Webflow Has No Native Cookie Consent
Webflow gives you full control over design and layout, but it ships without any built-in cookie consent management. If your site uses Google Analytics, Hotjar, Meta Pixel, or any other tracking tool, those scripts will fire the moment a visitor loads the page - before anyone has a chance to accept or reject cookies.
That is a problem under European privacy law. Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a visitor's device, unless the cookie is strictly necessary for the service the user requested. Analytics and marketing cookies never qualify as strictly necessary.
CNIL fined SHEIN EUR 150 million in September 2025 for placing cookies before users gave permission. The UK ICO reviewed the top 1,000 UK websites in 2025 and flagged non-essential cookies loading without consent as a primary compliance failing. Webflow sites are not exempt from these rules simply because the platform lacks a native solution.
Which Cookies Does a Typical Webflow Site Set?
Before configuring consent, you need to know what your site actually drops. A free cookie scan will reveal the full picture, but most Webflow sites share a common set of cookies depending on the integrations added through the project settings or custom code.
| Cookie | Source | Category | Consent Required? |
|---|---|---|---|
_ga, _ga_* | Google Analytics 4 | Analytics | Yes |
_gid | Google Analytics 4 | Analytics | Yes |
_hjSessionUser_* | Hotjar | Analytics | Yes |
_hjSession_* | Hotjar | Analytics | Yes |
_fbp | Meta Pixel | Marketing | Yes |
_gcl_au | Google Ads | Marketing | Yes |
__stripe_mid | Stripe | Functional | Depends on use |
Webflow itself sets minimal first-party cookies. The tracking burden comes almost entirely from third-party scripts added in Project Settings or embedded via custom code blocks.
Run a scan before going live. Cookies change whenever you add a new integration, update a marketing pixel, or embed a third-party widget. Regular scheduled scans catch new cookies that appear between audits.
Legal Requirements: GDPR, ePrivacy, and Beyond
The GDPR sets out six principles for processing personal data, including the requirement for a lawful basis. For cookies, the lawful basis is almost always consent. The ePrivacy Directive reinforces this by specifically targeting the storage of information on terminal equipment.
Under the GDPR's consent rules (Article 7), consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Burying a reject option behind extra clicks - a dark pattern - violates these requirements. CNIL's 2025 enforcement actions against Google (EUR 325 million) confirmed that steering users toward acceptance through design choices is unlawful.
If your Webflow site also attracts visitors from the United States, the CCPA and various state laws impose separate obligations around opt-out rights and data selling disclosures. A consent management platform with geo-detection can display the correct banner based on the visitor's location.
How to Add a Cookie Banner to Webflow
Webflow supports custom code injection at the project level. This is where your cookie banner script belongs. You will need a Webflow site plan (Basic, CMS, or Business) to access the custom code settings - the free Starter plan does not support custom code in the site-wide head.
Step 1: Get Your Banner Script
Sign up for a consent management platform and add your Webflow domain. After running an initial cookie scan, the platform will generate a JavaScript snippet for your site.
Step 2: Add the Script to Webflow
Open your Webflow project dashboard. Go to Project Settings, then click the Custom Code tab. Paste the snippet into the Head Code section. The consent script must load before any tracking scripts, so place it as the very first item in the head code area.
Step 3: Block Tracking Scripts Until Consent
Simply showing a banner is not enough. You must prevent analytics and marketing cookies from loading until the visitor actively opts in. There are two approaches on Webflow:
Script blocking via CMP - The consent platform intercepts cookie-setting behaviour and defers script execution until the correct consent category is granted. This is the recommended method.
Manual script type change - Change the
typeattribute of tracking scripts fromtext/javascripttotext/plainand let the CMP re-enable them after consent. This works but requires more manual upkeep.
For a detailed walkthrough specific to Webflow, see the Webflow installation guide in the Help Centre.
Step 4: Publish and Verify
Publish your Webflow site after saving the custom code. Open the published site in an incognito window, check that the banner appears, and confirm that no analytics cookies are set before you interact with the banner. Chrome DevTools (Application tab, then Cookies) will show exactly what is stored. The cookie banner verification guide covers this process in detail.
Google Consent Mode v2 on Webflow
If you run Google Analytics 4 or Google Ads on your Webflow site, Google Consent Mode v2 is relevant. Since March 2024, Google requires Consent Mode v2 for any site serving ads to EEA users. Without it, remarketing audiences and conversion data from the EEA will be limited.
Consent Mode works alongside your cookie banner. When a visitor declines analytics cookies, GA4 sends cookieless pings instead of setting _ga. Google then uses modelling to fill gaps in reporting. Your CMP handles the integration - look for a platform that supports Consent Mode v2 out of the box, so no additional code is needed on the Webflow side.
Common Mistakes on Webflow Sites
Several patterns appear repeatedly when auditing Webflow sites for cookie compliance.
Loading GA4 Through the Integrations Panel Without Blocking
Webflow offers a native Google Analytics integration in Project Settings. Entering your Measurement ID there loads the GA4 script on every page - with no consent gate. You must either remove the native integration and load GA4 through your CMP, or configure your consent platform to intercept the script.
Embedding Hotjar or Other Tools in Custom Code Without Consent
Pasting a Hotjar snippet directly into the head code means it fires on every page load, regardless of consent. The same applies to Meta Pixel, LinkedIn Insight Tag, and any other tracking script added as custom code.
Cookie Banner Without a Reject Button
A banner that only offers "Accept" or "Got it" does not meet GDPR requirements. Rejecting cookies must be as easy as accepting them. The one-click reject standard is now the baseline expectation across EU data protection authorities.
No Cookie Policy Page
Your banner should link to a dedicated cookie policy that lists every cookie, its purpose, duration, and category. Webflow makes it simple to create a new CMS or static page for this.
Choosing the Right Consent Management Platform
Not every CMP works well with Webflow. When evaluating options, check for these capabilities:
Automatic script blocking that intercepts cookies added via Webflow custom code and integrations
Support for Google Consent Mode v2
Geo-detection to show the right banner for GDPR, CCPA, or LGPD visitors
Banner customisation that matches your Webflow design
Automatic cookie scanning and categorisation
Kukie.io supports Webflow through a single script tag in the head code section. The scanner detects cookies set by GA4, Hotjar, Meta Pixel, and other common Webflow integrations, then categorises them automatically.
Webflow Compared to Other Platforms
Unlike WordPress, which has plugin-based consent solutions, or Shopify, which provides a Customer Privacy API, Webflow relies entirely on custom code injection for third-party tools. This gives you flexibility but also means full responsibility for compliance sits with you.
The process is similar to adding consent on Framer or Squarespace - paste a script, configure blocking, publish. The key difference is that Webflow's custom code area accepts any JavaScript, giving your CMP the ability to intercept and manage scripts without platform restrictions.
Frequently Asked Questions
Does Webflow set cookies by default?
Webflow itself sets very few cookies. The tracking cookies on most Webflow sites come from third-party scripts such as Google Analytics, Hotjar, or Meta Pixel added through custom code or the integrations panel.
Can I use Webflow's free plan with a cookie banner?
The free Starter plan does not support site-wide custom code in the head section. You need a Basic, CMS, or Business site plan to add a consent management script globally.
Do I need cookie consent if my Webflow site only targets the US?
The CCPA and several US state privacy laws require opt-out mechanisms for data selling and sharing. If your site uses analytics or advertising cookies, a consent banner helps meet these obligations even for a US-only audience.
How do I block Google Analytics on Webflow before consent?
Remove the GA4 Measurement ID from Webflow's native integrations panel. Instead, load the GA4 script through your consent management platform so it only fires after the visitor grants analytics consent.
What happens if I do not have a cookie banner on my Webflow site?
If your site places non-essential cookies without consent, you risk enforcement action from data protection authorities. Fines under the GDPR can reach EUR 20 million or 4% of global annual turnover, whichever is higher.
Can I customise the cookie banner to match my Webflow design?
Most consent management platforms offer visual customisation options including colours, fonts, button styles, and layout. Some also support custom CSS for precise control over the banner appearance.
Take Control of Your Cookie Compliance
If you are not sure which cookies your Webflow site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
