need active, informed consent for non-essential cookies. That includes analytics, A/B testing, marketing pixels, and embedded third-party content.

What does that look like in practice? A compliant cookie banner that doesn’t pre-tick boxes, provides granular choices (e.g., marketing vs. functional), and stores consent logs for audit purposes. It also needs to be revocable at any time, with just one click.

The same applies to email marketing: opt-in must be voluntary and documented. No soft opt-ins. No bundled checkboxes. No tricks.

Only collect what you need

GDPR is built on the idea of data minimization: collect only the personal data necessary for a specific purpose. That means reviewing all data fields on your forms and checkout pages.

Do you really need a customer’s phone number for a downloadable product? Do you store newsletter sign-ups indefinitely, even if a user never confirms?

Limiting data collection reduces your legal risk and increases user trust. It also makes compliance with other GDPR requirements (like data access or erasure) much easier in the long run.

Security isn’t optional

Article 32 of the GDPR requires businesses to implement “appropriate technical and organizational measures” to protect personal data. That’s not just a legal obligation; it’s also essential for brand trust and customer retention.

These measures include:

• Encrypting all data in transit with SSL/TLS certificates,
  
  
• Strong access controls with role-based permissions,
  
  
• Regular updates and patching of your shop system and plugins,
  
  
• Protection against attacks, such as firewalls and malware scanners,
  
  
• Secure backups and recovery strategies in case of data loss.
  
  

The challenge for many businesses is that these technical safeguards often depend on their infrastructure partner.

Empowering your users

Finally, GDPR gives users clear rights, including the right to access their personal data, correct inaccuracies, request deletion, or receive a copy in a portable format. As a shop owner, you must ensure these rights can be exercised easily and efficiently.

This means:

• Establishing internal workflows to process requests within the 30-day GDPR deadline;
• Mapping how data flows through your shop and third-party tools;
• Clearly listing user rights in your privacy policy, ideally with a direct contact form or DPO email address.

Example: If a customer requests deletion of their account, your system should trigger a checklist — remove order history from the frontend, anonymize transactional data where legally required, and confirm completion via email.

These steps not only fulfill your legal obligations but also demonstrate transparency, strengthening user trust and reducing the risk of formal complaints or supervisory intervention.

Why your hosting infrastructure matters more than you think

When we talk about GDPR compliance in e-commerce, most businesses immediately think of cookie banners, privacy policies and email opt-ins. All of that is important, but there’s a deeper layer that’s often overlooked: your technical infrastructure.

GDPR doesn’t just regulate what data you collect, it also regulates how you store, protect, and process that data. And much of that happens on the server level.

A secure online shop starts with the foundation — hosting. According to the GDPR, hosting providers are generally considered processors because they process personal data on behalf of others, regardless of whether they actively access it.

That means:

• You must conclude a data processing agreement (DPA) in accordance with Art. 28 GDPR.
• The provider should host in compliance with GDPR, ideally within the EU.
• Certifications such as ISO 27001 or SOC 2 provide additional security and transparency.

If your server is located outside the EU, if backups aren’t encrypted, or if your shop shares resources with unknown third parties, you may be exposed to compliance risks without realizing it.

That’s why the choice of hosting provider is not just about performance or price, it’s about trust, transparency, and legal accountability.

Questions you should ask:

• Where are the servers physically located?
  
  
• Who has access to customer data and how is it logged?
  
  
• Are security updates handled proactively?
  
  
• Can you get audit logs or proof of data protection measures if needed?
  
  

If your hosting provider can’t answer these questions clearly, it’s time to reconsider.

maxcluster: GDPR-ready infrastructure for e-commerce

For high-performance shops that need legal certainty, maxcluster offers an e-commerce-focused hosting platform. Here’s how they support your GDPR compliance:

• 100% EU hosting: All servers are located in ISO 27001–certified data centers in Germany. No hidden third-country transfers.
  
  
• 24/7 proactive monitoring: Security issues are identified and resolved before they become a problem with real-time alerting and patch management.
  
  
• Differentiated authorization management ensures that only authorized individuals can access specific types of data.

More than 1,500 online shops trust maxcluster to keep their data and their customers’ data secure. Whether you run on Magento, Shopware, WooCommerce or a custom stack, they tailor your infrastructure to meet legal, technical, and business requirements.

Hosting is the foundation of compliance

The most polished privacy policy or elegant cookie banner won’t protect your customers if your server is compromised. True compliance starts with the infrastructure that powers your shop.

Choosing the right hosting provider is one of the most impactful and often overlooked steps toward GDPR compliance. And it’s one of the few that directly supports both your legal duties and your business resilience.

Conclusion

Let’s face it: GDPR compliance isn’t always simple. It requires attention to detail, technical expertise, and ongoing effort. But it’s also a chance to strengthen your business by building trust, reducing risk, and ensuring that your operations are future-proof.

As an e-commerce business, your responsibility goes beyond just installing a cookie banner or copying a privacy policy template. You’re expected to actively protect personal data through secure processes, transparent communication, and reliable infrastructure.

Here’s what you can start doing today:

• Review your privacy policy and data collection workflows
  
  
• Make sure all tools and processors are GDPR-compliant
  
  
• Implement robust data security practices (incl. 2FA, access control, backups)
  
  
• Choose a hosting provider that supports your compliance goals, not just your performance needs
  
  

And if you’re looking for a hosting partner that understands both e-commerce and compliance, maxcluster is here to support you. Our infrastructure is built for high-performing online shops with high standards both technical and legal.

With the right foundation, GDPR isn’t a roadblock. It’s your competitive advantage.

The post GDPR Compliance in E-Commerce: What Online Shops Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Ready? Let’s jump straight into what’s changed.

New plan for our accessibility widget

Our AI-powered accessibility widget now has a Standard Plan, ideal for high-traffic websites or advanced needs like preset accessibility profiles.

• Up to 1 million monthly pageviews
• Preset profiles (vision impairment, ADHD, and more)
• 10% discount with annual payment

See the difference between Lite and Standard

The Standard Plan is available on new subscriptions and coming soon to pre-2023 legacy ones.

Clauses update for mobile apps and e-commerce

Two important updates in our Terms and Conditions Generator:

Mobile apps

A new Google Play clause on child abuse prevention was added for social and dating apps. You can include it in the generator under “Acceptable Use” and “Mobile App”.

E-commerce

The EU’s ODR platform for online shopping disputes was shut down on July 20, 2025. This clause will be fixed the next time you update your Terms and is no longer available for new projects.

Access your dashboard

Coming soon: Custom position and style in our Accessibility Widget

We’re putting the final touches on two major updates coming in the next few weeks:

• Custom positioning & styling. Match the widget’s appearance to your site’s look and feel.

• Enhanced iubenda widgetLet users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,200+ users.

In case you’ve missed it

Google is enforcing Consent Mode

Avoid losing data in Google Ads and Analytics with our certified solution.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Read the guide for more details.

1-Click Shopify Installation

Bring iubenda’s cookie banner to your Shopify store in seconds. Just one click, no manual coding. Check our guide for more information.

The post New plan for the Accessibility Widget and updated clauses in our T&C Generator (August-September 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

Germany – BfDI Updates GDPR and BDSG Guidance Brochure
The Federal Commissioner for Data Protection updated comprehensive guidance (in German) covering GDPR-BDSG relationships, lawful processing bases, data protection principles, DPO requirements, and data subject rights with practical implementation examples.

Luxembourg – CNPD Publishes AI Literacy Guidance Under EU AI Act
The authority provided a framework for Article 4 AI literacy requirements, emphasizing tailored employee training based on experience levels, risk assessment for AI-affected individuals, and development of appropriate oversight mechanisms.

Norway – NSM Releases National Cyber Incident Response Framework
The National Security Authority established a collaborative approach between businesses and National Cyber Security Center (in Norwegian), requiring compliance with ICT security principles, third-party supplier reviews, and systematic incident handling processes.

Canada – OPC Launches Children’s Privacy Code Consultation
Privacy Commissioner initiated stakeholder consultation to clarify PIPEDA obligations for children’s data until August 19, 2025. The consultation covers privacy by default and privacy rights, transparency requirements and deceptive practice avoidance.

2) Notable Case Law

USA – FTC Fines Companies $145 Million for Telemarketing Violations
Assurance IQ fined $100 million and MediaAlpha $45 million for deceptive healthcare plan marketing. In addition, MediaAlpha also carried out unauthorized robocalls to Do Not Call Registry numbers, and misled consumers about coverage benefits.

3) New and Upcoming Legislation

Greece – ADAE Issues Electronic Communications Privacy Regulations
Decision 304/2025 requires providers to establish security policies, conduct risk assessments, implement incident reporting procedures to ADAE, and maintain employee training and encryption standards for network protection (in Greek).

USA (Federal) – Senate Introduces Trustworthy AI Validation Act
Legislation mandates NIST Director develop voluntary AI assurance guidelines within one year, addressing harm mitigation, consumer privacy, governance controls, and dataset quality with biennial reviews.

4) Strong Impact Tech

USA – State Attorneys General Challenge Instagram Location-Sharing Feature
Multiple AGs expressed concerns about Meta’s Instagram location feature risks to vulnerable populations, recommending minor access restrictions, adult user risk alerts, and simplified disable controls for enhanced safety.

United Kingdom – Law Commission Examines AI Legal Personality Framework
Discussion paper explores AI autonomy, adaptiveness, and potential legal personality grants, emphasizing need for legal evolution amid rapid AI advancement while considering implications of non-personality scenarios.

Other key information from the past weeks

France/Netherlands – Air France and KLM Third-Party Data Breach
Forbes reported that a breach in a third-party customer support tool exposed passenger names, contact details, and loyalty numbers, linked to a phishing campaign targeting Salesforce platforms. Authorities have been notified.

Switzerland – PostFinance Voice Recognition Violation
The Swiss Federal Data Protection and Information Commissioner (FDPIC)  ruled against PostFinance AG for unlawful biometric voice recognition collection in violation of proportionality principles. The bank used opt-out rather than express consent and was ordered to obtain proper consent and delete existing voiceprints. However, it has appealed the FDPIC’s decision to the Federal Administrative Court.

USA – GameStop Settles Facebook Data Sharing Case for $4.5 Million
Settlement covers unauthorized customer data sharing via Facebook tracking pixels between August 2020-April 2025 without proper consent. Claims deadline was August 15, 2025.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #146) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Privacy laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Brazil’s General Personal Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) require websites to inform users, collect valid consent, and respect their choices.

By asking for cookie consent the right way, you’ll help yourself align better with international privacy laws, and increase user trust in the process.

Enter cookie consent banners. The right cookie consent plugin helps you move towards compliance without slowing down your site or confusing your visitors.

The only problem? There are hundreds of plugins out there: some clunky, some outdated, and many that create an intrusive user experience that frustrates visitors before they even see your content.

In this guide, we’ll break down the best cookie consent plugins for WordPress in 2026, from fully certified privacy tools to simple, well-designed banners that play nice with your existing tools.

Whether you’re running a personal blog, a global e-commerce site, or anything in between, there’s a solution here that can help you get closer to compliance and keep your visitors in the loop, without the headache.

Cookie consent plugin comparison: at a glance

What to look for in a cookie consent plugin

Choosing the right cookie plugin isn’t just about checking a compliance box, but about protecting your business, your data, and your reputation. Here’s what really matters:

Alignment with global privacy laws

Why it matters: Privacy laws like the GDPR and the CCPA all have specific requirements for consent, including when to ask, how to store it, and what to do if a user refuses it.

What to look for: A plugin that supports multiple frameworks and stays updated with legal changes. Bonus points if it’s Google Consent Mode and IAB TCF-certified, which are must-haves for sites running ads or analytics in Europe.

Easy setup and WordPress compatibility

Why it matters: Some plugins require technical know-how just to get off the ground. If it takes hours of fiddling or hiring a developer, it’s not saving you time or money.

What to look for: A native WordPress plugin with a simple setup flow, auto cookie detection, and solid documentation or support to guide you through the rest.

Customization and UX control

Why it matters: Your cookie banner is one of the first things users see. A clunky or mismatched design can hurt trust, frustrate visitors, or lead to higher bounce rates.

What to look for: Flexible design controls, layout options, multi-language support, and geo-targeting so you can show the right banner to the right users in the right way.

Performance and script management

Why it matters: Some plugins slow down your load times or block scripts inefficiently, which can affect SEO, analytics accuracy, or even break your site.

What to look for: Efficient script blocking and cookie categorization, without compromising speed. Ideally, the plugin should allow for asynchronous loading and advanced tag management (like via Google Tag Manager).

Reporting and consent logs

Why it matters: If you’re audited or need to demonstrate compliance, you’ll need proof of users’ consent and clear evidence showing when they were collected and what exactly users agreed to.

What to look for: Clear consent logs, downloadable reports, and audit-friendly documentation. Some tools also provide A/B testing or consent analytics to help optimize banner performance.

Ongoing updates and legal backing

Why it matters: Privacy regulations evolve fast, and so do the interpretations. You don’t want to be stuck with a plugin that’s out of date or legally risky.

What to look for: A provider with a legal or compliance background, frequent updates, and a team that monitors privacy law changes in the background and adapts accordingly.

Best cookie consent plugins for WordPress:

In this section, we break down the strengths and limitations of the top cookie consent plugins for WordPress, so you can choose the one that fits your business. We’ve looked at everything from legal certifications and ease of use to real-world reviews and performance under pressure.

1. iubenda All-in-one Compliance for GDPR/CCPA

Best for

Businesses of all sizes that need scalable, multi-regulation consent management with legal backing.

Pros

• Global frameworks supported (GDPR, CCPA, LGPD, and more)
• Google certified with Google Consent Mode v2 to help recover marketing data and keep ad campaigns running effectively
• Fully compatible with IAB TCF 2.3, creating a foundation for more compliant ad campaigns
• Automatically scans your site and auto-configures solutions to match what your site needs
• Multi-language, geo-targeted consent banners that match your branding
• View, sort, and filter users’ cookie preferences with Cookie Preference Log
• Generates Terms & Conditions documents to reduce liability
• Supports up to 27 languages
• Meets the highest accessibility standard, WCAG Level AAA, helping you widen your business’s reach

Cons

• Some advanced features, like multi-language support or custom clause editing, are only available on paid plans

Pricing

• Free plan available with everything you need to get started on a basic site
• Paid plans from €4.99/month

2. WP Cookie Consent

Best for

Small to medium-sized businesses that need a straightforward consent banner without technical complexity.

Pros

• Customizable cookie consent banners in line with regional regulations and user preferences
• Simple, easy-to-use interface
• Compatible with major plugins like WooCommerce, TagManager, and Elementor

Cons

• Regional and multi-law support only available with paid premium plan
• Analytics features are not as advanced as other solutions

Pricing

• Free plan available
• Paid premium plan required for multi-law support

3. Complianz by iubenda

Best for

WordPress users who want a native, wizard-driven compliance plugin with broad legal coverage.

Pros

• Trusted by 1 million users and businesses around the world
• Designed specifically for WordPress
• Quick and easy setup
• Supports compliance across GDPR, CCPA, and local laws like Germany’s TDDDG
• Continuously updated to match current laws
• Smart site scanner that automatically detects and handles cookies in use before visitors see them
• Generates related documents like privacy policies, imprint, and T&Cs

Cons

• Currently focused on WordPress; not available for other platforms

Pricing

• Free plan available
• Paid plans from €59/year (less than €5/month)

4. Cookiebot by Usercentrics

Best for

Enterprises with strict audit requirements and multi-language, global ad tracking needs.

Pros

• Dynamic banners based on visitor location and region
• Multi-language support
• Detailed audit logs and integration with major marketing stacks
• Google-certified CMP and recognized by enterprise-level publishers

Cons

• Some users report an impact on site performance, particularly on ad-heavy pages
• Focuses on consent; legal document generation requires a separate solution
• The interface may feel less modern compared to newer plugins
• More technical to configure

Pricing

• Plans start from €7/month

5. Termly

Best for

Small businesses and freelancers looking for a quick, lightweight consent setup.

Pros

• Lightweight plugin with cookie banner creation and access to policy generation
• Multi-language support
• Quick to install

Cons

• Limited customization, script blocking, and analytics
• Some users report an impact on page load times
• Some users have noted a steeper learning curve

Pricing

• Free plan available
• Paid plans from $10/month

6. CookieYes

Best for

Visually-driven sites that need branded consent banners with GDPR, CCPA, and LGPD support.

Pros

• Supports GDPR, CCPA, and LGPD with branded banners and easy theme alignment
• Integrates with Google Tag Manager

Cons

• The interface may take more time to learn
• Cookie scanning may require manual verification in some cases
• Consent logs and analytics are only available on paid plans
• Free plan comes with limited features

Pricing

• Free plan available with limited features
• Paid plans available

Frequently asked questions

What is the best cookie consent plugin for WordPress?

The best plugin depends on your site’s size, compliance needs, and technical setup. Look for a plugin that supports multiple privacy frameworks, integrates with Google Consent Mode, and offers features like auto-scanning and consent logging. Whether your priority is ease of use, legal depth, or enterprise-scale audit support will determine which plugin fits best.

Do I need a cookie consent plugin for my WordPress site?

If your site uses cookies, privacy regulations like the GDPR and CCPA require you to inform visitors and collect valid consent before setting non-essential cookies. A cookie consent plugin handles this for you, including the banner, consent logging, and script blocking.

Does a cookie consent plugin slow down my WordPress site?

It depends on the plugin. Some are optimized for performance and load without disrupting page speed, while others can affect load times, especially on ad-heavy pages. Look for plugins that support asynchronous loading and efficient script management.

Choosing the best cookie consent plugin for your WordPress site

Cookie banners might not be the most exciting part of your site, but the right plugin helps you get closer to complying with privacy laws, keeps your services running smoothly, and shows your visitors that you take their data seriously.

So what plugin does it all best?

Your best bet is to use Complianz. It’s reliable, easy to use, backed by legal experts, and built specifically for WordPress. It’s a simple solution that can help you promote a strong reputation with a brand that puts privacy first. It comes with a free plan, so you can start using it right away. And paid plans start from less than €5 a month.

No matter your setup, whether blog, online store, or client projects, Complianz can support you to do it right, so you have a solid foundation for compliance and future growth.

The post Best Cookie Consent Plugins for WordPress (2026) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

1-Click Shopify Installation

Privacy Controls and Cookie Solution

Adding iubenda’s cookie banner to your Shopify store is now easier than ever:

• One click – Connect Shopify in one click.
• Automatic app installation – The system installs our app and embeds all necessary code for you.
• No code – No more multiple code snippets or manual integrations: just configure your cookie banner.

Already installed your cookie banner? No action needed—this update is for new and ongoing installations.

Try 1-Click Shopify Installation

Coming soon: More powerful, customizable accessibility widget

Accessibility Widget

We’re putting the final touches on major updates to Accessibility Widget (formerly Accessibility Solution), your AI-powered tool for making websites more accessible with ease.

Here’s what’s coming in the next few weeks:

• Custom positioning & styling: Match the widget’s appearance to your site’s look and feel.
• Enhanced iubenda widget: Let users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,000+ users.

In case you’ve missed it

Control access with teams

We’ve updated our Teams feature, allowing you to create teams to organize your projects and easily move sites between teams.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Try it now or read the guide.

The post 1-Click Shopify Installation, improved Accessibility Widget, and more (July 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What’s the true cost of ignoring email marketing compliance?

For noicompriamoauto.it, one of Italy’s well-known online car dealers, it was €45,000.

That’s the amount the Garante (the Italian data protection authority) fined a business for failing to comply with key privacy rules around email marketing.

The case serves as a cautionary tale for any organization using email to promote products (especially if your opt-in flows aren’t airtight).

But here’s the good news: this kind of penalty is completely avoidable.

Let’s take a closer look at what went wrong, what the Garante expects, and how iubenda can help you stay on the right side of compliance.

Firstly, what happened?

The Garante’s investigation was triggered by a user complaint.

They said they’d received unsolicited promotional emails from multiple unknown third-party senders – all partners of noicompriamoauto.it. Worse still, when the user submitted a data subject rights request, it was ignored.

The Garante’s recommendation: Double opt-in is a minimum safeguard

Although Italian law doesn’t explicitly require double opt-in for promotional emails (DEM), the Garante made its stance clear in this case:

Double opt-in is a best-practice safeguard that protects both users and businesses.

Here’s why double opt-in matters:

• It asks users to confirm their subscription via a second step, usually an email link
• It provides strong evidence that consent was freely and clearly given
• It reduces the risk of spam complaints and misuse

That makes it one of the most effective tools for compliant email marketing.

How iubenda keeps your email marketing legally covered

Our Newsletter Opt-in Booster has double opt-in built in by default – so you don’t have to think twice.

With it, you can:

• Embed GDPR-compliant opt-in forms with pre-configured legal language
• Automatically log consent for full audit readiness
• Seamlessly integrate with your favorite email marketing platforms – from Mailchimp to HubSpot

It’s ideal for marketers, developers, and compliance professionals who want to grow their email list while staying compliant.

What about user rights?

The Garante case wasn’t just about consent – it also involved a delayed data subject request.

Under GDPR, users have the right to:

• Request access to their personal data
• Ask for that data to be deleted
• Object to how their data is being used

And companies are required to respond within strict deadlines.

The Data Subject Requests Management Tool from iubenda helps you:

• Receive and process user rights requests easily
• Track all actions taken for compliance logs
• Automate responses and task assignments within your team

The takeaway: Prevention is better than a €45,000 fine

This fine wasn’t the result of malicious intent. It was a lack of process, oversight, and the right tools.

About us

GDPR compliance for your site, app and organization

www.iubenda.com

The post Why the Garante’s €45K fine should be a wake-up call for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Server-side tracking is emerging as a more effective solution. Introduced in 2020, it gained popularity over the past years due to higher transparency and the ability to address these problems.

How data loss and privacy regulations affect the performance of marketing campaigns

Browser restrictions, such as ITP in Safari, ad blockers, and privacy regulations, can result in a significant loss of data when running marketing campaigns. In the long run, it can have such consequences:

• Worse targeting and personalization. Highly personalized ad campaigns are becoming more challenging with restricted access to data on user behaviour and interactions with your website.
• Less precise conversion attribution. The restrictions on data tracking affect the accurate measurement of campaign performance and conversion attribution across different channels. Missing attribution data often leads to unassigned traffic in Google Analytics 4. 
• Inefficient campaign optimization. Inaccurate data prevents marketing platforms from optimizing ad campaigns effectively. It results in a decrease in key marketing metrics such as return on ad spend (ROAS) and conversion rates (CR).
• Insufficient marketing budget management. Business owners may waste a lot of money on campaigns that don’t bring the expected results, and the lack of reliable data makes it harder to spot such campaigns and optimize them.

Why server-side tracking is a game-changer for agencies 

To improve data quality and comply with privacy regulations, agencies use server-side tracking. Server-side tracking allows collecting data (user interactions or website events) directly from the user’s device to the server. This tracking method eliminates the need to rely on third-party services, offering more control over the data.

User data is gathered once consent is granted. Data from the website is transmitted to a cloud server, which then forwards it to third-party vendors and analytics platforms. The server acts as an intermediary, serving as a proxy between the website (or other data sources) and external tracking tools.

How server-side tracking works

Server-side tracking provides agencies with accurate information about user behavior. In this way, Farmasave, with the help of Tag Manager Italia, could reduce the gap between backend data and Google Analytics 4, cutting the discrepancy from 20% to just 6%. This improvement raised the accuracy of the data displayed and analyzed in GA4 to 94%.

Agencies can improve campaign cost-efficiency by using server-side tracking. For instance, this tracking method implementation helped increase the conversion rate of Decathlon Italia’s Facebook Ads campaigns while lowering the cost per click.

Consent management configuration on the server side allows tracking user consent more effectively. For example, by optimizing the layout of the cookie banner and configuring server-side tracking, MecShopping was able to double user consent rates from 24% to 50%.

Server-side tracking implementation path 

Implementing server-side tracking includes the following steps:

1. Choose a tag management system. The most versatile and popular is Google Tag Manager (GTM). It provides a wide range of tags, clients, and variables for the server GTM container, making it easier to implement server-side tracking for third-party platforms. With GTM, you get full control over your data.
2. Decide on a hosting platform for a server GTM container. There are a few options. The first platform that comes to mind for GTM users is Google Cloud Platform (GCP). However, the hosting price on platforms like GCP is higher compared to third-party platforms like Stape. In addition, this hosting platform offers other benefits, such as a Demo account to pitch clients, an  Agency account to manage clients’ containers in one place, or built-in Analytics to measure the impact of server-side tracking setup.
3. Configure server-side tracking for the required platform. The configuration process will depend on the platforms your client uses (Meta, Google Ads, GA4, TikTok, etc.). Setting up tracking via a server GTM container requires more effort, but gives full flexibility. You’ll need to create a server container, configure clients and tags, and set up the connection to the web container. For agencies, this type of setup is ideal when you want to standardize tracking across multiple clients or build custom logic tailored to specific use cases. To get the most out of server-side tracking, it’s important to also add a protection layer for tracking scripts. For example, Stape provides additional features like Custom Loader (to increase resistance to ad blockers) and Cookie Keeper (to extend cookie lifetime in browsers like Safari). In combination with a custom tracking domain setup, you can improve data accuracy and conversion attribution for your clients.
4. Set up a server-side consent management. That’s an essential step, as server-side tracking still requires asking for the user’s consent before data collection. One of the most popular server-side Consent Management Platforms is iubenda. It is an easy-to-use platform that prioritizes privacy in its approach to collecting and processing user data. In addition, it is a highly customizable solution, so you can create an appealing design while staying compliant with data regulations.

Conclusion 

Data regulations such as GDPR and CCPA, the rise of ad blockers, and browser restrictions on cookie lifetime change the way the data is collected. Server-side tracking is a solution that lets agencies track data accurately. 

With the proper configuration, clients can get precise data and stay compliant with regulations. Explore how to configure server-side consent management using iubenda and GTM in Stape’s blog post and start benefiting from complete control over the data collection process.

The post How agencies can grow with server-side tracking: drive better ROAS without compromising privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• France’s CNIL established comprehensive standards for analytics providers seeking consent exemptions under GDPR. The framework mandates exclusive use for anonymous traffic measurement without cross-domain tracking or profile matching. Key requirements include transparent user notifications, 13-month tracking limits, 25-month data retention periods, and regular assessment cycles. Third-party vendors may conduct comparative studies when maintaining isolated data collection systems per publisher client. Read the guidance here (in French) →
• The UK’s Information Commissioner’s Office has launched two public consultations on digital privacy. The first covers revised storage and access technology guidance incorporating Data (Use and Access) Act 2025 amendments, specifying five consent exceptions under PECR including transmission facilitation and essential services. Organizations must align activities with specified purposes and obtain consent for expanded usage. Access the storage guidance here → The second consultation reviews online advertising enforcement, examining when low privacy-risk advertising might proceed without consent, though behavioral profiling will still require explicit consent. Consultation periods end August 29 and September 26, 2025 respectively. Learn more about advertising enforcement here →
• The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the Commission’s GDPR amendment proposal within the fourth simplification Omnibus package. The proposal extends small-medium enterprise provisions to small mid-cap enterprises while introducing additional administrative burden reductions. Notably, the amendment would modify Article 30(5) GDPR record-keeping obligations, providing expanded derogations for processing documentation requirements. View the opinion here →
• Germany’s Federal Network Agency established an AI service desk providing practical implementation guidance for EU Artificial Intelligence Act compliance. The platform features an interactive assessment tool helping organizations determine AI Act applicability, transparency requirements, and risk categorization for their systems. The service includes comprehensive FAQ resources supporting the Agency’s enforcement responsibilities under the new regulation. Check it out (in German) →

2) Notable Case Law

• Italy’s Garante imposed a €45,000 penalty on Noi Compriamo Auto.it S.r.l. for unlawful marketing and data processing following a consumer complaint regarding unwanted communications and delayed rights response. The investigation identified several GDPR violations including insufficient technical safeguards, absent legal basis for processing, and inadequate data subject rights facilitation. The Garante also referred to the acquisition of consent in double opt-in mode for direct email marketing, to better confirm the subscriber’s intention of the receipt of same. Get the details (in Italian) →
• Connecticut’s Attorney General secured USD 85,000 (approximately €78,000) settlement with TicketNetwork, Inc. for alleged Connecticut Data Privacy Act violations. The enforcement action followed the company’s failure to remedy deficient privacy notices featuring unreadable content and malfunctioning data subject rights mechanisms despite receiving November 2023 cure notice. The settlement mandates CTDPA compliance including data subject request metrics maintenance and regular reporting to the Attorney General. Read the details here →

3) New and Upcoming Legislation

• California’s Assembly reintroduced Assembly Bill 566 (formerly AB 3048) mandating mobile operating systems integrate opt-out preference signal settings for consumer privacy protection. The legislation defines browser, mobile operating system, and opt-out preference signal parameters under California Consumer Privacy Act amendments. The bill advanced through Privacy and Consumer Protection, Appropriations, and Judiciary committee stages, receiving Senate Judiciary recommendation for passage. Track the Bill →
• Pennsylvania introduced House Bill 1559 requiring employers provide advance written notification for electronic employee monitoring activities, excluding security surveillance in shared spaces. The legislation defines electronic monitoring as information collection through non-direct observation methods, with exceptions for suspected legal violations or hostile workplace situations. Violations carry USD 500-5,000 (approximately €460-4,600) penalties alongside private enforcement options, effective 60 days post-enactment. Follow the Bill here →

4) Strong Impact Tech

• Missouri Attorney General Andrew Bailey initiated investigation into AI chatbot bias and misinformation by Google, Microsoft, OpenAI, and Meta platforms. The inquiry examines ChatGPT, Meta AI, Microsoft Copilot, and Gemini for alleged historical inaccuracies and misleading responses under Missouri Merchandising Practices Act provisions. Companies must explain algorithmic bias mechanisms, provide internal input selection records, and clarify founding-era inaccuracies while ensuring accurate, unbiased information delivery. Read more →
• European corporate leaders from 40+ companies including ASML, Philips, Siemens, and Mistral petitioned Commission President von der Leyen for two-year AI Act implementation delay. The executives requested postponement of August 2026 high-risk AI system obligations and August 2025 general-purpose AI model requirements, citing implementation complexity and rule simplification needs. However, Commission spokesperson Thomas Regnier confirmed no grace period extensions, maintaining August 2026 deadlines while discussing voluntary code initiatives and administrative burden reductions. View the report here →

Other key information from the past weeks

• European privacy advocacy group noyb filed a complaint against dating platform Bumble with Austria’s Data Protection Authority regarding AI-powered conversation features. The challenge targets Bumble’s “Opening Moves” functionality for processing user profiles, photographs, and personal information through artificial intelligence without adequate GDPR legal basis. The complaint alleges transparency violations and inadequate user consent mechanisms for automated decision-making processes. See the full story →
• CNIL has opened a public consultation on draft guidelines for email tracking pixels, highlighting that the GDPR requires recipient consent for purposes like marketing and personalization. The draft clarifies that senders act as data controllers, while email service providers function as processors or sub-processors. CNIL recommends the use of clear, purpose-specific consent that can be withdrawn anytime, and stresses the importance of retaining proof of consent. Consultation period ends July 24, 2025. Read the guidance here (in French) →
• Denmark implemented facial copyright protections enabling individuals to claim copyright over their likeness as deepfake countermeasure. The legislation grants people legal ownership of their facial features for protection against unauthorized artificial intelligence manipulation and synthetic media creation. The framework establishes precedent for personal biometric data ownership within European privacy law contexts. Explore more →

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPO Newsletter: Global Data Protection & Privacy News (issue #145) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Below, we break down the key provisions of the Act and how you can prepare. 

Key Features of the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 brings a wide range of updates, not just to data protection law but also to emerging areas like smart data and digital verification services. The Act covers the following key areas:

1. Amendments to UK Data Protection and ePrivacy Laws

The Act updates the UK GDPR and the Data Protection Act 2018, including:

• More Special Category Data: Whilst additional categories have not been added yet, the Act provides for a new mechanism to introduce further classes of special category data by the secretary of state.
• Purpose Limitation: The Act extends the purpose limitation principle when processing is carried out for the public interest. A list of derogations deemed compatible with the original purpose or processing are introduced in the Act which range from protecting vital interests to complying with legal obligations.
• Data Subject Requests: The Act codifies ICO’s “stopping the clock” approach, where the clock on responding to reasonable and proportionate data subject requests within the set time frame, only starts to run once the identity of the requestor has been verified. 
• Complaints Process: The Act introduces a new right to complain directly to the controller pursuant to measures such as an electronic form. The controller is to acknowledge complaints within 30 days and have a clear process for handling data subject complaints. This right to complain should also be included in privacy notices.
• Automated Decision Making: The Act narrows the scope of the current restrictions on automated decision-making, since they will now be limited to decisions involving special category data. This is a major shift from the existing rules.
• Legitimate Interests: The Act whitelists certain activities, such as direct marketing, intra-group data transfers, and network security as legitimate interests. This facilitates the process for controllers to determine whether their data processing purpose will be considered as legitimate.
• International Transfers: The Act retains a risk-based approach to assessing adequacy for international data transfers, focusing on whether the data protection standards in another jurisdiction are “materially lower” than those in the U.K. with the introduction of a “data protection test“.
• Public Task: The Act clarifies that the public task condition applies only to tasks performed by the controller in the public interest and does not extend to tasks carried out by third parties.
• Research Clarifications: The Act clarifies how personal data can be used for research purposes, explicitly including “scientific research” and genealogical research. It opens up new opportunities for technological development and fundamental research that can reasonably be described as scientific.

2. Amendments to ePrivacy Laws

The DUA Act also introduces some changes to the ePrivacy Regulations:

• Charity Soft Opt-in: The soft opt-in for electronic marketing is extended to charities, enabling them to contact individuals for marketing purposes related to furthering their charitable objectives.
• Cookie and Tracking Technologies: Cookies used for analytics or website optimization are exempt from the requirement to obtain prior consent, as long as users are clearly informed beforehand about the use of such cookies and have a simple, free method to opt out. This may still mean that cookie consent pop-ups remain in use.
• Fines Alignment: The fines for ePrivacy breaches are now aligned with those under the UK GDPR, allowing for substantial penalties for violations.

3. Smart Data Framework

One of the most innovative aspects of the DUA Act is its establishment of a smart data framework. This framework aims to enable consumers and businesses to grant third parties access to their data, encouraging competition and the development of new products and services.

Key points include:

• Smart Data Schemes: Building on the Open Banking model, the Act facilitates schemes across various sectors, with the energy sector as an early target. These schemes will enable customers to share data (such as consumption patterns) for price comparisons or carbon reporting, spurring innovation.
• Obligations for Traders: Businesses that supply goods or services will be subject to new obligations under these schemes, including investment in IT infrastructure to support data sharing.

4. Digital Verification Services (DVS)

The Act introduces a framework for digital verification services (DVS), including electronic signatures and eID. This will enable a trust framework for DVS providers, ensuring they meet the required standards and can be certified and included in a statutory register.

• Public Authority Gateways: DVS providers will be able to interact with public authorities via secure information gateways, allowing for the use of certified DVS for tasks such as right-to-work or right-to-rent checks.
• Reduced Personal Data Collection: DVS will help reduce the need for businesses to collect personal data, minimizing risks for both businesses and individuals.

5. The Future of AI and Automated Decision-Making

With the amendments to research definitions and automated decision-making restrictions, the U.K. is positioning itself as a more flexible environment for AI development. These changes make the U.K. an attractive destination for AI innovation, especially given that the EU has introduced specific AI regulations that U.K.-based businesses will not need to adhere to. However, multinational businesses must remain mindful of the differences between U.K. and EU data protection laws when developing or deploying AI technologies.

The Act’s Impact on Business Operations

The Data (Use and Access) Act 2025 will require businesses to:

• Review Data Governance Practices: Businesses will need to reassess their data collection, processing, and sharing policies, particularly for research and AI development.
• Prepare for Digital Verification Services: Businesses relying on identity verification will need to familiarize themselves with the new DVS framework and adjust their systems accordingly.
• Monitor Smart Data Schemes: Traders in sectors like energy and finance should prepare for the potential obligations that will come with smart data schemes.
• Adapt to ePrivacy Changes: Businesses will need to review their cookie consent practices and ensure they comply with the new exemptions and requirements for clear information.

Penalties and Enforcement

As with GDPR, the Data (Use and Access) Act 2025 establishes significant penalties for non-compliance. Penalties for breaches of electronic marketing regulations and placement ofcookies are currently capped at £500,000. However, ePrivacy breaches will soon be subject to the Data Protection Act 2018 leading to severe fines up to 4% of global turnover or £17.5 million, whichever is higher.

Preparing for the DUA Act

Organizations should begin preparing for the full implementation of the Act by:

• Familiarizing themselves with the new rules on automated decision-making and research to better align with evolving AI development.
• Reviewing their data processing practices, particularly around smart data schemes and digital verification.
• Ensuring compliance with ePrivacy laws and data subject rights.

While substantial changes to data protection frameworks are not required immediately, organizations should stay informed and proactive to take full advantage of the Act’s provisions and ensure continued compliance.

Conclusion

The Data (Use and Access) Act 2025 marks a major step forward in the U.K.’s data protection and digital verification landscape. It aligns with international standards like the GDPR but also opens new avenues for innovation, particularly in AI, smart data, and digital verification services. Businesses should remain vigilant, staying up to date with secondary regulations and prepare for the upcoming changes that will impact their data handling practices.

The post The U.K. Data (Use and Access) Act 2025: What you need to know  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

If you run a website or app, handling privacy isn’t optional; it’s the baseline. Between the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and the incoming wave of global regulations, staying on top of consent isn’t just about ticking boxes or avoiding legal headaches. It’s about building trust, protecting your business’s revenue, and even improving marketing performance.

But with so many tools out there, from free WordPress plugins to full-blown enterprise suites, how do you know which one’s right for you?

In this post, we’ve rounded up 9 of the most popular consent management platforms and broken them down in plain English.

We’ll cover everything including features, ease of use, pricing, and overall function. And you’ll also find a table below to compare the different platforms at a glance, so you can see which one might be best.

Consent management platform comparison: At a glance

What is a consent management platform (CMP), and how does it work?

A consent management platform (CMP) helps website and app owners collect, manage, and document user consent in line with privacy regulations like the GDPR, CCPA, and more. In a nutshell, it’s what powers the cookie banner you see when you first land on a site. But the best ones go much deeper than that, providing tools that help you improve consent rates and boost conversions to help you grow your business.

At a basic level, a CMP lets users decide what data they’re comfortable sharing. But behind the scenes, it also needs to:

• Block cookies and tracking scripts until a user gives consent
• Store and log consent preferences
• Provide options for users to withdraw or update consent
• Stay aligned with legal requirements that change over time

What should you look for in a consent management platform?

Not all tools are built the same. Here’s what actually matters when choosing the right consent management platform:

• Ease of setup – Are you comfortable spending hours tweaking code or bringing in developers to do so?
• Regulation coverage – Does it support GDPR, CCPA, and other privacy laws?
• Customization – Can you adapt the look and feel to your brand?
• Legal reliability – Are the policies and mechanics backed by actual legal experts?
• Automatic notifications – Does it automatically notify you of evolving laws or will you have to scramble last minute to manually check them yourself?
• Performance impact – Does it run smoothly without slowing your site down?
• Integrations – Does it integrate with CMS systems like WordPress or online stores like Shopify?
• Built-in Google Consent Mode – Does it help you recover marketing data when users reject cookies, especially for Google Ads and Analytics?
• IAB’s TCF – Does it share user consent with ad partners so you can run ads easily and get closer to compliance?
• Customer support – When you run into issues, can you reach a real person who helps quickly? Or will you wait weeks for a response? Check review sites like Trustpilot and G2 to see how each platform treats customers when things go wrong.

The best platforms for cookie consent and data compliance

1. iubenda

Unlike standalone CMPs, iubenda offers a complete digital compliance suite in one connected platform: cookie banners, privacy policies, terms and conditions, consent records, internal compliance solutions, accessibility solutions, and more.

It’s a solution that real legal experts back. And over 150,000 companies worldwide use it, from solopreneurs to giant enterprises, to help them get closer to compliance. And it goes beyond compliance too. With iubenda, you have access to solutions that help you improve user experience and increase consent rates, ultimately boosting conversions, trust and customer loyalty over the long run.

Best for

Businesses of all sizes looking for an easy-to-use, attorney-quality solution that offers everything they need to set up for compliance.

Pros

• The auto-scan feature automatically scans your website for cookies, trackers, and third-party services to identify which disclosures you need in just a few minutes
• Customizable cookie banners integrate with Google Consent Mode v2
• Consent database and logs store records in a compliant format
• Easily manage and store consent across multiple platforms, handle data subject requests and whistleblowing reports, optimize newsletter opt-ins for better marketing, and more
• Easy plugin integrations for WordPress, Shopify, and more
• Up to 27 languages and coverage for global privacy laws (GDPR, CCPA/CPRA and other US State Laws, LGPD, and more)
• Notifies you as laws evolve
• Real lawyers build and maintain the entire suite
• Easy setup. Simply copy and paste one line of code and tweak what you need
• Creates a simpler, faster consent experience that helps reduce bounce rates and increase conversions
• Responsive customer support that stays with you until your issue is resolved

Cons

• You’ll need a paid plan to access multiple languages and the Terms and Conditions Generator

Pricing

• Free plan available with everything you need for low-traffic sites
• Paid plans start around €4.99/month, depending on your needs
• Flexible pricing based on which solutions you activate, so you never pay for more than what you actually need

What people say

Users consistently highlight responsive customer support and ease of use. Reviewers mention that support agents stay with them until issues are resolved, and praise how the platform simplifies compliance without requiring legal expertise.

2. consentmanager

consentmanager is a consent management platform built for compliance and performance, offering customizable cookie banners, reporting solutions, and optimization features to help businesses manage consent while improving user experience.

Best for

Enterprise companies with complex digital portfolios, publishers, and e-commerce teams looking for detailed consent analytics.

Pros

• Highly customizable: 200+ design options, flexible targeting by country, browser, device, and more
• Detailed reporting: Analyze consent behavior by region, device, design variant, and other dimensions
• A/B testing and machine learning optimization to improve consent rates over time
• Auto-blocking and integrated crawler for compliance monitoring
• Predefined texts in over 35 languages
• Fully compatible with IAB’s Transparency and Consent Framework
• Google certified and Google Consent Mode v2 integrated
• EU-only data storage
• Flexible customization options (design, targeting, variants)
• Strong reporting for marketing and growth teams
• Compatibility mode makes switching from other CMPs easier

Cons

• The interface can be a bit tricky for first-time users

Pricing

• Free plan available
• Paid plans start from €23/month, depending on number of websites and views per month

What people say

Users appreciate the responsive customer support and highlight the A/B testing capabilities. Some report the interface has a learning curve.

3. Complianz

Complianz is a WordPress and Shopify plugin designed to make privacy compliance more manageable. It covers cookie consent, legal documents, and regional compliance rules (GDPR, CCPA, and more).

Best for

WordPress and Shopify users who want privacy features that work smoothly out of the box.

Pros

• Designed specifically for WordPress and Shopify
• Research team regularly updates clause library to reflect the latest law changes
• Flexible banner designs
• Smart site scanner that automatically detects and handles cookies in use before visitors see them
• Region-specific banner behavior (e.g., GDPR vs. CCPA)
• Legal documents in multiple languages
• Trusted by 1 million users
• Quick and easy setup
• Helps build brand transparency and trust
• 30-day money-back guarantee

Cons

• You need a paid plan for the more advanced features

Pricing

• Free plan available
• Paid plans start from €59/year (less than €5 a month)

What people say

Reviewers report easy installation, a user-friendly interface, and solid compliance features. A go-to choice for WordPress and Shopify users who want privacy tools that just work.

4. Cookiebot

Cookiebot scans your site for cookies, categorizes them, and helps you display a compliant cookie banner.

Best for

Mid-sized businesses that want consent features with a focus on automation.

Pros

• Automatic cookie scanning and categorization
• Multi-language support
• Compatible with Google Tag Manager and Consent Mode
• Cookie banner creation
• Simple setup

Cons

• Focuses on consent management; legal document generation requires a separate solution
• The interface is better suited to technically experienced users
• Banner customization options are more limited compared to some alternatives

Pricing

• Free plan with limited features available
• Paid plans start from €7/month and increase in price if you have more than a certain number of subpages

What people say

Some users find initial setup straightforward. Others have raised concerns about unexpected price increases, billing changes, and support response times. User satisfaction on Trustpilot currently sits at 2.3/5.

5. Usercentrics

Usercentrics is a consent management platform with a focus on marketing, offering analytics tools that give users insights into their web audiences.

Best for

Enterprise-level businesses looking for detailed control and integrations.

Pros

• Data control and user segmentation
• Analytics and consent audit tools
• Affiliate and partner programs
• Customizable banners
• Multilingual support
• Offers tools for consent rate optimization
• Fully customizable

Cons

• Setup may require more technical involvement, especially for complex integrations
• The interface is designed for teams with technical resources; less experienced users may need more onboarding time

Pricing

• Plans start from €7/month for basic features
• No free plans but there is a 14-day trial

What people say

Users value the compliance tools and customization options. Some have raised concerns about pricing clarity, with session-based plan changes that can affect billing. Support response times have also been noted. User satisfaction on Trustpilot currently sits at 3.1/5.

6. Piwik PRO

Piwik PRO offers analytics software built with privacy in mind, along with consent management features to help align with regulations. It positions itself as a more compliant alternative to Google Analytics.

Best for

Businesses in regulated sectors like finances, government, and healthcare.

Pros

• Full analytics suite with consent tracking built in
• Server location controls
• Clear documentation and onboarding support

Cons

• Its interface is less intuitive than other platforms
• Overall features can be limited, depending on what you need
• Lacks flexibility with third-party integrations

Pricing

• No free plans but it does offer a 30-day free trial
• Paid plans start at €35/month
• Scaling is pricier, with Enterprise plans starting at €366/month

What people say

Users on G2 praise the analytics, but many report integration issues and limited CMP-specific features.

7. Termly

Termly is a lightweight tool that combines consent management with policy generators. It’s aimed at small businesses and freelancers who want basic compliance tools.

Best for

Small businesses, bloggers, and freelancers with basic compliance needs.

Pros

• Automatic cookie scanning and script blocking
• Built-in policy generators
• Google Consent Mode v2 compatible
• Simple setup process
• Free plan available

Cons

• Limited to one domain per license (costs add up for multiple sites)
• Customization options are limited
• Some users report slow customer support response times

Pricing

• Free plan available with capped monthly pageviews
• Paid plans start from $10/month

What people say

Users find the setup straightforward. Some report limitations with the free plan when accessing certain features.

8. Didomi

Didomi provides consent management along with real-time data tools to help enterprise businesses understand and optimize user experiences.

Best for

Large, global enterprise businesses.

Pros

• Real-time consent data dashboards
• Customizable banners and forms
• CRM and ad tech integration
• Solutions are scalable for large organizations
• Fully customizable

Cons

• Users find it hard to use at first
• It requires a lot of customer support to implement and response times can be slow

Pricing

• It doesn’t offer a free plan
• Didomi doesn’t seem to publish their pricing online, so you need to call for a custom quote

What people say