Why Multi-Site Cookie Consent Is an Agency Problem
A single website with a single cookie banner is straightforward enough. Multiply that by dozens of client sites, each running different CMS platforms, analytics tools, and marketing pixels, and consent management becomes a genuine operational burden.
Agencies building and maintaining websites for clients carry a particular responsibility. When a client's site drops a _fbp cookie or fires a Google Ads tag before the visitor has granted consent, the compliance failure sits with the site owner, but the reputational damage lands squarely on the agency that built it. The CNIL issued 83 sanctions in 2025 totalling over EUR 486 million, with cookie violations among the most common grounds. Agencies that treat consent as an afterthought are exposing every client in their portfolio to enforcement risk.
The problem compounds when clients operate across different jurisdictions. A UK-based ecommerce shop follows UK GDPR and PECR, a client targeting California must respect CCPA opt-out requirements, and a site with European traffic needs consent that satisfies Article 5(3) of the ePrivacy Directive. Handling each one ad hoc is unsustainable.
Building a Centralised Consent Workflow
The first step is to stop treating each client site as an isolated project. A centralised workflow means standardising how consent is configured, deployed, and monitored across every domain in the agency's portfolio.
Start with a shared cookie categorisation framework. Every client site should use the same four-category model: strictly necessary, functional, analytics, and marketing. Consistent cookie categories across sites reduce confusion during audits and make it easier to train team members on classification decisions. When a developer asks whether _gid belongs in analytics or marketing, the answer should be documented once and applied everywhere.
A single dashboard for managing multiple domains is not optional at scale. Agencies need the ability to view consent rates, scan results, and configuration status across all client sites without logging into separate accounts. This is where a CMP with multi-site management features becomes a practical necessity rather than a convenience.
Regulatory Mapping: One Policy Does Not Fit All
A common mistake is copying one client's cookie banner configuration to another client's site. Consent requirements vary by jurisdiction, and an agency must map each client's regulatory obligations before configuring anything.
| Jurisdiction | Consent Model | Key Requirement | Relevant Law |
|---|---|---|---|
| EU/EEA | Opt-in | Prior consent before non-essential cookies | GDPR + ePrivacy Directive |
| United Kingdom | Opt-in | Clear, affirmative action required | UK GDPR + PECR |
| California | Opt-out | Do Not Sell/Share link, honour GPC | CCPA/CPRA |
| Brazil | Opt-in (broadly) | Consent as legal basis for non-essential processing | LGPD |
| Canada | Implied/express | Meaningful consent with transparency | PIPEDA |
| South Africa | Opt-in | Consent or legitimate interest basis | POPIA |
Geo-detection is what turns this table into a working system. A visitor from Berlin should see an opt-in banner with granular category controls. A visitor from Texas should see an opt-out mechanism that respects Global Privacy Control signals. Configuring geo-rules once per jurisdiction and applying them across all client sites saves significant time. Kukie.io's geo-detection feature handles this automatically, adjusting the banner behaviour based on the visitor's location.
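A minimal sketch of how the jurisdiction table and the GPC signal can combine into one banner decision. This is an added example, not Kukie.io's code: the function names, the category keys, the strictest-model fallback and the mapping of GPC to the marketing category are all assumptions.

```javascript
// Added example. Country codes are ISO 3166-1 alpha-2; rules follow the table above.
const EEA = ("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT " +
  "RO SK SI ES SE IS LI NO").split(" ");
const RULES = [
  { model: "opt-in", countries: [...EEA, "GB", "BR", "ZA"] },
  // The table lists California; the Texas case in the text is also opt-out,
  // so this sketch treats all US traffic the same way.
  { model: "opt-out", countries: ["US"] },
  { model: "implied-or-express", countries: ["CA"] },
];
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];

function modelFor(country) {
  const rule = RULES.find((r) => r.countries.includes(country));
  // Assumption: an unmapped or undetected location gets the strictest model.
  return rule ? rule.model : "opt-in";
}

// headers: lower-cased request headers, as Node's http module exposes them.
function resolveBanner(country, headers = {}) {
  const model = modelFor((country || "").toUpperCase());
  const gpc = headers["sec-gpc"] === "1"; // Global Privacy Control request header
  const preEnabled = model === "opt-out"; // only opt-out regimes start with tags on
  const categories = { strictly_necessary: true };
  for (const c of OPTIONAL_CATEGORIES) categories[c] = preEnabled;
  // Assumption: the GPC opt-out of sale/sharing maps to the marketing category.
  if (gpc) categories.marketing = false;
  return { model, gpc, requiresPriorConsent: !preEnabled, categories };
}
```
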
The Cookie Audit Cycle for Agency Portfolios
Websites change constantly. A client installs a new chat widget, the marketing team adds a TikTok pixel, or a WordPress plugin update introduces a previously absent tracking cookie. Each change can break consent compliance if the CMP does not know about the new cookie.
Agencies should establish a recurring cookie audit schedule for every client site. Monthly automated scans catch new cookies before they become a compliance problem. The scan results should feed directly into the CMP's cookie inventory so that newly detected cookies are flagged, categorised, and either blocked pending consent or classified as strictly necessary.
Scheduled scans remove the need to remember which client site is due for review. Set the frequency, let the scanner run, and review only the exceptions.
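The reconciliation step described above, as an added example rather than any CMP's own code. The framework rules, the category assigned to each cookie name, the sample scan data and the extra `stale` list (inventory entries the scan no longer sees) are constructed assumptions.

```javascript
// Added example: reconcile a scheduled scan with a site's cookie inventory.
// Shared framework rules; the category choices are this sketch's assumptions.
const FRAMEWORK = [
  { pattern: /^_ga(_.+)?$/, category: "analytics" },
  { pattern: /^_gid$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "marketing" },
  { pattern: /^PHPSESSID$/, category: "strictly_necessary" },
];

function classify(name) {
  const rule = FRAMEWORK.find((r) => r.pattern.test(name));
  return rule ? rule.category : null;
}

// inventory: Map of cookie name -> category already recorded for the site.
// scan: array of { name, domain } observed by the latest scan.
function reconcileScan(inventory, scan) {
  const report = { added: [], needsReview: [], stale: [] };
  const seen = new Set();
  for (const { name, domain } of scan) {
    seen.add(name);
    if (inventory.has(name)) continue; // already documented
    const category = classify(name);
    if (category) {
      const blockUntilConsent = category !== "strictly_necessary";
      report.added.push({ name, domain, category, blockUntilConsent });
    } else {
      // Unknown cookie: block pending consent until a person classifies it.
      report.needsReview.push({ name, domain, blockUntilConsent: true });
    }
  }
  for (const name of inventory.keys()) {
    if (!seen.has(name)) report.stale.push(name); // documented but no longer set
  }
  return report;
}

// Constructed sample data for one client site.
const SAMPLE_INVENTORY = new Map([
  ["PHPSESSID", "strictly_necessary"], ["_ga", "analytics"], ["_gid", "analytics"],
]);
const SAMPLE_SCAN = [
  { name: "PHPSESSID", domain: "shop.example" },
  { name: "_ga", domain: ".shop.example" },
  { name: "_ga_ABC123", domain: ".shop.example" },
  { name: "_fbp", domain: ".shop.example" },
  { name: "chat_widget_sid", domain: "shop.example" },
];
```
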
Consistent Banner Design Without Losing Client Branding
Agencies face a tension between consistency and customisation. The consent logic should be standardised, but every client expects their cookie banner to match their brand identity.
Use a templated approach. Define a base banner layout that meets all regulatory requirements: clear accept and reject buttons with equal visual weight, a link to the cookie policy, and granular category toggles accessible within one click. Then customise colours, fonts, and logo placement per client. This approach satisfies dark pattern regulations by default, because the template enforces button parity and proper disclosure from the start.
The CNIL's record EUR 150 million fine against a major retailer in 2025 specifically cited the absence of an equally prominent reject button. When the base template already includes one, no client site ships without it.
Banner Copy and Language
Cookie banner text should be plain, specific, and free of jargon. For multilingual sites, auto-translation can speed up deployment, but a human review of translations for key markets (German, French, Portuguese) is worth the investment. Mistranslated consent text can invalidate the consent itself under GDPR recital 42, which requires information to be provided in clear and plain language.
Script Blocking and Tag Management at Scale
The banner is only half the solution. If a marketing tag fires before the visitor clicks accept, the banner is decorative rather than functional. Agencies must ensure that non-essential scripts are genuinely blocked until consent is granted.
Google Tag Manager is the most common tag deployment tool across agency portfolios. Configure a consent initialisation trigger in GTM so that tags only fire after the CMP passes the appropriate consent signal. Google Consent Mode v2 became mandatory for personalised advertising in the EEA and UK in March 2024, meaning every client site using Google Ads or GA4 needs this integration regardless.
For clients not using GTM, script blocking via the CMP's built-in mechanism (typically changing type="text/javascript" to type="text/plain" and letting the CMP re-enable scripts after consent) is the fallback. Document the blocking method used for each client so that handovers between team members are seamless.
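For sites that rely on the `type="text/plain"` method, a static check over the served HTML can confirm that no known non-essential tag is still executable before consent. This is an added example, not a CMP feature: the host-to-category map and the sample markup are constructed, and sites gated through GTM consent triggers are out of its scope.

```javascript
// Added example: flag non-essential <script src> tags that would run pre-consent.
// HOST_CATEGORY is a constructed map; extend it from the agency's shared framework.
const HOST_CATEGORY = {
  "www.googletagmanager.com": "analytics",
  "connect.facebook.net": "marketing",
  "analytics.tiktok.com": "marketing",
};

// Script types a browser executes; anything else (e.g. text/plain) stays inert.
const EXECUTABLE_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function findUnblockedScripts(html) {
  const findings = [];
  for (const [, rawAttrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(rawAttrs);
    if (!attrs.src) continue; // inline scripts need manual review
    const type = (attrs.type || "").trim().toLowerCase();
    if (!EXECUTABLE_TYPES.has(type)) continue; // inert until the CMP re-enables it
    let host;
    try {
      // The base URL is a placeholder so relative and //host paths resolve.
      host = new URL(attrs.src, "https://client.example").hostname;
    } catch {
      continue; // unparseable src: nothing to match against
    }
    const category = HOST_CATEGORY[host];
    if (category) findings.push({ host, category, src: attrs.src });
  }
  return findings;
}

// Constructed sample markup: one first-party script, two live tags, one blocked tag.
const SAMPLE_HTML = `
<script src="/assets/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script type='text/javascript' src="//analytics.tiktok.com/i18n/pixel/events.js"></script>
`;
```
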
Monitoring Consent Rates and Spotting Problems Early
Consent rate data is valuable operational intelligence for agencies. A sudden drop in consent rates on a client site often signals a broken banner, a layout change that pushed the banner off-screen, or a new cookie wall that frustrates visitors.
Track consent rates across all client sites from a single view. Benchmarks vary by industry and geography, but a European site typically sees opt-in rates between 40% and 70%. If a client's rate falls below 30%, investigate. If it sits above 95%, check for dark patterns - a rate that high usually means the reject option is buried or missing.
Monthly consent rate reports for clients serve two purposes: they demonstrate the value of ongoing compliance management, and they provide early warning of technical issues.
Onboarding New Client Sites Efficiently
Every new client website that enters the agency's portfolio should go through a standard onboarding checklist.
Agency Onboarding Checklist
- Run an initial cookie scan to identify all cookies and scripts
- Map the client's target audience to the relevant jurisdictions
- Configure geo-detection rules based on the jurisdiction map
- Categorise all detected cookies using the shared framework
- Deploy the banner template with client branding applied
- Set up script blocking or GTM consent triggers
- Verify blocking works by testing in browser DevTools
- Schedule recurring automated scans
- Document the configuration for internal handover
This process should take hours, not days. Agencies that have already standardised their categorisation framework and banner templates can onboard a new site in a single session.
Handling Client Handovers and Staff Changes
Agency teams rotate. Account managers change. Developers move between projects. If consent configuration lives only in one person's head, the agency has a single point of failure.
Document every client's consent setup in a shared, version-controlled location. Record which cookies are classified as essential, which scripts are blocked pending consent, which geo-rules are active, and where the CMP snippet is installed. When a new team member picks up the account, they should be able to understand the consent architecture without reverse-engineering it from browser DevTools.
Frequently Asked Questions
Can one cookie consent platform manage multiple client websites?
Yes. Most modern CMPs, including Kukie.io, support multi-domain management from a single account. Each domain gets its own configuration, cookie inventory, and banner design, but the agency manages all of them from one dashboard.
Do all client websites need the same cookie banner design?
The consent logic and regulatory compliance elements should be consistent, but the visual design (colours, fonts, logo) should match each client's brand. A templated approach achieves both goals.
How often should agencies scan client websites for new cookies?
Monthly scans are a sensible baseline. Sites that change frequently, such as ecommerce stores adding new integrations, may benefit from weekly scans.
What happens if a client adds a new tracking script without telling the agency?
The script will likely fire without consent, creating a compliance gap. Automated scheduled scans detect new cookies and flag them for review, catching these additions before a regulator does.
Is cross-domain consent sharing possible between client websites?
Cross-domain consent sharing is technically possible but legally complex. Each website typically needs its own consent because the data controller, purposes, and cookie inventory differ. Sharing consent is only appropriate when the same controller operates multiple domains with identical cookie categories.
How do agencies handle clients in different countries with different cookie laws?
Geo-detection is the standard solution. The CMP detects the visitor's location and applies the appropriate consent model, whether that is an opt-in banner for EU visitors or an opt-out mechanism for California visitors. The agency configures these rules once per jurisdiction.
Take Control of Your Cookie Compliance
If your agency manages multiple client websites, cookie compliance does not have to be a per-site headache. Kukie.io detects, categorises, and helps manage cookies across every domain in your portfolio, with geo-detection, scheduled scans, and a centralised dashboard built for multi-site workflows.