Cookie Consent Management

As websites and applications (apps) become a bigger part of everyday life, respecting user privacy is not just good practice, it’s a regulatory requirement. This guide explains why cookie consent matters, what cookies do, and practical ways to manage Personally Identifiable Information (PII) tracking on your website with Clym.


1. Regulatory Requirements


Cookie consent is a legal obligation in many regions, designed to protect users’ personal data and online privacy. Some key regulations:

  • GDPR (EU): Requires websites to obtain explicit consent before storing or accessing personal data
  • ePrivacy Directive (EU): Governs electronic communications, including cookies, emphasizing user choice
  • CCPA/CPRA (California, US): Grants consumers the right to opt out of the sale of their personal information
  • Other regulations: Many countries, including Canada, Brazil, and Japan, have similar requirements for managing user data


Data privacy regulations typically require compliance in the following areas:

  • Default consent preferences: Users must actively opt in to tracking or have the ability to opt out.
  • Visual/UI requirements: Consent banner must be visible and not pre-checked.
  • Legal text: Must describe data collection and sharing practices.
  • Listing cookies, processors, services: Provide full disclosure of tracking.
  • Consent receipts: Keep a record of consent receipts.
  • Limiting PII: Block scripts or anonymize data when consent is not given.


Ignoring cookie consent can lead to regulatory fines, reputational damage, and loss of user trust. Therefore, proper cookie consent management is essential for legal compliance and user transparency.


Clym's ReadyCompliance™ feature automatically identifies applicable regulations based on your company’s needs and pre-configures Clym to help improve compliance.


2. Understanding Cookies


Cookies are small data files stored on a user’s device that help websites remember preferences and activity. They are essential for website functionality and user experience, and using them is not inherently bad. However, cookies can also be used to track Personally Identifiable Information (PII), which is why many privacy regulations focus on how cookies are managed.

Key roles of cookies:

  • Essential functionality: Support login sessions, shopping carts, and other core features.
  • User experience: Enable personalization, such as remembering language preferences or recently viewed items.
  • Insights and analytics: Help track site performance and user behavior for informed decisions.


Cookies can be created by your own website and by third-party services such as Google Ads/Analytics and Meta Pixel. These services create cookies in the browser to maintain functionality and track user behaviour. To meet regulatory requirements, we need to limit PII tracking for these services.


3. How to Limit PII Tracking on Your Website


Due to technical limitations in the browser, cookies cannot simply be limited. Therefore, instead of just trying to restrict cookies, the goal of modern consent management is to limit the tracking of Personally Identifiable Information (PII), which can be achieved by:

  1. Service management (blocking or controlling services based on consent)
  2. Signal frameworks (communicating user consent preferences to third-party scripts)
  3. Embedded content (blocking iFrames such as videos, chat widgets, forms)


Each website and use case is unique. Choose the combination that meets your needs and compliance requirements for your business and audience. Please seek legal and development counsel in order to discuss your particular settings and needs.


3.1 Service Management


The Clym Widget allows users to choose exactly which services they allow to run.

  • If a user opts out of a service, such as Google Analytics, the corresponding script of Google Analytics will not run for that user.
  • Since the script does not run, no cookies are created and no tracking occurs for that individual.
  • It’s important to note that if a service is blocked, it will not function at all for that user. For example, Google Analytics will not capture that user because its script is not running for them.

This approach keeps a strict connection between user preferences and control over PII tracking, though it may at times impact functionality for opted-out users.


Clym offers multiple ways of managing your scripts on your website:


3.2 Signal Frameworks


Frameworks allow websites to communicate user consent preferences to third-party vendors, so that tracking aligns with privacy regulations. Unlike full script blocking, this method allows the Clym Widget to send a signal to each service, indicating the user’s consent choices. The service then adjusts its behavior accordingly, for example by continuing to operate while limiting or anonymizing data collection.


This approach enables your website to maintain functionality while respecting user privacy and regulatory requirements.


Signal frameworks:

  • IAB GPP (Global Privacy Platform): Standard for transmitting privacy signals.
  • TCF (Transparency & Consent Framework): Enables publishers to collect, store, and share user consent with partners in the EU.
  • GCM (Google Consent Mode): Adjusts Google tags (Analytics, Ads) behavior based on user consent status.
  • MCM (Microsoft Consent Mode): Similar functionality for Microsoft tracking scripts.


Example:

If Google Consent Mode is enabled and a user declines Analytics tracking:

  • Google Analytics will still load and capture essential site interactions (e.g., page views).
  • The Clym Widget sends a “rejected” signal to Google.
  • Google respects this signal and anonymizes user data, ensuring no PII is stored.

While this approach may result in less granular analytics data, it preserves partial functionality and improves user experience compared to fully blocking scripts.
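
The "rejected" signal in the example above, sketched with the public Google Consent Mode `gtag('consent', ...)` commands. This is an added example, not Clym's code; the `choices` object and its `analytics` / `advertising` categories are assumptions made for illustration.

```javascript
// Added example, not Clym's code. The `choices` shape is an assumption.
const dataLayer = (typeof window !== 'undefined')
  ? (window.dataLayer = window.dataLayer || [])
  : []; // plain array when run outside a browser

// Same convention as Google's snippet: queue the call's arguments on dataLayer.
function gtag() { dataLayer.push(arguments); }

// Map consent categories to Consent Mode v2 keys. Anything other than an
// explicit `true` is sent as 'denied', so a missing choice fails closed.
function toConsentModeState(choices) {
  const flag = (ok) => (ok === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(choices.analytics),
    ad_storage: flag(choices.advertising),
    ad_user_data: flag(choices.advertising),
    ad_personalization: flag(choices.advertising),
  };
}

// Queue this before any Google tag loads: everything denied until the user decides.
function setDefaultConsent() {
  const state = toConsentModeState({});
  gtag('consent', 'default', state);
  return state;
}

// Queue this when the user saves their choices in the consent UI.
function applyUserChoice(choices) {
  const state = toConsentModeState(choices);
  gtag('consent', 'update', state);
  return state;
}

// Audit helper: replay the queued consent commands to see which state was
// last signalled. Simplified model: updates take precedence over defaults.
function effectiveConsent(layer) {
  const defaults = {}, updates = {};
  for (const entry of layer) {
    if (!entry || entry[0] !== 'consent') continue;
    if (entry[1] === 'default') Object.assign(defaults, entry[2]);
    if (entry[1] === 'update') Object.assign(updates, entry[2]);
  }
  return { ...defaults, ...updates };
}
```

Running `effectiveConsent(window.dataLayer)` in the browser console after declining Analytics is a quick way to confirm that the denied state was actually queued.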


3.3 Embedded Content


Embedded content often comes in the form of third-party iFrames, such as YouTube videos, chat widgets, maps, or data collection forms. These elements can begin tracking user activity or even collect Personally Identifiable Information (PII) before a visitor has given consent.

To prevent this, Clym provides an option to overlay embedded content, temporarily blocking it until the user provides the appropriate level of consent.


This approach helps ensure that:

  • No tracking or data collection occurs until explicit consent is granted.
  • Users clearly understand why the content is blocked and how to enable it.
  • Your website can safely integrate rich, third-party experiences while addressing compliance requirements.


Example:

  • A YouTube video may initially appear with a consent overlay.
  • Once the user accepts it, the video loads and plays normally. If the user doesn't accept it, the consent overlay will remain.
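
A common way to hold back both scripts (section 3.1) and iframes (this section) until consent, as an added example that is not Clym's implementation. The `data-consent` and `data-src` attributes and the category names are assumptions; the consent overlay itself is left out.

```javascript
// Added example, not Clym's code. Assumed markup convention:
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://example.com/a.js"></script>
//   <iframe data-consent="media" data-src="https://example.com/embed/1"></iframe>
// The browser does not execute a type="text/plain" script and does not load an
// iframe that has no src, so nothing is fetched until activate() runs.

function isAllowed(el, consent) {
  const category = el.getAttribute('data-consent');
  // Fail closed: a missing or unknown category stays blocked.
  return Boolean(category) && consent[category] === true;
}

function activate(el, doc) {
  const src = el.getAttribute('data-src');
  if (!src) return null;
  if (el.tagName === 'IFRAME') {
    el.setAttribute('src', src); // the embed starts loading only now
    return el;
  }
  // Changing the type of an existing script element does not run it,
  // so swap in a fresh element that carries the real src.
  const fresh = doc.createElement('script');
  fresh.setAttribute('src', src);
  el.replaceWith(fresh);
  return fresh;
}

// Activate every held element whose category the user has accepted.
// Returns the URLs that were released, which is useful for logging.
function applyConsent(doc, consent) {
  const released = [];
  for (const el of Array.from(doc.querySelectorAll('[data-consent][data-src]'))) {
    if (el.getAttribute('src')) continue; // iframe already activated earlier
    if (!isAllowed(el, consent)) continue;
    const active = activate(el, doc);
    if (active) released.push(active.getAttribute('src'));
  }
  return released;
}
```

In a page this would be called as `applyConsent(document, { media: true })` each time the user saves a choice; declined categories keep their placeholders.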


3.4 RealTime Compliance™


RealTime Compliance™ continuously scans your website to detect third-party services and cookies that may collect user data. Based on your regulatory settings, it automatically updates your Clym Widget, adding new services and removing inactive ones, as they appear or disappear from your site.

This helps ensure that your consent management setup always reflects the current state of your website, without requiring manual maintenance.


Key benefits:

  • Automatically identifies and categorizes new third-party services and cookies.
  • Keeps your Clym Widget up to date for accurate consent control.
  • Helps maintain ongoing compliance with global privacy regulations.


Learn more: See our detailed RealTime Compliance™ guide for setup steps and advanced configuration options.


4. Default Clym Widget Behavior


The Clym Widget can be customized to fit your organization’s needs, but it also comes with sensible default settings.

| Feature | Default Setting | Description |
| --- | --- | --- |
| Automatic Blocking | ✅ Enabled | Blocks all non-essential services until consent is provided. (Google Analytics, Meta...) |
| RealTime Compliance™ | ✅ Enabled | Continuously scans your site and updates the widget automatically. |
| Google Consent Mode | ✅ Enabled (if Google services detected) | Adjusts Google tags according to user consent. |
| Microsoft Consent Mode | ✅ Enabled (if Microsoft services detected) | Adjusts Microsoft tags according to user consent. |
| IAB GPP (US) | ✅ Enabled | Sends privacy signals in applicable U.S. states. |
| IAB TCF (EU) | ❌ Disabled | Can be enabled if operating under EU consent frameworks. |
| Embedded Content Blocking | ❌ Disabled | Can be turned on to block iframes (e.g., videos, chat widgets) until consent. |



Updated on: 22/10/2025
