Features

Everything you need.
Nothing you don't.

Cookie consent built for Webflow from day one. Every paid plan includes the full compliance foundation, not just the marketing-friendly basics.

01 · Banner builder

Brand-perfect banner builder with live preview

Match your Webflow brand exactly. No CSS required.

theConsent's banner builder is built around a real-time preview iframe — the right side of the editor shows your banner exactly as visitors will see it. Change a color, see it update. Tweak the copy, see it update. No save-and-refresh cycles.

Choose from 5 layouts (bottom bar, top bar, modal center, bottom-left card, bottom-right card), 3 button styles (rounded, pill, square), 10+ typography presets (Inter, Roboto, Poppins, Open Sans, Lato, Montserrat and more), and full color control for primary, background, text, and border.

For Pro users, custom CSS injection lets you target our scoped class names directly (.tc-banner, .tc-prefs, .tc-btn-primary) and override anything. All theConsent CSS is namespaced under .tc-root so it never collides with your site's styles.

5 layouts — bottom/top bar, modal, bottom-left, bottom-right
3 button styles — rounded, pill, square + radius slider
10+ font presets including Inter, Poppins, Lato, Roboto
Live preview updates instantly as you edit
Custom CSS injection (Pro+)

theConsent · Banner Builder

Layout

Colors

Copy

Layout

Colors

Save

Live preview

02 · Compliance

GDPR, CCPA, CPRA, LGPD, PIPL — all by default

No "compliance pack" upsell. Every paid plan ships full regulatory coverage.

theConsent supports every major privacy regulation out of the box. EU GDPR requires opt-in consent with accept/reject parity and granular categories — we deliver that. California's CCPA / CPRA requires a "Do Not Sell or Share" opt-out and Global Privacy Control honoring — done. Brazil's LGPD, China's PIPL, South Africa's POPIA, Singapore's PDPA — all use the same consent model under the hood and theConsent handles them.

On Pro and Agency plans, geo targeting rules let you serve a different banner per visitor country: an EU visitor sees the full GDPR opt-in banner, a Californian gets the CCPA opt-out interface, and a US visitor without a state law sees a minimal banner.

For advertising-heavy sites running programmatic ads, IAB TCF v2.2 framework support (Agency plan) provides the __tcfapi vendor consent signals required by Google, Meta, and 1000+ TCF-registered vendors.

EU GDPR · CCPA / CPRA · LGPD · PIPL · POPIA · PDPA
Accept/reject parity enforced by default
Global Privacy Control auto-rejects (CCPA / CPRA)
Per-region geo rules (Pro)
IAB TCF v2.2 framework support (Agency)
DSAR-ready consent records with retention

theConsent · Compliance

96% compliant

5 of 6 checks passed

LIVE

GDPR consent categories

Reject all visible (GDPR)

GPC honored (CCPA)

Google Consent Mode v2

Pre-consent script blocking

03 · Google Consent Mode v2

Google Consent Mode v2 — synchronous, by default

Your GA4 and Google Ads keep working under EU consent rules.

Since March 2024, Google requires all EEA sites running Ads or Analytics to implement Consent Mode v2. Without it, your conversion data degrades and remarketing audiences shrink. theConsent emits all required GCM v2 signals — ad_storage, ad_user_data, ad_personalization, analytics_storage, functionality_storage, personalization_storage, and security_storage.

Critically, we emit the consent defaults synchronously at the very top of page load — before GA4 or GTM scripts execute. Most consent tools emit defaults after their own runtime loads, which means GA4 fires with the wrong consent state and you lose data. We avoid this by inlining the default signals in the bootstrap loader.

You can also use the dataLayer events theConsent pushes (tc_consent_default, tc_consent_update) to trigger custom GTM tag firing rules — useful when you need consent-gated tags beyond Google's own.

All 7 GCM v2 signals supported
Synchronous defaults — GA4 sees them before firing
Tag-level consent in GTM via custom dataLayer events
Category-to-signal mapping fully customisable
No code required to enable

DevTools · Console

> window.dataLayer

[

{ event: 'tc_consent_default',

tc: {

ad_storage: 'granted',

ad_user_data: 'granted',

analytics_storage: 'granted',

functionality_storage: 'granted'

} }

]

04 · Auto-blocking

Auto-blocks 30+ trackers until visitor consents

GA4, Meta Pixel, HubSpot, Hotjar — all blocked until you have permission.

Most cookie consent tools only emit consent signals — they don't actually stop trackers from loading. That leaves you legally exposed: even if a visitor rejects all cookies, their browser still sent a request to Meta's pixel servers. theConsent solves this with two layers of protection.

First, we install no-op stubs on common tracker globals — when a tracker script tries to call gtag(), fbq(), _hsq.push(), hj(), clarity() etc. before consent, we silently queue those calls instead of executing them. After the visitor accepts, we replay the queue against the real implementation so no events are lost.

Second, we intercept dynamically-injected <script> tags (the common pattern for GTM, Meta Pixel, HubSpot loaders) and neutralize their src attribute. When the visitor grants consent for that category, we replace the neutralized script with a fresh one that actually loads. The result: zero tracker network requests before consent.

Our blocklist covers 30+ trackers including Google Analytics 4, Universal Analytics, Google Tag Manager, Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight, X / Twitter Pixel, Pinterest Tag, Snapchat Pixel, Reddit Pixel, Bing UET, HubSpot, Hotjar, Microsoft Clarity, Mixpanel, Amplitude, Segment, FullStory, Heap, Intercom, Drift, Tawk, Crisp, YouTube embed, Vimeo, VWO, Optimizely, Mailchimp, and Klaviyo.

Function-level stubs (gtag, fbq, _hsq, hj, clarity, …)
<script> src interception via createElement override + MutationObserver
Queued calls replayed after consent — no lost events
Blocklist updated continuously by the theConsent team
Available on Pro and Agency plans

theConsent · Auto-block

30+ trackers monitored

Real-time

Google Analytics 4

BLOCKED

Meta Pixel

BLOCKED

HubSpot

ALLOWED

Hotjar

BLOCKED

LinkedIn Insight

BLOCKED

TikTok Pixel

ALLOWED

Auto-blocks until visitor grants consent

05 · Cookie scanner

Cookie scanner powered by Vercel Sandbox

Automatically discover every cookie on your site. Auto-categorize. Generate a cookie declaration page.

You can't accurately disclose what you don't know is there. theConsent's cookie scanner uses Vercel Sandbox to launch a real headless Chromium browser, navigate your site like a normal visitor, interact with forms and pages, and catalog every cookie that gets set.

For each detected cookie, we record the name, domain, lifetime (session vs persistent), 1st vs 3rd party origin, and a best-guess category mapping (analytics, marketing, preferences, necessary) based on our database of known cookies. You can review and adjust each before saving.

Scans generate two outputs: a regenerated cookie declaration page (embeddable in your privacy policy), and a compliance delta report showing what changed since the last scan — useful for catching unexpected third-party cookies introduced by new GTM tags.

Headless Chromium scan via Vercel Sandbox
Auto-categorizes against database of 1000+ known cookies
Detects 1st + 3rd party cookies, session + persistent
Generates cookie declaration page for your privacy policy
Free: 0 scans · Starter: 1/month · Pro & Agency: unlimited

theConsent · Scanner

Scanning acme.com

23 cookies found

2.4s

Type

Geo targeting — show the right banner per country

EU visitors see GDPR. California sees CCPA. Everyone else sees a minimal banner.

Different regions have different consent rules. Showing an EU visitor a CCPA "Do Not Sell" link is useless; showing a Texas visitor the full GDPR banner is unnecessary friction that hurts conversion.

theConsent's geo targeting (Pro+) detects the visitor's country from request headers and applies region-specific rules. Configure pre-built regions (EU 27, EEA, California, Brazil) or custom country sets. Each rule can override layout, banner copy, which categories are shown, and whether the banner appears at all.

Country detection happens on Vercel's edge network before the banner renders — no client-side geolocation API requests, no delay. The detected country is also included in your consent logs for compliance reporting.

Pre-built regions: EU 27, EEA, California, Brazil
Custom country sets with full banner overrides
Edge-detected country (no client geolocation)
Region-specific copy and category configuration
Compliance reporting by region

theConsent · Geo Rules

EU · GDPR active

EU (27)

Show GDPR banner

California

Honor GPC, opt-out link

United States

Minimal banner

07 · Analytics

Consent analytics — see how visitors interact

Accept rates, geographic breakdown, daily trends, category-level acceptance.

Most consent tools treat analytics as an afterthought. theConsent ships a real analytics dashboard on every paid plan with accept rate, reject rate, partial-accept rate, GPC rate, and per-category acceptance percentages.

The daily trend chart shows consent activity over the last 7, 30, or 90 days, broken down by accepted vs rejected. The geographic breakdown shows your top countries — useful for spotting regions where your accept rate is unusually low (often a sign that your banner copy doesn't resonate locally).

Coming Q3 2026: A/B testing for banner copy and layout, so you can optimize your consent rate without guesswork.

Accept / reject / partial / GPC rates
Daily activity trend (7/30/90 days)
Top countries with consent rate per country
Category-level acceptance percentages
Coming soon: A/B testing for consent rate optimization

theConsent · Analytics

Events

12.4k

67%

Reject

24%

GPC

Daily activity

Top countries

4200

1800

1200

08 · Consent logs

Consent logs — legally defensible records

Every visitor consent event recorded. Plan-tiered retention. DSAR-ready.

GDPR Article 7 requires you to demonstrate that a data subject consented. theConsent logs every consent event with an anonymous visitor hash, timestamp, the consent map (which categories accepted), the country code, and the GPC signal status.

Retention is plan-tiered: Starter keeps 7 days (covers most disputes), Pro keeps 90 days, Agency keeps 1 year. After retention, records are automatically deleted to minimize data retention obligations.

For DSAR (Data Subject Access Request) handling, you can look up consent history by visitor hash. Coming Q3 2026: CSV export and webhook events for integrating with your DPO tooling.

Anonymous visitor hash (no PII stored)
Consent map + timestamp + country + GPC flag
Retention: Starter 7d · Pro 90d · Agency 1yr
DSAR lookup by visitor hash
Coming soon: CSV export + webhooks

theConsent · Logs

Time

Visitor

Geo

Consent