# Secure Privacy Knowledge Base - Full Content

> Complete article content for AI and LLM indexing. Published by Secure Privacy (https://secureprivacy.ai).
> This knowledge base covers GDPR compliance, cookie consent, data privacy governance, DPO services, and more.

---

# Google Tag Gateway (GTG) and Consent Management: How to Prevent Late Consent Signals and Keep Measurement Working

URL: https://support.secureprivacy.ai/article/google-tag-gateway-consent-management-late-consent-signal
Product: Consent Management
Category: Google Consent Mode
Published: 2026-06-04T12:33:00+00:00
Updated: 2026-06-04T12:40:02.126+00:00
Reading Time: 12 minutes
Summary: Google Tag Gateway can break consent mode timing on Cloudflare, Akamai & Fastly. Learn how to detect late consent signals and fix them with Secure Privacy.

Why your Google Ads conversions can disappear after enabling Google Tag Gateway
You enabled Google Tag Gateway (GTG) through your CDN — maybe a one-click Cloudflare, Akamai or Fastly integration — expecting better measurement and first-party tag serving. Instead, your Google Ads conversions drop, GA4 reporting goes quiet, and Tag Assistant starts flagging a late consent signal warning. Your cookie banner looks fine. Your tags look fine. So what's going on?
The common but painful "fixes" people try first all have downsides:
- Rolling back GTG entirely — you lose the conversion-measurement and first-party data benefits Google designed GTG to deliver.

- Switching to Basic Consent Mode — tags are blocked entirely until the user clicks Accept, so any late-loading consent stub means zero measurement for that page load.

- Hand-editing CDN routing rules — possible, but fragile, and most teams don't have the infrastructure access to do this safely.

There's a cleaner path. With Secure Privacy configured for Advanced Consent Mode (U+C), combined with Google's Data Transmission Controls and Global Consent Defaults, Google tags can load immediately under GTG and still respect consent — sending cookieless pings while consent is denied, and switching to full measurement the moment a user accepts. The load-order race condition stops mattering.
By the end of this article you'll know exactly what Google Tag Gateway does, how to check whether it's active on your site, how to diagnose a late consent signal, and which of three remediation paths fits your setup — with our recommended fix detailed step by step.
Who is this article for?
- Marketing, analytics or web teams who have enabled (or are considering enabling) Google Tag Gateway on Cloudflare, Akamai or Fastly

- Anyone seeing a "late consent signal" or "tag fired before consent default" warning in Google Tag Assistant

- Teams running Secure Privacy as their CMP alongside Google Ads, GA4 or Campaign Manager 360

- Implementers troubleshooting a sudden drop in conversions or modelled data after a CDN change

Prerequisites
- Access to your Google tag UI (Google Ads, GA4, or Google Tag Manager)

- Admin access to your Secure Privacy dashboard

- Google Tag Assistant installed for debugging

- Access (or a colleague with access) to your CDN configuration if you intend to use manual GTG setup

Overview
If your website uses Google Tag Gateway (GTG), the way your tags are served can affect when consent signals reach Google — and in some configurations, your measurement may stop working even when your banner is set up correctly.
This article explains what GTG is, how it can interact with your Secure Privacy banner, how to check whether GTG is active on your site, and what steps to take if you detect a timing issue.
What is Google Tag Gateway?
Google Tag Gateway (GTG) is a feature that lets you serve Google tags (gtm.js and similar scripts) from your own domain rather than from googletagmanager.com. It works through your existing Content Delivery Network (CDN), load balancer, or web server.
GTG is available for Google Tag Manager, Google Ads, and Google Analytics 4, and can be set up with major CDN providers including Cloudflare, Akamai, and Fastly.
Benefits Google cites for Google Tag Gateway
- Improved conversion measurement completeness

- Reduced reliance on third-party script domains

- First-party data collection from your own domain

See Google's overview: Google Tag Gateway for Advertisers.
How GTG can affect consent signal timing
One-click / automated CDN setup
When you set up GTG using the automated option (available for Cloudflare, Akamai, and Fastly), Google injects routing rules directly into your CDN configuration. This means gtm.js is served from your domain automatically, without you controlling when or in what order scripts load.
This creates a potential problem: your CMP consent stub may load after gtm.js has already initialised.
Why load order matters for Google Consent Mode
For consent mode to work correctly, your consent defaults must be established before any Google tags fire. Google's own documentation is explicit:
"The order of the code is vital. If your consent code is called out of order, consent defaults won't work."
"Don't set default consent states asynchronously."

When gtm.js loads before your Secure Privacy stub has called consent('default', ...), tags may execute before any consent state exists. This is called a late consent scenario.
What a late consent signal looks like in practice
In a correctly configured setup, the sequence is:
- CMP stub loads → calls consent('default', { ad_storage: 'denied', ... })

- gtm.js loads → tags respect the default denied state

- User interacts with banner → consent('update', ...) fires → tags fire or remain blocked based on choices

In a late consent scenario with GTG CDN injection:
- gtm.js loads (via CDN injection)

- Tags fire — no consent state exists yet

- CMP stub loads → calls consent('default', ...) — too late

Google's Tag Assistant will flag this as an error in the consent timeline.
For more on consent mode fundamentals: Consent Mode overview · Set up consent mode on websites.
How to check whether Google Tag Gateway is active on your site
You can verify GTG enrollment status from within your Google tag interface (Google Ads, GA4, or Google Tag Manager).
GTG status indicators to look for
Status
Meaning

First-party
GTG is active and serving tags from your domain

Active
Setup complete; your domains are listed

Pending
GTG is enabled but no diagnostic data has been received yet

Paused
GTG has been paused

Not started
GTG has not been activated

How to verify using Google Tag Assistant
- Open Tag Assistant and enter your website URL

- Start a session and allow the page to load

- In the Summary panel, go to Output → Hits Sent

- Check that hits are routed to your own measurement path (your domain), not to googletagmanager.com

If hits show your domain as the source, GTG is active.
Setup guides by CDN provider: Cloudflare · GTG setup guide (general) · GTG with CDN + server-side tagging.
What to do if you detect a late consent signal and GTG is active
If your Secure Privacy banner is detecting a late consent signal (consent update fires after Google tags have already executed), and you have confirmed that GTG is active, you have three remediation paths. We recommend Option A.
Option A — Adopt Advanced Consent Mode (U+C) with Data Transmission Controls and Global Consent Defaults (recommended)
Why this works: Advanced Consent Mode loads Google tags immediately but sends cookieless measurement pings when consent is denied. This means even if there is a load-order issue with GTG, measurement continuity is preserved — tags are never fully blocked, they simply operate in a privacy-safe mode until consent is granted.
Step 1 — Enable Advanced Consent Mode (U+C) in Secure Privacy
In your Secure Privacy dashboard, switch the banner to Advanced Consent Mode (U+C). This configures your banner to call consent('default', ...) with denied states and consent('update', ...) when the user makes a choice.
Step 2 — Enable Data Transmission Controls in your Google tag
Data Transmission Controls are available in Google Ads, GA4, and Campaign Manager 360. They let you independently configure what data Google tags can send while consent is denied:
- Advertising data — limit or block ad data until consent is granted

- Behavioural analytics — block analytics data collection until consent is granted

- Diagnostics — block diagnostic pings until consent is granted

Step 3 — Enable Global Consent Defaults in GTM
In your Google tag configuration in GTM, enable Global Consent Defaults. This setting overrides any consent('default') commands in your website code and sets a baseline denied state per region — useful when you cannot guarantee the CMP stub will always load first.
Reference: Data Transmission Controls · About Consent Mode (GTM).
Option B — Migrate all tags into a GTM container and deploy GTM via GTG
Why this works: If all your tags live inside a single GTM container, GTM's built-in consent mode support ensures tags respect the consent state set by your CMP. GTG then serves the GTM container itself from your domain, rather than injecting individual tag scripts separately.
Step 1 — Consolidate all Google tags into a single GTM container
Move Google Ads, GA4, Floodlight, and any other Google tags currently loaded directly on the page into one Google Tag Manager container.
Step 2 — Configure GTG to serve the GTM container from your domain
Set up GTG so that the GTM container (gtm.js) is served from your first-party domain.
Step 3 — Place the Secure Privacy stub before the GTM snippet
Ensure your Secure Privacy banner is initialised before the GTM snippet in your page <head> so that consent defaults are set first.
Option C — Set up GTG manually to regain control over script load order
Why this works: Instead of using the one-click automated CDN injection (which removes your control over load order), you configure your CDN or load balancer routing rules manually. This lets you ensure your CMP stub always loads and fires consent('default', ...) before gtm.js is requested.
Step 1 — Do not use the automated one-click GTG setup
Avoid the one-click GTG setup option in the Google tag UI, since it removes your control over load order.
Step 2 — Configure your CDN routing rules manually
Configure your CDN (Cloudflare, Akamai, Fastly, etc.) routing rules manually, following Google's self-service setup instructions.
Step 3 — Place the Secure Privacy stub before the Google tag snippet
Ensure your page <head> order places the Secure Privacy stub snippet above the Google tag snippet.
Reference: GTG setup guide · GTG with CDN.
Why Advanced Consent Mode is the recommended path for GTG-enabled tags
Advanced Consent Mode (also called U+C — "Update and Collect") is the only remediation path that works regardless of your GTG configuration:
- It is fully compatible with one-click automated CDN injection (Option A)

- It is fully compatible with manual GTG setup (Option C)

- It preserves conversion modeling even when consent is denied, by sending cookieless pings to Google

- Basic Consent Mode, by contrast, blocks tags entirely until consent is granted — if the consent stub loads late, there is no measurement at all for that page load

If you are using GTG and are unsure which path to take, start with Option A. Options B and C require more infrastructure changes and may not be feasible depending on your setup.
Debugging late consent issues with Google Tag Assistant
If you suspect a late consent problem, use Google's Tag Assistant to diagnose it:
- Open Tag Assistant and connect to your site

- Open the Consent tab in the Summary panel

- Look at the consent timeline — Tag Assistant will flag cases where tags fired before consent('default', ...) was called

- Check the order of events: the default consent call must appear before any tag firing events

Full debugging guide: Troubleshoot consent mode with Tag Assistant.
Common late consent failure modes
- "Tag fired before consent default was set" — almost always a load-order issue caused by one-click GTG CDN injection. Fix with Option A.

- Tags blocked entirely / no pings at all on denied page loads — you're on Basic Consent Mode with a late-loading stub. Move to Advanced (U+C) so cookieless pings continue while consent is denied.

- Consent state shows as unknown in Tag Assistant — the default consent command never fired on this page. Confirm your Secure Privacy stub is present and that wait_for_update is set (500ms is the Google-recommended value).

Summary table — which fix to choose
Situation
Recommended action

GTG is active (one-click CDN) and you see late consent
Follow Option A — enable Advanced Consent Mode + DTCs + Global Consent Defaults

GTG is active and you want maximum control over load order
Follow Option C — switch to manual GTG setup

You want to simplify tag management and have all tags in GTM
Follow Option B — migrate to GTM container deployed via GTG

You're unsure if GTG is active
Check status in Google tag UI or verify via Tag Assistant

Frequently asked questions
What is Google Tag Gateway (GTG)?
Google Tag Gateway is a Google feature that lets you serve Google tags such as gtm.js from your own first-party domain instead of from googletagmanager.com. It works through your CDN, load balancer or web server, and is available for Google Tag Manager, Google Ads, and Google Analytics 4 — with one-click setup for Cloudflare, Akamai, and Fastly.
Why are my Google Ads conversions dropping after enabling Google Tag Gateway?
The most common cause is a late consent signal. When GTG is set up via one-click CDN injection, gtm.js may load before your CMP stub has set consent defaults. Tags fire without a consent state, Tag Assistant flags it as an error, and conversion data is lost or unmodeled. The recommended fix is to enable Advanced Consent Mode (U+C) in Secure Privacy together with Data Transmission Controls in your Google tag.
How do I check if Google Tag Gateway is active on my site?
Open your Google tag UI (Google Ads, GA4, or GTM) and look at the GTG enrollment status — "First-party" or "Active" means GTG is serving tags from your domain. You can also confirm via Google Tag Assistant: in the Summary panel, check Output → Hits Sent. If hits route to your domain rather than googletagmanager.com, GTG is active.
What is a late consent signal?
A late consent signal is when Google tags fire before your CMP has called consent('default', ...) to set a baseline consent state. Google's documentation is explicit that this breaks consent mode behaviour: tags may collect data without respecting the user's eventual choice, and Tag Assistant will flag the event in the consent timeline.
Does Google Tag Gateway work with Cloudflare, Akamai, and Fastly?
Yes. All three providers support GTG, and Google offers a one-click automated setup for each. The trade-off with one-click setup is that Google injects routing rules directly into your CDN configuration, which can introduce a load-order issue between gtm.js and your CMP stub. Manual setup is also available if you need full control over load order.
What is the difference between Basic and Advanced Consent Mode for GTG?
Basic Consent Mode blocks Google tags entirely until consent is granted — so if the consent stub loads late under GTG, there is no measurement at all for that page load. Advanced Consent Mode (U+C) lets tags load immediately and send cookieless pings while consent is denied, preserving conversion modelling. Advanced Consent Mode is the recommended path for any site using Google Tag Gateway.
Do I need to roll back Google Tag Gateway to fix a late consent signal?
No. Rolling back GTG forfeits the first-party measurement benefits it provides. The recommended fix is to switch Secure Privacy to Advanced Consent Mode and enable Google's Data Transmission Controls and Global Consent Defaults, so measurement continues safely under denied consent without depending on script load order.
What are Data Transmission Controls and where do I enable them?
Data Transmission Controls are settings in Google Ads, GA4, and Campaign Manager 360 that independently restrict what data Google tags can transmit while consent is denied — covering advertising data, behavioural analytics, and diagnostics. You enable them inside your Google tag configuration in the respective product UI.
Related articles
- Google Consent Mode: Basic vs Advanced — Complete Guide

- How to Implement Google Consent Mode Advanced with GTM

- How to Check If Google Consent Mode Is Working

- How to Set Up Secure Privacy CMP via Google Tag Consent Mode

- How to Comply with Google's EU User Consent Policy

For further guidance, contact Secure Privacy support or refer to Google's consent mode implementation guide.

---

# How to Install Secure Privacy CMP via Google Tag Consent Mode (Google Ads & GTM)

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-cmp-via-google-tag-consent-mode-google-ads-gtm
Product: Consent Management
Category: Google Consent Mode
Published: 2026-06-01T07:29:00+00:00
Updated: 2026-06-04T13:36:11.834+00:00
Reading Time: 9 minutes
Summary: Set up Google Consent Mode v2 with Secure Privacy in minutes — directly inside Google Ads or GTM. Step-by-step guide. No manual gtag configuration needed.

If your website serves visitors in the European Economic Area (EEA) or the UK, and you're running Google Ads or using
    Google Analytics, you're almost certainly losing conversion data — and you may not have noticed yet. Since
    March 2024, Google has required all advertisers to implement Google Consent Mode
        v2 via a certified Consent Management Platform (CMP) for EEA and UK traffic. By July
        2025, Google began actively restricting conversion tracking and audience creation for accounts that
    weren't compliant. For some advertisers that meant an overnight drop of 80–90% in measured conversions.

The two painful workarounds most teams try first don't hold up. Writing manual
    gtag('consent', 'default', ...) code is error-prone, hard to maintain, and still requires a separate
    consent banner that actually meets GDPR standards. Bolting on a generic cookie notice without a proper Google
    integration means consent signals never reach your Google tag — so modeling never kicks in and attribution stays
    broken.

There's a cleaner path. In 2025, Secure Privacy built a deep integration directly inside the Google Tag
        platform, which Google approved and made live in April 2026. Secure Privacy is now listed as a
    fully integrated platform inside Google's own consent mode wizard — meaning you can connect a
    compliant, Google Gold CMP Partner to your Google tag in minutes, with no manual gtag configuration on your end.

By the end of this guide you will have Google Consent Mode v2 active on your site, your consent signals flowing
    correctly to Google Ads and Google Analytics, and a built-in test to confirm everything is working.

Who Is This Guide For?

This guide is for you if any of the following apply:

    - 
        You run Google Ads campaigns targeting EEA or UK audiences and you don't yet have a consent banner connected
            to your Google tag.

    

    - 
        You're a marketer or developer setting up Google Consent Mode v2 for the first time and want to avoid manual
            gtag code.

    

    - 
        You've seen a warning in Google Ads about consent mode not being configured, or you've noticed a spike in
            "(not set)" traffic source data in GA4.

    

    - 
        You're evaluating a Google-certified CMP and want to understand what the setup process looks like in
            practice.

    

Prerequisites

    - 
        Access to a Google Ads or Google Tag Manager account — specifically, access to a Google Tag.
            This can be a tag connected to Google Ads, Google Analytics 4, or any other Google product.

    

    - 
        Your website domain (you will associate it with your Secure Privacy account during setup).

    

    - 
        A Secure Privacy account — a free tier is available and can be created directly inside the wizard without
            leaving Google.

    

Step-by-Step Setup Guide

Step 1 — Open the Google Tag Admin Settings

In Google Ads: navigate to Tools in the left sidebar, then open Data
        manager. Click into your Google tag to open its settings panel, and select the Admin
    tab along the top.

Google Ads → Tools → Data manager → select your Google tag → Admin tab.

In Google Tag Manager: navigate to Google tags and select your tag from the list.
    Click into your Google tag to open its settings panel, then select the Admin tab along the top.

Google Tag Manager → Google tags → select your tag → Admin tab.

Step 2 — Click "Set Up Consent Mode"

On the Admin tab you will see a Google tag management section listing several configuration options.
    Click Set up consent mode. This launches a guided setup wizard.

Under Google tag management, click "Set up consent mode" to launch the wizard.

Note: If you see a Google tag gateway: Incomplete status on the Admin page, this is
    a separate first-party tagging concern and does not block consent mode setup. You can proceed with the
    wizard regardless.

Step 3 — Select Your Consent Banner Type

The first screen of the wizard asks: "Which type of consent banner do you have?"

Select "I don't have a consent banner", then click Next. This is the correct option
    even if you have a basic cookie notice — if it's not yet connected to a certified CMP, you effectively don't have a
    compliant banner for Google's purposes.

Select "I don't have a consent banner" and click Next.

Step 4 — Select Your Platform

The next screen is titled "Set a third-party banner" and explains how CMPs work with Google Consent
    Mode. Click the "Select your platform" button to open the platform picker.

Click "Select your platform" to open the CMP platform picker.

Step 5 — Choose Secure Privacy

A side panel will appear titled "Select a third-party platform (to create your banner)". Under the
    Fully integrated platforms section, find and select Secure Privacy — it is listed
    with "Free tier available".

Under Fully integrated platforms, select Secure Privacy.

Follow the remaining on-screen prompts. If you don't yet have a Secure Privacy account, you can create one here — no
    need to leave the Google interface.

Why "fully integrated" matters: Secure Privacy's fully integrated status means Google has a direct,
    verified integration path. No manual gtag('consent', 'default', ...) configuration is required on your
    end — Secure Privacy handles consent signal communication to your Google tag automatically.

Step 6 — Confirm Setup

After completing the prompts, you'll see a setup confirmation screen showing your Secure Privacy CMP
        account connected to the Google tag, along with options to publish your consent banner via Google Tag
    Manager or manually.

Setup confirmation — your consent signals are now active.

To publish your banner, select a GTM container from the list and apply the changes to a workspace, or use the Install
    manually option if you manage your tag code directly.

What Happens After Setup

Test your consent signals

After completing setup, return to the first screen of the consent mode wizard and expand the "Test your
        consent signals" section. This built-in tool confirms whether consent state is being communicated
    correctly from Secure Privacy to your Google tag. Look for a green "Your consent signals are active"
    confirmation.

When will Google Ads show consent mode as active?

The consent mode status in your Google Ads account typically updates within 48 hours, but may take
    up to two weeks to fully reflect in your account's consent settings panel.

When will conversion modeling start?

Google Ads conversion modeling for consent-denied users requires at least 700 ad clicks over a 7-day
        period per country and domain grouping. Modeled conversions begin appearing in your Conversions columns
    after the threshold is reached. Google Analytics 4 behavioral modeling requires at least 1,000 denied-consent events
    per day for at least 7 days.

What about users who already had consent granted?

For users who interacted with your site before consent mode was in place, there is no retroactive data recovery.
    Going forward, Advanced consent mode (which Secure Privacy implements) enables advertiser-specific modeling to
    estimate conversions from non-consenting users based on aggregate signals.

Troubleshooting

Secure Privacy doesn't appear in the platform picker

Make sure you are on the Fully integrated platforms section of the picker, not the "Set instructions
    only" section lower down the list. If the panel doesn't load, try refreshing the page and re-entering the wizard
    from the Admin tab.

Consent signals test shows "Not active" after setup

This usually means the banner has not yet been published. Complete the banner publication step — either by selecting
    a GTM container and publishing the workspace, or by installing the banner code manually on your site. Once the
    banner is live, re-run the consent signals test.

Google tag gateway shows "Incomplete"

This is a separate first-party tagging configuration and does not affect consent mode. It refers to whether your
    Google tag is operating in a first-party context. You can address it independently through the Google tag gateway
    settings without any impact on your consent mode integration.

GA4 shows a spike in "(not set)" for traffic source

This is a known issue that occurs when session_start and page_view events fire before
    consent is established. Make sure your Secure Privacy banner is loading before any Google tags fire on your
    pages. If you're using GTM, ensure the consent initialization tag fires on the earliest possible trigger (Consent
    Initialization trigger type).

GOOGLE GOLD CMP PARTNER · SOC 2 TYPE II · IAB TCF v2.3

Get compliant with Google Consent Mode v2 — without the complexity

Secure Privacy is a fully integrated Google Tag platform partner. Set up your consent banner directly inside Google
    Ads or GTM and restore conversion tracking for EEA audiences.

Get Started
            for Free Schedule a Demo

30-day free trial · No credit card required

Frequently Asked Questions

Do I need a consent banner to run Google Ads in the EEA?

Yes. Since March 2024, Google requires all advertisers with EEA or UK traffic to implement Google Consent Mode v2 via
    a certified CMP. Without it, Google will not populate remarketing audiences and conversion tracking is restricted
    for those users. Enforcement with active account restrictions began in July 2025.

What is Google Tag Consent Mode and why do I need it?

Google Tag Consent Mode is a framework that tells Google's tags (Google Ads, GA4, Floodlight) how to behave based on
    a visitor's cookie consent choices. It enables conversion modelling so Google can estimate conversions from users
    who did not consent, recovering a portion of the attribution data that would otherwise be lost entirely.

Is Secure Privacy a Google-certified CMP?

Yes. Secure Privacy is a Google Gold CMP Partner and appears in Google's own platform picker as a
    fully integrated platform. This is the highest tier of Google CMP certification and means the integration is
    verified and maintained directly with Google.

Do I need to write any gtag code to set this up?

No. Because Secure Privacy is listed as a fully integrated platform inside the Google Tag consent mode wizard, the
    integration is handled automatically. Secure Privacy manages consent signals to your Google tag without any manual
    gtag code.

Can I do this setup inside Google Tag Manager instead of Google Ads?

Yes. The same wizard is available inside Google Tag Manager. Navigate to your Google tags list, click into your tag,
    open the Admin tab, and follow the same steps described in this guide.

What happens if the Google tag gateway shows as Incomplete?

This is a separate first-party tagging concern and does not block consent mode setup. You can complete the consent
    mode integration regardless, and address the gateway configuration separately at a later stage.

How do I verify that consent signals are working after setup?

Use the "Test your consent signals" section available on the first screen of the consent mode
    wizard. It will confirm whether consent state is being communicated correctly to the Google tag. You can also use
    Google Tag Assistant to inspect consent state values (gcs parameter) in real time.

Related Articles

    - 
        How
                to Implement Google Consent Mode Advanced with GTM

    

    - 
        Google Consent Mode Basic
                vs Advanced — Complete Guide

    

    - 
        How to Check If Google Consent Mode Is
                Working

    

    - 
        How to Implement Google Consent
                Mode Basic

    

    - 
        How to Comply
                with Google's EU User Consent Policy

    

    - 
        Secure Privacy:
                Google-Certified Consent Management Platform

---

# What Is Amazon Consent Mode (Amazon Consent Signal)? A Complete Guide for Advertisers

URL: https://support.secureprivacy.ai/article/what-is-amazon-consent-mode-amazon-consent-signal-a-complete-guide-for-advertise
Product: Consent Management
Category: Policies & User Consent
Published: 2026-05-19T19:25:00+00:00
Updated: 2026-05-20T19:49:22.431+00:00
Reading Time: 10 minutes
Summary: Amazon Consent Signal (ACS) is mandatory for EEA/UK Amazon Ads since Feb 2025. Learn how amzn_user_data & amzn_ad_storage work and how to stay GDPR compliant.

If you run Amazon Ads with EEA or UK traffic, you are required to send a valid consent signal to Amazon before transmitting any personal data. Here is what that means, where it comes from officially, and what you need in place.
You have a cookie consent banner on your site. Your visitors see it, some accept, some decline. But does Amazon Ads actually know about those choices? Unless you have specifically configured a consent signal for Amazon, almost certainly not — and that is a compliance and campaign performance problem.
Amazon Ads operates its own consent framework, officially called the Amazon Consent Signal (ACS). You will also see it referred to informally as "Amazon Consent Mode", by analogy with Google's equivalent. The requirement exists because Amazon's advertising services process personal data on behalf of advertisers — and under GDPR and the ePrivacy Directive, that processing requires valid, documented user consent for EEA and UK users.
This article explains what Amazon's official policy requires, how ACS works based on available documentation, how it differs from Google Consent Mode, and what you need to put in place. Where specific technical details could not be confirmed directly from Amazon's own public documentation, this is explicitly flagged.
Who Needs to Read This?
- Advertisers using Amazon Ads (Sponsored Products, Sponsored Brands, Amazon DSP, Display Ads, Amazon Attribution) with EEA or UK traffic

- Publishers and third-party data providers transmitting audience data to Amazon Ads on behalf of advertisers

- Privacy and compliance teams verifying GDPR coverage across all ad platforms, not just Google

- Marketing teams troubleshooting Amazon campaign performance issues tied to consent gaps

Not in scope: If you run Amazon Ads targeting only US audiences with no EEA or UK traffic, Amazon's consent signal requirement does not currently apply to those campaigns.
What Amazon's Official Policy Requires
Amazon's own policy page — Sending Personal Information to Amazon Ads & Amazon Consent Signal requirements — states the following directly:
"If you transmit or make available to Amazon Ads any personal information in connection with your use of any Amazon advertising services, you must either use (i) the IAB European Transparency & Consent Framework (TCF) signal(s), or (ii) Amazon Consent Signal, to communicate your UK and EEA users' privacy choices to Amazon Ads."

That same policy page specifies that advertisers must:
- Publish a clear and transparent privacy policy that meets applicable legal requirements including GDPR

- Collect individuals' affirmative opt-in consent for Amazon to process their personal information and use cookies or similar technology for advertising

- Allow individuals to withdraw consent at any time

- Keep records of consent and opt-out choices and provide Amazon with access to those records upon request

- Not pass personally identifiable information (names, email addresses, phone numbers) to Amazon

- Not pass personal information collected from children under 13

- Not pass sensitive personal information (financial status, health or medical information)

Amazon's EU data protection page confirms that Amazon Ads is a registered vendor on the IAB Europe Transparency & Consent Framework (TCF), and that third-party publishers adhering to TCF v2.0 allow users to consent to or object to receiving interest-based ads from Amazon.
In plain terms: you have two compliant options — implement IAB TCF via a compatible CMP, or implement Amazon's own Amazon Consent Signal. A CMP that supports neither means you are transmitting EEA/UK user data to Amazon without a valid consent mechanism.
What Is Amazon Consent Signal?
Amazon Consent Signal (ACS) is Amazon Ads' own consent communication framework — the alternative to IAB TCF for advertisers who want to use Amazon's proprietary format. It lets advertisers tell Amazon whether a given user has consented to having their personal data processed for advertising and whether advertising cookies may be read or written to their device.
Based on implementation documentation published by Amazon's certified CMP partners (including Usercentrics and Cookiebot, both of whom have integrated directly with Amazon), ACS communicates consent via a first-party cookie named amzn_consent, containing a structured JSON object that Amazon's tags read at request time.
Source note: The specific technical details below — parameter names, cookie format, and JSON structure — are sourced from CMP partner implementation documentation, not directly from an Amazon-published technical specification. Amazon's Advanced Tools Center documentation requires authentication and was not publicly accessible at the time of writing. These details are consistent across multiple independent CMP implementations and are included here as the best available technical reference, not as verified Amazon primary source material.
The Two Consent Parameters
ACS is built around two parameters:
Amazon Consent Signal parameters — as documented by Amazon CMP implementation partners

Parameter
What it controls
Accepted values

amzn_user_data
Whether the user has consented to Amazon processing their personal data (such as advertising identifiers) for advertising purposes
GRANTED or DENIED

amzn_ad_storage
Whether the user has consented to Amazon reading or writing advertising cookies or similar tracking technologies on their device
GRANTED or DENIED (may also be NULL when ad storage is not relevant)

Both parameters map to the Marketing consent category in a CMP. When a visitor grants Marketing consent, both are set to GRANTED. When they decline, both are set to DENIED.
The Country Code Requirement
ACS also requires an ISO 3166-2 country code alongside the consent parameters — for example DE for Germany, FR for France, GB for the United Kingdom. Your CMP must detect the visitor's country and include the correct code so Amazon can apply the appropriate regional compliance rules.
The amzn_consent Cookie
The signal is stored and transmitted as a first-party cookie. A typical cookie value looks like this:
amzn_consent={
  "geo": { "countryCode": "DE" },
  "amazonConsentFormat": {
    "amznAdStorage": "GRANTED",
    "amznUserData": "GRANTED"
  },
  "timestamp": "2025-06-15T09:42:11.000Z",
  "version": "1"
}WAF note: Because the amzn_consent cookie value contains JSON, some Web Application Firewalls may flag or block it. If the cookie is not being set after CMP configuration, check your WAF rules and add an explicit exception for the amzn_consent cookie name.
Amazon Consent Signal vs. Google Consent Mode: Key Differences
Having Google Consent Mode v2 implemented does not satisfy your Amazon obligation. The two frameworks are entirely separate and must each be configured independently.
Amazon Consent Signal vs. Google Consent Mode v2 — comparison

Amazon Consent Signal (ACS)
Google Consent Mode v2 (GCM v2)

Official name
Amazon Consent Signal
Google Consent Mode v2

How consent is transmitted
First-party cookie (amzn_consent)
JavaScript API calls via dataLayer (gtag('consent', ...))

Consent parameters
amzn_user_data, amzn_ad_storage
ad_storage, analytics_storage, ad_user_data, ad_personalization

Parameter values
GRANTED / DENIED (uppercase)
'granted' / 'denied' (lowercase strings)

Country code
Required — ISO 3166-2
Optional — via region parameter

IAB TCF alternative accepted
Yes — TCF is explicitly accepted in Amazon's policy
Works alongside TCF but requires its own separate configuration

Do they conflict?
No — both frameworks are independent and run simultaneously without conflict.

What Happens Without a Valid Consent Signal?
Amazon's own policy is explicit: if you transmit personal data from EEA or UK users to Amazon Ads without a valid TCF or ACS signal, you are in breach of Amazon's advertising policies. The policy states that if you discover personal data was shared in violation of these requirements, you must "cease processing and sharing that data immediately" and notify Amazon in writing.
Beyond policy consequences, the practical advertising impact is that Amazon cannot confirm valid consent exists for those users, which may restrict how their data is used for targeting, measurement, and attribution — reducing campaign reach and degrading conversion reporting for affected users.
There is also the underlying GDPR exposure: transmitting personal data of EEA/UK users to any ad platform without a documented consent basis is a potential regulatory violation independent of what Amazon enforces technically.
How Amazon Consent Signal Works With a CMP
The correct flow for ACS with a consent management platform is:
- A visitor arrives on your page and is shown the consent banner by your CMP.

- The visitor makes a consent choice — accepting, rejecting, or customising their marketing preferences.

- The CMP writes the amzn_consent cookie with the correct parameter values, the visitor's country code, and a timestamp.

- Amazon's advertising tags read the cookie on the next ad request and apply the appropriate data handling rules.

- The CMP logs consent evidence for audit purposes.

If the user returns later, the cookie persists within its expiry period. If they change their consent preferences, the CMP updates the cookie immediately to reflect the new state.
Secure Privacy and Amazon Consent Signal
Secure Privacy's Amazon Consent Signal integration is currently in development. When available, it will allow the same consent banner that drives your Google Consent Mode v2 signals to simultaneously write the correct amzn_consent cookie — with the right country code and consent values — removing the need to maintain separate integrations for each ad platform.
If you are a current Secure Privacy customer running Amazon Ads with EEA or UK traffic, contact our team to discuss your current compliance position and to be notified when ACS support is available.
Troubleshooting Amazon Consent Signal
The amzn_consent cookie is not being set
Most likely cause: a Web Application Firewall is blocking the cookie because its JSON value triggers a security rule. Add an explicit WAF exception for the amzn_consent cookie name. Also confirm that Amazon Advertising is added as a Marketing-category service inside your CMP settings and that the ACS integration is enabled.
The cookie shows DENIED even after the user accepts
Most likely cause: Amazon Advertising is not mapped to the Marketing consent category in your CMP, or the CMP is not triggering a cookie update after consent is granted. Verify the service mapping and confirm the consent-update event fires correctly on banner acceptance.
The country code is wrong or missing
Country code is a required field — an absent or incorrect value renders the signal invalid. Check that your CMP's geolocation feature is enabled and correctly detecting visitor countries for EEA and UK traffic.
Frequently Asked Questions
What is Amazon Consent Mode?
"Amazon Consent Mode" is the informal name for the Amazon Consent Signal (ACS) — Amazon Ads' framework for receiving user consent preferences from advertisers' websites. Amazon's official policy requires that any advertiser transmitting personal data from EEA or UK users to Amazon Ads must use either IAB TCF or ACS to communicate those users' privacy choices. ACS uses two parameters (amzn_user_data and amzn_ad_storage) transmitted via a first-party cookie called amzn_consent.
Is Amazon Consent Signal the same as Google Consent Mode?
No. They are entirely separate frameworks built for different ad ecosystems. Google Consent Mode v2 operates via JavaScript API calls and covers Google Ads, GA4, and related products. Amazon Consent Signal operates via a first-party cookie and covers Amazon Ads. Each must be implemented independently. Having GCM v2 in place does not satisfy your ACS obligation, and both can run simultaneously without conflict.
What are the two Amazon Consent Signal parameters?
The two ACS parameters are amzn_user_data (whether the user has consented to Amazon processing their personal data for advertising) and amzn_ad_storage (whether the user has consented to Amazon reading or writing advertising cookies on their device). Both accept GRANTED or DENIED and are transmitted inside the first-party amzn_consent cookie alongside an ISO 3166-2 country code.
Do I need Amazon Consent Signal if I already use IAB TCF?
No — Amazon's official policy explicitly accepts either IAB TCF or ACS. If your CMP generates a valid TCF consent string and passes it correctly to Amazon Ads, you satisfy the requirement through TCF. ACS is Amazon's alternative for advertisers not using a TCF-compliant CMP.
What does Amazon's policy actually say about EEA consent?
Amazon's official policy at advertising.amazon.com/resources/ad-policy/consent-signal-requirements states that any advertiser transmitting personal data to Amazon Ads in connection with advertising services must use either IAB TCF or Amazon Consent Signal to communicate UK and EEA users' privacy choices. It also requires advertisers to collect affirmative opt-in consent, maintain consent records, and allow users to withdraw consent at any time.
Can I implement Amazon Consent Signal without a CMP?
Technically yes — ACS can be implemented by manually writing the amzn_consent cookie with the correct JSON structure. However, this requires correctly detecting visitor country codes in real time, updating the cookie whenever consent changes, and maintaining consent records for audit purposes. A CMP with built-in ACS support handles all of this automatically and significantly reduces the risk of implementation errors.
Does Secure Privacy support Amazon Consent Signal?
Secure Privacy's Amazon Consent Signal integration is currently in development. Once available, it will allow the same consent banner driving your Google Consent Mode v2 signals to simultaneously write the correct amzn_consent cookie, covering both Google and Amazon from a single CMP configuration. Contact Secure Privacy to be notified when ACS support is released.
Related Articles
- Google Consent Mode v2 Parameters Explained: URL Passthrough, Data Redaction & Every Setting You Need to Know

- Google Consent Mode: Basic vs. Advanced — Complete Guide

- How to Implement Google Consent Mode Advanced with GTM

- How to Comply with Google's EU User Consent Policy

- Secure Privacy: Google-Certified Consent Management Platform

---

# Managing Data Subject Access Requests v2 (DSARs) in Secure Privacy

URL: https://support.secureprivacy.ai/article/managing-data-subject-access-requests-dsars-in-secure-privacy
Product: Consent Management
Category: DSARs
Published: 2026-05-15T21:56:00+00:00
Updated: 2026-05-18T10:30:48.571+00:00
Reading Time: 12 minutes
Summary: Create and manage GDPR-compliant DSAR forms in Secure Privacy. Configure request types, embed your widget, route to Governance, and handle privacy rights requests at scale.

Every website that collects personal data is legally required to give visitors a way to exercise their privacy rights — the right to access, delete, correct, or export the data you hold about them. Under GDPR, CCPA, LGPD, and 65+ other privacy laws, failing to provide a working, documented intake process for these requests isn't just a compliance gap: it's an enforcement risk. Yet most organisations still handle data subject access requests (DSARs) through ad-hoc email inboxes, spreadsheets, or generic contact forms — approaches that leave you exposed when regulators or auditors ask for evidence of timely, structured responses.
Dedicated DSAR management software closes this gap. The Secure Privacy CMP includes a built-in DSAR module that lets you create branded, multi-language privacy request forms, embed them on any website or app, route submissions to the right team members or to the Secure Privacy Governance Portal for centralised compliance tracking, and manage everything — including bulk operations across multiple properties — from a single dashboard.
This guide covers everything you need to configure, embed, and manage DSARs in Secure Privacy, including the latest DSAR 2.0 features that make the module faster to set up and easier to scale across multi-domain organisations.
By the end of this article you will be able to: create a DSAR form, customise its fields and request types, embed it on your website, route submissions to your team or Governance Portal, and handle incoming requests in a fully auditable, regulation-ready workflow.
Who Is This Guide For?
This article is written for Account Administrators on the Secure Privacy CMP. It is relevant to anyone responsible for privacy compliance, including Data Protection Officers (DPOs), legal teams, marketing operations managers, and web developers implementing privacy request forms on behalf of their organisation.
Overview: The Secure Privacy DSAR Module
The DSAR section of the Secure Privacy CMP is your central workspace for creating and managing Data Subject Access Request forms — the privacy rights intake mechanism through which website visitors can submit requests to access, delete, export, or correct their personal data. With DSAR 2.0, the module is now a dedicated, top-level feature in Secure Privacy Web, fully decoupled from the Template system, so DSAR management is easier to find, easier to configure, and easier to scale across multiple properties.
Each DSAR is a standalone, configurable form that can be:
- Linked to one or more of your registered domains, mobile apps, or TV apps

- Presented in multiple languages (70+ supported)

- Customised with your organisation's branding and field labels

- Routed to the Secure Privacy Governance Portal for centralised compliance tracking, or delivered by email to a designated team member or external DPO

- Embedded on any webpage via a lightweight JavaScript widget

Prerequisites
- An active Secure Privacy account with Account Administrator permissions

- At least one domain or mobile app registered in your Secure Privacy workspace

- Access to the page source of your website (to paste the embed script), or a developer who can add a <script> tag for you

- (Optional) Access to the Secure Privacy Governance Portal if you intend to route submissions there — contact support@secureprivacy.ai to enable it

Navigating to the DSAR Module
- Log in to the Secure Privacy CMP at cmp.secureprivacy.ai.

- Click DSAR in the top navigation bar.

The DSAR list page shows all existing forms. Each row displays:
Element
Description

Name
The label you assigned the DSAR form

Toggle
Enables or disables the form (green = active)

⋮ menu
Per-item actions: Edit, Duplicate, Delete

Use the Search DSARs bar to filter by name. The ⋮ icon at the top left of the list lets you Select All or Deselect All items for bulk operations.
DSAR 2.0 — Bulk Management: The DSAR list now fully supports multi-select, Select All / Deselect All, and bulk actions including bulk enable, bulk disable, and bulk delete. This makes managing DSARs across many properties significantly faster.
Creating a New DSAR Form
Step 1 — Open the DSAR Creation Flow
On the DSAR list page, click the green ADD DSAR button in the top right corner. You are taken to the DSAR Settings page for the new form.
Step 2 — Configure the DSAR Destination
The DSAR Destination section sits at the top of DSAR Settings and answers the most important operational question: where should incoming DSAR submissions go?
Field
Description

Route to the Governance Portal
Toggle ON to send all incoming requests to governance.secureprivacy.ai for centralised tracking, compliance dashboards, automated actions, and risk/compliance evaluation at scale.

Send by email to your organisation user
Select a team member from your organisation in the dropdown to receive email notifications for each new request. In DSAR 2.0, you can also assign an external user — such as an external DPO, legal team, or third-party privacy vendor — who does not require platform access.

Tip: You can enable both routing options simultaneously — submissions will be sent to the Governance Portal and trigger an email notification to the designated user.
Step 3 — Fill In DSAR Settings
Complete the fields in the DSAR Settings section:
Field
Required
Description

DSAR Label
Yes
An internal name for this form (e.g., "Main Website DSAR"). Visible in the list view only.

Domains
No
Link one or more of your registered domains so the widget activates on those sites.

Mobile apps
No
Associate one or more of your registered mobile apps. DSAR 2.0 makes domain and mobile app assignment consistent and reduces misconfiguration risk.

TV apps
No
Associate one or more of your registered TV apps.

Languages
Yes
Select which languages the DSAR form should support. All major languages are pre-selected by default; remove any that are not relevant to your audience.

Logo
No
Upload a brand logo to display at the top of the DSAR form. Click SELECT NEW IMAGE to upload.

Verify visitor's email
No
When enabled, the submitter receives an email verification step before their request is logged. Recommended for GDPR compliance to confirm identity.

Open DSAR in a separate page
No
When enabled, the form opens in a dedicated full-screen page instead of as an inline widget. When this option is active, the Captcha setting becomes available as an additional spam-prevention layer.

Step 4 — Save the DSAR
After filling in all required fields (marked with *), click SAVE to create the DSAR. It will immediately appear in your DSAR list.
Editing an Existing DSAR
There are two ways to open an existing DSAR for editing:
- Click the DSAR name directly in the list — this opens the Settings tab.

- Click the ⋮ menu on the row, then select EDIT.

```html
 ```
Once inside, navigate across four tabs using the left sidebar:
Tab 1 — Settings
Contains all the same fields described in the Create section above (Destination, Label, Domains, Mobile Apps, Languages, Logo, verification toggles, and separate-page mode). Make your changes and click SAVE.
Tab 2 — Form
Controls the language and field labels that end users see when filling out your DSAR form. DSAR 2.0 introduces more flexible form configuration throughout this tab.
Language selector
At the top of the tab, select the language you want to configure labels for. Changes to labels are language-specific, so you can maintain different label sets for each language your form supports.
Request Labels
Each label corresponds to a privacy request type button shown to the visitor. DSAR 2.0 provides nine standardised request types designed to cover the most common GDPR and CCPA scenarios, reducing ambiguity for visitors and improving internal routing and reporting consistency. All labels are fully editable — rename them to match your organisation's brand voice or legal terminology.
Field
Default label

Request type
Request type

Access data
Access my information

Export data
Export my information

Delete data
Delete my information

Correct data
Correct my information

Opt-out of data processing
Opt out of data processing

Restrict data processing
Restrict data processing

Object to data processing
Object to data processing

Withdraw consent
Withdraw consent

Controls (Form Fields)
This section defines the input fields shown on the form. DSAR 2.0 makes these controls more configurable, so you can match the DSAR experience to your organisation's needs without custom development. The default controls are:
- Name — the submitter's full name

- Email — a dedicated email input type (new in DSAR 2.0) that captures visitor email in a structured way, improving consistency and downstream processing

- Address — postal address

- Phone Number — contact phone

- Request Details — a free-text area for the submitter to describe their request

To add a custom field, click + Add control at the bottom of the controls list. Click SAVE after making any changes.
Tab 3 — Embed
Provides the JavaScript snippet to place the DSAR widget on your website - the feature is asctively being worked on and is not available at the moment.
Tab 4 — Submissions
The Submissions tab is designed for monitoring and quick triage of incoming privacy requests. It provides:
Element
Description

Total submissions counter
A summary count of all requests received so you can immediately see volume at a glance

Date range filter
Filters the list to a specific time window (default: last 30 days)

Search requests
Full-text search across key submission fields (email, source, type) to quickly locate relevant requests

Table columns
Email · Date · Source · Type — each submission includes an identifier and timestamp for traceability and correlation with internal processes

For advanced DSAR management: The submissions list in Secure Privacy Web shows only the essential fields needed for monitoring and basic triage. Full submission details, deeper context, structured processing, risk and compliance evaluation, and automated workflows are available in the Secure Privacy Governance Portal. Contact support@secureprivacy.ai for access.
Managing DSARs: Duplicate, Delete, Enable, and Disable
Duplicating a DSAR
Duplicating is useful when you want to create a variation of an existing form for a different domain without starting from scratch:
- Click the ⋮ menu on the DSAR row.

- Select DUPLICATE.

A copy is created with all settings preserved. Edit the duplicate's label, domains, and other fields as needed.
Deleting a DSAR
- Click the ⋮ menu on the DSAR row.

- Select DELETE (shown in red).

- Confirm the deletion when prompted.

Warning: Deleting a DSAR is permanent. Any embedded widget using that DSAR's ID will stop working immediately. Submissions associated with the DSAR will no longer be accessible from the CMP. If you are unsure, disable the DSAR instead of deleting it.
Enabling and Disabling a DSAR
Use the toggle on each row to turn a DSAR on or off without deleting it. When disabled, the embedded widget will not accept new submissions, but all existing submissions and configuration are fully preserved. You can also bulk-enable or bulk-disable multiple DSARs at once using the multi-select controls in the list header.
Troubleshooting Common DSAR Issues
The DSAR widget is not appearing on my website
Check that the embed snippet has been pasted into the <head> of the page (not the <body> or footer). Confirm that the data-dsar-id in the snippet matches the ID shown in the Embed tab of the correct DSAR form. Finally, check that the DSAR is enabled (green toggle in the list).
I am not receiving email notifications for new submissions
In the DSAR Settings, confirm that the Send by email destination is toggled on and a user (or external recipient) is selected in the dropdown. Check your spam folder. If the problem persists, contact support@secureprivacy.ai.
Submissions are not appearing in the Governance Portal
Confirm that the Route to the Governance Portal toggle is enabled in DSAR Destination settings. If you do not yet have a Governance Portal account, contact support@secureprivacy.ai to request access.
I duplicated a DSAR but the widget is still showing the old form
Each DSAR has a unique data-dsar-id. After duplicating, go to the new DSAR's Embed tab, copy the updated snippet, and replace the old snippet on the target pages.
Frequently Asked Questions
What is a DSAR and am I legally required to have one?
A Data Subject Access Request (DSAR) is a formal mechanism through which individuals exercise privacy rights granted by laws such as GDPR (EU/UK), CCPA (California), LGPD (Brazil), and many others. These rights include the right to access personal data, delete it, correct it, export it, or opt out of certain processing activities. If your website collects personal data from individuals in any of the 65+ jurisdictions with privacy legislation, you are legally required to provide a way for them to submit these requests and to respond within prescribed timeframes (30 days under GDPR, 45 days under CCPA).
Can one DSAR form cover multiple domains?
Yes. In the Settings tab, you can select multiple domains and the same form will serve all of them. The same applies to mobile apps — you can assign a single DSAR form to multiple registered mobile properties.
What is the difference between the CMP submissions view and the Governance Portal?
The Submissions tab inside the Secure Privacy CMP is designed for quick monitoring — it shows essential fields (email, date, source, type) and a submission counter so you can track volume and perform basic triage. The Governance Portal (governance.secureprivacy.ai) provides full submission details, deeper compliance context, structured processing workflows, risk and compliance evaluation, and automated actions at scale. For organisations that need to demonstrate regulatory compliance, the Governance Portal is strongly recommended.
What happens if I don't route to the Governance Portal?
If the Governance Portal toggle is off, requests are only delivered by email to the designated Secure Privacy user emailbox (or external recipient mailbox). The tracking has to happen on the mailbox level, dashboards, workflows are also to be created and controlled by the mailbox owner. For small volumes and simple workflows, email-only routing may be sufficient. For multi-domain organisations or those subject to regular audits, the Governance Portal provides the audit trail and structured processing that regulators expect.
Can I add fields beyond the defaults on the DSAR form?
Yes. Use + Add control in the Form tab to add custom input fields to the form. DSAR 2.0 makes controls more configurable than before, allowing you to tailor the form to your organisation's specific data collection practices without custom development.
How do I display the DSAR form in a different language on specific pages?
Update the data-lang attribute in the embed script to the appropriate language code before placing it on a specific page (for example, data-lang="de" for German). You can also set the default language for all instances of a DSAR widget using the Default language dropdown in the Embed tab.
Can an external DPO or legal team handle DSAR submissions without a Secure Privacy account?
Yes. DSAR 2.0 introduces support for external recipients: you can assign a DSAR email destination to an external user — such as an external Data Protection Officer, a legal team, or a third-party privacy vendor — who does not need a Secure Privacy platform login. They will receive email notifications for each new submission and can process requests through their own systems.
What happens when I delete a DSAR form?
Deleting a DSAR form is permanent. The embedded widget on your website will stop working immediately (it will no longer display or accept submissions), and submission records associated with that DSAR will no longer be accessible from the CMP. If you want to stop accepting new submissions temporarily while preserving the configuration and historical data, use the toggle to disable the DSAR instead.
Related Articles
- How to Set Up Secure Privacy CMP via Google Tag Consent Mode

- Secure Privacy — Google-Certified Consent Management Platform

- How to Comply with Google's EU User Consent Policy

- Google Consent Mode: Basic vs Advanced — Complete Guide

- Secure Privacy & Google Consent Mode — Product Overview

---

# Google Consent Mode v2 Parameters Explained: URL Passthrough, Data Redaction & Troubleshooting Guide

URL: https://support.secureprivacy.ai/article/google-consent-mode-v2-parameters-explained-url-passthrough-data-redaction-troub
Product: Consent Management
Category: Google Consent Mode
Published: 2026-04-15T17:15:00+00:00
Updated: 2026-04-15T21:48:22.189+00:00
Reading Time: 25 minutes
Summary: Master every Google Consent Mode v2 parameter—url_passthrough, ads_data_redaction, wait_for_update & more. Step-by-step setup, code examples & troubleshooting guide.

Your cookie consent banner is live. Your legal team is happy. But your Google Ads conversion data has quietly collapsed—sometimes by 50%, sometimes overnight. Sound familiar?
This is the hidden cost of implementing a consent banner without properly configuring Google Consent Mode v2 (GCM v2). When users in the EEA and UK decline cookies, Google tags don't just stop collecting data—they change how they operate. Without the right parameter settings, you lose conversion attribution, remarketing audiences stop building, and GA4 fills up with (not set) traffic sources. A documented case from April 2026 showed one Google Ads account losing 90% of measured conversions overnight due to a GCM v2 misconfiguration.
Many teams try to paper over the problem with workarounds: ignoring consent requirements entirely (a compliance and legal risk), using a bare-minimum cookie banner that blocks all tags in Basic mode (legal, but ruins measurement), or copying a consent snippet from a blog post without understanding what each parameter actually does.
The better path is to configure GCM v2 correctly from the start—and that means understanding every parameter. Especially the three that most guides skip entirely: url_passthrough, ads_data_redaction, and wait_for_update.
As a Google-certified Consent Management Platform (CMP) partner, Secure Privacy handles GCM v2 signal transmission automatically—so the right consent signals reach Google's ad and analytics infrastructure every time, without manual tag configuration. This guide explains the complete parameter set so you understand what's happening under the hood, can troubleshoot edge cases, and make informed decisions about your privacy-measurement trade-offs.
By the end of this article you will:
- Understand all seven consent type parameters and four configuration parameters in GCM v2

- Know exactly what url_passthrough and ads_data_redaction do, when to use each, and when to use both

- Know how to handle late consent, unknown states, and race conditions that cause (not set) attribution

- Have a troubleshooting checklist for the most common GCM v2 implementation problems

Who Is This Guide For?
- Digital marketers and PPC managers who have noticed a drop in Google Ads conversion data after adding a consent banner to their site

- Web developers and GTM implementers configuring GCM v2 via Google Tag Manager or gtag.js

- Privacy and compliance officers evaluating the privacy implications of specific GCM parameters, particularly URL Passthrough

- Analytics professionals troubleshooting (not set) dimensions and unexplained data gaps in GA4

- Anyone evaluating or already using a CMP who wants to understand what GCM v2 signals their platform is sending on their behalf

Why Google Consent Mode v2 Is Now Mandatory
Google Consent Mode v2 became mandatory on March 6, 2024 for any website using Google advertising products (Google Ads, Display & Video 360, Search Ads 360, Floodlight) with traffic from the European Economic Area (EEA) or the United Kingdom. From July 21, 2025, Google began actively restricting and disabling conversion tracking and audience creation for accounts that are not compliant.
GCM v2 added two new parameters—ad_user_data and ad_personalization—to the original v1 parameters (ad_storage, analytics_storage). All four must now be addressed in your implementation.
The core concept: instead of simply blocking Google tags when consent is denied, GCM allows tags to fire in a restricted "cookieless" mode. In Advanced implementation, this produces cookieless pings that feed Google's conversion and behavioral modeling—recovering an estimated 15–25% of otherwise lost conversion data.
GCM v2 Enforcement Timeline

Date
Event

September 2020
Consent Mode v1 released

November 2023
Consent Mode v2 released — added ad_user_data and ad_personalization

March 6, 2024
GCM v2 mandatory for EEA/UK advertising traffic

October 2024
GA4 backend improvements for retroactive session attribution

November 13, 2024
Google requires config command before custom events are processed

July 21, 2025
Google began restricting conversion tracking and audiences for non-compliant accounts— see Google's EEA enforcement notice

Complete Google Consent Mode v2 Parameters Reference
GCM v2 has two categories of parameters: consent type parameters (which declare what the user has consented to) and configuration parameters (which control how tags behave). Understanding the difference is critical—consent type parameters change what data Google collects and stores; configuration parameters change how and when your tags fire.
Core Consent Type Parameters (all four required for EEA/UK compliance)
GCM v2 Core Consent Parameters

Parameter
What it controls
Values
When denied
When granted
Google products affected

ad_storage
Cookies and device IDs used for advertising
'granted' | 'denied'
No new ad cookies written or read; requests sent through a different, cookieless domain; Google Signals paused; IP addresses truncated
Ad cookies read and written normally; full data collection including GCLID/DCLID, IP addresses, third-party cookies on google.com/doubleclick.net
Google Ads, Floodlight, Google Analytics (Signals), Display & Video 360

analytics_storage
Cookies and device IDs for analytics (visit duration, session continuity)
'granted' | 'denied'
No first-party analytics cookies read/written; cookieless pings sent (Advanced mode only) for modeling
Analytics cookies operate normally; full measurement data collected
Google Analytics 4, Firebase Analytics

ad_user_data (new in v2)
Sending user data related to advertising to Google
'granted' | 'denied'
Personal data for online advertising disabled, including user_id and Enhanced Conversions hashed first-party data
User data (including Enhanced Conversions hashed data) sent to Google for advertising
Google Ads (Enhanced Conversions), GA4→Ads data sharing

ad_personalization (new in v2)
Consent for personalized advertising and remarketing
'granted' | 'denied'
Remarketing disabled in Google Ads, Display & Video 360, Search Ads 360; no personalized advertising
Remarketing lists populated; personalized advertising enabled
Google Ads, Display & Video 360, Search Ads 360

Important distinction: ad_storage and analytics_storage are upstream qualifiers—they directly control which identifiers are transmitted with pings. ad_user_data and ad_personalization are downstream instructions—they tell Google services how to process data but do not change tag behavior on your site itself. When any conflict exists between consent settings, the strictest setting always wins in favor of data protection.
Additional Consent Type Parameters
Additional Consent Type Parameters

Parameter
What it controls
Current Google tag behavior

functionality_storage
Storage for website functionality (language settings, preferences)
Not currently checked by any Google tag; included for future-proofing

personalization_storage
Storage for personalization (video recommendations, content preferences)
Not currently checked by any Google tag; included for future-proofing

security_storage
Storage for security purposes (authentication, fraud prevention)
Not currently checked by any Google tag; always recommended as 'granted'

Configuration and Privacy Enhancement Parameters
GCM v2 Configuration Parameters

Parameter
Type
What it does
When to use

url_passthrough
true | false
Appends GCLID, DCLID, _gl, wbraid, and gclsrc as URL query parameters to internal links, preserving attribution when cookies are denied
When conversion measurement is a priority and ad_storage may be denied

ads_data_redaction
true | false
When ad_storage='denied', redacts GCLID/DCLID from network requests and routes traffic through a cookieless domain
When maximizing user privacy is the priority and you want to ensure no ad identifiers reach Google servers

wait_for_update
Integer (milliseconds)
Delays tag firing by the specified duration to allow an asynchronously loading CMP to send its consent update before tags fire
Always, when using any asynchronously loading CMP. Google's recommended value: 500

region
Array of ISO 3166-2 codes
Scopes a specific default consent state to visitors from listed regions; the most specific region always takes precedence
When you want different defaults for EEA/UK versus the rest of the world

By default, Google sets no consent mode values at all. Every parameter must be explicitly configured via the gtag('consent', 'default', {...}) command. Omitting the command does not mean "granted"—it means consent mode is not active, and modeling is unavailable.
URL Passthrough (url_passthrough): Preserving Ad Attribution Without Cookies
What URL Passthrough Does
When a user clicks a Google Ad and lands on your site, Google normally stores the GCLID (Google Click Identifier) in a first-party cookie. When ad_storage is 'denied', that cookie cannot be written—and without the GCLID, the conversion cannot be attributed to the original ad click.
URL Passthrough solves this by appending the click identifier directly to the URL as the user navigates through your site. Instead of reading the GCLID from a cookie on the next page, Google reads it from the URL parameter. No cookie is stored; the identifier travels with the user through their session.
What Gets Appended to URLs
When url_passthrough is true, Google tags append the following query parameters to outgoing internal links:
- gclid — Google Click ID (Google Ads)

- dclid — DoubleClick Click ID (Campaign Manager / Floodlight)

- gclsrc — Google Click Source identifier

- _gl — Google Linker parameter (carries client ID and session ID for cross-page analytics continuity)

- wbraid — Web-to-app attribution identifier

Five Conditions Required for URL Passthrough to Work
Google's official documentation states all five conditions must be met simultaneously:
- The Google tag is consent-aware and present on the page

- The advertiser has enabled the URL passthrough feature

- Consent mode is implemented on the page

- The outgoing link refers to the same domain as the current page (not cross-domain)

- A GCLID or DCLID is present in the URL (required for Google Ads and Floodlight tags)

How to Enable URL Passthrough
URL Passthrough is enabled in Secure Privacy under Domain Settings → Google Consent Mode. Advanced mode must also be active for URL Passthrough to function.
Important GTM note: If URL Passthrough is set in a CMP template, it still needs to be explicitly configured inside any Conversion Linker tags you are using to work as expected. A GCLID or DCLID is present in the URL (Google Ads and Floodlight tags only).
URL Passthrough Caveats and Best Practices
- Redirects must preserve all query parameters (gclid, dclid, gclsrc, _gl, wbraid). If your server strips query parameters on redirect, URL Passthrough breaks silently.

- Configure your analytics tools to ignore these parameters in page URLs to avoid inflating unique page counts.

- Test for URL conflicts. Sites that use query parameters for navigation, content routing, or filtering are especially at risk. URL Passthrough can interfere with site functionality if your application parses URL parameters for business logic.

- This only works for same-domain navigation. Cross-domain attribution requires a different setup (Cross Domain Measurement in GA4).

Is URL Passthrough GDPR Compliant?
URL Passthrough sits in a legal gray area. Google positions it as a privacy-respecting alternative to cookie storage for use when consent is denied. However, the GCLID is a unique identifier tied to a specific ad interaction, which some Data Protection Authorities may consider personal data under GDPR Article 4(1). Evaluate this with your legal counsel before enabling URL Passthrough as your default behavior for non-consented EEA users. Google's documentation does not explicitly address whether URL-passed GCLIDs constitute personal data under GDPR.
Further reading: Google's official Consent Mode implementation guide
Ads Data Redaction (ads_data_redaction): Maximum Privacy for Ad Identifiers
What Data Redaction Does
Where URL Passthrough preserves ad click identifiers by moving them into URLs, ads_data_redaction does the opposite: it removes them entirely from all network requests to Google's servers when ad_storage is denied.
Specifically, when ads_data_redaction=true AND ad_storage='denied', the following occurs:
- Ad click identifiers (GCLID, DCLID) are redacted from all consent pings and conversion pings

- Page URLs containing ad click identifiers are redacted in advertising requests

- Network requests are routed through a different, cookieless domain to prevent any previously set third-party cookies from being sent in HTTP headers

- No new advertising cookies or device identifiers are written

- No existing advertising cookies or device identifiers are read

- Google Signals features do not accumulate data

- IP addresses are truncated at collection

- Google Ads will delete any previously stored information if a user who previously granted consent later denies it

When Data Redaction Activates — and When It Does Not
ads_data_redaction is conditional on ad_storage. It has no effect when ad_storage='granted'—in that case, all data is collected normally regardless of what ads_data_redaction is set to.
ads_data_redaction activation matrix

ad_storage
ads_data_redaction
Outcome

'granted'
true
No effect — normal ad data collection

'granted'
false
Normal ad data collection

'denied'
false
No cookies; page URL with click ID still sent to Google Ads

'denied'
true
Full redaction: no cookies, click IDs redacted from all requests, cookieless domain routing

How to Enable Ads Data Redaction
Ads Data Redaction is enabled in Secure Privacy under Domain Settings → Google Consent Mode. This setting only takes effect when ad_storage is denied.
URL Passthrough vs. Data Redaction: A Decision Framework
These two parameters serve opposing purposes and represent the core privacy-vs-measurement trade-off in GCM v2:
URL Passthrough vs. Ads Data Redaction — choosing the right approach

url_passthrough=true
ads_data_redaction=true

Primary purpose
Preserve ad click attribution without cookies
Remove all ad click identifiers for maximum privacy

Effect on GCLID
Keeps GCLID in URL parameters for attribution
Redacts GCLID from all network requests

Best when
Maximizing conversion measurement is the priority
Maximizing user privacy is the priority

GDPR posture
More permissive (passes identifiers without cookie storage)
More restrictive (removes identifiers entirely)

Impact on modeling
Higher modeling accuracy (more signal available)
Lower modeling accuracy (less signal to Google)

Can you enable both? Yes. If both url_passthrough=true and ads_data_redaction=true are set while ad_storage='denied', the GCLID will be appended to URLs by URL Passthrough for internal navigation continuity, but the network requests to Google's ad servers will have identifiers redacted. When there is any conflict between settings, the strictest setting always wins in favor of data protection.
Further reading: Google Consent Mode concepts and behavioral reference
The wait_for_update Parameter: Preventing Race Conditions with Async CMPs
Most Consent Management Platforms load asynchronously—they add their consent logic to the page after the initial HTML loads. Without wait_for_update, your Google tags may fire before the CMP has had a chance to transmit the user's stored consent preference. The result: tags behave as if no consent state has been set, sending cookieless pings even for users who previously granted consent, and creating attribution gaps that look identical to a consent denial.
wait_for_update tells the Google tag to pause for a specified number of milliseconds before firing, giving your CMP time to call gtag('consent', 'update', {...}) first.
Google's recommended and industry-standard value is 500 milliseconds:
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500
});Always set wait_for_update when using an async CMP. Its absence is one of the most common causes of the race condition described in the Troubleshooting section below.
The Wait for Update field accepts values between 500–5000ms. Google recommends 500ms as a starting point — increase if you notice race conditions where tags fire before your CMP has transmitted the user's consent state.
How Google Tags Behave in Each Consent State
When Consent Is Granted
When all four core parameters are set to 'granted':
- All advertising and analytics cookies are read and written normally

- Full data collected: page URLs, IP addresses, GCLID/DCLID, user agents, device identifiers

- Third-party cookies on google.com and doubleclick.net are accessible

- Remarketing audience lists populate normally

- Enhanced Conversions: hashed emails, phone numbers, and other first-party data are sent to Google

- No modeling required—full, unrestricted measurement

When Consent Is Denied — Advanced Mode vs. Basic Mode
This is where the choice between Basic and Advanced Consent Mode has its most significant practical impact:
Behavior when consent is denied: Basic vs. Advanced mode

Behavior
Advanced Mode
Basic Mode

Tags load
Yes — restricted mode
No — tags blocked entirely

Cookieless pings sent
Yes
No

Conversion modeling
Advertiser-specific modeling available
General model only

Behavioral modeling in GA4
Available (after thresholds met)
Not available

Data sent to Google
Timestamp, user agent, referrer, boolean consent state, random page ID
Nothing

Remarketing audience build
No (cookieless pings never build remarketing lists)
No

The Unknown / Not-Set State
Google's documentation states: "By default, no consent mode values are set." An "unknown" or not-set state occurs when:
- Tags fire before the default consent command executes (race condition)

- The CMP loads and fires consent updates after tags have already read the consent state

- The gtag('consent', 'default', {...}) command is missing from the page entirely

In this state, the gcd HTTP parameter encodes the signal as l (lowercase L), meaning "signal not set with Consent Mode." Google cannot apply conversion or behavioral modeling when the consent state is unknown. Attribution falls into (not set) or "Unassigned" channel groupings in GA4—the same symptom as a misconfigured default, but with a different root cause.
If you see a Tag Assistant warning reading "a tag read consent before a default was set," you have a race condition. See the Troubleshooting section below for resolution steps.
Recommended GCM v2 Default Configuration
The following is Google's recommended pattern for a compliant EEA/UK default with a separate "rest of world" default. Secure Privacy installation script with the Google Consent Mode defaults should be placed before your GTM snippet or any Google tag script:
<!-- Google Consent Mode v2 default  -->
  // EEA + UK: default denied, wait for CMP to update
  gtag('consent', 'default', {
    'ad_storage':          'denied',
    'ad_user_data':        'denied',
    'ad_personalization':  'denied',
    'analytics_storage':   'denied',
    'wait_for_update':     500,
    'region': ['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE',
               'GR','HU','IE','IT','LV','LT','LU','MT','NL','PL','PT',
               'RO','SK','SI','ES','SE','IS','LI','NO','GB']
  });

  // Rest of world: default granted
  gtag('consent', 'default', {
    'ad_storage':          'granted',
    'ad_user_data':        'granted',
    'ad_personalization':  'granted',
    'analytics_storage':   'granted'
  });
</script>

<!-- Your GTM snippet here -->When a user grants or denies consent via your CMP banner, the Secure Privacy as certified Google CMP calls:
gtag('consent', 'update', {
  'ad_storage':          'granted', // or 'denied'
  'ad_user_data':        'granted', // or 'denied'
  'ad_personalization':  'granted', // or 'denied'
  'analytics_storage':   'granted' // or 'denied'
});The update command above, again, is fired automatically when the user interacts with the consent banner. No manual configuration is required.
For GTM-based implementations, see How to Implement GCM Advanced with GTM.
Official reference: Set up consent mode on websites — Google Tag Platform documentation
Impact on Google Ads Conversion Tracking and Google Analytics 4
Google Ads: Conversion Modeling Thresholds
When consent is denied and you are using Advanced Consent mode, Google fills the measurement gap with conversion modeling. Key facts:
- Modeling eligibility requires at least 700 ad clicks over a 7-day period per country and domain grouping

- At least 7 full days of GCM v2 implementation are required before modeling begins

- Modeled conversions appear in the standard "Conversions" and "Conversion value" columns with the same column granularity as observed conversions

- Consented users are typically 2–5× more likely to convert than unconsented users—meaning the modeled uplift is significant

- Consent mode status in Google Ads takes 48 hours to appear, but may require up to 2 weeks; modeling uplift numbers appear for 4 weeks after modeling start date

Remarketing enforcement (active since July 21, 2025): Without GCM v2, Google will not populate remarketing audiences for EEA users at all. Cookieless pings are never used to build remarketing lists—audience creation requires ad_personalization='granted'.
Google Ads modeling reference: About consent mode conversion modeling — Google Ads Help
Google Analytics 4: Behavioral Modeling Thresholds
GA4 behavioral modeling requires all of the following to be met:
- Advanced consent mode implemented on all pages

- Tags loaded before the consent dialog appears

- At least 1,000 events per day with analytics_storage='denied' for at least 7 days

- At least 1,000 daily users with analytics_storage='granted' for at least 7 of the previous 28 days

- Reporting Identity set to "Blended" in GA4 Admin → Data Display → Reporting Identity

TCF limitation: When users deny consent via an IAB TCF v2.0 implementation, GA4 is unable to model data to fill in missing information.
GA4 consent mode reference: Consent mode on websites and apps — Google Analytics Help
Troubleshooting Google Consent Mode v2: Common Problems and Fixes
The following issues represent the most common GCM v2 implementation problems, including late consent, unknown states, and race conditions that cause (not set) attribution in GA4.
Problem 1: Tags Fire Before Consent Is Set (Race Condition)
Symptom: Tag Assistant shows "a tag read consent before a default was set." GA4 shows (not set) for session source/medium on a high percentage of sessions, even for users who granted consent.
Root cause: The gtag('consent', 'default', {...}) command is executing after the GTM container or Google tag snippet has already initialized and begun reading consent state.
Fix:
- Ensure Secure Privacy script script appears before the GTM snippet or any Google tag script in your page <head>—not after.

- Add 'wait_for_update': 500 inside your default consent command (see the wait_for_update section above).

- In GTM: confirm the Consent Initialization trigger is used for Secure Privacy - please do not use the DOM Ready or Window Loaded triggers for Secure Privacy; the same way - make sure NO other tag is using the Consent Initialization trigger - only Secure Privacy - as this trigger is specifically designed to be used exclusevely by Consent Management Platforms, like Secure Privacy.

Problem 2: Late Consent — User Grants Consent After Initial Page Load
Symptom: Users who accept the banner after reading the page are still showing as (not set) in GA4 session source. session_start and first_visit events are missing for these users.
Root cause: In Advanced mode, GA4 can retroactively process events collected on the same page after consent is granted—but only if the default consent command (fired automatically be Secure Privacy) - gtag('consent', 'update', {...}) - fires before the user navigates away from the page. If the page transition happens before the update, the session attribution is permanently lost for that session.
What Google's October 2024 update improved: Google launched backend improvements allowing GA4 to retroactively apply session and identity context to events triggered before consent was granted, as long as the consent update fires on the same page. This significantly reduces, but does not eliminate, the (not set) attribution problem for late-consent scenarios.
Fix:
- Ensure your Secure Privacy fires default consent command - gtag('consent', 'update', {...}) 
(no race condition with other async / Google scripts)

- Implement a GA4 Config tag on the Consent Initialization trigger with send_page_view: false. This ensures the config is registered before GA4 events fire, preserving session context even for late-consent users.

- Since November 13, 2024, Google requires a config command before custom events are processed. Fire the Config tag on "Initialization" with send_page_view: false as a best practice to ensure this is always satisfied.

Problem 3: Unknown Consent State — gcd Parameter Shows l
Symptom: When inspecting network requests in the browser developer tools, the gcd parameter in Google's ping URLs contains l (lowercase L). Conversion modeling is not activating. GA4 attribution is mostly (not set).
Root cause: The gcd=l value means the consent signal has not been set with Consent Mode at all—neither granted nor denied. The most common causes are: the consent default script is missing from one or more page templates, for some reason Secure Privacy is not firing gtag('consent', 'update') when the user makes a choice, or the page has a custom event that fires before any consent initialization.
Fix:
- Audit every page template (including landing pages, thank-you pages, and error pages) to confirm Secure Privacy is running there and that the default consent event is firing as expected.

- Use Google's Consent Mode debugging guide and the Tag Assistant Chrome extension to verify the consent state on each page type.

- Use window.parent.google_tag_data.ics object to confirm the wasSetLate is false.

Open DevTools → Console and run window.parent.google_tag_data.ics to inspect the live consent state object. wasSetLate: false confirms that consent defaults were set before any Google tag fired — no race condition is present. If you see wasSetLate: true, move Secure Privacy script higher above in the <head> section or at least above your GTM snippet and increase wait_for_update.
Problem 4: Users Who Never Interact With the Banner
Symptom: A significant portion of sessions show no consent signal at all. Analytics and ad measurement for these sessions is entirely missing.
Root cause: Users who scroll past or close the page without interacting with the consent banner remain in the default consent state indefinitely. In Advanced mode with 'denied' as the default, cookieless pings continue to be sent throughout their session—which feeds modeling. In Google Consent Basic mode - no data is sent.
Fix:
- If you are using Basic mode and this scenario matters for your measurement, evaluate switching to Advanced mode. See Google Consent Mode: Basic vs. Advanced — Complete Guide for the trade-offs.

- Ensure the consent default command is on every page so that modeling can apply to these sessions. You can use the snippet below - set it as high and above as possible of any other script -

<script>
  window.dataLayer = window.dataLayer || [];
  function gtag_first(){ dataLayer.push(arguments); }

  // Consent Mode v2: default DENIED
  gtag_first('consent', 'default', {
    'ad_storage': 'denied',
    'analytics_storage': 'denied',
    'ad_user_data': 'denied',
    'ad_personalization': 'denied',
    'wait_for_update': 500
  });

  // Optional hardening
  gtag_first('set', 'ads_data_redaction', true);
  gtag_first('set', 'url_passthrough', true);
</script>- Audit banner UX—a banner that is immediately dismissible without a clear choice leads to more unresolved consent states.

Problem 5: URL Passthrough Parameters Causing Site Errors
Symptom: After enabling url_passthrough, certain pages break, redirect incorrectly, or display wrong content. Analytics shows inflated unique page counts.
Root cause: Your application is reading URL query parameters for routing, content selection, or filtering logic. The _gl or gclid parameters appended by URL Passthrough are being interpreted as application parameters.
Fix:
- Audit your application's URL parameter handling. Ensure gclid, dclid, gclsrc, _gl, and wbraid are explicitly ignored or passed through by your routing logic.

- Configure GA4 to exclude these parameters from page URL reporting (Admin → Data Streams → Additional Settings → List unwanted referrals / excluded domains is not the right place—use a data filter or configure GTM to strip them from the page_location variable).

- Ensure any server-side redirects preserve all five URL Passthrough query parameters.

- If the site issues cannot be resolved, consider disabling URL Passthrough and relying on conversion modeling instead.

Problem 6: Consent Mode Status Not Appearing in Google Ads
Symptom: You have implemented GCM v2 but the consent mode status in your Google Ads account still shows as not configured or pending.
Fix:
- Allow 48 hours after correct implementation—this is normal. Full status may take up to 2 weeks.

- Make sure Secure Privacy is installed correctly on all pages, with Google Consent Mode Advanced enabled in the UI under Domain -> Settings -> Advanced

To enable Google Consent Mode Advanced in Secure Privacy, go to Domain Settings → Advanced tab → Google Consent Mode and complete three steps:
- Enable the Google Consent Mode master toggle

- Enable Advanced mode

- Configure default consent states per region — set all consent types to denied for EEA countries and granted for all other regions

Additionally:
- Verify the gcs parameter in your network requests. G100 = both denied, G101 = analytics denied/ads granted, G110 = analytics granted/ads denied, G111 = both granted. See How to Check If Google Consent Mode Is Working for the full gcs parameter reference.

- Confirm your Google Ads account is linked to the same Google tag or GTM container that has GCM v2 configured.

- Confirm GCM v2 is active on your live site using Tag Assistant: open tagassistant.google.com, enter your URL, and inspect the Consent tab for each tag.

Debugging reference on Google Tag Documentaion - Consent mode debugging — Google Tag Platform documentation
Frequently Asked Questions
Is Google Consent Mode v2 mandatory?
Yes, for any website using Google advertising products (Google Ads, Display & Video 360, Search Ads 360, Floodlight) with traffic from the European Economic Area (EEA) or the United Kingdom. Google made GCM v2 mandatory on March 6, 2024, and began actively restricting conversion tracking and audience creation for non-compliant accounts on July 21, 2025.
What are the four main Google Consent Mode v2 parameters?
The four core parameters required for GCM v2 compliance are: ad_storage (controls advertising cookies and device IDs), analytics_storage (controls analytics cookies and session tracking), ad_user_data (controls sending user data to Google for advertising, including Enhanced Conversions), and ad_personalization (controls remarketing and personalized advertising). The first two were present in v1; the last two are new in v2.
What is url_passthrough in Google Consent Mode?
url_passthrough is a GCM v2 configuration parameter that, when set to true, appends ad click identifiers (GCLID, DCLID, _gl, wbraid, gclsrc) as URL query parameters to internal links on your site. This preserves conversion attribution and session continuity across page navigations when ad_storage is denied and cookies cannot be used. It enables cookie-free attribution for same-domain navigation only.
What is ads_data_redaction in Google Consent Mode?
ads_data_redaction is a privacy enhancement parameter that, when set to true and ad_storage is 'denied', removes all ad click identifiers (GCLID, DCLID) from network requests to Google's servers, routes requests through a cookieless domain, and ensures no advertising cookies are read or written. It has no effect when ad_storage is granted. It is the highest-privacy option for handling ad data when users decline consent.
Should I enable url_passthrough or ads_data_redaction?
They serve opposing purposes. Enable url_passthrough=true when maximizing conversion measurement is the priority—it keeps click identifiers in URL parameters when cookies are unavailable, enabling better attribution. Enable ads_data_redaction=true when maximizing user privacy is the priority—it removes all click identifiers from Google's servers entirely. Both can be enabled simultaneously; when combined with ad_storage='denied', the click ID will travel in URLs for internal navigation but will be redacted from all network requests to Google. Always consult legal counsel on the GDPR implications of URL Passthrough for EEA users before enabling it as a default for non-consented users.
What is the difference between Google Consent Mode Basic and Advanced?
In Basic mode, Google tags are completely blocked from firing when consent is denied—no data is sent to Google at all. Conversion modeling uses only a general, non-advertiser-specific model. In Advanced mode, Google tags load but operate in a restricted, cookieless mode. Cookieless pings are sent even when consent is denied, feeding advertiser-specific conversion and behavioral modeling. Advanced mode typically recovers 15–25% of otherwise lost conversion data through modeling, but requires careful legal review since data is sent to Google from users who have not explicitly opted in.
What happens when ad_storage is denied in Google Consent Mode?
When ad_storage='denied': no new advertising cookies are written or read; requests are sent through a different, cookieless domain; Google Signals does not accumulate data; IP addresses are truncated at collection; full page URLs are still collected (including GCLID if present), unless ads_data_redaction=true is also set. In Advanced mode, cookieless pings are sent containing limited signals used for conversion modeling.
Why do I have (not set) traffic source in GA4 after adding a consent banner?
The most common causes of (not set) traffic source/medium in GA4 after adding a consent banner are: (1) session_start and first_visit events firing before the consent default is set, meaning GA4 cannot associate them with a session; (2) tags firing before the CMP loads (a race condition)—fixed by adding wait_for_update: 500 to your consent default; (3) the consent config command missing, causing GA4 to not register a session before events fire. Fire a GA4 Config tag on "Consent Initialization" with send_page_view: false to resolve the session registration issue.
Is url_passthrough GDPR compliant?
This is legally uncertain. Google positions URL Passthrough as a privacy-respecting alternative to cookie storage for use when consent is denied. However, GCLID is a unique identifier tied to an individual ad click, and some Data Protection Authorities may consider it personal data under GDPR Article 4(1)—which would mean processing it without explicit consent is non-compliant. Google's documentation does not explicitly address this question. Consult your legal counsel before enabling URL Passthrough as a default behavior for EEA users who have denied consent.
How do I check if Google Consent Mode v2 is working?
The easiest starting point is the Consent Mode Inspector by InfoTrust — install it, visit your site, and it displays the active consent state for every parameter in a clear UI without needing to read network requests. For a deeper check, open DevTools → Network tab and filter for Google tag requests. Look for the gcs parameter: G100 = both ad_storage and analytics_storage denied; G101 = analytics denied, ads granted; G110 = analytics granted, ads denied; G111 = both granted. Also check the gcd parameter—l means no consent signal was set at all. For a full step-by-step walkthrough of both methods, see How to Check If Google Consent Mode Is Working.
Related Articles
- How to Implement Google Consent Mode Advanced with GTM

- Google Consent Mode: Basic vs. Advanced — Complete Guide

- How to Check If Google Consent Mode Is Working

- How to Implement Google Consent Mode Basic

- How to Set Up Secure Privacy CMP via Google Tag Consent Mode

- How to Comply with Google's EU User Consent Policy

- Google Consent Mode v2 Advanced Setup with Secure Privacy

- Secure Privacy: Google-Certified Consent Management Platform

---

# How to Set Up Extra Consents and a Budget Limit in Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-set-up-extra-consents-and-a-budget-limit-in-secure-privacy
Product: Consent Management
Category: Policies & User Consent
Published: 2026-04-14T11:57:00+00:00
Updated: 2026-04-15T18:12:10.787+00:00
Reading Time: 6 minutes
Summary: Learn how to configure extra consent packages and set a monthly budget limit in Secure Privacy so your cookie banner never stops recording consents.

Configure automatic extra consent packages so your cookie banner keeps recording visitor choices — even after you exceed your plan's monthly limit.
If your website traffic is growing, there is a good chance you will eventually hit the monthly consent limit included in your Secure Privacy plan. When that happens, your cookie consent banner still appears to visitors, but new consents are only stored in the browser — they are not recorded in the Secure Privacy database. That gap can make GDPR, CCPA, and ePrivacy audits harder, because you lose the centralised proof-of-consent record regulators expect.
Some consent management platforms force you to upgrade to a more expensive tier the moment you exceed your quota. Secure Privacy takes a different approach: Extra Consent Packages. You set a monthly budget cap, and the system automatically activates additional blocks of 100,000 consents at $10 / €10 each — only when you actually need them. No surprise bills, no plan changes, and no interruption to consent recording.
By the end of this guide you will know exactly how the extra consent feature works, how to configure your budget limit, and what to expect on your invoice.
Who Is This For?
This article is for Secure Privacy customers on a paid monthly or annual plan who want to keep consent recording active after reaching their plan's included consent volume. The Extra Consents feature is not available during a free trial or on the Free plan.
Prerequisites
Before you begin, make sure you have an active paid subscription (monthly or annual) and access to the Billing page in your Secure Privacy dashboard. You will also need a valid payment method on file, since extra consent charges are billed automatically.
What Happens When You Reach Your Consent Limit
Once your recorded consents hit the monthly cap included in your plan, two things change:
The banner keeps showing. Visitors still see your cookie consent banner and can accept or decline cookies as usual. However, those consent records are only saved locally in the visitor's browser — they are not sent to the Secure Privacy database. This means your compliance proof has a gap until the counter resets.
The counter resets automatically. At the end of each billing period, Secure Privacy resets your consent counter and normal database recording resumes. You do not need to do anything manually.
The Current Plan panel shows your consent usage at a glance.
How to Configure Your Extra Consent Budget
Step 1 — Open Billing Settings
Log in to your Secure Privacy dashboard and navigate to the Billing page. Scroll down to the Extra Consents Settings panel.
Step 2 — Set a Monthly Budget Limit
Enter the maximum amount (in USD or EUR) you are willing to spend on extra consents each month. Each consent package costs $10 / €10 per 100,000 consents. For example, setting a budget of $30 allows up to three additional packages (300,000 extra consents) per billing cycle. If your budget is lower than $10, no extra packages will activate.
The default value for all accounts is $0 (feature disabled).
Enter your monthly budget cap in the Extra Consents Settings panel under Billing.
Step 3 — Save and Confirm
Click Save. From this point forward, Secure Privacy will automatically activate an extra consent package whenever your recorded consents exceed the plan limit — as long as your remaining budget covers the next $10 / €10 package.
How Extra Consent Packages Are Activated and Billed
Automatic Activation
When a visitor accepts or declines cookies and that consent pushes your count past the plan limit (plus any previously activated extra consents), the system checks your budget. If there is enough budget remaining, a new package of 100,000 consents is activated instantly, and the consent is recorded to the database without interruption.
First-Activation Email
The first time an extra package activates in a billing cycle, Secure Privacy sends you an email notification. This is a one-time alert per cycle so you know overage recording has begun. No action is required on your part — the charge will appear on your next invoice automatically.
Invoicing for Monthly Plans
For monthly subscriptions, a usage-based line item is added to your existing subscription. You will see it on the Billing page under Active Payment Items with the current quantity of activated packages. The charge appears on your regular monthly invoice alongside your plan fee.
Invoicing for Annual Plans
Annual subscriptions handle extra consents slightly differently. Instead of attaching a usage-based product to the subscription, Secure Privacy generates a separate invoice every 30 days for any extra consent packages used during that period. These invoices appear in your Billing History list and are charged to the payment method on file.
What Happens After You Change or Remove the Budget
You can update your budget limit at any time. If you reduce it to $0 (or remove it entirely) after packages have already been activated in the current cycle, those packages remain active until they are used up. The consents already allocated will continue to be recorded, and the corresponding charge will still appear on your next invoice. No consents are lost.
From the next billing cycle onward, no new packages will activate unless you set a budget again.
Troubleshooting
I set a budget but consents are still not being recorded
Make sure your budget is at least $10 / €10. Any amount below the cost of a single package will not trigger activation. Also confirm that your payment method is valid and has not expired.
I do not see the Extra Consents Settings panel
The panel is only visible on paid plans. If you are on a free trial or the Free plan, you will need to upgrade before the option appears.
My annual plan invoice does not show extra consent charges
For annual plans, extra consent charges are billed on separate invoices generated every 30 days — not on the main subscription invoice. Check your Billing History and adjust the date filter if needed, as these invoices may be dated slightly ahead of the current date.
Frequently Asked Questions
What happens when I exceed my cookie consent limit?
Your cookie banner continues to appear, but consents are only stored locally in the visitor's browser — they are not recorded in the Secure Privacy database. Enabling extra consent packages prevents this gap by automatically activating additional recording capacity.
How much do extra consent packages cost?
Each extra package provides 100,000 additional consents for $10 or €10. Packages are only activated when needed and only if your monthly budget allows it — you will never be charged more than the limit you set.
Can I use extra consents on a free trial or Free plan?
No. The Extra Consents feature is available only on paid monthly or annual plans. You will need to upgrade before you can set a budget limit.
Do extra consent charges differ between monthly and annual plans?
The per-package price is the same. The difference is in billing: monthly plans add the charge to your regular subscription invoice, while annual plans generate a separate invoice every 30 days for any extra consent usage.
What if I lower my budget mid-cycle after packages have activated?
Already-activated packages stay active until the consents are used up, and the charge still applies to your next invoice. New packages will not activate once the budget is reduced below the required threshold.
Related Articles
- Understanding Your Billing and Invoices

- How to Upgrade Your Secure Privacy Plan

- Consent Recording and Proof of Consent

- GDPR Cookie Consent Compliance Guide

---

# Why Cookies Are Still Visible After Declining Consent — And Why That Means Tracking Is Stopped

URL: https://support.secureprivacy.ai/article/why-cookies-are-still-visible-after-declining-consent-and-why-that-means-trackin
Product: Consent Management
Category: FAQs
Published: 2026-04-13T08:28:00+00:00
Updated: 2026-04-13T09:24:10.915+00:00
Reading Time: 12 minutes
Summary: Declining tracking consent doesn't delete cookies — and that's fine. Learn how script-blocking stops data collection, why cookies persist, and how to verify it in the Network tab.

You open your browser's developer tools, decline tracking on a website, and check the Storage or Application panel — and the cookies are still sitting there. That feels wrong. You said no. Shouldn't they be gone?
This is one of the most common sources of confusion around GDPR cookie consent, and it trips up developers and privacy-conscious users alike. The assumption is that consent = cookie deletion. In reality, that is not how tracking works — and understanding the difference is the key to knowing whether your consent solution is actually protecting your users.
Many cookie banners on the market lean into this misunderstanding and attempt to delete cookies on opt-out. The problem? It is technically and physically impossible for a web page to delete cookies it does not own. Browsers enforce this as a hard security boundary — a page on example.com cannot reach into storage belonging to analytics-vendor.com. Any tool claiming otherwise is either deleting only its own first-party cookies (and missing the rest) or giving you a false sense of compliance.
The correct mechanism for stopping tracking is script blocking: preventing the third-party JavaScript from loading and running in the first place. Secure Privacy works exactly this way. When a visitor declines a consent category, the associated tracking scripts are never injected — so no data is collected, no data is sent, and no GDPR violation occurs. The cookie files that may already exist locally are inert: there is no code running to read them, package them, or transmit them anywhere.
By the end of this article you will understand why cookies persist after a user opts out, why that is fine when script-blocking is in place, how to verify in the Network tab that tracking has genuinely stopped, and the one extra step users should take after declining consent to guarantee a clean state.
Who Is This Article For?
This guide is useful for:
- Website owners and developers who want to verify that their Secure Privacy implementation is blocking tracking correctly after a user opts out.

- Privacy officers and compliance teams who need to understand why cookie files remaining in storage does not constitute a GDPR violation when scripts are blocked.

- End users who declined tracking consent on a website and want to confirm their data is not being sent to third parties.

- QA testers checking consent behaviour across browser sessions.

The Two Browser Security Boundaries You Cannot Cross
Before diving into the verification steps, it helps to understand the two hard limits that browsers enforce. Both exist for your users' security — and both explain exactly why cookie-deletion-based "consent" is a fundamentally broken approach.
1. Cross-Origin Cookie Ownership
Every cookie belongs to the origin (domain) that set it. A script running on yoursite.com cannot read, modify, or delete a cookie that was set by googletagmanager.com, facebook.com, or any other third-party domain. This is the Same-Origin Policy — a foundational browser security rule. If this boundary could be crossed, any website could silently wipe authentication tokens or session data set by your bank.
The practical consequence: no cookie consent solution — not one — can reliably delete third-party tracking cookies, because the browser will not allow it. What some tools delete is only the first-party cookie proxies they themselves placed. The real third-party tracking cookies remain untouched in storage.
2. In-Memory JavaScript Cannot Be Evicted by Other Scripts
When a JavaScript file is loaded by the browser, it is compiled and placed into the browser's memory space. A separate script — even one from the same page — cannot reach into that memory and unload or overwrite it. Attempting to do so would be a serious security vulnerability. This is why a consent banner that appears after a tracking script has already loaded cannot "undo" what that script did: the code is already in memory and may have already fired its data-collection routines.
The practical consequence: even with correct script-blocking in place, if a user declines consent on a page where a tracking script was loaded during a previous session, the safest action is to refresh or navigate to a new page. This clears the memory space entirely, and on the fresh page load, the blocked scripts will not be injected at all.
How Script-Blocking Actually Stops Tracking (Even When Cookies Remain)
Think of cookies as a paper notepad left on a desk. Tracking does not happen because the notepad exists — it happens because a person (the JavaScript code) picks it up, reads it, and sends the information somewhere. If you prevent that person from entering the room, the notepad becomes irrelevant. The data sits there, locally, never read, never transmitted.
This is exactly what Secure Privacy does when a user declines a consent category:
- The associated third-party script tags are not injected into the page.

- No JavaScript from that vendor runs in the browser.

- No data — including the contents of any locally stored cookies — is read or transmitted.

- From a data privacy and GDPR compliance standpoint, no tracking is occurring.

The cookies that remain in the browser's storage are a local artefact with no active reader. They were written by previous sessions (or by the browser itself as part of browser functionality) and will eventually expire naturally. Their presence is not evidence of ongoing tracking — it is simply the browser's normal storage behaviour.
Compliance note: GDPR and ePrivacy regulations prohibit the collection and processing of personal data without consent. A cookie file sitting in local storage, unread and untransmitted, does not constitute processing. What constitutes processing is the script reading it and sending it to a remote server — and that is precisely what script-blocking prevents.
The Correct Way to Verify That Tracking Is Stopped After Declining Consent
Follow these steps to confirm that Secure Privacy is correctly blocking tracking scripts after a user declines consent. The Network tab in your browser's developer tools is the definitive source of truth.
Step 1 — Open the Browser's Developer Tools and Go to the Network Tab
On any modern browser (Chrome, Firefox, Edge, or Safari), press F12 or right-click anywhere on the page and select Inspect. Navigate to the Network tab. This panel records every HTTP request the browser makes — including requests from tracking scripts sending data to third-party servers. Keep this tab open throughout the test.
Step 2 — Load the Page Fresh and Note Which Scripts Are Present
Reload the page with the Network tab open. Before interacting with the consent banner, observe which third-party requests appear. You may see calls to Google Analytics, Meta Pixel, LinkedIn Insight, or other tracking vendors. This is your baseline: what the page loads before consent is given or declined.
Before declining — tracking requests to third-party vendors are visible in the Network tab, confirming scripts are active and data is being sent.
Step 3 — Decline the Relevant Consent Categories
Interact with the Secure Privacy consent banner and decline the tracking or analytics categories you want to verify. Click Save preferences or the equivalent confirmation button to register your opt-out choice.
Step 4 — Refresh the Page or Navigate to Another Page
This is a critical step. As explained above, any JavaScript already loaded into the browser's memory during this session cannot be forcibly evicted by another script. By refreshing or navigating to a new page, you clear the memory space entirely. On the fresh load, Secure Privacy will evaluate the stored consent decision and will not inject the declined scripts.
After declining consent and refreshing — the Network tab returns no results for the tracking vendor domain. The script is not loaded; no data is collected or transmitted.
Step 5 — Verify in the Network Tab That Blocked Scripts Are Absent
With the Network tab still open, examine the requests on the freshly loaded page. The tracking scripts associated with the declined categories should no longer appear in the request list. If a script is not loaded, it cannot collect data or send anything to a remote server — tracking has stopped. You can use the Filter field in the Network tab to search for specific vendor domains (e.g., google-analytics.com, facebook.net) to confirm their absence.
Step 6 — Ignore Cookie Files in the Storage / Application Panel
If you switch to the Application (Chrome/Edge) or Storage (Firefox) panel, you may still see cookies from previous sessions. As explained in this article, these are local artefacts. Because the scripts that would read and transmit them are not running, these cookies are inert. Their presence is expected and does not indicate tracking is occurring. The Network tab is the only reliable indicator of active tracking.
What Happens to the Remaining Cookie Data?
Cookie files left in local storage after a user opts out will remain there until one of the following occurs:
- The cookie reaches its natural expiry date and the browser removes it automatically.

- The user manually clears their browser's cookies and site data.

- The browser itself removes it as part of storage quota management or privacy mode behaviour.

None of these scenarios involve your website transmitting data. The consent choice stored by Secure Privacy ensures that, for every subsequent page load, the tracking scripts remain blocked. The leftover cookies are permanently without an active reader for as long as the user's opt-out consent decision is in place.
Troubleshooting: Scripts Still Appearing After Opt-Out?
If you decline consent, refresh the page, and tracking scripts are still appearing in the Network tab, work through the following checks before contacting support.
Check: Did you refresh or navigate after declining?
The decline takes effect on the next page load. If you checked the Network tab immediately after clicking "Decline" without refreshing, you will still see the scripts from the current session's memory. Refresh and test again.
Check: Is the script being loaded by another un-gated script?
Some tag managers (e.g., Google Tag Manager) load tracking scripts dynamically. If GTM itself is not gated by consent, it may inject sub-scripts regardless of Secure Privacy's settings. Ensure your GTM container is itself wrapped in a consent check, or use Secure Privacy's native GTM integration to manage this correctly.
Check: Are you testing in a private/incognito window?
Private windows do not share cookie storage with regular windows, which means any previously stored consent decision will not carry over. The consent banner may appear fresh, potentially with default consent state. Test in a regular browser window where your opt-out decision has been saved.
If none of the above resolves the issue, contact Secure Privacy support[?] with a screen recording of the Network tab behaviour and your site URL so we can investigate your specific implementation.
Frequently Asked Questions
Why are cookies still showing after I declined consent?
Cookies are small files stored by the browser, and browsers enforce a security rule that prevents one website from deleting files that belong to another. So cookies set by third-party tracking vendors in previous sessions will remain in your browser's storage even after you decline consent. What changes after you decline is that the scripts which read those cookies and send data to remote servers are blocked. With no active script, the cookie files are harmless local data that will expire naturally over time.
Does declining cookie consent actually stop tracking?
Yes — when implemented correctly via script-blocking (as Secure Privacy does). Tracking happens because JavaScript code runs in your browser, reads identifiers stored in cookies or memory, and transmits that data to a third-party server. When the script is blocked, that entire chain is broken. The cookie files that remain are never read or transmitted, so no tracking occurs. You can confirm this by checking the Network tab in your browser's developer tools after declining and refreshing: the tracking vendor's domain should not appear in any outbound requests.
Why do I need to refresh the page after declining consent?
JavaScript that was already loaded into the browser's memory during the current page session cannot be removed by another script — this is a browser security boundary. If a tracking script loaded before you declined consent, it may still be sitting in memory for the rest of that page session. Refreshing the page (or navigating to a new page) clears the memory entirely. On the next load, Secure Privacy reads your saved consent decision and does not inject the declined scripts, guaranteeing a clean, tracking-free session.
How can I check whether tracking scripts are really blocked?
Use the Network tab in your browser's developer tools (press F12, then click Network). After declining consent and refreshing the page, check whether requests to tracking vendor domains (such as google-analytics.com, facebook.net, or similar) appear in the request list. If those domains are absent, the scripts are blocked and no data is being transmitted. The Storage or Application panel showing residual cookie files is not a reliable indicator — always use the Network tab.
Is it a GDPR violation if cookies remain in storage after opt-out?
No. GDPR and ePrivacy regulations regulate the collection and processing of personal data. A cookie file sitting in a user's local browser storage, unread by any script and never transmitted to any server, does not constitute processing. The violation would occur if a script were actively reading that cookie and sending its value to a third party — which is exactly what script-blocking prevents. Cookie files left over from previous sessions, with no active reader, are outside the scope of GDPR processing requirements.
Can a cookie consent banner delete third-party cookies?
No. Browsers enforce the Same-Origin Policy, which prevents any script from deleting or modifying cookies set by a different domain. A consent banner running on your site cannot delete cookies that belong to Google, Meta, or any other third-party vendor. Tools that claim to "delete" cookies on opt-out are typically only deleting first-party cookies they themselves set, while leaving third-party tracking cookies intact — giving a false sense of compliance. The correct approach is to block the tracking scripts from loading in the first place, which is how Secure Privacy operates.
Related Articles
- How Secure Privacy Blocks Tracking Scripts by Consent Category

- Adding Third-Party Scripts to Consent Control[?]

- Using Secure Privacy with Google Tag Manager Consent Mode

- GDPR Compliance Checklist for Website Owners

- How to Test and Verify Your Consent Implementation

---

# How to Set Up Secure Privacy CMP via Google Tag Consent Mode

URL: https://support.secureprivacy.ai/article/how-to-set-up-secure-privacy-cmp-via-google-tag-consent-mode
Product: Consent Management
Category: Google Consent Mode
Published: 2026-04-09T09:09:00+00:00
Updated: 2026-04-09T21:25:34.549+00:00
Reading Time: 6 minutes
Summary: Connect Secure Privacy as your consent management platform directly in Google Ads or Tag Manager. Step-by-step Google Tag consent mode setup — no code required.

Google now requires websites using Google Ads, Analytics, and other Google tag products to implement consent mode before collecting data from users in regions covered by the GDPR, ePrivacy Directive, and similar privacy laws. Without a properly configured consent management platform (CMP), your Google tags default to restricted data collection — reducing conversion measurement accuracy, limiting remarketing audiences, and leaving gaps in your analytics.
You could wire up consent signals manually with gtag('consent', 'update', ...) calls, maintain your own cookie banner, and hope the implementation stays in sync every time Google updates its consent API. Or you could use a CMP that Google has fully integrated into the Google Tag platform itself — letting you connect, configure, and go live without writing a single line of consent code.
Secure Privacy is one of the CMPs listed as a fully integrated platform inside Google's consent mode setup wizard. That means Google handles the wiring: no manual gtag consent configuration, no extra scripts to maintain, and a free tier to get started. This guide walks you through every step of connecting Secure Privacy as your CMP directly within Google Ads or Google Tag Manager.
Who Is This For
This guide is for website owners, marketing teams, and ad-ops professionals who manage a Google tag (via Google Ads, Google Analytics, or Google Tag Manager) and need to set up Google Consent Mode v2 with a compliant cookie consent banner. It is especially relevant if you are setting up consent mode for the first time or switching from a manual implementation to a fully integrated CMP.
Prerequisites
- Access to the Google Ads or Google Tag Manager account that owns the Google tag you want to configure. The tag can be associated with Google Ads, Google Analytics, or any other Google product — the key requirement is admin-level access to the tag itself.

Step-by-Step: Connect Secure Privacy to Your Google Tag
Step 1 — Open the Google Tag Admin Settings
In Google Ads: Navigate to Tools in the left sidebar, then open Data manager. Click into your Google tag to open its settings panel and select the Admin tab along the top.
Google Ads — navigating to the Google tag Admin tab via Data manager.
The Google tag panel inside Data manager displays connected products and the Admin tab.
In Google Tag Manager: Navigate to the Google tags tab under your account. Select your tag from the list, click into it, and choose the Admin tab along the top.
Google Tag Manager — select your tag from the Google tags list.
Step 2 — Click "Set Up Consent Mode"
Under the Google tag management section on the Admin tab (click "Show more" if the option is not showing right away), click Set up consent mode. This opens a setup wizard that walks you through connecting a CMP to your Google tag.
The Admin tab with the "Set up consent mode" option visible under Google tag management.
Step 3 — Select Your Consent Banner Type
On the first screen of the wizard you will be asked "Which type of consent banner do you have?" Select "I don't have a consent banner", then click Next. This tells Google you want to set up a new banner through a third-party CMP.
Select "I don't have a consent banner" to proceed with the CMP integration flow.
Step 4 — Open the Third-Party Platform Picker
The next screen, titled "Set a third-party banner," explains the role of consent banners and CMPs. Click the "Select your platform" button to open the platform picker panel. Click "Select your platform" to browse available fully integrated CMPs.
Step 5 — Choose Secure Privacy as Your CMP
A side panel titled "Select a third-party platform (to create your banner)" will appear. Under the Fully integrated platforms section, find and select Secure Privacy (listed with "Free tier available"). Follow any remaining on-screen prompts to complete the integration.
Secure Privacy appears as a fully integrated platform in Google's CMP picker.
Step 6 — Confirm Setup and Publish Your Consent Banner
After selecting Secure Privacy, the wizard confirms your consent signals are active and shows your CMP account details. From this screen you can publish your consent banner by selecting a Google Tag Manager container or installing manually. Choose the publishing method that fits your workflow and follow the on-screen prompts to go live.
Setup confirmation — Secure Privacy is connected and consent signals are active.
Important Notes and Troubleshooting
- Secure Privacy is listed as a fully integrated platform, which means Google has a direct integration path — no manual gtag consent configuration is required on your end.

- If the Google tag gateway shows as "Incomplete" on the Admin page, that is a separate first-party tagging concern and does not block consent mode setup.

- After completing setup, use the "Test your consent signals" section (available on the first screen of the wizard) to verify that consent state is being communicated correctly to the Google tag.

- If the consent signal test does not detect your banner, confirm that the Secure Privacy script is loading on your site and that you have published the consent banner to the correct domain.

What Happens After Setup
Once Secure Privacy is connected through Google's consent mode wizard, your Google tags will automatically respect the consent choices visitors make through the Secure Privacy cookie banner. Consent signals for ad_storage, analytics_storage, ad_user_data, and ad_personalization are communicated to Google in real time. Google's conversion modeling fills measurement gaps for visitors who decline consent, preserving advertising performance data without compromising privacy compliance.
Frequently Asked Questions
Do I need Google Consent Mode if my site targets EU visitors?
Yes. If your site uses Google tags (Ads, Analytics, or others) and serves visitors in the EU or EEA, implementing consent mode ensures your tags respect user consent choices as required by the GDPR and ePrivacy Directive. Without it, Google restricts data collection by default.
Is Secure Privacy free to use with Google Consent Mode?
Secure Privacy offers a free tier that is available directly through Google's consent mode setup wizard. You can create an account and connect your CMP without leaving the Google Ads or Tag Manager interface.
Do I need to add any code to my site for this integration?
No. Because Secure Privacy is a fully integrated platform in Google's system, the consent mode wiring is handled automatically. You still need to publish the consent banner to your site (either manually or via Google Tag Manager), but no manual gtag('consent', ...) code is required.
What is the difference between a fully integrated CMP and a manual setup?
A fully integrated CMP like Secure Privacy has a direct integration path built into Google's tag platform. Google handles the consent signal configuration automatically. With a manual setup, you must write and maintain your own gtag consent commands, which increases implementation complexity and the risk of misconfiguration.
Related Articles
- Understanding Google Consent Mode v2

- Install Secure Privacy via Google Tag Manager

- How the Secure Privacy Cookie Scanner Works[?]

- Setting Up Cross-Domain Consent Sharing

---

# How to Find Your Domain ID in Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-find-your-domain-id-in-secure-privacy
Product: Consent Management
Category: Getting Started
Published: 2026-04-06T18:46:00+00:00
Updated: 2026-04-06T20:03:45.558+00:00
Reading Time: 5 minutes
Summary: Learn where to find your Domain ID in the Secure Privacy dashboard. Step-by-step guide for connecting integrations, APIs, and consent banner scripts.

Setting up an integration, embedding a consent banner script, or following a Secure Privacy help article — and suddenly everything asks for a Domain ID you can't find? You're not alone. The Domain ID is a unique identifier assigned to each website you manage inside Secure Privacy, and it's referenced throughout our documentation, API guides, and advanced configuration workflows. Without it, integrations stall and custom implementations can't connect to the right consent configuration.
Generic cookie consent plugins and manual script setups don't have this concept at all — which means when you move to a proper consent management platform like Secure Privacy, the Domain ID is a new piece of the puzzle. The good news: it takes about fifteen seconds to find once you know where to look.
This guide shows you exactly where your Domain ID lives in the Secure Privacy dashboard, how to copy it, and where you'll typically use it.
Who Is This For?
This article is for anyone using Secure Privacy who needs to:
- Connect a third-party integration that requires a Domain ID

- Make API calls scoped to a specific domain in their account

- Follow a Secure Privacy setup guide that references the Domain ID

- Troubleshoot a consent banner that isn't loading on the correct domain

What Is a Domain ID?
Every website (domain) you add to your Secure Privacy account is assigned a unique Domain ID — a short alphanumeric string that identifies that specific domain's consent configuration within the platform. It is distinct from your account ID and is scoped to a single domain, so if you manage multiple websites you will have a separate Domain ID for each one.
The Domain ID is used in contexts such as:
- API requests that read or write consent data for a specific domain

- Custom script implementations referencing a domain's consent settings

- Integration configurations (e.g., Google Tag Manager, Tealium, or other platforms)

- Support requests when our team needs to locate your domain configuration

How to Find Your Domain ID
Step 1 — Log in to your Secure Privacy account
Go to secureprivacy.ai and click the "Sign in" link in the top navigation bar, use your credentials. You will land on the main dashboard.
Step 2 — Open Domain Settings for the relevant website
In the left-hand navigation, click Websites (or select your domain from the account switcher at the top of the sidebar if you manage multiple sites). This opens the domain overview for that website.
The Websites section lists all domains in your account.
Step 3 — Navigate to Domain Settings
With the correct domain selected, click Installation in the domain-level navigation. This opens the domain configuration panel.
Click Settings in the domain navigation to open domain configuration.
Step 4 — Locate and copy your Domain ID
In the Domain Settings panel, your Domain ID is displayed in the URL (see screenshot).
Alternatively, Domain ID is "included" into the installation script URL - click the script link to add it to your clipboard, paste it into notepad and fetch the numeric domain ID, for example, for this script URL -
<script src="https://app.secureprivacy.ai/script/606acb2d5761b5f013b48067.js"></script>the domain ID would be
606acb2d5761b5f013b48067What to Do With Your Domain ID
Once you have your Domain ID, here are the most common places you'll use it:
- Google Tag Manager setup — Paste it into the Domain ID field when configuring the Secure Privacy tag in GTM. See how to install Secure Privacy via Google Tag Manager.

- API integrations — Include it as the domain_id parameter in API requests. See the Secure Privacy API overview[?] for full endpoint documentation.

- Custom script implementations — Reference it in any manual embed where the consent script requires a site or domain identifier.

- Support requests — Sharing your Domain ID with our support team helps us locate your exact domain configuration quickly.

Troubleshooting
I can't see a Domain ID in my settings
Make sure you have selected a specific domain before opening Settings — the Domain ID field only appears at the domain level, not on the top-level account overview. If you manage multiple sites, check that you've selected the correct one from the domain switcher.
I have multiple domains — which ID do I use?
Each domain has its own Domain ID. Use the ID that corresponds to the specific website you are configuring. If you're unsure which domain a script or integration should point to, match the Domain ID to the domain URL shown in the Websites list.
My integration says the Domain ID is invalid
Double-check that you copied the full value with no leading or trailing spaces. Some copy operations pick up an invisible whitespace character — pasting into a plain-text editor first and then re-copying can resolve this. If the problem persists, contact Secure Privacy support[?] with your Domain ID and a description of the integration you're configuring.
Frequently Asked Questions
Where do I find my Domain ID in Secure Privacy?
Log in to your Secure Privacy account, select the relevant domain, and navigate to Settings. Your Domain ID is displayed near the top of the Domain Settings page. Click the copy icon to copy it to your clipboard.
What is the Domain ID used for in Secure Privacy?
The Domain ID uniquely identifies a specific website within your Secure Privacy account. It is used in API calls, custom script embeds, third-party integrations (such as Google Tag Manager), and when contacting support so the team can locate your domain configuration.
Is the Domain ID the same as my account ID?
No. Your account ID identifies your Secure Privacy account as a whole, while the Domain ID is scoped to a specific website within that account. If you manage multiple domains, each one has its own unique Domain ID.
Can I have multiple Domain IDs on one account?
Yes. Every domain (website) you add to your Secure Privacy account receives its own Domain ID. You can view all your domains from the Websites section of the dashboard and find each domain's ID in its individual Settings page.
Do I need a Domain ID to install Secure Privacy on my website?
For most standard CMS installations (WordPress, Shopify, Wix, etc.), the Secure Privacy plugin or embed snippet handles domain identification automatically. The Domain ID is typically needed for manual script implementations, API integrations, and advanced configurations such as cross-domain consent sharing.
Related Articles
- Domain Settings Overview

- Installing Secure Privacy via Google Tag Manager

- Secure Privacy API Overview

- Setting Up Cross-Domain Consent Sharing

- How to Add a New Domain to Your Account

---

# How to Publish the GPC Well-Known File (/.well-known/gpc.json) for Full Global Privacy Control Compliance

URL: https://support.secureprivacy.ai/article/how-to-publish-the-gpc-well-known-file-well-knowngpcjson-for-full-global-privacy
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-31T19:42:00+00:00
Updated: 2026-03-31T23:00:49.738+00:00
Reading Time: 8 minutes
Summary: Learn how to create and deploy the /.well-known/gpc.json file to pass all three GPC compliance indicators. Templates for WordPress, Nginx, Apache & Shopify.

Your cookie consent platform can detect and honor Global Privacy Control (GPC) signals automatically — but that alone is not enough to pass a full GPC compliance check. Tools like the GPC Inspector browser extension, automated privacy scanners, and regulatory audits evaluate three separate indicators: whether GPC is enabled in the visitor's browser, whether the server detects the signal, and whether the website itself formally declares that it supports GPC. That third indicator is entirely on the website owner's side, and it requires one specific action: publishing a machine-readable JSON declaration file at a fixed path on your domain.
Without this file, the "supported by website" indicator stays inactive — even if your cookie consent solution is correctly installed and blocking non-essential cookies in response to GPC signals exactly as it should. It is the digital equivalent of honoring an opt-out request without ever publishing your opt-out policy: the practice is right, but the declaration is missing.
The good news is that Secure Privacy handles the detection and enforcement side of GPC out of the box — no script changes, no custom logic, no ongoing maintenance. The only task remaining for you as the website owner is publishing this one small file. This article explains what it is, where it goes, and how to deploy it across the most common hosting environments.
Who Is This For?
- Website owners and developers who have installed Secure Privacy and want to achieve a fully passing GPC compliance check

- Privacy and compliance teams whose GPC Inspector or compliance scanner shows the third indicator ("supported by website") as inactive

- Technical teams responsible for deploying the /.well-known/gpc.json file across static, WordPress, Shopify, Nginx, or Apache hosting environments

What Is the GPC Well-Known File?
The GPC well-known file is a small, publicly accessible JSON document that a website publishes to formally declare that it recognizes and honors the Global Privacy Control signal. It is part of the GPC specification, which follows the IETF Well-Known URIs standard — a common pattern used across the web for machine-readable site-level declarations (the same pattern used by robots.txt, security.txt, and Apple Pay domain verification files).
The file must be served at a fixed, predictable path so that browsers, privacy extensions, and compliance scanners can find it without any prior knowledge of your site's structure, for example this file path would look like this for secureprivacy.ai - on your domain the path should be exactly the same (just replace secureprivacy.ai below with your base domain DNS name):
https://secureprivacy.ai/.well-known/gpc.jsonWhen the GPC Inspector extension or an automated scanner fetches this URL and receives a valid response, it marks your site as actively declaring GPC support — completing the third indicator in a full GPC compliance check.
What Secure Privacy Handles Automatically
Before covering the file itself, it is worth being clear about what Secure Privacy already does for you out of the box — so you know exactly how much (or how little) is left to do.
From the moment the Secure Privacy script is installed on your website and the Global Privacy Control toggle is enabled in your Browser Signals settings, Secure Privacy will:
- Detect the Sec-GPC: 1 HTTP header and navigator.globalPrivacyControl JavaScript property sent by GPC-enabled browsers

- Automatically restrict all cookies to essential-only for any visitor whose browser has GPC active — no banner interaction required on their part

- Log GPC-triggered consent interactions alongside standard banner interactions in your consent dashboard

- Display detected GPC and Do Not Track signal status to visitors through the configurable browser signals indicator on your consent banner

None of this requires you to write code or configure anything beyond the initial script installation. The /.well-known/gpc.json file is the one remaining step — a public declaration that your site's behavior already reflects.
The GPC Well-Known File: Template
Create a plain text file named gpc.json with the following content:
{
  "gpc": true,
  "lastUpdate": "YYYY-MM-DD"
}- "gpc": true — the required field. Declares that this website supports and will honor the Global Privacy Control signal. Setting this to false is a valid declaration that the site does not honor GPC — which is the opposite of what you want.

- "lastUpdate" — an ISO 8601 date in YYYY-MM-DD format recording when this declaration was last reviewed. Replace with today's date. Update it whenever your GPC policy or implementation changes. This field helps regulators and auditors assess how current your declaration is.

That is the complete file. No additional fields are required by the current GPC specification.
Where and How to Deploy the File
Again, the file must be reachable at exactly this path - /.well-known/gpc.json from your domain root — for example, for secureprivacy.ai it would be - https://secureprivacy.ai/.well-known/gpc.json. The exact deployment method depends on your hosting environment.
Required Serving Conditions (All Environments)
Regardless of how you deploy the file, it must meet the following conditions to be recognized by GPC Inspector and compliance scanners:
- Returns HTTP status 200 OK — not a redirect (301/302) and not a 404

- Served with Content-Type: application/json

- Accessible without authentication — the file is fetched as an unauthenticated GET request

- If your site operates across multiple subdomains that process personal data, each subdomain should host its own /.well-known/gpc.json file

Static Sites and File Hosting
Create a folder named .well-known at the root of your web server's public directory (e.g., /public_html/.well-known/ or /var/www/html/.well-known/) and place gpc.json inside it. Ensure both the folder and file are publicly readable. On most static hosting platforms (Netlify, Vercel, GitHub Pages), simply committing the file at /.well-known/gpc.json in your repository root is sufficient.
WordPress
Upload the file via FTP, SFTP, or your hosting file manager to /public_html/.well-known/gpc.json (or the equivalent public root for your hosting provider). Alternatively, use a plugin that manages /.well-known/ routes, or add a rewrite rule to your .htaccess to serve the file. Confirm the file is reachable by opening its URL directly in a browser tab before testing with the GPC Inspector.
Shopify and Other Hosted Platforms
Fully hosted platforms like Shopify restrict direct file system access, which means you cannot simply upload a file to a .well-known/ directory. Options include creating a URL redirect to an externally hosted copy of the JSON file, or using a custom app or middleware layer to serve the response at the required path. Check your platform's documentation for the recommended approach to hosting well-known URIs.
Nginx
Add a location block to your server configuration to serve the .well-known directory from your document root:
location /.well-known/ {
    root /var/www/html;
    default_type application/json;
}Reload Nginx after making the change: sudo nginx -s reload.
Apache
Place the file in your document root under .well-known/gpc.json. If your .htaccess configuration blocks access to dotfiles or dotfolders, add an explicit exception:
<Files ~ "^\.well-known">
    Require all granted
</Files>You can also force the correct Content-Type header for the file:
<Files "gpc.json">
    Header set Content-Type "application/json"
</Files>How to Verify the File Is Working
Once the file is deployed, verification takes under a minute:
- Paste your file URL directly into a browser tab — https://<<your-domain-DNS-name>>/.well-known/gpc.json — and confirm it returns the JSON content with no redirect and no error.

- Open your website with the Global Privacy Control Inspector extension active and GPC enabled in your browser. The third indicator — "supported by website" — should now display as active.

- Check the HTTP response headers using browser DevTools (Network tab) to confirm the response status is 200 and Content-Type is application/json.

If the third indicator remains inactive after deployment, the most common causes are: the file path is not exactly /.well-known/gpc.json, the server is returning a redirect instead of a direct 200, or the file is blocked by an authentication layer or .htaccess rule.
Frequently Asked Questions
Do I need the gpc.json file if Secure Privacy is already installed?
Yes. Secure Privacy handles GPC signal detection and cookie blocking automatically, but the gpc.json well-known file is a separate, website-owner responsibility defined by the GPC specification. Without it, your site will not pass the third indicator in a GPC compliance check — even if Secure Privacy is correctly installed and functioning. The file is a public declaration that complements the enforcement Secure Privacy already provides.
Is publishing the gpc.json file legally required under CCPA?
The California Privacy Protection Agency (CPPA) guidance and the GPC specification strongly recommend publishing the well-known file as part of a complete GPC implementation. While enforcement actions to date have focused on honoring the GPC signal rather than on file publication specifically, publishing the file is considered best practice and is required for your site to pass automated GPC compliance checks and third-party audits.
Does the gpc.json file need to be updated regularly?
The file itself only needs to change if your GPC policy changes. However, it is good practice to update the lastUpdate date whenever you review your privacy implementation — for example, after a platform update, a change in your cookie categories, or a regulatory update. This keeps your declaration current and demonstrates active compliance maintenance to auditors.
What happens if my site has multiple subdomains?
Each subdomain that independently processes personal data should host its own /.well-known/gpc.json file. The GPC specification does not allow a root domain declaration to cover subdomains automatically. If your subdomains share a common infrastructure, you can configure your web server to serve the same file content across all of them.
Can I test my gpc.json file without the GPC Inspector extension?
Yes. Open your browser's developer tools, navigate to the Network tab, and fetch the file URL directly — https://yourdomain.com/.well-known/gpc.json. Confirm the response status is 200, the Content-Type header is application/json, and the response body contains valid JSON with "gpc": true. This confirms the file is correctly deployed regardless of which GPC-aware tool you use to check it.
You Are Now Fully GPC-Compliant
With the /.well-known/gpc.json file published and Secure Privacy installed, your website meets the full requirements of a GPC-compliant implementation: browser signal detection, automatic cookie restriction for GPC-enabled visitors, and a public machine-readable declaration. All three GPC Inspector indicators should now show as active — giving you a defensible, auditable record of your site's compliance with CCPA/CPRA opt-out signal obligations.
Secure Privacy continues to handle the enforcement layer automatically as visitor behavior, browser GPC support, and regulatory expectations evolve — with no ongoing changes required on your end.
Need Help?
Contact Secure Privacy support at support@secureprivacy.ai if you have questions about deploying the GPC well-known file or verifying your GPC compliance setup.
See Also
- Global Privacy Control (GPC) & Do Not Track — Browser Signals & Cookie Banner Setup[?]

- Global Privacy Platform (GPP) Setup

- Basic vs. Advanced Google Consent Mode

- Implementing Meta Consent Mode with Secure Privacy

---

# Self-Service Privacy Rights Portal: Submit GDPR & CCPA Data Requests and Link from Your Cookie Banner

URL: https://support.secureprivacy.ai/article/self-service-privacy-rights-portal-submit-gdpr-ccpa-data-requests-and-link-from-
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-31T19:42:00+00:00
Updated: 2026-03-31T20:41:07.455+00:00
Reading Time: 11 minutes
Summary: Allow visitors to exercise GDPR & CCPA rights via Secure Privacy's Self-Service Privacy Rights Portal. Learn how to link it from your cookie banner or policy.

When a visitor wants to delete their data, access what you've collected, or opt out of data processing, where do they go? Most websites bury a compliance email address in the footer — if they provide anything at all. That forces data subjects through slow, manual back-and-forth, leaves organizations scrambling to meet GDPR's 30-day response deadline, and creates a paper trail that's nearly impossible to audit.
Generic web forms and standalone DSAR ticketing tools exist, but they require separate setup, sit outside your consent stack, and rarely cover the full breadth of rights mandated by GDPR, CCPA/CPRA, India DPDPA, and similar frameworks.
Secure Privacy's Self-Service Privacy Rights Portal solves this with a single, branded DSAR hub — hosted at dsar.secureprivacy.ai and automatically scoped to your organization — that covers every data subject right in one place. You can surface it to visitors with two clicks from your cookie banner or privacy policy, without touching a single line of code.
By the end of this guide, data subjects will know how to submit any privacy request through the portal, and organizations will know exactly how to link the portal from their cookie banner and policies inside Secure Privacy CMP.
Who Is This For?
This article serves two audiences:
- Individuals (data subjects) — website visitors who need to exercise a privacy right (delete, access, correct, opt out, appeal, etc.) with an organization that uses Secure Privacy.

- Organizations and website owners — businesses using Secure Privacy CMP who want to make the Self-Service Privacy Rights Portal accessible to visitors via the cookie banner or a privacy/cookie policy link.

Portal Overview
The Self-Service Privacy Rights Portal is an enterprise-ready, multi-language interface for submitting and managing personal data requests. Key features include:
- Language selection — visitors choose their preferred language before or during a session.

- Action-card layout — each request type is a first-class card so users find and start the right request immediately.

- Secure, auditable submissions — requests are tracked with full transparency for both the data subject and the organization.

- Broad regulatory coverage — supports GDPR, UK GDPR, CCPA/CPRA, India DPDPA, and similar frameworks, including statutory response timelines and appeal paths.

Available Privacy Request Types
The portal exposes every major data subject right as a dedicated action card:
- Delete My Information — invoke the right to erasure (GDPR Art. 17 / CCPA deletion right).

- Access My Information — request a copy of collected personal data (right of access).

- Correct My Information — request correction of inaccurate or incomplete data (GDPR Art. 16).

- Opt Out of Sale or Sharing of My Information — exercise CCPA/CPRA opt-out rights.

- Restrict Processing of My Information — limit how data is processed (GDPR Art. 18).

- Object to Processing of My Information — object to data processing (GDPR Art. 21).

- Agent / Authorized Representative Request — submit a request on behalf of another individual.

- Consent Record / Proof of Consent — obtain a record of consent given.

- Appeals — appeal a denied or partially fulfilled data request.

How to Submit a Privacy Rights Request (Data Subjects)
This section is for individuals submitting a GDPR, CCPA, or other privacy request to an organization. How you reach the portal depends on the organization — many sites link it from the cookie banner or their Privacy Policy / Cookie Policy. You may also receive a direct URL.
Prerequisites
- A link or direct URL to the organization's Self-Service Privacy Rights Portal (provided in the cookie banner, privacy policy, or directly by the organization).

- Any identity-verification information the organization requires (e.g. email address or account details) as described on the portal.

Step 1 — Open the Self-Service Privacy Rights Portal
Click the link in the organization's cookie banner or privacy policy, or open the direct URL provided to you. The portal loads at dsar.secureprivacy.ai with an encoded parameter that ties the session to the organization.
Step 2 — Select your preferred language
If a language selector is shown at the top of the portal, choose your preferred language before proceeding.
Step 3 — Choose the request type
From the grid of action cards, select the request type that matches your need — for example, Delete My Information (right to erasure), Access My Information (data subject access request), or Opt Out of Sale or Sharing (CCPA opt-out).
Step 4 — Complete and submit the request
Follow the on-screen prompts to provide the required details, then submit. Note the reference number or confirmation message shown — you will need it to track your request.
Step 5 — Appeal if needed
If your request is denied or only partially fulfilled, return to the portal and use the Appeals card to challenge the decision.
How to Link the Privacy Rights Portal on Your Website (Organizations)
The steps below assume your organization already uses Secure Privacy and the CMP script is installed on your website. Use Option 1 to surface the portal from the cookie banner, or Option 2 to add it to your Privacy Policy or Cookie Policy.
Option 1 — Link from the Cookie Banner (Templates → Cookie Banner → Edit)
Use this path to add a Self-Service Privacy Rights Portal link directly inside your cookie banner text — the highest-visibility placement for GDPR and CCPA compliance notices.
Step 1 — Open Templates and select your template
In the Secure Privacy CMP, click Templates in the top navigation, then click the template that applies to your domain (for example, India DPDPA (Copy)).
Step 2 — Open the Cookie banner section
In the left sidebar, click Cookie banner. At the top right of the cookie text area, click Edit.
Step 3 — Select text and open the Link to control
In the editor, highlight the word or phrase where you want to add the privacy rights portal link. Then open the Link to dropdown in the cookie banner text toolbar.
Step 4 — Choose "Link to external data request form"
Select Link to external data request form from the dropdown. This points the selected text at your Self-Service Privacy Rights Portal hosted on dsar.secureprivacy.ai. Other available link targets (preference center, privacy policy, cookie policy, in-product data request form) are for different destinations — use the external option for the DSAR portal.
Cookie banner editor — Link to dropdown with Link to external data request form selected (Self-Service Privacy Rights Portal).
In the example shown in this documentation, the word preferences in the sentence "Feel free to update your preferences anytime." was linked to the external data request form. Visitors who click that word are taken directly to the privacy rights portal. The linked text appears as a styled hyperlink in both the editor and the live banner.
Cookie banner text after linking — preferences now points to the Self-Service Privacy Rights Portal (external data request form).
Step 5 — Save the template
Click the green SAVE button at the top right of the template editor. Your cookie banner changes are not live on the website until you save. Click CANCEL only if you want to discard all unsaved changes.
Step 6 — Verify the template is assigned to your domain
Open Domains in the top navigation, select the domain where the CMP script is installed, and confirm that the active template for that domain is the same template you just edited. If your domain uses a different template, either reassign the domain to this template or repeat the cookie banner steps on the correct template.
Multiple regions: If you use multiple templates by region or regulation, repeat this verification for every template that should surface the Self-Service Privacy Rights Portal link.
What Visitors See After Clicking the Banner Link
When a visitor clicks the linked text in the cookie banner, the browser opens the Self-Service Privacy Rights Portal at dsar.secureprivacy.ai with an encoded data= parameter that scopes the session to your domain and return URL. Visitors do not need to type or know this URL — it is opened automatically.
The portal displays a language selector and a grid of privacy rights action cards: Delete My Information, Access My Information, Correct My Information, Opt Out of Data Processing, Restrict Data Processing, Object to Data Processing, Authorized Agent Request, Withdraw Consent, and Appeal a Decision.
Live Self-Service Privacy Rights Portal (dsar.secureprivacy.ai) opened from the cookie banner link — language selector and full grid of GDPR and CCPA data subject rights cards.
Option 2 — Link from Privacy Policy or Cookie Policy (Policies → Edit)
Use this path to add a Self-Service Privacy Rights Portal link inside your Privacy Policy or Cookie Policy text — useful for fulfilling the GDPR requirement to inform data subjects how to exercise their rights within policy documents.
Step 1 — Open Policies and select the relevant policy
In the Secure Privacy CMP, click Policies in the top navigation. Click the Privacy Policy or Cookie Policy that applies to the domain where you want the portal link to appear.
Step 2 — Click Edit and select your link text
Click Edit to open the policy editor. Highlight the word or phrase you want to hyperlink to the portal (for example, "submit a data request" or "exercise your rights").
Step 3 — Choose "Link to external data request form"
Open the Link to control in the toolbar and select Link to external data request form. The behavior is identical to the cookie banner editor: the selected text becomes a hyperlink to your Self-Service Privacy Rights Portal on dsar.secureprivacy.ai.
Step 4 — Save or publish the policy
Save or publish the policy per your Secure Privacy CMP workflow. The updated policy text and portal link will be live wherever that policy is displayed.
Visitors who follow the link from your policy see the same Self-Service Privacy Rights Portal experience as visitors who follow the cookie banner link — language selector and full request-type card grid on dsar.secureprivacy.ai.
Admin Configuration Notes
- Configure and publish the Self-Service Privacy Rights Portal for your domain(s) from the Secure Privacy CMP dashboard.

- Link the portal URL from both your privacy policy and your consent/preference center so data subjects can always find it, regardless of how they browse your site.

- Configure request types, identity verification, and response workflows to align with your privacy program and legal obligations under GDPR, CCPA/CPRA, India DPDPA, and other applicable laws.

- If you use geotargeted templates (different consent banners per region), verify the portal link is added to each active template — not just the default.

Troubleshooting
The portal link is not appearing in the live cookie banner
Confirm you clicked SAVE after editing. Then check Domains → [your domain] and verify the active template is the one you edited. If a different template is assigned, either switch the domain to the edited template or add the link to the correct template.
Visitors are landing on the wrong portal or seeing an error
Ensure you selected Link to external data request form — not "Link to data request form" (which points to the in-product form, not the hosted DSAR portal). If visitors still encounter an error, confirm the Self-Service Privacy Rights Portal is fully configured and published for your domain in the CMP dashboard.
The link is showing in the editor but not on the live website
Clear your browser cache and check whether a cookie caching layer or CDN is serving a stale version of the banner script. Allow up to a few minutes for changes to propagate after saving.
Frequently Asked Questions
What is a Self-Service Privacy Rights Portal?
A Self-Service Privacy Rights Portal is a secure, branded interface that lets individuals submit and track privacy requests — data access, deletion, correction, opt-out, and more — under GDPR, CCPA/CPRA, India DPDPA, and similar regulations. Secure Privacy hosts the portal at dsar.secureprivacy.ai, automatically scoped to your organization.
How do I submit a GDPR data subject access request (DSAR)?
Open the portal link in the organization's cookie banner or privacy policy. Choose Access My Information from the action-card grid, complete the form, and submit. Note the reference number provided for tracking.
How do I request deletion of my personal data?
Use the Delete My Information card in the portal. This invokes your right to erasure under GDPR Article 17. If the request is denied, use Appeals to challenge the decision.
How do I add a DSAR link to my cookie banner in Secure Privacy?
Go to Templates, open the template for your domain, click Cookie banner → Edit, highlight your chosen text, open the Link to dropdown, select Link to external data request form, and click SAVE. Then verify the template is assigned to your domain under Domains.
What privacy regulations does the Secure Privacy DSAR portal support?
The portal supports GDPR, UK GDPR, CCPA/CPRA, India DPDPA, and similar frameworks, covering the full range of data subject rights: access, deletion, correction, opt-out, restriction, objection, consent records, authorized agent requests, and appeals.
Can I link the privacy rights portal from my Privacy Policy instead of the cookie banner?
Yes. In the Secure Privacy CMP, go to Policies, open the relevant policy, click Edit, highlight your link text, select Link to external data request form, and save. Visitors who click that link see the same portal experience as those who follow the cookie banner link.
Related Articles
- Consent Dashboard: Viewing and Managing Cookie Consent Records

- Cookie Banner Customization: Templates, Text, and Design Settings[?]

- Domain Settings: Assigning Templates and Managing Active Configurations

- GDPR Data Subject Rights: What They Are and How Secure Privacy Handles Them

- CCPA/CPRA Opt-Out of Sale: Configuring the "Do Not Sell or Share" Link[?]

---

# Extra Consents Settings: Managing Cookie Consent Overage in Your Secure Privacy Plan

URL: https://support.secureprivacy.ai/article/extra-consents-settings-managing-cookie-consent-overage-in-your-secure-privacy-p
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-31T19:42:00+00:00
Updated: 2026-03-31T20:27:58.793+00:00
Reading Time: 10 minutes
Summary: Hit your cookie consent plan limit? Learn how to set an extra consents budget in Secure Privacy to extend recording capacity and control overage spend.

When your website hits its subscription consent limit, cookie consent records can quietly stop being stored in the cloud — leaving you with compliance gaps you may not notice until an audit or a visitor complaint surfaces the problem. Most teams discover this only after the fact, scrambling to figure out why recorded consent counts no longer match their traffic.
Generic workarounds — manually tracking consent in spreadsheets, switching to a cheaper tool with no overage option, or simply ignoring the cap — either create more work or introduce real regulatory risk under GDPR, CCPA, and ePrivacy rules. And while upgrading your entire subscription plan is always an option, it can mean paying for headroom you only occasionally need.
Secure Privacy's Extra Consents Settings give you a smarter middle path: a configurable overage budget that extends your consent recording capacity exactly when you need it, charged in transparent per-block increments, with a hard cap so you stay in control of spend. By the end of this guide you'll know exactly how to set your extra consents budget, what happens at each threshold, and how to avoid common billing surprises.
Who Is This For?
This article is intended for:
- Account administrators responsible for managing the Secure Privacy CMP subscription and billing settings.

- Billing contacts who need to authorize usage-based spend above the included plan consent volume.

- Compliance or operations teams who need to ensure uninterrupted consent recording during traffic spikes or campaign periods.

If you are on a Free or Trial account, the Extra Consents Settings section is not available — see Eligibility below.
Overview: How Extra Consent Billing Works
Your Secure Privacy subscription plan includes a fixed consent volume. Extra Consents Settings let you set a spending budget for consent recording above that plan limit. You are charged at the rate shown in the product — for example, $10.00 per 100,000 consents over the limit. The currency and pricing on screen always reflect your account billing currency (EUR or USD).
Key distinction: Your plan's included consent allowance and your extra consents budget are two separate controls. Upgrading your plan (under Account → Plans) increases your included allowance. Setting an extra consents budget (under Account → Billing) adds flexible, usage-based overage capacity on top. You can use one, both, or neither — depending on your traffic and contract.
Important Points Before You Configure
Included consents vs. extra budget
Your plan covers a set consent volume. Extra Consents Settings only govern how much additional usage you authorize beyond that — they do not replace choosing the right plan for your long-term traffic.
No automatic plan upgrade
Secure Privacy does not automatically move your account to a higher subscription tier when usage climbs. Overage is handled entirely through your extra consents budget, which you control in the dashboard.
Default is zero (off)
The extra consents budget defaults to zero, meaning no paid overage is authorized. Until you enter a non-zero value and click SAVE, the feature is effectively disabled for billing purposes — even on paid plans.
Budget must cover the next block
Once you set a non-zero budget, it must be large enough to cover at least one full block at the rate shown (e.g. $10.00). If it is too low for the next purchasable block, consent recording behavior remains the same as when extra consents are disabled.
Eligibility
Extra Consents Settings are not available on Free or Trial accounts. If the section is absent from your Billing page, your account type may not include it. Upgrade or subscribe as required by your contract.
Monthly vs. yearly subscriptions
On monthly plans, extra consent usage is reflected in line with your Billing page. On yearly plans, overages may be billed on a separate schedule and may not appear on the main Billing summary — check your full invoice list and use date filters in the CMP for the complete picture.
Email notification at first activation
You may receive an email the first time extra consent usage is activated in a billing month, so your billing and operations teams are aware that usage-based charges have begun for that period.
Lowering the budget after activation
If extra consent usage has already been activated for a billing period, setting the budget back to zero does not instantly cancel an already-started block. You may still be invoiced for usage that was already committed. For exact impact, review your invoices and contact support or your account manager.
Where to Find Extra Consents Settings
- Sign in to the Secure Privacy CMP at cmp.secureprivacy.ai.

- Open Account from the main navigation.

- Select Billing.

- Scroll to the section titled EXTRA CONSENTS SETTINGS.

What You See on Screen
The Extra Consents Settings panel in Secure Privacy Billing — set your overage budget and click SAVE to authorize additional consent recording beyond your plan limit.
Element
Purpose

Section title
EXTRA CONSENTS SETTINGS

Description line
Explains the extra budget concept and shows the price per unit (e.g. $10.00 per 100,000 consents). Use the information (i) icon for in-product help.

Amount field
Numeric field prefixed with your billing currency symbol. Enter the maximum budget you want to authorize for extra consents (0 = no paid overage).

SAVE
Saves your extra consents budget. Always click this after any change.

Currency (EUR / USD)
The currency symbol and pricing shown depend on your account's billing currency. Accounts billed in euro see EUR (€) rates; accounts billed in US dollar see USD ($) rates. Always rely on what appears on your Billing page — not screenshots from another account.
What Happens When Your Cookie Consent Plan Limit Is Reached
Behavior at the plan limit depends on whether extra consents are enabled and whether your budget covers the next chargeable block.
Extra consents disabled (budget is zero or unsaved)
If you have not set a non-zero extra consents budget:
- Visitors may still see the cookie consent banner where your implementation shows it, but consent records may not be stored in your Secure Privacy account — they can be held locally in the browser for basic compliance display only.

- When your billing period resets the consent counter on Secure Privacy's side, normal cloud recording resumes up to your plan limit.

If full cloud recording must continue after the limit is hit, raise your plan and/or set an appropriate extra consents budget and save it.
Extra consents enabled but budget too low for the next block
If you entered a non-zero budget but it is insufficient to purchase the next block at the listed price, cloud recording does not switch on for that extra tier. Increase the budget to cover at least one full block at the rate shown, then click SAVE.
After Extra Consents Have Been Activated
Once usage-based extra consent recording has activated for your subscription:
- Setting the budget to zero later does not always mean immediate stop — you may still be invoiced for an already-committed block, and consent recording may continue until that package is used up.

- For the exact effect on your account, review Billing, your invoices, and your order form, or contact support or your account manager.

How to Set or Change Your Extra Consents Budget
Follow these steps to configure the extra consents overage budget in your Secure Privacy account.
Step 1 — Open Account Billing
Sign in to cmp.secureprivacy.ai, then navigate to Account → Billing.
Step 2 — Locate Extra Consents Settings
Scroll down the Billing page to the section titled EXTRA CONSENTS SETTINGS.
Step 3 — Confirm your overage rate
Read the on-screen description to confirm the rate per block (e.g. $10.00 per 100,000 consents) and the currency that applies to your account.
Step 4 — Enter your budget
Type your desired maximum overage budget in the amount field. The currency prefix is read-only — edit the number only. Enter 0 to disable paid overage.
Step 5 — Save your changes
Click SAVE. Confirm no error messages appear. If applicable, verify that billing or usage reports reflect the updated budget after processing.
Prerequisites and Permissions
- You need Account and Billing access in the CMP — typically an admin or billing role, depending on your organization's user configuration.

- Extra Consents Settings require a paid subscription. The section is not visible for Free or Trial accounts.

- Your subscription and payment method must be in a state that allows billing changes. If SAVE is disabled or errors appear, see Troubleshooting below.

Troubleshooting Extra Consents Settings
Issue
What to try

SAVE does nothing or stays disabled
Refresh the page, confirm you entered a valid number, and verify you have permission to edit billing settings.

Wrong currency on screen
Currency follows your account billing profile. Verify you are in the correct Secure Privacy account and that the billing contract matches your region.

Need to remove extra consents spend
Set the budget to 0 (or the minimum allowed) and click SAVE, unless your contract requires changes through your account manager.

Section missing on Billing page
Confirm you are not on a Free or Trial account — the section is hidden for those. Otherwise, refresh, check you are in the correct account, or contact support.

At plan limit and consents not appearing in the CMP
If extra consents are disabled (budget 0), cloud recording may stop until the period resets or you enable a sufficient budget — see What Happens When Your Cookie Consent Plan Limit Is Reached.

Budget is non-zero but nothing improved
The amount may be below the minimum needed for the next extra block at the listed price. Increase the budget and click SAVE.

Yearly plan and line items look different
Extra overage may appear on separate invoices. Widen the invoice date filters in the CMP to see the full picture.

Rate or limits unclear
Use the information (i) icon next to the description, or contact support/your account manager with your account name and a screenshot of the Extra Consents Settings block (redact sensitive data as needed).

Frequently Asked Questions
What happens when I reach my cookie consent plan limit?
When your included consent volume is exhausted and no extra consents budget is set, consent records may stop being stored in your Secure Privacy account. Visitors can still see the cookie banner, but recordings are held locally in the browser only. To resume full cloud recording, either upgrade your plan or set a non-zero extra consents budget in Account → Billing.
How does Secure Privacy charge for consent overage?
Secure Privacy charges for extra consents in blocks — for example, $10.00 per 100,000 consents. The rate and currency shown in the Extra Consents Settings section reflect your account's billing currency. You authorize a maximum budget cap; charges only apply once your included plan consents are used up.
Will Secure Privacy automatically upgrade my plan when I exceed my consent limit?
No. Secure Privacy does not automatically move your account to a higher subscription tier. You remain in control through the Extra Consents Settings budget. If your traffic consistently exceeds your plan limit, you can manually upgrade your plan under Account → Plans or set an appropriate extra consents budget.
Can I set a cap on how much I spend on extra consents?
Yes. The Extra Consents Settings section lets you enter a specific budget amount. Secure Privacy will not charge beyond that cap for extra consents in a billing period. Set it to zero if you do not want any paid overage.
What is the difference between upgrading my plan and setting an extra consents budget?
Upgrading your subscription plan (Account → Plans) permanently increases your included consent allowance. Setting an extra consents budget (Account → Billing) adds a flexible, usage-based overage allowance on top of your current plan. You can use one, the other, or both depending on your traffic and contract.
Why is the Extra Consents Settings section not showing on my Billing page?
This section is hidden for Free and Trial accounts. It only appears for paid subscriptions. If you are on a paid plan and still cannot see it, try refreshing the page, confirm you are in the correct account, or contact Secure Privacy support.
Related Articles
- Understanding Secure Privacy Subscription Plans[?]

- Reading Your Secure Privacy Billing Invoices[?]

- Using the Secure Privacy Consent Dashboard

- Account and User Management in Secure Privacy

---

# Complete Guide to Blocking Cookies for GDPR Compliance: Prior Consent, Script Load Order & GTM Setup

URL: https://support.secureprivacy.ai/article/complete-guide-to-blocking-cookies-for-gdpr-compliance-prior-consent-script-load
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-26T23:55:00+00:00
Updated: 2026-04-22T07:07:59.454+00:00
Reading Time: 28 minutes
Summary: Learn how to block cookies before consent under GDPR. Covers Secure Privacy auto-blocking, script load order, GTM consent triggers, and Google Consent Mode v2 setup.

If you've ever opened your browser's DevTools on a website — even one with a cookie consent banner — and watched analytics and advertising cookies land before you clicked anything, you've witnessed one of the most widespread GDPR violations on the web today. Non-essential cookies, from Google Analytics to the Facebook Pixel to LinkedIn's Insight Tag, are routinely set the moment a page loads, long before the consent banner has finished rendering — let alone before a visitor has responded to it. That's not a grey area: it's a direct violation of the ePrivacy Directive and GDPR Article 6, and it's one of the most frequently cited findings in enforcement actions by data protection authorities across the EU.
The instinct is to reach for a simple solution — a free cookie plugin, a manually coded delay, a "just add a banner" approach. These typically fail in one of three ways: they display a notice while tracking runs freely underneath, they block nothing but show a compliant-looking UI, or they break when a caching plugin reorders scripts and silently removes the consent gate. Getting genuine prior-consent cookie blocking right requires understanding four interlocking technical layers: automatic script interception, script load order, Google Tag Manager consent configuration, and Google Consent Mode v2 — each of which can independently undermine compliance if misconfigured.
This guide covers all four layers as implemented through Secure Privacy, a consent management platform built specifically for GDPR and ePrivacy compliance. By the end, you'll understand exactly how Secure Privacy intercepts non-essential scripts before they execute, why script load order is the single most overlooked compliance detail, how to configure Google Tag Manager so every tag respects consent status, how to implement and verify Google Consent Mode v2 for EU/EEA visitors, and how to maintain compliance as your site evolves.
Who Is This Guide For?
This guide is written for:
- Website owners and marketing teams who need to achieve GDPR cookie compliance and understand why a banner alone is not enough

- Developers and technical leads responsible for implementing or auditing a consent management platform, configuring GTM, or diagnosing pre-consent cookie firing

- DPOs and compliance managers who need a technical reference to evaluate whether an existing CMP implementation is genuinely blocking non-essential cookies before consent

- Anyone already using Secure Privacy who wants to understand how the blocking engine works, how to resolve gaps found in scan reports, and how to configure Google Consent Mode v2

If you are evaluating consent management platforms and want to understand what full technical compliance actually requires, this guide covers the complete picture — not just banner display, but script interception, load order, and platform-level consent signals.
Contents
- Why Prior Consent Is Non-Negotiable Under GDPR

- How Secure Privacy Automatic Blocking Works — and Its Limits

- Identifying & Manually Blocking Undetected Cookies

- Script Load Order: The Most Overlooked GDPR Compliance Detail

- Blocking Iframes, Pixels & Embedded Content

- GTM Installation: Consent-First Configuration

- Google Consent Mode v2 for EU/EEA Visitors

- Ongoing GDPR Cookie Audits & Maintenance

- Additional Compliance Considerations

- Frequently Asked Questions

- Quick Reference: All Related Guides

1. Why Prior Consent Is Non-Negotiable Under GDPR
GDPR Recitals 30 and 32, Article 6, and ePrivacy Directive Recital 25 are collectively unambiguous: any cookie or tracking technology that is not strictly necessary for a service explicitly requested by the user requires prior, freely given, specific, informed, and unambiguous consent before it may be set on a visitor's device.
"Strictly necessary" is a narrow category. It covers session authentication, shopping cart persistence, security tokens, and load-balancer cookies. It does not cover:
Cookies That Require Prior Consent Under GDPR

Cookie
Service
Category
Prior consent required?

_ga, _gid
Google Analytics
Analytics
Yes

_fbp, fr
Facebook / Meta Pixel
Advertising
Yes

IDE, NID
Google Ads / DoubleClick
Advertising
Yes

VISITOR_INFO1_LIVE
YouTube
Analytics
Yes

LinkedIn Insight Tag cookies
LinkedIn
Advertising
Yes

A consent banner that warns visitors while the scripts still run in the background is not compliant. The cookie must not be set until consent is recorded. This is not a technicality regulators overlook — pre-consent cookie loading is one of the most frequently cited findings in DPA enforcement actions across Germany, France, Italy, and Ireland.
Deep dive: Cookies Loading Before Consent? How to Fix Pre-Consent Cookie Loading and Achieve GDPR Compliance — covers how to identify non-compliant services in your scan report, step-by-step remediation, and a GDPR compliance checklist.
2. How Secure Privacy Automatic Blocking Works — and Its Limits
Secure Privacy generates a unique JavaScript blocking file for each domain based on its scan results. This file uses the MutationObserver API (compatible with all major browsers including IE11) to intercept scripts, pixels, and dynamically injected iframes in real time, holding them until the visitor grants the appropriate consent category.
The three blocking modes
Mode
Behaviour
Use when

v2 Blocking (current, recommended)
Intercepts all non-essential scripts, pixels, and dynamically injected iframes before they execute. Releases them as soon as the matching consent signal is received.
All new and existing installations — this is the default.

v1 Blocking (legacy)
Older interception mechanism. Less robust; maintained for backward compatibility only.
Existing v1 sites that have not yet migrated. Plan migration to v2.

Disabled
No automatic blocking. All scripts load freely unless you have manually gated every one.
Only for fully manual configurations — not recommended for general use.

Critical limitation: the scan boundary
Auto-blocking covers both the most recent scan detected and categorised and previously detected cookies via so called "aggregated scan" report". Any script, pixel, or tag added to your site after the last scan, or using a non-standard implementation that the crawler did not recognise, will not be blocked automatically. This is the single most common source of ongoing GDPR violations on sites that believe they are compliant.
Rule of thumb: Trigger a new scan every time a third-party script, marketing pixel, or analytics integration is added or updated — and at minimum once per quarter. Make sure these services and cookies ARE present in the scan report, correctly categorized and configured with a proper pixel/script/iframe source.
Deep dive: Automatic Cookie Blocking Explained – How Secure Privacy Blocks Scripts, Pixels, and Iframes — covers the MutationObserver mechanism, all three blocking modes, prerequisites, and how to manually extend the blocking configuration. Note: this article is from the legacy CMP v1 documentation. The step-by-step logic and concepts remain fully applicable to the current platform; however, the dashboard screenshots shown reflect the older interface.
3. Identifying & Manually Blocking Undetected Cookies
When automatic blocking has gaps, your scan report will show them inside "Prior consent to other than strictly necessary cookies" section inside the scan report.
Resolving this "usually" requires four steps:
Step 1 — Open the Scan Report
In your Secure Privacy dashboard, select the domain to work with, click the "Scan report" scroll down to the Prior consent to other than strictly necessary cookies (GDPR) → Cookies loaded before prior consent section. Note the cookie name and related service for each flagged item in the list.
Step 2 — Identify the source
Work with your development team to find the script URL, pixel endpoint, or iframe source responsible for the unblocked cookie. Browser DevTools (Network tab, filtered by the cookie name) will surface the originating request. Alternatively, directly searching the source code of the page (Ctrl+U or Command+U) could also help here.
Step 3 — Add the source to Service
In the dashboard, navigate to Classification → Services. Locate the service that is associated with the cookie in question - click the "three-dot" menu -> Edit. Check the entry, make sure to adjust/specify:
- Service name

- Category

- Instalaltion scripts got to: Script field, while Iframe, or Pixel sources also matches (if any)

- Privacy policy link (if avilable)

The script source URL must be best possbile match/pattern to cover different URLs and yes, partial URLs will work and usually are more useful, when used as a bare base domain name.
For example, instead of this full URL -
https://pagead2.googlesyndication.com/ccm/collect?frm=0&en=page_view&dl=https%3A%2F%2%2F&scrsrc=www.googletagmanager.com&rnd=39847927.1774647075&navt=n&npa=1&did=&gdid&_tu=CA&gtm=&gcs=G100&gcd=13p3p3p2p5l1&dma_cps=-&dma=1&tag_exp=0~115938465~115938468~116133312~117484252&apve=1&apvf=f&apvc=0&tids=AW-123123123123&tid=AW-123123123123&tft=1774647075154&tfd=123123you would want to simply add
googlesyndication.comStep 4 — Rescan to verify
Run a new scan from the Scan Report page. Confirm that the previously flagged service now shows as blocked.
Deep dive: How to Manually Block Cookies Not Blocked Automatically in Secure Privacy — full walkthrough of the Tag Blocking configuration screen, common causes of auto-blocking gaps, and troubleshooting exact-match URL issues. 
Note 1: all 4 required steps are covered above. 
Note 2: the link is a legacy CMP v1 documentation — steps still apply; screenshots reflect the older interface.
4. Script Load Order: The Most Overlooked GDPR Compliance Detail
Even a perfectly configured Secure Privacy CMP will fail to block cookies if it loads after the scripts it is supposed to intercept. Script load order is the most frequently overlooked compliance detail, and it is the root cause of many "but I installed the CMP!" GDPR violations.
Understanding async vs defer
Attribute
Download
Execution timing
Execution order
Good for compliance?

none (synchronous)
Blocks HTML parsing
Immediately, inline
Guaranteed DOM order
Yes — recommended,
but blocks rendering

defer
Parallel (non-blocking)
After HTML is fully parsed
Guaranteed DOM order
Yes — recommended, non-blocking if the execution order is correct

async
Parallel (non-blocking)
As soon as the file is downloaded — could be mid-parse
Not guaranteed — race condition
No !!! — compliance risk here !!! even if it "works in my browser"

async offers a performance benefit, but at a compliance cost: whichever script downloads fastest executes first. If Google Analytics or Facebook Pixel loads faster than Secure Privacy on that page request, the tracker fires before the CMP has initialised. Never use async on the Secure Privacy script.
defer is the correct choice. Deferred scripts download in parallel (fast, no render-blocking) but execute in DOM order after HTML parsing completes. Therefore, this would only if Secure Privacy is the first deferred script in <head>, so that it will always execute before any other deferred (but, again, not "asynced") script.
Non-GTM installation: placement rules
For sites that embed the Secure Privacy script directly (not via GTM), follow these rules precisely:
Rule 1 — Place Secure Privacy first in <head>
Position the Secure Privacy script in <head> as high as possible — ideally immediately after the opening <head> tag and any <meta charset> / <meta viewport> tags. It must appear before any other third-party script tag.
Rule 2 — Use defer on the Secure Privacy script, not async
The async attribute creates a race condition that can allow tracking scripts to fire before the CMP initialises. Always use defer. (again, make sure Secure Privacy is the first in the <head>)
Rule 3 — All other third-party scripts must also use defer
Because deferred scripts execute in DOM order, any script placed after Secure Privacy in the source will execute after it — preserving the consent gate. Do not allow any third-party script to use async.
Rule 4 — Synchronous legacy scripts must appear below Secure Privacy in source order
If a third-party script absolutely cannot use defer, it must still be placed below the Secure Privacy script in the source, so that Secure Privacy's synchronous initialisation completes first.
Correct example:
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">

  <!-- ✅ Secure Privacy first, with defer -->
  <script src="https://cdn.cookie-script.com/s/YOUR-DOMAIN-ID.js" defer></script>

  <!-- ✅ All other services also deferred — they execute AFTER SP due to DOM order -->
  <script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" defer></script>
  <script src="https://connect.facebook.net/en_US/fbevents.js" defer></script>

</head>Incorrect example (compliance risk):
<head>
  <!-- ❌ Google Analytics loads async — could fire before SP is initialised -->
  <script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" async></script>

  <!-- ❌ SP placed after GA, and also async — too late and wrong attribute -->
  <script src="https://cdn.cookie-script.com/s/YOUR-DOMAIN-ID.js" async></script>
</head>CMS script optimisation plugins — a hidden compliance trap
Many popular CMS caching and performance plugins include a feature that consolidates, minifies, or defers all scripts on a page automatically. This process frequently breaks the load order that compliance depends on by:
- Reordering scripts into a single concatenated bundle (Secure Privacy may end up in the middle or at the end)

- Changing defer attributes to async across all scripts

- Moving <head> scripts to the footer

A pretty bright example here — WP Rocket (WordPress) — disable script optimisation for the Secure Privacy script !!!. As WP Rocket's "Delay JavaScript Execution" and "Load JavaScript Deferred" features can silently reorder or re-attribute the Secure Privacy initialisation script, breaking prior-consent blocking for every visitor. In WP Rocket settings, add the Secure Privacy script URL to the Excluded files list under File Optimization. The same applies to Autoptimize, LiteSpeed Cache's JS optimisation, and any other plugin that touches script attributes or order.
After installing or updating any caching or performance plugin, make sure (1) to reset / rebuild cache of these plugins and (2) always re-run our compliance "website scan" to verify that none of the non-essential cookies appear in the "loaded before prior consent" section of the report.
5. Blocking Iframes, Pixels & Embedded Content
Scripts are only part of the tracking surface. Iframes (video embeds, social widgets, map embeds) and tracking pixels also set cookies and must be blocked until the correct consent category is granted.
Every pixel and iframe must be associated with a service
Secure Privacy's blocking engine operates on a service-to-category mapping. For a pixel or iframe to be held behind consent, it must be:
Step 1 — Attach a service to iframe / pixel under Classification
Every pixel and iframe source must appear in your Secure Privacy dashboard under Classification → Pixels or Classification → Iframes with a correct Service entity attached.
Note: If a pixel or iframe was not auto-detected during the scan, create a service entry manually.
Step 2 — Confirm a Service is connected to a consent category
Each Service must be assigned a consent category (Analytics, Advertising, Social Media, Customer Interaction) — none of the Services may be left uncategorised. Services without a category will not be gated by the consent banner.
Step 3 — Link the source URL or domain
The Service must be linked to its source URL or domain so the blocking engine can match and intercept it at load time. See example above, under "Step 3 — Add the source to Tag Blocking".
Manual blocking: sp-consent and data-src
Sometimes, for iframes embedded directly in page HTML (as opposed to being injected by a script), auto-blocking may not apply due to the wat iframe is added to the DOM / <body>. Therefore, you must modify the HTML attributes directly:
Step 1 — Add the sp-consent attribute
Add sp-consent="SERVICE NAME" to the iframe tag. The service name must exactly match the name shown in your Secure Privacy Scan Report — including capitalisation and spacing. Copy it directly from the dashboard rather than typing it manually, make sure no spaces before after the name (in both parts 😅).
Step 2 — Rename src to data-src
Rename the src attribute to data-src. This prevents the browser from loading the iframe until Secure Privacy releases it after consent is received.
Before:
<iframe src="https://www.youtube.com/embed/VIDEO_ID"
        width="560" height="315" allowfullscreen></iframe>After (GDPR-compliant):
<iframe data-src="https://www.youtube.com/embed/VIDEO_ID"
        sp-consent="Youtube"
        width="560" height="315" allowfullscreen></iframe>(Optional) the same transformation may be applied to tracking pixels (image tags):
<!-- Before -->
<img src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView" width="1" height="1">

<!-- After -->
<img data-src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView"
     sp-consent="Facebook Pixel" width="1" height="1">The youtube-nocookie.com trap. Using www.youtube-nocookie.com as the embed domain does not eliminate the consent requirement. While this domain avoids HTTP cookies, it stores persistent tracking data in the browser's HTML5 localStorage — which constitutes tracking under the ePrivacy Directive and requires prior consent in the same way. Apply the data-src + sp-consent transformation regardless of which YouTube embed domain is used.
Deep dive: How to Set Up Manual Script and iframe Blocking in Secure Privacy — full instructions for script type rewriting, iframe attribute modification, and the YouTube/Vimeo blocking pattern.
Note 1: all the required steps are provided above.
Note 2: the Deep dive" links to the legacy CMP v1 documentation — the implementation logic and attribute syntax are unchanged in the current platform; dashboard screenshots reflect the older interface.
6. GTM Installation: Consent-First Configuration
Google Tag Manager introduces additional compliance complexity because it manages multiple tags that may fire independently of each other. The following three configuration requirements are all mandatory — omitting any one of them creates a compliance gap. A bit more is covered here - How to Block Cookies in GTM Triggers Using User Consent Conditions.
6.1 Consent Initialization trigger — for Secure Privacy only
When Secure Privacy is deployed through GTM, it must use the "Consent Initialization — All Pages" trigger. This is a special GTM system trigger developed to be used only for Consent Management Platforms (like Secure Privacy) that fires before all other triggers on the page — it is the earliest possible execution point within the GTM lifecycle. Can't stress enough - no other tag should use this trigger.
Step 1 — Create a new tag using the Secure Privacy CMP template
In GTM, go to Tags → New. Under Tag Configuration, open the Community Template Gallery and search for Secure Privacy CMP. Select the template and enter your Secure Privacy Domain ID (found in the dashboard under Installation).
<script src="https://app.secureprivacy.ai/script/123123123123123123123.js"></script>in the code snippet above 123123123123123123123 would be your Domain ID.
Step 2 — Assign the Consent Initialization trigger
Under Triggering, select Consent Initialization — All Pages. Save and publish.
If you previously installed the Secure Privacy script directly in your site's <head>, remove it before activating the GTM template. Running both simultaneously causes a double-initialisation conflict and unpredictable consent behaviour (!!!).
6.2 Consent-based triggers for all non-essential services
Every tag (read my lips - each and every) that sets a non-essential cookie — analytics, advertising, personalisation — must be configured to fire only after the user has consented to the relevant category. GTM provides two patterns for this. Use the one that fits your trigger architecture.
Pattern A — Custom JavaScript variable (recommended for complex trigger logic)
Create a User-Defined Variable of type Custom JavaScript. This variable returns true if the visitor has consented to a specific service, or false otherwise. Add it as a condition to any trigger that should be consent-gated.
// Variable name: "Check Google Analytics consent"
function() {
  return sp.checkConsent("Google Analytics");
}Then, in the trigger that fires your Google Analytics tag, add a condition:
Check Google Analytics consent  |  equals  |  trueThe service name passed to sp.checkConsent() is case-sensitive and must exactly match the service name in your Secure Privacy Classification tab. Copy it directly from the dashboard. A mismatch causes the function to always return false, silently blocking the tag regardless of consent status.
Create one variable per service. Repeat for every non-essential tag in your container.
Deep dive: How to Block Cookies in GTM Triggers Using User Consent Conditions — step-by-step setup with GTM Preview Mode verification instructions.
Pattern B — sp-consent custom event trigger (recommended for simpler setups)
Secure Privacy pushes a custom event to the GTM dataLayer when a visitor grants consent for a service. You can listen for this event as a GTM Custom Event trigger and use it to fire the corresponding tag.
Step 1 — Create a Custom Event trigger in GTM
In GTM, go to Triggers → New → Custom Event. In the Event Name field, enter: sp-consent="Google Analytics" — replacing the service name with the exact name from your Classification tab.
Step 2 — Name and attach the trigger
Name the trigger descriptively — for example: SP-Consent-Google-Analytics. Attach it to the Google Analytics tag. The tag will fire when Secure Privacy signals consent. Repeat for each additional service, creating one trigger per service.
Deep dive: How to Block Cookies in Google Tag Manager Using Secure Privacy Consent Event Triggers — full walkthrough of the custom event trigger pattern, including the multi-trigger edge case.
Multiple triggers on one tag? If a tag uses more than one trigger (e.g. it fires on Page View AND on a custom event), additional configuration is required to ensure consent gates apply to all firing paths. See the linked article for details.
7. Google Consent Mode v2 for EU/EEA Visitors
If you run Google Ads, Google Analytics, or any other Google advertising product and serve EEA visitors, Google Consent Mode v2 (GCM v2) is mandatory as of March 2024 under Google's EU User Consent Policy. It is not a replacement for a CMP — it is an additional signal layer that tells Google tags how to behave based on the consent your CMP collects. Full comparison article is here - Google Consent Mode: Basic vs Advanced — Complete Guide for GDPR & CCPA Compliance
Basic Mode vs Advanced Mode
Basic Mode
Advanced Mode

Tags before consent
Completely blocked — no data sent to Google
Tags fire but send only anonymous, cookieless pings

Conversion modelling
Limited
Enhanced — Google can model unobserved conversions

Data gaps
Significant before consent
Minimal — cookieless pings partially fill the gap

GDPR risk
Lower (nothing fires pre-consent)
Acceptable if cookieless pings do not constitute personal data processing

Recommended for
Strict DPAs (Germany, France) or very conservative legal advice
Most EU/EEA use cases

The seven GCM v2 consent parameters
Parameter
Controls
New in v2?
EEA default (best practice)

ad_storage
Advertising cookies
No
denied

analytics_storage
Analytics cookies
No
denied

functionality_storage
Functional cookies (not used often)
No
denied (non-essential)

personalization_storage
Personalisation cookies (not used often)
No
denied

security_storage
Security cookies (not used often)
No
granted (essential)

ad_user_data
Sending user data for advertising
Yes
denied

ad_personalization
Personalised advertising
Yes
denied

Secure Privacy automatically maps its consent categories to all seven GCM v2 parameters — no manual mapping is needed.
Configuring default consent states by region
GCM v2 supports per-region default states using ISO 3166-2 country codes (e.g. DE for Germany, FR for France, US-CA for California). This allows you to set stricter defaults for EEA visitors while using different defaults elsewhere.
In the Secure Privacy GTM template, add a setting for each region under Default Consent Settings:
Region: DE  →  ad_storage: denied | analytics_storage: denied | ad_user_data: denied | ad_personalization: denied
Region: FR  →  ad_storage: denied | analytics_storage: denied | ad_user_data: denied | ad_personalization: denied
Region: all →  ad_storage: denied | analytics_storage: denied | ad_user_data: denied | ad_personalization: deniedApproach by DPA strictness level
Not all EU regulators apply the same standard. Adjust your GCM v2 configuration to match the strictness of the DPA(s) most likely to investigate your processing:
Standard EU/EEA (most countries)
Use Advanced Mode. Set all non-essential parameters to denied by default. Google tags fire pre-consent but send only cookieless aggregate pings — no personal identifiers stored. Consent updates are passed to Google when the visitor interacts with the banner.
Strict DPAs — Germany (BfDI / state DPAs), France (CNIL), Netherlands (AP)
These authorities have historically taken the most aggressive stance on analytics consent requirements and, in some decisions, have questioned whether even cookieless pings constitute personal data processing. For these jurisdictions, consider:
- Basic Mode: Google tags do not fire at all until consent is granted. Eliminates any pre-consent data transfer to Google entirely. Significant analytics data loss until the visitor accepts.

- Alternatively, in Advanced Mode, configure analytics_storage and ad_storage with "Additional Consent Required" signalling and apply regional overrides scoped to DE and FR so that tags are fully suppressed in those markets only.

Consulting your DPO or legal counsel for a final determination is a must!! — the right choice depends on your advertising spend, risk appetite, and whether you have a local establishment in those jurisdictions.
How to verify GCM v2 is working
After deployment, verify the consent signal using browser DevTools:
Step 1 — Check the pre-consent gcs parameter
Open DevTools, go to the Network tab, and filter by collect. Clear all cookies and reload the page without interacting with the banner. Inspect the outbound collect request — the gcs parameter should show G100 (all denied).
Step 2 — Confirm the post-consent update
Accept the banner and confirm gcs updates to G101 (analytics granted) or G111 (all granted).
You can also inspect the dataLayer in the browser console:
window.parent.dataLayerLook for consent events to confirm default states were set at initialisation and that updates are recorded after visitor interaction.
8. Ongoing GDPR Cookie Audits & Maintenance
A cookie compliance configuration is not a one-time task. Marketing teams add pixels, developers integrate new analytics tools, and CMS plugins update themselves — all without triggering a compliance review. The following cadence is the minimum required to maintain defensible GDPR compliance:
- After every third-party script, pixel, or integration change — trigger a fresh scan immediately and verify blocking status before releasing to production

- After any CMS, plugin, or theme update — re-verify that script load order has not been altered, especially if caching or performance plugins were involved

- Quarterly — full scan even if no changes are known; shadow IT additions are common

- After GTM container changes — verify all new tags are attached to consent-based triggers, not the generic All Pages trigger

For a complete ongoing compliance checklist, see Ongoing Checkups & Best Practices for Compliance.
9. Additional Compliance Considerations
The preceding sections cover the core cookie-blocking workflow. The following areas sit outside that workflow but are equally capable of creating GDPR exposure. Each deserves a deliberate decision, not a default.
9.1 Meta Consent Mode & Microsoft Consent Mode
Google Consent Mode is not the only platform-level consent API that requires explicit configuration. Both Meta (Facebook/Instagram) and Microsoft (Bing Ads, Microsoft Advertising, Clarity) have introduced their own consent mode mechanisms that govern how their tags and pixels behave in the absence of user consent. If you run advertising or analytics on either platform, enabling the corresponding consent mode is a separate requirement — configuring Google Consent Mode alone does not cover Meta or Microsoft signals.
Without Meta Consent Mode enabled, the Meta Pixel and Conversions API continue to send data to Meta regardless of the consent state recorded by your CMP. Without Microsoft UET Consent Mode, the Universal Event Tracking tag defaults to active tracking even when a visitor has declined advertising cookies. Microsoft now requires explicit consent from EU/EEA users before using first- and third-party cookies for advertising — making UET Consent Mode mandatory, not optional, for advertisers serving those markets.
Secure Privacy enables both modes from the dashboard, without custom code.
- Meta Consent Mode: How It Works & How to Enable It with Secure Privacy — covers Meta Pixel and Conversions API consent integration, regional configuration, and verification steps.

- How to Enable Microsoft UET Consent Mode with Secure Privacy — covers Microsoft Advertising UET tag consent integration; defaults ad_storage to denied for EU/GDPR regions automatically.

- How to Set Up Microsoft Clarity Consent Mode with Secure Privacy — covers Microsoft Clarity's separate consent commands; recommends the stop default state for EU/EEA regions.

9.2 IAB Transparency & Consent Framework (TCF 2.2)
If your website uses programmatic advertising — ad exchanges, SSPs, or DSPs that rely on standardised consent signals to decide whether to serve personalised ads — your CMP may need to support the IAB Transparency & Consent Framework (TCF). TCF defines a structured consent string format that is passed between your CMP, publishers, and the ad tech ecosystem so that every participant in the ad-serving chain can act on the visitor's consent choices.
TCF is not required for direct-tag setups (e.g. a single Google Ads tag managed in GTM) — it is relevant when you have a header bidding stack, an ad server, or third-party demand partners that read IAB consent strings. Be aware that several DPAs, including the Belgian DPA, have found specific aspects of TCF's implementation to be in breach of GDPR. If you operate under TCF, monitor DPA guidance actively and ensure your vendor list is kept current.
IAB Transparency and Consent Framework (TCF) Explained – GDPR Compliance Risks and Secure Privacy's Alternative Approach — covers what TCF is, how it interacts with Google Consent Mode, known DPA enforcement concerns, and when Secure Privacy's GCM-based approach is a simpler, lower-risk alternative.
9.3 Consent Re-collection & Validity Periods
Consent is not permanent. GDPR requires that consent be renewed whenever the purposes for which cookies are used change materially — for example, adding a new advertising network, switching analytics providers, or expanding cookie use to cover new categories. A visitor who consented to Google Analytics six months ago has not consented to a LinkedIn Insight Tag you added last week.
Regulatory guidance on maximum consent duration varies by authority. The CNIL (France) sets a ceiling of 13 months before re-consent must be sought; Irish DPC guidance for analytics cookies suggests a practical maximum closer to 6 months. As a baseline: any consent record older than 12 months should be treated as expired and visitors should be prompted again on their next session.
Practically, this means your implementation should:
- Store the timestamp of each consent decision alongside the decision itself

- Re-present the banner to returning visitors once their consent record has aged past your configured renewal threshold

- Re-present the banner any time you add a new cookie category or materially new service that was not disclosed at the time the original consent was collected

Secure Privacy logs a timestamped record of every consent decision in the Consent Dashboard. Defaults are correlated to the Template configuration, where most of the templates are set to 12 months, some 6 and most of the US to "Do not store". More information in this article here -
How to Change the Data Retention Period for a Legal Template in Secure Privacy
For guidance on how long to retain those records for your configuration — please consult your DPO or legal team — as this is an area where your legal or DPO team should set the threshold based on your processing activities and the DPAs most likely to scrutinise your site.
9.4 The "Consent Wall" — When Your Banner Becomes Invalid
A consent wall is any design that conditions access to website content on the visitor accepting non-essential cookies — "accept tracking or leave." The EDPB's Guidelines 05/2020 on consent are explicit: consent is not freely given if refusal results in a significant detriment to the user, and blocking access to a website constitutes exactly that detriment. A consent wall therefore produces invalid consent under GDPR, regardless of how well the underlying blocking and auditing is configured.
The same principle applies to subtler designs: pre-ticked boxes, dark patterns that make "Reject All" harder to reach than "Accept All," and banners that frame declining as an error or interruption all risk invalidating consent. The EDPB and national DPAs — particularly the CNIL, the Italian Garante, and the Irish DPC — have issued specific enforcement decisions on banner design and treat these patterns as violations independent of whether cookies are technically blocked correctly.
Practically: ensure your banner presents accept and reject options with equal visual prominence and equal number of clicks. There is no dedicated Secure Privacy support article on this topic; refer to EDPB Guidelines 05/2020 on Consent and your DPO for banner design review.
Frequently Asked Questions
Do I need to block cookies before the consent banner appears under GDPR?
Yes. GDPR Article 6 and the ePrivacy Directive require that non-essential cookies — including analytics and advertising cookies — must not be set until a visitor has given explicit prior consent. A banner that appears while tracking scripts are already running in the background is not compliant. The cookie must not be written to the visitor's device until consent is actively recorded.
Which cookies require prior consent under GDPR?
Any cookie that is not strictly necessary for a service explicitly requested by the user requires prior consent. This includes any of the mentioned cookie before, like Google Analytics (_ga, _gid), Facebook/Meta Pixel (_fbp, fr), Google Ads/DoubleClick (IDE, NID), YouTube (VISITOR_INFO1_LIVE), and LinkedIn Insight Tag cookies. Strictly necessary cookies — session authentication, shopping cart, security tokens — are exempt, because without these services - the very basic functionality of any website will be broken and it becomes unuable.
Why are my cookies still loading before the consent banner appears?
The most common causes are: (1) the Secure Privacy script is loading after the third-party scripts it is supposed to block — script load order is the most overlooked compliance detail; (2) the Secure Privacy script is using the async attribute instead of defer, creating a race condition; (3) a caching or performance plugin (such as WP Rocket) has reordered or re-attributed the scripts; or (4) a new script or pixel was added to the site after the last Secure Privacy scan, so it was never detected and added to the blocking configuration.
What is the difference between async and defer for cookie consent compliance?
Scripts with the async attribute execute as soon as they finish downloading — in no guaranteed order. If a Google Analytics script downloads faster than your CMP, it fires before consent is checked: a compliance violation. Scripts with defer download in parallel but execute in DOM order after HTML parsing completes. If Secure Privacy is the first deferred script in <head>, it always executes first. Always use defer on the Secure Privacy script — never async.
Does Google Consent Mode v2 replace the need for a cookie consent banner or CMP?
No. Google Consent Mode v2 is an additional signal layer that tells Google tags how to behave based on consent your CMP collects — it does not itself collect or record consent from the visitor. A compliant CMP (such as Secure Privacy) is still required to present the banner, record the visitor's choice, and block non-essential cookies until that choice is made. GCM v2 and a CMP work together; neither replaces the other.
How often should I rescan my website for GDPR cookie compliance?
At minimum: immediately after every third-party script, pixel, or integration change; after any CMS, plugin, or theme update; after any Google Tag Manager container change; and at least once per quarter even if no known changes occurred. Automatic blocking only covers what the most recent scan detected — any script added after the last scan will not be blocked.
Quick Reference: All Related Guides
Guide
What it covers

Cookies Loading Before Consent? How to Fix Pre-Consent Cookie Loading
Identifying cookies that fire before consent; scan report walkthrough; GDPR compliance checklist

Automatic Cookie Blocking Explained (CMP v1 — steps apply, screenshots outdated)
How the MutationObserver blocking engine works; blocking modes; adding scripts to the blocking configuration

How to Manually Block Cookies Not Blocked Automatically (CMP v1 — steps apply, screenshots outdated)
Reading the red ✗ indicators in scan reports; Tag Blocking configuration; rescan verification

How to Set Up Manual Script and iframe Blocking (CMP v1 — steps apply, screenshots outdated)
Script type rewriting; sp-consent + data-src iframe pattern; YouTube/Vimeo blocking

How to Block Cookies in GTM Triggers Using Consent Conditions
Custom JavaScript variable pattern; sp.checkConsent(); adding consent conditions to existing triggers

How to Block Cookies in GTM Using Secure Privacy Consent Event Triggers
sp-consent custom event trigger pattern; one-trigger-per-service setup; multi-trigger edge case

Meta Consent Mode: How It Works & How to Enable It with Secure Privacy
Meta Pixel and Conversions API consent integration; regional configuration; verification steps

How to Enable Microsoft UET Consent Mode with Secure Privacy
Microsoft Advertising UET tag consent; EU ad_storage denied by default

How to Set Up Microsoft Clarity Consent Mode with Secure Privacy
Clarity consent commands; stop default for EU/EEA regions

IAB TCF Explained – GDPR Compliance Risks and Secure Privacy's Alternative Approach
TCF overview; DPA enforcement concerns; when GCM-based approach is the lower-risk alternative

---

# CIPA vs. CCPA: How to Review Your California Consent Banner and CMP Settings in Secure Privacy

URL: https://support.secureprivacy.ai/article/cipa-vs-ccpa-cmp-and-consent-banner-changes-in-secure-privacy
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-11T11:32:00+00:00
Updated: 2026-03-26T01:42:12.404+00:00
Reading Time: 11 minutes
Summary: Does your CCPA banner cover CIPA wiretapping risk? Review four Secure Privacy settings — Consent Type, banner buttons, cookie widget, and Preference Center — in minutes.

California's wiretapping law — the California Invasion of Privacy Act (CIPA) — is creating a new wave of legal scrutiny for websites that use session replay tools, chat widgets, form analytics, and third-party tracking scripts. If your site serves California visitors, and those tools activate before a user has knowingly agreed to them, you may be exposed to CIPA liability under Penal Code sections 631 and 632 — even if you already have a CCPA-compliant consent banner in place.
That is the gap many website and legal teams are discovering right now. A standard CCPA opt-out consent model was designed for privacy rights and data disclosures. It was not necessarily designed with CIPA's interception standard in mind — and updating it often means revisiting whether an implicit opt-out approach is still appropriate for every technology on your site.
The instinct is to buy a new platform. In practice, the fix is almost always simpler: review and update the California template you already have in your consent management platform (CMP). If you use Secure Privacy, all four of the controls you need already exist — they just need to be checked against your current website stack and legal position.
By the end of this article, you will know exactly which four settings to review in Secure Privacy, what to look for in each one, and how to bring your California consent banner into alignment with both CCPA privacy requirements and the higher consent standard that CIPA questions are raising.
Who Is This Article For?
This guide is written for website managers, legal ops teams, and privacy engineers who already have a California consent banner live on their site — and who want to review whether that setup still reflects the tools running on the site, the current legal landscape in California, and their company's privacy disclosures. You do not need to replace your CMP. You need to know which settings to check.
CIPA vs. CCPA: What Website Teams Actually Need to Know
Many companies already use a California CCPA template in their CMP and assume the setup is complete. In practice, website teams are now revisiting those configurations as they compare CCPA privacy requirements with CIPA-related website risk questions.
That review usually does not mean replacing your CMP. It means checking whether the existing template in Secure Privacy is configured the right way for the tools running on the site.
At a high level:
- The CCPA focuses on privacy rights and disclosures, including notice at collection and the right to opt out of the sale or sharing of personal information. See California Civil Code sections 1798.100, 1798.120, and 1798.135.

- The California Invasion of Privacy Act (CIPA) raises separate questions under California Penal Code sections 631 and 632, which address interception and recording of communications.

For website teams, the practical question is:
Does your California banner setup still reflect what your site actually loads, tracks, and shares?
In Secure Privacy, there are four settings areas worth reviewing first.
Four Consent Banner Settings to Review in Secure Privacy
Step 1 — Review the Consent Type: Opt-In vs. Opt-Out for Your California Template
If your current California template was built mainly for CCPA rights management, the first setting to revisit is Consent Type.
In Secure Privacy, the California template supports:
- Explicit [Opt-in] — no tracking until the user actively accepts

- Implicit [Opt-out] — tracking proceeds by default until the user declines

If the template is currently set to Implicit [Opt-out], website teams may want to re-check whether that still fits all technologies running on the site — especially tools that go beyond basic analytics. That review is especially relevant for services such as:
- session replay tools

- chat widgets

- form analytics

- call tracking or call recording tools

- advertising or conversion pixels

- embedded third-party tools

The point is not that every service should automatically be moved to the same model. The point is that tools previously allowed under a broad opt-out setup may now need a more deliberate review — particularly any tool that could be characterised as intercepting or recording communications under CIPA.
Where to update this in Secure Privacy: Template → Settings → Consent Type
In Secure Privacy, website teams can review the California template's Consent Type and switch between Implicit [Opt-out] and Explicit [Opt-in] to match their current legal position.
Step 2 — Update the Cookie Banner to Eliminate Dark Patterns and Surface a Clear First-Layer Choice
Once the Consent Type is reviewed, the next place to look is the Cookie banner tab.
If your team wants users to make a clearer privacy choice, the first layer should be reviewed for:
- banner text

- accept button text

- decline button text

- customize button text

- category visibility

The California Privacy Protection Agency regulations state that agreement obtained through dark patterns does not constitute valid consent. The full regulations are published at CPPA Regulations — cppa.ca.gov. That makes button setup important: if the site is relying on consent for any category or service, website teams should review whether users can actually see and use the available choices.
What to review in the banner
- Is the Accept button text still too generic — for example, just "Okay"?

- Is the Decline button text enabled and visible?

- Is the Customize button text enabled so users can open the preference center?

- Are advanced categories turned on if you want users to make more granular selections?

Where to update this in Secure Privacy: Template → Cookie banner
Use the Cookie banner settings in Secure Privacy to surface Accept, Decline, and Customize options more clearly — and avoid CPPA dark-pattern concerns.
Suggested implementation review
If your current CCPA template uses an accept button labeled "Okay," no visible decline text, and no visible customize text, the setup likely deserves a second look. A practical update is to make the available user actions more explicit in the banner itself.
Step 3 — Update the Cookie Widget to Surface "Do Not Sell or Share" or "Your Privacy Choices" for California Users
After the banner is dismissed, many teams rely on the floating cookie widget as the persistent re-entry point for users who want to revisit their privacy choices. In Secure Privacy, this is controlled in the Cookie widget section of the Template.
The widget label often becomes the ongoing California privacy entry point for users. If the current widget text is too generic, website teams may want to review whether it should be more specific. Common labels teams evaluate include:
- Do Not Sell

- Do Not Sell or Share

- Your Privacy Choices

- Cookie Settings

Which text is appropriate depends on how the company is presenting its California privacy choices and how the preference center is configured. "Do Not Sell or Share" reflects the CCPA/CPRA language introduced by Proposition 24; "Your Privacy Choices" is a broader option accepted by CPPA guidance.
Where to update this in Secure Privacy: Template → Widget → Button text / Widget text
The Cookie widget text in Secure Privacy can be updated to reflect the California privacy choice you want to surface — such as "Do Not Sell or Share" or "Your Privacy Choices" — after the banner is closed.
This is one of the simplest changes to make, and one of the most visible to California users.
Step 4 — Review the Preference Center Labels and Descriptions to Match Your Actual Website Stack
If the banner points users into a preference center, the content of that experience should also be reviewed. In Secure Privacy, the Preference center lets you edit the tab names and descriptive copy shown to users — giving teams a place to align the consent experience with their actual privacy disclosures.
What to review in the Preference Center
- tab names

- descriptions

- privacy policy references

- category labels

- whether the wording still matches the services enabled on the site

For example, if your template language says only that the site uses cookies, but the site also uses chat, replay, or form-related tools, teams may want to review whether the wording remains accurate for users who are making a consent decision.
Where to update this in Secure Privacy: Template → Preference center
Use the Preference center in Secure Privacy to align tab labels, descriptions, and privacy links with the current website setup and the technologies you have deployed.
This is also the right place to review whether the user-facing privacy journey is too generic for the technologies actually in use on your site.
Where to Start: A Priority Review Checklist for Website Teams
If your California template has been live for a while, start with the items most likely to have been approved years ago as a standard business choice:
- analytics and measurement scripts

- ad and conversion pixels

- session replay tools

- chat services

- embedded third-party widgets

- form and lead-capture tools

Then compare those tools against your current Secure Privacy configuration:
- Is the template using the right Consent Type? (opt-in vs. opt-out)

- Does the banner show a clear first-layer choice? (accept, decline, and customize all visible)

- Is the Cookie widget labeled clearly enough for California users? (Do Not Sell or Share / Your Privacy Choices)

- Does the Preference Center language still match the tools on the site?

That review keeps the focus where it belongs: on implementation, not on platform replacement.
Why This Matters for Secure Privacy Users
The value of a consent management platform is not just that it displays a banner. The value is that it gives website teams a controlled place to update consent behavior, user-facing text, ongoing privacy access points, and preference-center content — without a development cycle. In Secure Privacy, those controls already exist in the California template. The practical work is making sure they still reflect your legal review, your website stack, and your current privacy choices.
Conclusion
A CIPA vs. CCPA review for your website almost never starts with buying a new platform. It starts with checking whether the existing California consent banner template is still configured correctly for the tools you are running today.
For most Secure Privacy users, the highest-impact updates are:
- reviewing Consent Type (opt-in vs. opt-out)

- updating banner buttons and text to eliminate dark patterns

- changing the Cookie widget label to "Do Not Sell or Share" or "Your Privacy Choices"

- revising the Preference Center copy to match the current website stack

Those four changes will usually tell you very quickly whether your California consent management setup still matches the site you are operating today.
Frequently Asked Questions
Does my CCPA consent banner also cover CIPA?
Not automatically. A standard CCPA consent banner is designed to give users notice and an opt-out right for the sale or sharing of personal information. CIPA (California Penal Code §§ 631–632) raises a separate question about whether tools that intercept or record communications — such as session replay, chat widgets, or call tracking — are operating with the user's prior consent. If those tools activate before a user has affirmatively agreed, an opt-out-only banner may not satisfy CIPA's standard. Reviewing your Consent Type in Secure Privacy is the starting point.
Do I need to switch from opt-out to opt-in for California users?
CCPA does not require opt-in consent as a baseline. However, if your site uses tools that could be categorised as intercepting communications under CIPA — such as session replay, live chat recording, or certain form analytics — your legal team may recommend opt-in consent for those specific categories or technologies. In Secure Privacy, you can set the California template to Explicit [Opt-in] for all categories, or review which tool categories warrant the higher standard.
What is a dark pattern in a cookie consent banner?
Under the California Privacy Protection Agency (CPPA) regulations, a dark pattern is a user interface design that subverts or impairs a user's ability to make a free and genuine choice — for example, making the "Accept" button prominent and brightly coloured while hiding the "Decline" button, or not showing a decline option at all on the first layer. The CPPA has stated that consent obtained through dark patterns is not valid. Reviewing your banner's button text and visibility in Secure Privacy's Cookie banner settings is the practical fix.
Should the Cookie widget say "Do Not Sell" or "Do Not Sell or Share"?
"Do Not Sell or Share My Personal Information" is the more current phrasing, reflecting the CPRA (Proposition 24) amendments to CCPA that added a right to opt out of sharing for cross-context behavioural advertising. "Do Not Sell" was the original CCPA language. The CPPA also accepts "Your Privacy Choices" as an alternative label. Which you use depends on your company's privacy disclosures and legal guidance. In Secure Privacy, the Cookie widget text can be updated directly under Template → Widget.
How often should I review my California consent banner configuration?
A good rule of thumb is to review your California consent banner configuration whenever you add or remove a technology from your website stack, after any significant change in California privacy regulations or CPPA guidance, and at least annually as a routine audit. Because CIPA litigation often targets tools that were added to a site without updating the consent layer, keeping the banner configuration in sync with the actual website stack is the most practical risk-reduction step.
Primary Sources
- California Civil Code § 1798.100 — Right to Know (leginfo.legislature.ca.gov)

- California Civil Code § 1798.120 — Right to Opt Out (leginfo.legislature.ca.gov)

- California Civil Code § 1798.135 — Opt-Out Methods (leginfo.legislature.ca.gov)

- California Penal Code § 631 — CIPA Wiretapping (leginfo.legislature.ca.gov)

- California Penal Code § 632 — CIPA Recording (leginfo.legislature.ca.gov)

- California Privacy Protection Agency (CPPA) Regulations — cppa.ca.gov

Related Articles
- Setting Up Your California CCPA Template in Secure Privacy[?]

- Opt-In vs. Opt-Out Consent: When to Use Each in Your CMP[?]

- Configuring the Do Not Sell or Share Button for CCPA Compliance

- CPPA Dark Pattern Rules: What Your Cookie Banner Must Avoid[?]

---

# Healthcare GDPR Compliance – Special Category Health Data, Article 9 Requirements, and DPO Guidance

URL: https://support.secureprivacy.ai/article/industry-specific-dpo-guidance-healthcare
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:30:00+00:00
Updated: 2026-03-22T01:21:41.705+00:00
Reading Time: 6 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR compliance for healthcare — covering Article 9 special category health data, patient rights, research data use, telemedicine, and clinical access controls.

Healthcare organizations process some of the most sensitive personal data of any sector — including patient medical records, genetic data, mental health records, and biometric data, all classified as special category data under GDPR Article 9. Processing this data requires satisfying both a lawful basis under Article 6 and an additional condition under Article 9(2), alongside national healthcare data protection laws, professional confidentiality obligations, and sector-specific regulatory requirements. Your Secure Privacy DPO provides specialized guidance for navigating this complex landscape — from access controls and patient rights through to research data use and telemedicine compliance.

Who Is This For?

  - Data Protection Officers and privacy managers in healthcare organizations managing GDPR Article 9 compliance

  - Clinical and administrative teams processing patient health data across electronic health record systems

  - Legal and compliance teams reviewing data sharing arrangements, research protocols, and vendor agreements

  - IT and information governance teams implementing access controls and security measures for health data systems

GDPR Healthcare Special Category Data: Key Categories and Considerations

Healthcare organizations process multiple types of special category data, each with distinct compliance requirements under GDPR Article 9:

  
    
    
    
  
  
    
      Data Type

      GDPR Classification

      Special Compliance Considerations

    

    
      Patient medical records

      Special category — health data

      Requires Article 9(2) condition; strict role-based access controls; long statutory retention periods

    

    
      Genetic data

      Special category

      Additional protections under national law in many jurisdictions; purpose limitation is critical

    

    
      Biometric data used for identification

      Special category

      Special category status applies only when used to uniquely identify an individual

    

    
      Mental health records

      Special category — health data

      Heightened confidentiality requirements; access more restricted than general health data in many jurisdictions

    

    
      Staff health screening results

      Special category — health data

      Employment law considerations; limited to occupational health purposes; strict access restrictions

    

  

DPO Focus Areas for Healthcare GDPR Compliance

Lawful bases and Article 9(2) conditions

Your DPO identifies the correct Article 9(2) condition for each health data processing activity — most commonly healthcare provision under Article 9(2)(h), public health under Article 9(2)(i), explicit consent under Article 9(2)(a), or substantial public interest. Both an Article 6 lawful basis and an Article 9(2) condition must be documented for every processing activity involving health data.

Data minimization in clinical systems

Your DPO advises on collecting only the health data strictly necessary for the specific treatment, administrative, or research purpose — reviewing clinical system configurations, intake forms, and data collection points to remove unnecessary fields and prevent over-collection.

Role-based access controls for patient data

Your DPO works with IT and clinical governance teams to implement and audit role-based access controls that restrict patient data access to authorized personnel only — ensuring clinical staff can access only the records necessary for their specific care role.

Data sharing between healthcare providers, insurers, and researchers

Your DPO manages the legal framework for health data sharing — including Data Processing Agreements, data sharing agreements, and appropriate Article 9(2) conditions for each sharing arrangement — covering referrals, multi-disciplinary care, insurance processing, and research collaborations.

Medical research and patient data use

Your DPO advises on the use of patient data for clinical research, epidemiological studies, and quality improvement — including requirements for anonymization, pseudonymization, ethics committee approvals, and the research exemptions available under GDPR Article 9(2)(j) and applicable national research law.

Telemedicine and remote healthcare data protection

Your DPO reviews telemedicine platforms for GDPR compliance — including security of video consultation data, cross-border data flows, patient consent mechanisms, and the obligations of technology vendors as data processors under GDPR Article 28.

Patient rights in a clinical context

Your DPO ensures processes are in place for patients to exercise their GDPR data subject rights — including access requests that may require clinical judgment about disclosure, erasure requests that conflict with statutory medical record retention obligations, and objection rights in research contexts.

Healthcare GDPR Compliance Requirements and DPO Recommendations

Conduct DPIAs for all new clinical systems and data sharing arrangements

Any new system or arrangement involving large-scale health data processing is highly likely to require a Data Protection Impact Assessment under GDPR Article 35. Your DPO conducts pre-screening and manages the full DPIA process before deployment.

Implement clinical staff data protection training

Clinical staff handle special category data daily — often under time pressure and across multiple systems. Your DPO delivers role-specific training covering health data handling obligations, incident reporting procedures, and patient rights responses tailored to the clinical environment.

Establish clear research data use policies

Your DPO develops documented policies for the use of patient data in research, covering consent or waiver requirements, anonymization standards, data access governance, and obligations under applicable clinical research regulations alongside GDPR.

Comply with national healthcare data protection laws

GDPR is supplemented by national healthcare data protection legislation in many EU member states — imposing additional obligations on health data processors beyond the GDPR baseline. Your DPO identifies and monitors the applicable national requirements for your jurisdiction.

Maintain detailed records of all health data processing activities

Given the sensitivity of health data and the frequency of supervisory authority scrutiny in the healthcare sector, maintaining a current and comprehensive ROPA covering all health data processing activities is essential. Your DPO creates and maintains these records as part of your ongoing compliance program.

Review electronic health record and medical device data processing

Electronic health record systems, connected medical devices, and interoperability frameworks all create data flows that must be assessed for GDPR compliance — including vendor DPA coverage, data residency requirements, and purpose limitation controls. Your DPO oversees these assessments as part of the annual compliance review.

Frequently Asked Questions

What Article 9(2) condition is most commonly used for healthcare data processing?

The most widely applicable condition for healthcare organizations is Article 9(2)(h), which permits processing of health data for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care treatment, or the management of health systems — subject to professional secrecy obligations. Article 9(2)(i) applies to public health purposes, and Article 9(2)(j) to archiving, research, and statistical purposes in the public interest.

Can patients request erasure of their medical records?

The right to erasure under GDPR Article 17 does not apply where retention is required for compliance with a legal obligation — and healthcare organizations are typically subject to statutory minimum retention periods for medical records under national law. Where a statutory retention obligation applies, erasure requests can be refused. Your DPO advises on the correct response and ensures patients are informed of the applicable retention basis.

Does GDPR apply to anonymized patient data used in research?

Truly anonymized data falls outside the scope of GDPR, as it can no longer be used to identify an individual. However, the anonymization standard is high — pseudonymized data, which can be re-identified using a separate key, remains personal data and is subject to GDPR. Your DPO advises on whether proposed anonymization methods meet the GDPR standard before research data is treated as out of scope.

Are telemedicine platforms subject to GDPR?

Yes. Telemedicine platforms that process patient health data — including video consultation recordings, symptom data, and diagnostic information — are subject to GDPR as data processors. They must be covered by a compliant Data Processing Agreement, and your DPO should review the platform's security measures, data residency, and subprocessor arrangements before deployment.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# E-Commerce GDPR Compliance – Data Protection for Online Retail, Marketing Consent, and Cookie Management

URL: https://support.secureprivacy.ai/article/industry-specific-dpo-guidance-ecommerce-retail
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:30:00+00:00
Updated: 2026-03-22T01:19:54.297+00:00
Reading Time: 6 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR compliance for e-commerce — covering customer data, cookie consent, marketing opt-ins, payment data, vendor management, and cross-border sales.

E-commerce and online retail organizations process some of the highest volumes of personal data of any sector — including customer account data, payment card information, behavioral tracking, marketing profiles, and delivery records. GDPR, the ePrivacy Directive, and sector-specific requirements such as PCI DSS all apply simultaneously, creating a complex compliance landscape. Your Secure Privacy DPO provides targeted guidance on managing e-commerce data protection obligations — from cookie consent and marketing compliance through to vendor management and cross-border sales.

Who Is This For?

  - E-commerce operators and online retailers processing customer personal data under GDPR

  - Marketing and CRM teams managing email marketing, retargeting, and customer profiling

  - IT and development teams implementing checkout flows, tracking technologies, and analytics tools

  - Legal and compliance teams reviewing vendor agreements, privacy notices, and cross-border data flows

GDPR E-Commerce Data Types and Compliance Requirements

Online retail organizations process a wide range of personal data categories, each with its own compliance considerations:

  
    
    
    
  
  
    
      Data Type

      Processing Purpose

      Key Compliance Consideration

    

    
      Customer account data

      Account management, order processing

      Data minimization; defined retention limits post-account closure

    

    
      Transaction records

      Order fulfillment, returns, accounting

      Retention aligned with tax and accounting law obligations

    

    
      Payment card data

      Payment processing

      PCI DSS compliance; tokenization; minimize post-transaction retention

    

    
      Browsing behavior

      Personalization, analytics, A/B testing

      Cookie consent under ePrivacy Directive; profiling transparency under GDPR Article 22

    

    
      Marketing preferences

      Email marketing, retargeting, segmentation

      Valid consent management; functional opt-out mechanisms

    

    
      Delivery addresses

      Shipping and logistics

      Third-party sharing with carriers; DPA requirements for logistics providers

    

    
      Customer service records

      Support, complaints, dispute resolution

      Defined retention periods; role-based access controls for support teams

    

  

DPO Focus Areas for E-Commerce GDPR Compliance

Marketing compliance under GDPR and ePrivacy

Your DPO ensures email marketing, behavioral retargeting, and customer profiling activities comply with both GDPR consent requirements and ePrivacy Directive rules — including obtaining valid opt-in consent, maintaining suppression lists, and ensuring marketing platforms are covered by compliant Data Processing Agreements.

Cookie consent and tracking technology management

E-commerce sites typically deploy a large number of third-party tracking scripts — analytics, advertising pixels, A/B testing, and personalization tools. Your DPO oversees regular cookie audits, consent banner configuration, and Google Consent Mode V2 implementation to ensure all tracking technologies are covered by valid prior consent.

Payment data and PCI DSS coordination

Your DPO coordinates GDPR compliance requirements with PCI DSS obligations for payment data processing — advising on tokenization, data minimization post-transaction, and the correct scope of payment data retention to satisfy both frameworks simultaneously.

Third-party vendor management

E-commerce operations typically involve multiple data processors — payment providers, logistics partners, marketing platforms, analytics tools, and marketplace operators. Your DPO manages the vendor register, reviews and maintains Data Processing Agreements, and conducts regular compliance assessments for all third parties with access to customer personal data.

Cross-border sales and international data compliance

When selling to customers across different jurisdictions, additional data protection obligations may apply — including GDPR for EU customers, UK GDPR for UK customers, CCPA for California residents, and local ePrivacy rules. Your DPO advises on the applicable requirements for each market and ensures your privacy notices, consent mechanisms, and data transfer arrangements reflect your geographic footprint.

Customer profiling and automated decision-making

Personalization engines, recommendation algorithms, and dynamic pricing tools may constitute automated decision-making or profiling under GDPR Article 22. Your DPO advises on when Article 22 applies, what transparency obligations it triggers, and whether a DPIA is required before deploying profiling-based features.

Common E-Commerce GDPR Compliance Failures and How to Avoid Them

Retaining customer data indefinitely

Storing customer account and transaction data without a defined retention schedule is one of the most common e-commerce GDPR failures. Your DPO implements a documented retention policy aligned with tax law, contractual limitation periods, and the storage limitation principle under Article 5(1)(e).

Sharing customer data with marketing partners without adequate consent

Passing customer data to third-party advertising platforms or data brokers without transparent disclosure and valid consent is a significant enforcement risk. Your DPO ensures data sharing practices are disclosed in privacy notices and covered by the correct lawful basis.

Pre-checked marketing opt-in boxes at checkout

Pre-ticked marketing consent boxes do not constitute valid GDPR consent. Your DPO reviews checkout flows to ensure all marketing opt-ins are active, affirmative choices — with no default selection applied.

Failing to update privacy policies when new tracking technologies are deployed

When new analytics tools, advertising pixels, or personalization scripts are added to a website, privacy notices and cookie policies must be updated before deployment. Your DPO establishes a change management process to ensure privacy documentation is always current.

Inadequate DPA coverage for marketplace and logistics vendors

Third-party marketplace sellers and logistics providers who access customer personal data must be covered by a compliant Data Processing Agreement. Your DPO identifies gaps in vendor coverage and ensures all processors are brought into a documented GDPR compliance framework.

Privacy by Design Best Practices for E-Commerce

  - Implement privacy-by-design principles in the checkout flow — collecting only the minimum personal data required to complete the transaction

  - Use granular consent for different marketing channels — separate opt-ins for email, SMS, and push notifications rather than a single blanket consent

  - Conduct regular cookie audits as product pages, A/B tests, and third-party integrations change

  - Maintain an up-to-date vendor register with scheduled compliance reviews for all data processors

  - Provide clear, accessible privacy information at every data collection point — account registration, checkout, newsletter signup, and contact forms

Frequently Asked Questions

Does GDPR apply to e-commerce businesses based outside the EU that sell to EU customers?

Yes. GDPR applies to any organization that offers goods or services to individuals in the EU — regardless of where the organization is based. E-commerce operators targeting EU customers must comply with GDPR for all personal data collected from those customers, including appointing an EU representative under GDPR Article 27 if they have no EU establishment.

Is email marketing to existing customers lawful without new consent?

In many EU member states, the ePrivacy Directive's "soft opt-in" rule permits direct marketing to existing customers for similar products or services — without requiring fresh consent — provided the customer was given a clear opportunity to opt out at the time their data was collected and in every subsequent communication. Your DPO advises on whether the soft opt-in applies in your specific circumstances and jurisdictions.

What lawful basis should e-commerce businesses use for customer profiling?

The appropriate lawful basis depends on the nature and purpose of the profiling. Behavioral profiling for personalization may rely on legitimate interests — subject to a Legitimate Interest Assessment — or on consent where the profiling involves cookie-based tracking. Where profiling produces decisions with significant effects on individuals, GDPR Article 22 may apply, requiring explicit consent or another Article 22(2) condition.

What are the GDPR requirements for abandoned cart emails?

Sending abandoned cart emails constitutes direct marketing and requires a valid lawful basis — typically consent or the soft opt-in under the ePrivacy Directive. The customer must have been clearly informed that their data may be used for this purpose, and a functioning opt-out mechanism must be provided in every communication. Your DPO reviews abandoned cart workflows to ensure they meet both GDPR and ePrivacy requirements.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Employee Data Compliance – HR Data Lifecycle, Lawful Bases, Workplace Monitoring, and Staff Privacy Rights

URL: https://support.secureprivacy.ai/article/how-your-dpo-supports-employee-data-protection
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:30:00+00:00
Updated: 2026-03-22T00:59:23.141+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR compliance for employee data — covering HR data lifecycle, lawful bases, workplace monitoring DPIAs, and employee privacy rights.

Organizations process large volumes of employee personal data throughout the entire employment lifecycle — from recruitment and onboarding through to post-employment record retention. GDPR applies to HR data processing in the same way it applies to customer data, and national employment laws add further obligations in many jurisdictions. Your Secure Privacy DPO provides expert guidance on handling employee data lawfully, minimizing risk in high-risk areas such as workplace monitoring, and ensuring staff can exercise their data subject rights.

Who Is This For?

  - HR managers and people operations teams responsible for employee data handling and retention

  - Data Protection Officers advising on lawful bases and compliance for HR data processing

  - Legal and compliance teams reviewing employment contracts, monitoring practices, and retention schedules

  - IT and security teams managing access controls for employee personal data systems

Why GDPR Employee Data Compliance Matters

Employee personal data — including payroll records, performance reviews, health declarations, and monitoring outputs — is subject to the full scope of GDPR obligations. Unlike customer data, HR data processing often involves special category data (such as health information) and inherently sensitive contexts such as disciplinary proceedings and workplace monitoring. Mishandling employee data is a growing area of regulatory scrutiny and can result in enforcement action, employee complaints to supervisory authorities, and reputational damage.

GDPR Employee Data Lifecycle

Employee personal data flows through six distinct phases, each with its own data types, lawful bases, and compliance considerations:

  
    
    
    
  
  
    
      Phase

      Data Types

      Key Compliance Considerations

    

    
      Recruitment

      CVs, applications, interview notes, references

      Retention limits for unsuccessful candidates; transparency requirements at point of collection

    

    
      Onboarding

      ID documents, bank details, emergency contacts, health declarations

      Data minimization; secure storage; clear lawful basis for each data type

    

    
      Employment

      Payroll, performance reviews, absence records, training records

      Access controls; purpose limitation; employee rights to access and rectification

    

    
      Monitoring

      Email logs, internet usage, CCTV footage, access logs

      Proportionality assessment; DPIA requirement; transparent employee notice

    

    
      Termination

      Exit interview data, reference requests

      Defined retention schedules; data portability obligations where applicable

    

    
      Post-Employment

      Pension records, tax records, references

      Legal retention periods under national law; secure deletion after retention period

    

  

Lawful Bases for HR and Employee Data Processing Under GDPR

Your DPO advises on the correct lawful basis for each category of employee data processing. The four most relevant bases in an employment context are:

  - Contract performance (Article 6(1)(b)): Processing necessary to fulfil the employment contract — including payroll, benefits administration, and managing leave entitlements.

  - Legal obligation (Article 6(1)(c)): Processing required by law — including tax reporting, health and safety obligations, and right-to-work verification.

  - Legitimate interests (Article 6(1)(f)): Performance management, fraud prevention, and internal administration — subject to a careful balancing test to ensure employee interests are not overridden.

  - Consent (Article 6(1)(a)): Rarely appropriate in employment contexts due to the inherent power imbalance between employer and employee. Used only sparingly for genuinely voluntary activities where freely given consent can be demonstrated.

Workplace Monitoring and GDPR: High-Risk Processing

Workplace monitoring — including email surveillance, internet usage tracking, CCTV, and access log monitoring — is a high-risk area of employee data processing that frequently requires a Data Protection Impact Assessment (DPIA). Your DPO advises your organization on all aspects of lawful monitoring:

Necessity and proportionality

Assess whether the proposed monitoring is necessary to achieve its stated purpose and whether less intrusive methods could achieve the same result. Monitoring that is disproportionate to its objective is unlikely to be lawful.

Choosing least-intrusive methods

Your DPO advises on which monitoring methods are least intrusive relative to the compliance or operational objective, reducing GDPR risk while meeting legitimate business needs.

Employee transparency and notice

Employees must be clearly informed about what is monitored, why, how data is used, and how long it is retained — typically through an employee privacy notice and acceptable use policies.

Monitoring data retention periods

Monitoring outputs must not be retained longer than necessary for their stated purpose. Your DPO defines proportionate retention periods for each monitoring type.

Access controls for monitoring outputs

Access to monitoring data must be restricted to those with a legitimate need. Your DPO advises on access control frameworks to prevent misuse of sensitive monitoring outputs.

Employee GDPR Privacy Rights in the Workplace

Employees hold the same data subject rights under GDPR as any other individual. Your DPO ensures your organization has clear processes in place for employees to exercise the following rights:

  - Right of access (Article 15): Employees can request a copy of their personal data held by the employer.

  - Right to rectification (Article 16): Employees can request correction of inaccurate HR records.

  - Right to erasure (Article 17): Applicable in limited circumstances — employer legal obligations to retain records often override erasure requests.

  - Right to object (Article 21): Employees can object to processing based on legitimate interests, such as certain monitoring activities.

Your DPO advises on balancing employee rights against employer obligations — particularly where legal retention requirements or contractual obligations limit the scope of erasure or objection rights.

Frequently Asked Questions

Can employers use consent as a lawful basis for processing employee data?

Consent is rarely appropriate in employment contexts. GDPR requires that consent be freely given — but the power imbalance between employer and employee means employees may not feel able to refuse or withdraw consent without fear of consequences. Your DPO advises on identifying alternative lawful bases for employee data processing wherever consent is being considered.

Is workplace monitoring under GDPR always subject to a DPIA?

Not always, but systematic or large-scale monitoring of employees is highly likely to require a DPIA under GDPR Article 35. This includes continuous email monitoring, widespread CCTV use, and keystroke logging. Your DPO conducts a pre-screening assessment to determine whether a full DPIA is required before any new monitoring activity is introduced.

How long can employers retain employee personal data after termination?

Retention periods for post-employment data vary by data type and applicable national law. Tax and payroll records typically carry statutory retention periods of several years. Your DPO establishes a documented HR data retention schedule that aligns with both GDPR data minimization requirements and applicable legal obligations in your jurisdiction.

Do employees have the right to access their performance reviews and disciplinary records?

Yes. Under GDPR Article 15, employees can submit a Data Subject Access Request (DSAR) to obtain a copy of any personal data the employer holds about them, including performance appraisals, disciplinary records, and absence data — subject to any applicable exemptions, such as where disclosure would reveal confidential third-party information.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Lawful Bases for Processing – Article 6 Guide, Legitimate Interest Assessments, and Special Category Data

URL: https://support.secureprivacy.ai/article/dpo-advisory-on-lawful-bases-for-processing
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:29:00+00:00
Updated: 2026-03-22T01:16:22.122+00:00
Reading Time: 6 minutes
Summary: Learn the six GDPR Article 6 lawful bases for processing personal data, when each applies, how Legitimate Interest Assessments work, and what Article 9 requires for special category data.

Every personal data processing activity must be grounded in one of the six lawful bases for processing defined in GDPR Article 6. Selecting the wrong lawful basis — or failing to document the basis chosen — is one of the most common GDPR compliance failures and can invalidate an organization's entire processing activity. Your Secure Privacy DPO advises on lawful basis selection for each processing activity, conducts Legitimate Interest Assessments (LIAs) where required, and ensures the correct basis is communicated to data subjects and documented in your Record of Processing Activities (ROPA).

Who Is This For?

  - Data Protection Officers and privacy managers advising on GDPR Article 6 compliance

  - Legal and compliance teams documenting lawful bases for processing activities in the ROPA

  - Marketing teams relying on consent or legitimate interests for customer data processing

  - HR and IT teams identifying lawful bases for employee and operational data processing

Why Choosing the Correct GDPR Lawful Basis Matters

The lawful basis selected for a processing activity determines the rights available to data subjects, the conditions under which processing can continue, and what your organization must communicate in its privacy notices. Relying on the wrong basis — for example, using consent when contract performance is more appropriate — can expose your organization to enforcement action, undermine the validity of consent obtained, and create inconsistencies in your ROPA and privacy documentation that supervisory authorities will identify during investigations.

The Six GDPR Article 6 Lawful Bases for Processing

GDPR Article 6 provides six lawful bases for processing personal data. Your DPO advises on which basis applies to each of your organization's processing activities:

  
    
    
    
  
  
    
      Lawful Basis

      GDPR Reference

      When to Use

    

    
      Consent

      Article 6(1)(a)

      The individual has given clear, specific, informed, and unambiguous consent to the processing for a defined purpose

    

    
      Contract

      Article 6(1)(b)

      Processing is necessary for the performance of a contract with the individual, or to take pre-contractual steps at their request

    

    
      Legal Obligation

      Article 6(1)(c)

      Processing is necessary to comply with a legal obligation to which the controller is subject under EU or member state law

    

    
      Vital Interests

      Article 6(1)(d)

      Processing is necessary to protect the vital interests of the data subject or another person — typically life-threatening situations

    

    
      Public Task

      Article 6(1)(e)

      Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

    

    
      Legitimate Interests

      Article 6(1)(f)

      Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the individual's rights and freedoms

    

  

How Your DPO Advises on GDPR Lawful Basis Selection

Purpose analysis

Your DPO works with relevant teams to understand the specific, defined purpose of each processing activity — the starting point for identifying the most appropriate lawful basis.

Basis assessment

Your DPO evaluates which lawful basis or bases are most appropriate for the processing, considering the nature of the data, the relationship with the data subject, and any applicable legal obligations. Where multiple bases could apply, your DPO advises on the most defensible choice.

Documentation in the ROPA

The chosen lawful basis and the reasoning behind the selection are recorded in your Record of Processing Activities (ROPA) — providing the documented accountability trail required under GDPR Article 5(2).

Privacy notice update

GDPR Article 13 and 14 require that the lawful basis for processing be communicated to data subjects in your privacy notice. Your DPO ensures privacy notices are updated to reflect the correct basis for each processing activity.

Ongoing lawful basis review

Lawful bases must be reassessed when processing purposes change, new processing activities are introduced, or regulatory guidance shifts. Your DPO conducts periodic reviews and updates documentation accordingly.

Legitimate Interest Assessment (LIA): The Three-Part Test

When your organization relies on legitimate interests as its lawful basis under Article 6(1)(f), your DPO conducts a Legitimate Interest Assessment (LIA) to confirm the basis is valid and defensible. The LIA applies a structured three-part test:

  - Purpose test: Is there a genuine legitimate interest behind the processing? The interest must be real, present, and not trivial — commercial interests, security interests, and administrative efficiency can all qualify, provided they are sufficiently clear and specific.

  - Necessity test: Is the processing actually necessary to achieve the legitimate interest? If the same result could be achieved through less privacy-intrusive means, legitimate interests may not be an appropriate basis.

  - Balancing test: Do the legitimate interests of the controller override the privacy rights, freedoms, and interests of the data subject? This is the most critical part of the assessment — factors include the nature of the data, the reasonable expectations of the individual, and the potential impact of the processing.

Your DPO documents the LIA in full, providing a written record that can be produced for supervisory authorities or data subjects who exercise their right to object under GDPR Article 21.

Special Category Data: GDPR Article 9 Additional Conditions

Processing special categories of personal data under GDPR Article 9 — including health data, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, trade union membership, and genetic data — requires your organization to satisfy two separate legal requirements simultaneously:

  - A lawful basis under GDPR Article 6 for the processing activity

  - An additional condition under GDPR Article 9(2) — such as explicit consent, employment law obligations, vital interests, or substantial public interest — that specifically permits the processing of special category data

Your DPO ensures both conditions are identified, documented, and reflected in your ROPA and privacy notices before any special category data processing begins. Relying on an Article 6 lawful basis alone is not sufficient for special category data.

Frequently Asked Questions

Can an organization rely on more than one lawful basis for the same processing activity?

Organizations should identify a single primary lawful basis for each processing activity before processing begins. While it is possible to document an alternative basis in some circumstances, switching between bases after the fact — particularly switching from consent to legitimate interests when consent is withdrawn — is not permitted and is a recognized enforcement finding.

Is consent always the strongest lawful basis for processing?

Not necessarily. Consent requires ongoing management, can be withdrawn at any time, and is inappropriate in contexts where there is a power imbalance (such as employment). Where contract performance or legal obligation genuinely applies, those bases are more appropriate and more stable than consent. Your DPO advises on the most suitable basis for each activity.

What happens if an organization cannot identify a lawful basis for a processing activity?

If no lawful basis applies to a processing activity, the processing must not take place. Your DPO will advise on whether the processing can be restructured to fall within a lawful basis, whether it should be discontinued, or whether a different approach to achieving the same organizational objective is available without requiring the processing of personal data.

What is the difference between consent under Article 6(1)(a) and explicit consent under Article 9(2)(a)?

Standard consent under Article 6(1)(a) must be freely given, specific, informed, and unambiguous — and can be expressed through a clear affirmative action. Explicit consent under Article 9(2)(a) for special category data requires a higher standard — the consent must be expressed in explicit terms, typically in writing, and must clearly reference the specific type of special category data being processed.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Cookie Compliance Under GDPR and ePrivacy – Cookie Categories, Consent Requirements, and DPO Guidance

URL: https://support.secureprivacy.ai/article/dpo-guidance-cookie-compliance-consent-management
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:29:00+00:00
Updated: 2026-03-22T01:14:02.538+00:00
Reading Time: 6 minutes
Summary: Learn how Secure Privacy's DPO manages cookie compliance under GDPR and the ePrivacy Directive — covering consent categories, cookie banners, Google Consent Mode V2, and common pitfalls.

Cookie compliance sits at the intersection of the ePrivacy Directive and GDPR. While the ePrivacy Directive governs the requirement to obtain consent before placing non-essential cookies, GDPR sets the standard for what valid consent looks like — freely given, specific, informed, and unambiguous. Your Secure Privacy DPO ensures your organization's cookie practices satisfy both frameworks, working alongside the Secure Privacy Consent Management Platform (CMP) to keep your cookie banner, preference center, and consent records fully compliant.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for cookie and consent compliance

  - Marketing and analytics teams using tracking technologies, advertising cookies, or third-party scripts

  - Web developers and IT teams implementing cookie banners, consent management platforms, and Google Consent Mode

  - Legal and compliance teams reviewing cookie policies and consent mechanisms for GDPR and ePrivacy compliance

How Cookies and GDPR Interact

The ePrivacy Directive requires prior informed consent before placing non-essential cookies on a user's device. GDPR Article 7 defines the standard that consent must meet to be legally valid — including requirements for freely given consent, granular choice per cookie category, equal prominence of accept and reject options, and the right to withdraw consent as easily as it was given. Organizations that fail to align their cookie consent practices with both frameworks face enforcement risk from supervisory authorities and, increasingly, from data subject complaints.

GDPR Cookie Consent Categories

Cookies are classified into four categories based on their purpose. Consent requirements differ by category:

  
    
    
    
  
  
    
      Category

      Consent Required

      Examples

    

    
      Strictly Necessary

      No

      Session cookies, authentication, security cookies, load balancing

    

    
      Functional

      Yes

      Language preferences, user settings, accessibility options

    

    
      Analytics

      Yes

      Google Analytics, traffic measurement, A/B testing tools

    

    
      Marketing

      Yes

      Advertising cookies, social media tracking pixels, retargeting scripts

    

  

The DPO's Role in Cookie and Consent Compliance

Cookie audit review and classification

Your DPO reviews regular cookie scan results to verify that all cookies deployed on your website are correctly identified, categorized, and declared — including third-party scripts loaded by analytics and marketing tools.

Consent mechanism review

Your DPO advises on consent mechanisms to ensure they meet GDPR Article 7 requirements — including freely given consent, equal prominence of accept and reject options, granular category-level choice, and easy withdrawal.

Cookie banner and preference center implementation

Your DPO reviews cookie banner design and preference center configuration to ensure the implementation reflects best practice guidance from supervisory authorities and does not use dark patterns that nudge users toward acceptance.

Cookie policy accuracy and completeness

Your DPO reviews your cookie policy to confirm it accurately reflects all cookies in use, provides clear descriptions of each cookie's purpose and retention period, and is updated whenever new cookies are added or existing ones change.

Google Consent Mode and IAB TCF compliance

Your DPO advises on the correct implementation of Google Consent Mode V2 and IAB Transparency and Consent Framework (TCF) requirements — ensuring your CMP integration signals consent correctly to advertising and analytics partners.

Regulatory guidance monitoring

Your DPO tracks emerging cookie enforcement decisions, supervisory authority guidance, and ePrivacy Regulation developments — updating your consent framework proactively as the regulatory landscape evolves.

Cookie Consent Management Platform Integration

Your DPO works directly alongside the Secure Privacy Consent Management Platform to ensure end-to-end cookie compliance:

  - Regular cookie scanning: Automated scans identify new and changed cookies before they create compliance gaps in your consent records.

  - Consent record maintenance: All consent events are logged and stored in line with GDPR accountability requirements — providing an auditable record for regulatory inspection.

  - Opt-out mechanism verification: Your DPO verifies that reject and withdraw consent functions operate correctly across all cookie categories and do not require additional steps beyond accepting.

  - Cross-domain consent management: Where your organization operates multiple domains, your DPO ensures cross-domain consent is correctly implemented and recognized across all properties.

  - Change management: When new cookies or tracking technologies are introduced, your DPO ensures consent requirements are reviewed and updated before deployment.

Common Cookie Compliance Pitfalls Under GDPR

Pre-checked consent boxes

Pre-ticked checkboxes do not constitute valid consent under GDPR Article 7 or the ePrivacy Directive. Consent must be an active, affirmative action — silence or pre-selection is explicitly excluded.

Cookie walls blocking access without consent

Requiring users to accept all cookies as a condition of accessing content is problematic under most supervisory authority guidance, as it prevents consent from being freely given. Your DPO advises on compliant alternatives.

Incorrect cookie categorization

Classifying analytics or marketing cookies as "strictly necessary" to avoid requiring consent is a frequently cited enforcement finding. Your DPO reviews all cookie classifications to ensure they reflect the cookie's actual function.

Failing to update cookie policies when new cookies are added

Cookie policies must accurately reflect all cookies currently deployed. When new tools, scripts, or third-party integrations are added, cookie policies and consent banners must be updated before the new cookies are placed.

Incomplete or inaccurate cookie declarations

Cookie declarations must include the name, provider, purpose, and retention period for each cookie. Incomplete or generic descriptions — such as listing only cookie categories without naming individual cookies — do not satisfy transparency requirements under GDPR and the ePrivacy Directive.

Frequently Asked Questions

Does GDPR apply to cookies directly?

GDPR does not regulate cookies directly — that is the role of the ePrivacy Directive. However, GDPR sets the standard for what constitutes valid consent, which applies to cookie consent under the ePrivacy Directive. Organizations must satisfy both frameworks: ePrivacy for when consent is required, and GDPR for how that consent must be obtained and recorded.

Are analytics cookies strictly necessary?

No. Analytics cookies — including Google Analytics — are not strictly necessary for the website to function and require prior consent under the ePrivacy Directive. Supervisory authorities across the EU have consistently confirmed this position in enforcement decisions against organizations treating analytics cookies as exempt from consent requirements.

What is Google Consent Mode V2 and is it required?

Google Consent Mode V2 is Google's framework for adjusting how Google tags behave based on users' consent choices. It is required for organizations using Google Ads, Google Analytics 4, or other Google services that rely on consent signals — particularly for retaining access to modeled conversion data and audience features. Your DPO advises on correct CMP integration to ensure consent signals are passed accurately to Google's services.

How often should cookie audits be conducted?

Cookie scans should be conducted regularly — at minimum quarterly — and triggered automatically whenever significant website changes are made, new third-party scripts are added, or CMS or tag manager configurations change. Your DPO reviews scan results and advises on any reclassification or policy updates required.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Annual GDPR Compliance Audit – Scope, Process, Ratings, and How Your DPO Manages the Review

URL: https://support.secureprivacy.ai/article/annual-dpo-compliance-audit-what-is-covered
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:29:00+00:00
Updated: 2026-03-22T00:57:44.023+00:00
Reading Time: 4 minutes
Summary: Learn how Secure Privacy's DPO conducts your annual GDPR compliance audit — covering governance, security, third parties, DSARs, training, and records across an eight-stage process.

The annual GDPR compliance audit is a comprehensive review conducted by your Secure Privacy DPO to assess your organization's overall data protection posture. It evaluates existing practices against GDPR legal requirements, identifies compliance gaps, classifies findings by severity, and sets remediation priorities for the year ahead — providing documented evidence of your organization's accountability obligations under GDPR Article 5(2).

Who Is This For?

  - Data Protection Officers and privacy managers responsible for annual GDPR compliance reviews

  - Senior leadership and board members receiving audit findings and remediation plans

  - Legal and compliance teams managing data protection governance and policy frameworks

  - IT, HR, and operational teams whose processes and records are in scope for the audit

Purpose of the Annual GDPR Compliance Audit

The annual compliance audit is a structured, evidence-based assessment of how effectively your organization meets its GDPR obligations across governance, processing activities, security, third-party management, and staff awareness. Conducted by your Secure Privacy DPO, the audit produces a formal report with prioritized recommendations and a tracked remediation action plan — creating an auditable record that can be presented to supervisory authorities as evidence of proactive compliance management.

GDPR Annual Compliance Audit Scope

The annual audit covers eight core areas of data protection compliance:

  
    
    
  
  
    
      Area

      What Is Reviewed

    

    
      Governance

      Data protection policies, DPO role effectiveness, organizational structure, and accountability measures

    

    
      Lawful Processing

      Lawful bases for all processing activities, consent management practices, and legitimate interest assessments

    

    
      Data Subject Rights

      DSAR processes, response times, quality of responses, and complaint handling procedures

    

    
      Data Security

      Technical security measures, access controls, encryption standards, and incident response procedures

    

    
      Third Parties

      Vendor register completeness, Data Processing Agreements, subprocessor management, and international transfer mechanisms

    

    
      Records

      Accuracy of the Record of Processing Activities (ROPA), breach register, DPIA register, and staff training records

    

    
      Transparency

      Privacy notices, cookie policies, employee privacy notices, and fair processing information provided to data subjects

    

    
      Training

      Staff awareness levels, training completion rates, and knowledge assessment results across all employee levels

    

  

Data Protection Audit Process: Step-by-Step

Your Secure Privacy DPO follows a structured eight-stage audit process from planning through to remediation tracking:

  - Planning: Define the audit scope, schedule, and key stakeholders across the organization.

  - Evidence gathering: Collect and review relevant documentation and interview key personnel in each audit area.

  - Assessment: Evaluate actual practices against GDPR requirements, organizational policies, and documented procedures.

  - Findings: Document all findings, classify each by severity, and identify root causes where gaps exist.

  - Recommendations: Provide prioritized, actionable recommendations for remediation of identified compliance gaps.

  - Report: Deliver a comprehensive audit report to senior management, including an executive summary and detailed findings by area.

  - Action plan: Work with your team to develop a realistic remediation action plan with assigned owners and target completion dates.

  - Follow-up: Track remediation progress through scheduled check-ins and update the action plan as items are resolved.

GDPR Audit Compliance Ratings

Each audit area is assigned a compliance rating based on the findings. Ratings determine the urgency of remediation and the priority assigned in the action plan:

  
    
    
    
  
  
    
      Rating

      Description

      Action Required

    

    
      Compliant

      Meets all GDPR requirements with no significant issues identified

      Maintain current practices; review at next annual audit

    

    
      Substantially Compliant

      Minor improvements needed; no material compliance risk at present

      Address improvements within standard planning cycle

    

    
      Partially Compliant

      Significant gaps identified that require attention within a defined timeframe

      Remediation plan required with assigned owners and deadlines

    

    
      Non-Compliant

      Critical compliance failures requiring immediate intervention

      Immediate remediation required; escalate to senior leadership

    

  

Frequently Asked Questions

How is the annual GDPR compliance audit different from a DPIA?

A DPIA (Data Protection Impact Assessment) is a targeted assessment of the risks associated with a specific data processing activity, required under GDPR Article 35. The annual compliance audit is a broader, organization-wide review covering all areas of GDPR compliance — governance, security, third parties, records, training, and more. Both are part of a complete GDPR compliance program.

Is a GDPR compliance audit legally required?

GDPR does not prescribe a mandatory annual audit format, but the accountability principle under Article 5(2) requires organizations to demonstrate ongoing compliance. Supervisory authorities expect organizations to conduct regular compliance reviews and maintain documented evidence of their data protection practices. An annual audit conducted by a qualified DPO is a widely recognized way to satisfy this obligation.

Who receives the audit report?

The comprehensive audit report is delivered to senior management and, where relevant, to board-level stakeholders. The DPO also presents key findings and the remediation action plan in a scheduled leadership review meeting. A summary version may be prepared for board reporting purposes.

What happens after a non-compliant finding?

Non-compliant findings are escalated to senior leadership and trigger an immediate remediation requirement. Your DPO works with the relevant teams to define specific corrective actions, assign owners, set deadlines, and track progress through the remediation action plan. Unresolved critical findings are flagged in subsequent compliance reports until resolved.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Data Retention Policy – Storage Limitation Principle, Retention Schedules, and DPO Oversight

URL: https://support.secureprivacy.ai/article/data-retention-policies-dpo-guidance
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:29:00+00:00
Updated: 2026-03-22T01:18:05.705+00:00
Reading Time: 6 minutes
Summary: Learn how Secure Privacy's DPO builds and enforces GDPR-compliant data retention policies — covering Article 5(1)(e) storage limitation, common retention periods, deletion controls, and audit oversight.

The GDPR storage limitation principle under Article 5(1)(e) requires that personal data is kept no longer than necessary for the purposes for which it is processed. Organizations that retain personal data beyond its legitimate retention period are in direct violation of GDPR — regardless of how securely the data is stored. Your Secure Privacy DPO helps define, implement, and monitor a comprehensive data retention policy that satisfies GDPR's storage limitation requirement while accounting for legal, regulatory, and operational retention obligations.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR Article 5(1)(e) storage limitation compliance

  - Legal and compliance teams building or auditing organizational data retention schedules

  - IT and systems administrators configuring automated deletion and archiving processes

  - HR, finance, and marketing teams managing personal data with legally mandated or business-defined retention periods

Why GDPR Data Retention Compliance Matters

Retaining personal data longer than necessary is one of the most common GDPR compliance failures — and one of the most straightforward for supervisory authorities to identify. Beyond the regulatory risk, unnecessary data retention increases the organization's exposure in the event of a data breach, as data that has not been deleted cannot be compromised. A well-defined and actively enforced data retention policy reduces compliance risk, limits breach exposure, and demonstrates GDPR accountability under Article 5(2).

Building a GDPR-Compliant Data Retention Schedule

Your DPO works with your teams across the organization to create a comprehensive, documented retention schedule covering all categories of personal data:

  - Inventory all categories of personal data processed: Identify every type of personal data held across systems, databases, archives, and third-party processors.

  - Identify the lawful basis and purpose for each processing activity: Retention periods must be tied to the specific purpose for which data was collected — data cannot be retained simply because it may be useful in future.

  - Determine the minimum retention period necessary: For each data category and purpose, establish the shortest retention period that satisfies operational, contractual, and legal requirements.

  - Account for legal or regulatory retention obligations: Certain data categories are subject to mandatory minimum retention periods under employment law, tax regulations, financial services rules, or other applicable legislation.

  - Define secure deletion or anonymization procedures: Establish how data will be destroyed or irreversibly anonymized at the end of its retention period — including procedures for backups and archived copies.

  - Document the rationale for each retention period: Every retention period must be justified and recorded in the ROPA, providing a defensible audit trail for supervisory authority review.

Common GDPR Retention Period Requirements by Data Category

Retention periods vary by data type and applicable legal obligations. The following table provides indicative retention periods for common data categories — your DPO will tailor these to your organization's specific legal obligations and jurisdiction:

  
    
    
    
  
  
    
      Data Category

      Typical Retention Period

      Basis

    

    
      Employee records

      Duration of employment + 6–7 years

      Employment law, tax obligations, limitation periods

    

    
      Customer transaction data

      Duration of contract + 6 years

      Contractual claims limitation period

    

    
      Marketing consent records

      Duration of consent + 1 year

      Accountability obligations; evidence of valid consent

    

    
      CCTV footage

      30 days (unless an incident has been recorded)

      Security purposes; proportionality requirement

    

    
      Website cookies and analytics data

      As specified in cookie policy and consent

      Consent duration; purpose limitation

    

    
      Job applicant data

      6–12 months after recruitment process ends

      Discrimination claims limitation period

    

  

Implementing Data Retention Controls

Automated deletion schedules

Configure automated deletion or archiving processes in key systems — including CRM, HR platforms, email systems, and databases — to enforce retention periods without relying on manual intervention.

Retention tags and metadata

Apply retention tags or metadata to stored records at the point of creation or ingestion, enabling systems to identify and action data at the end of its retention period reliably.

Periodic retention reviews

Conduct scheduled reviews to identify personal data that has passed its retention period and has not been automatically deleted — particularly in legacy systems, shared drives, and unstructured data stores.

Legal hold procedures

Establish documented legal hold procedures for data subject to active litigation, regulatory investigation, or other legal proceedings — suspending standard deletion schedules for the duration of the hold and resuming them upon resolution.

Staff training on retention obligations

Ensure staff in data-handling roles understand their responsibilities under the organization's retention policy, including how to apply retention schedules, recognize when data should be deleted, and escalate exceptions to the DPO.

DPO Oversight of Data Retention Compliance

Your Secure Privacy DPO monitors retention compliance through regular audits covering both automated deletion processes and manual data management practices. Audit findings are documented and addressed through the compliance reporting cycle — with any deviations from the retention schedule investigated, remediated, and recorded as part of the organization's GDPR accountability documentation under Article 5(2).

Where retention periods need to be revised — due to changes in applicable law, processing purposes, or regulatory guidance — your DPO updates the retention schedule and ensures the ROPA and privacy notices are amended accordingly.

Frequently Asked Questions

What is the GDPR storage limitation principle?

GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. This is the storage limitation principle — one of the seven core GDPR data protection principles. It does not prescribe specific retention periods, but requires organizations to define and enforce them based on the purpose of each processing activity.

Can personal data be retained indefinitely if it is anonymized?

Yes. Once personal data has been irreversibly anonymized — meaning it can no longer be used to identify an individual directly or indirectly — it falls outside the scope of GDPR and is no longer subject to retention period requirements. However, the anonymization process itself must be robust and documented. Pseudonymized data, which can still be re-identified using a separate key, remains personal data and is still subject to retention obligations.

What happens when a data subject requests erasure of data that is within its retention period?

A data subject's right to erasure under GDPR Article 17 does not override legitimate retention obligations. Where data must be retained to comply with a legal obligation, to establish or defend legal claims, or for other Article 17(3) reasons, erasure can be refused — but the refusal must be communicated to the data subject with the legal basis clearly explained. Your DPO advises on the correct response to erasure requests where retention obligations apply.

Do retention periods apply to backup copies of personal data?

Yes. Backup copies are not exempt from GDPR storage limitation requirements. Organizations must ensure that personal data deleted from live systems is also deleted from backups within a defined timeframe — or that backup restoration policies prevent deleted data from being reinstated after its retention period has expired. Your DPO advises on backup retention policies and secure deletion procedures for archived data.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Contact Your DPO – Communication Channels, Response Times, and Escalation Procedures with Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-contact-and-communicate-with-your-dpo
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T20:29:00+00:00
Updated: 2026-03-22T01:29:57.463+00:00
Reading Time: 5 minutes
Summary: Learn how to reach your Secure Privacy DPO — platform, email, scheduled meetings, and emergency hotline — plus when to escalate, response times, and what regular check-ins cover.

Effective communication with your Data Protection Officer is essential for maintaining GDPR compliance and responding to data protection issues promptly. Secure Privacy provides multiple channels for reaching your assigned DPO — from the platform dashboard for tracked formal requests to an emergency hotline for data breach incidents requiring an immediate response. This guide explains which channel to use, when to contact your DPO, and how escalation works.

Who Is This For?

  - Organizations subscribed to Secure Privacy's DPO as a Service who need to contact their assigned DPO

  - Legal, compliance, and IT teams managing data protection queries, incidents, and vendor reviews

  - HR and operations teams handling data subject requests, employee complaints, or new project approvals

  - Senior leadership receiving supervisory authority communications that require immediate DPO involvement

DPO Communication Channels and Response Times

Secure Privacy provides four communication channels for reaching your DPO, each suited to different types of queries and urgency levels:

  
    
    
    
  
  
    
      Channel

      Best For

      Response Time

    

    
      Secure Privacy Platform

      Formal requests, documentation submissions, and tracked compliance queries

      Within 1 business day

    

    
      Email

      General data protection questions and non-urgent advisory requests

      Within 1–2 business days

    

    
      Scheduled Meetings

      Strategic compliance reviews, project discussions, and staff training sessions

      As scheduled — weekly or monthly

    

    
      Emergency Hotline

      Data breach incidents, urgent regulatory matters, and time-critical compliance decisions

      Within 2 hours

    

  

When to Contact Your DPO

Your DPO should be involved in any situation with data protection implications — not only when a problem has already occurred. Contact your DPO whenever:

  - You discover or suspect a data breach: Use the emergency hotline immediately — the GDPR 72-hour notification clock starts when you become aware of a potential breach, not when it is confirmed.

  - You receive a data subject rights request: DSARs, erasure requests, and objections must be acknowledged and responded to within GDPR deadlines — involve your DPO from the point of receipt.

  - You are planning a new project or system involving personal data: Privacy by Design requires DPO input at the planning stage — before development decisions are made.

  - You need to engage a new vendor or data processor: Your DPO must review and approve Data Processing Agreements before any new processor accesses personal data.

  - You have questions about data protection compliance: For any processing activity where the lawful basis, retention period, or compliance approach is unclear — consult your DPO before proceeding.

  - You receive communication from a supervisory authority: Forward any regulatory correspondence to your DPO immediately — all supervisory authority responses should be coordinated through your DPO.

  - You need to update privacy policies or notices: Changes to processing activities, new cookie deployments, or updated vendor arrangements may require privacy notice amendments — your DPO should review before publication.

  - An employee has a data protection concern or complaint: Employee complaints about data handling or privacy violations should be escalated to your DPO for assessment and response.

DPO Escalation Procedures

Use the correct escalation path based on the urgency and nature of your query:

  - Standard queries: Submit through the Secure Privacy platform or by email for routine compliance questions, policy reviews, and non-urgent advisory matters. Response within 1–2 business days.

  - Urgent matters: Send directly to your DPO by email with "URGENT" clearly marked in the subject line for time-sensitive compliance questions that cannot wait for a standard response cycle.

  - Breach incidents: Call the emergency hotline immediately — do not wait for business hours. The GDPR 72-hour notification window begins on awareness, and early DPO involvement is critical to a compliant response.

  - Supervisory authority correspondence: Forward any communication received from a supervisory authority to your DPO without delay. All regulatory responses must be coordinated through your DPO to ensure accuracy and legal compliance.

Regular DPO Check-in Meetings

In addition to reactive communication, your DPO schedules regular check-in meetings to maintain proactive oversight of your compliance program:

Open compliance action review

Each check-in includes a structured review of outstanding compliance actions from the roadmap and previous meetings — tracking progress, updating priorities, and identifying any items that have become blocked or overdue.

Upcoming project and change review

Your DPO reviews any new projects, system changes, or operational developments in the pipeline that may have data protection implications — ensuring Privacy by Design input is provided before decisions are finalized.

Regulatory updates and guidance

Your DPO provides updates on relevant regulatory developments — including new supervisory authority guidance, enforcement decisions, and changes to applicable data protection law — and advises on any action your organization needs to take in response.

Team questions and concerns

Check-in meetings provide a structured opportunity for your teams to raise data protection questions, report potential issues, and seek clarity on compliance obligations — maintaining an open channel between your organization and your DPO.

Frequently Asked Questions

What counts as an emergency requiring the hotline rather than email?

Use the emergency hotline for any situation where a delay in DPO involvement could cause your organization to miss a legal deadline or worsen a compliance exposure. This includes suspected or confirmed data breaches (where the 72-hour GDPR notification clock is running), receipt of urgent regulatory correspondence with a short response deadline, and any situation involving imminent or active unauthorized access to personal data.

Can employees contact the DPO directly, or must all contact go through a designated internal contact?

GDPR Article 38(4) requires the DPO to be accessible to data subjects — which includes your employees in their capacity as data subjects. Employees can contact your DPO directly with data protection concerns or to exercise their own data subject rights. For operational compliance queries, your organization may designate an internal privacy coordinator as a first point of contact, with escalation to the DPO as needed.

What should I do if I receive a supervisory authority letter outside business hours?

Use the emergency hotline if the correspondence indicates an immediate deadline or requires urgent action — for example, a request for information with a short response window or an enforcement notice. For standard supervisory authority correspondence received outside hours, forward it to your DPO immediately on the next business day and do not respond directly until your DPO has reviewed it.

How are DPO communications and advice documented for accountability purposes?

All formal requests submitted through the Secure Privacy platform are automatically logged and tracked — creating an auditable record of compliance queries, DPO advice, and actions taken. This documentation is part of your organization's GDPR accountability record and can be produced for supervisory authority review if needed.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Privacy by Design and Data Protection by Default – GDPR Article 25 Requirements and How Your DPO Applies Them

URL: https://support.secureprivacy.ai/article/privacy-by-design-how-your-dpo-integrates-data-protection
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:28:00+00:00
Updated: 2026-03-22T01:09:11.771+00:00
Reading Time: 5 minutes
Summary: Learn what GDPR Article 25 requires for Privacy by Design and data protection by default, the seven foundational principles, and how your Secure Privacy DPO applies them across every project phase.

Privacy by Design (PbD) is a legal obligation under GDPR Article 25, requiring organizations to integrate data protection into the design of systems, processes, and products from the outset — not as an afterthought. Article 25 also requires data protection by default, meaning that only the minimum necessary personal data is processed unless the individual actively chooses otherwise. Your Secure Privacy DPO ensures both principles are applied consistently across every new project, product, and system your organization develops or deploys.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR Article 25 compliance

  - Product managers and developers building systems or features that involve personal data processing

  - IT and security teams designing access controls, retention policies, and data minimization measures

  - Legal and compliance teams reviewing new projects for GDPR privacy requirements before launch

What Is Privacy by Design Under GDPR Article 25?

Privacy by Design is the principle that data protection must be embedded into the architecture of systems and processes from the earliest stage of design — not retrofitted after development is complete. GDPR Article 25(1) makes this a legal requirement, obligating controllers to implement appropriate technical and organizational measures both at the time of design and throughout the processing lifecycle. Organizations that launch data processing systems without a documented Privacy by Design approach risk regulatory enforcement and are unable to demonstrate GDPR accountability under Article 5(2).

The Seven Foundational Principles of Privacy by Design

Privacy by Design is built on seven foundational principles, each of which your DPO applies when reviewing new projects and systems:

  - Proactive, not reactive: Anticipate and prevent privacy-invasive events before they occur — rather than addressing them after a breach or complaint has happened.

  - Privacy as the default setting: Ensure personal data is automatically protected in any given system or process, without requiring any action from the individual.

  - Privacy embedded into design: Build data protection into the architecture and design of IT systems and business practices — not bolted on as a separate layer.

  - Full functionality — positive-sum, not zero-sum: Accommodate all legitimate interests without unnecessary trade-offs, demonstrating that privacy and functionality are not mutually exclusive.

  - End-to-end security — lifecycle protection: Protect personal data securely throughout its complete lifecycle, from collection through to secure deletion.

  - Visibility and transparency: Keep processing operations open and transparent to individuals and verifiable by supervisory authorities.

  - Respect for user privacy: Keep the interests, needs, and rights of the individual at the center of system design and processing decisions.

DPO Project Privacy Review: Privacy by Design in Practice

When your organization launches a new project, product, or system involving personal data, your Secure Privacy DPO provides structured privacy input at every phase of the project lifecycle:

  
    
    
  
  
    
      Project Phase

      DPO Input

    

    
      Planning

      Privacy requirements gathering, DPIA screening, lawful basis identification

    

    
      Design

      Data minimization review, retention planning, access control design, consent mechanism design

    

    
      Development

      Security measure validation, privacy notice drafting, DPA review for new vendors

    

    
      Testing

      Privacy testing checklist review, data protection verification before go-live

    

    
      Launch

      Final compliance sign-off and monitoring plan establishment

    

    
      Operation

      Ongoing compliance monitoring and periodic Privacy by Design reviews

    

  

GDPR Data Protection by Default: Default Settings Review

GDPR Article 25(2) requires that, by default, only personal data that is necessary for each specific processing purpose is collected, retained, and made accessible. Your DPO reviews the default settings of every new system or product to verify compliance with this requirement:

  - Only the minimum necessary personal data is collected by default — no optional fields are pre-populated or active

  - Data sharing with third parties is opt-in rather than opt-out by default

  - Retention periods are set to the minimum necessary for the stated processing purpose

  - Access to personal data is restricted by default to those with a legitimate operational need

  - Privacy notices are clear, accessible, and presented at the point of data collection

Any system that collects more data than necessary by default, or that shares data unless the user actively opts out, is non-compliant with Article 25(2) and requires remediation before launch.

Frequently Asked Questions

What is the difference between Privacy by Design and data protection by default?

Privacy by Design (Article 25(1)) requires data protection to be built into the design of systems and processes from the outset. Data protection by default (Article 25(2)) is a more specific obligation requiring that systems are configured to process only the minimum necessary personal data by default — without any action required from the individual. Both obligations apply simultaneously to all new systems and processing activities.

Does Privacy by Design apply to existing systems or only new ones?

GDPR Article 25 applies to processing activities both at the time of design and throughout the processing lifecycle. While the obligation is most clearly triggered at the design stage of new systems, organizations are also expected to review and remediate existing systems where privacy protections fall below the required standard — particularly when processing activities are significantly changed or expanded.

When should a DPIA be conducted in relation to a Privacy by Design review?

A DPIA should be initiated at the planning stage — as early in the project lifecycle as possible — before significant design decisions have been made. This allows the DPIA findings to inform design choices, rather than requiring costly changes after development is complete. Your DPO conducts a DPIA screening assessment at the planning phase to determine whether a full DPIA is required.

What happens if a product is launched without a Privacy by Design review?

Launching a system that processes personal data without implementing Privacy by Design and data protection by default measures is a direct violation of GDPR Article 25 and can result in enforcement action. It also creates downstream compliance risk — including potential DPIA obligations, breach exposure, and the cost of retrofitting privacy controls after launch. Your DPO's involvement at the planning stage prevents these risks before they materialize.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# DPO as Supervisory Authority Contact – GDPR Article 39 Regulatory Liaison, Prior Consultation, and Investigation Preparedness

URL: https://support.secureprivacy.ai/article/dpo-communication-with-supervisory-authorities
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:28:00+00:00
Updated: 2026-03-22T01:06:57.571+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR supervisory authority interactions — covering breach notification, Article 36 prior consultation, regulatory investigations, and complaint handling.

Under GDPR Article 39(1)(d-e), the Data Protection Officer (DPO) is designated as the official contact point between your organization and the supervisory authority. This covers everything from DPO registration and data breach notification to managing regulatory investigations and coordinating prior consultation under Article 36. Your Secure Privacy DPO handles all supervisory authority interactions on your organization's behalf — maintaining a constructive regulatory relationship and ensuring your organization responds effectively to any inquiry, complaint, or investigation.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for supervisory authority communications

  - Legal and compliance teams preparing for or responding to regulatory investigations or inquiries

  - Senior leadership seeking assurance that regulatory relationships are managed proactively

  - Organizations subject to GDPR that have received or anticipate complaints, breach notifications, or authority inquiries

The DPO as GDPR Supervisory Authority Contact Point

GDPR Article 39(1)(d-e) establishes two specific DPO obligations: acting as the contact point for the supervisory authority, and cooperating with the authority on all processing-related matters. In practice, this means the DPO is the named individual through whom all regulatory communications flow — from routine registration and information requests through to formal investigations and enforcement proceedings.

Types of GDPR Supervisory Authority Interactions

Your Secure Privacy DPO manages the full range of regulatory interactions on your organization's behalf:

  
    
    
    
  
  
    
      Interaction Type

      Description

      DPO Role

    

    
      Registration

      DPO contact details registered with the supervisory authority as required under GDPR Article 37(7)

      Primary named contact point for all regulatory communications

    

    
      Breach Notification

      Mandatory notification to the supervisory authority within 72 hours of a qualifying personal data breach

      Prepares and submits the notification; manages follow-up correspondence

    

    
      Prior Consultation

      Required when a DPIA indicates high residual risk that cannot be sufficiently mitigated (GDPR Article 36)

      Coordinates the consultation process and implements authority recommendations

    

    
      Complaints

      Supervisory authority forwards data subject complaints to the organization for response

      Manages the response process and works toward resolution

    

    
      Investigations

      Supervisory authority conducts a formal investigation or compliance audit of the organization

      Coordinates the organizational response and manages document production

    

    
      Inquiries

      General questions or information requests from the authority on processing activities or compliance practices

      Responds formally on behalf of the organization within required timeframes

    

  

GDPR Article 36 Prior Consultation Process

When a DPIA reveals that processing would result in a high residual risk that cannot be sufficiently mitigated by the organization alone, GDPR Article 36 requires prior consultation with the supervisory authority before processing begins. Your DPO manages this process end-to-end:

  - Compile the DPIA and supporting documentation required by the supervisory authority under Article 36(3).

  - Prepare a summary of the proposed processing activity, identified risks, and mitigation measures already implemented or planned.

  - Submit the consultation request to the relevant supervisory authority in the correct format and through the correct channel.

  - Manage communications during the consultation period — supervisory authorities have up to 8 weeks to respond, extendable by a further 6 weeks for complex cases.

  - Implement any conditions or recommendations provided by the authority before the processing activity commences.

Regulatory Investigation Preparedness

Your DPO ensures your organization is in a state of continuous investigation readiness — so that if a supervisory authority initiates an inquiry or formal investigation, your organization can respond promptly and confidently.

Maintaining organized compliance documentation

All compliance records — including the ROPA, DPIA register, breach register, and training records — are maintained in an organized, accessible format through the Secure Privacy governance platform, ready for production on request.

Keeping the ROPA and breach register current

Your DPO ensures Records of Processing Activities and breach registers are accurate and up to date at all times — two of the first documents a supervisory authority will request during an investigation.

Maintaining DSAR records

All data subject requests and their outcomes are documented and retained, providing evidence that your organization handles individual rights requests in compliance with GDPR deadlines and requirements.

Establishing an internal regulatory response protocol

Your DPO defines and maintains a clear internal protocol for handling authority requests — including escalation paths, response timelines, and document review procedures — so your organization is never caught unprepared.

Conducting regular compliance self-assessments

Proactive self-assessments identify and address compliance gaps before they become findings in a regulatory investigation — reducing enforcement risk and demonstrating good faith accountability to the authority.

Frequently Asked Questions

What does the supervisory authority do with a registered DPO's contact details?

Under GDPR Article 37(7), organizations must publish their DPO's contact details and communicate them to the relevant supervisory authority. The authority uses these details to direct all formal regulatory communications — including breach notifications, complaints, inquiries, and investigation notices — to the correct point of contact within your organization.

What triggers a prior consultation under GDPR Article 36?

Prior consultation is required when a completed DPIA indicates that the processing would result in a high residual risk to individuals' rights and freedoms, and the organization cannot implement sufficient measures to reduce that risk to an acceptable level. Your DPO assesses this threshold as part of the DPIA sign-off process and initiates consultation where required.

How long does the GDPR prior consultation process take?

Supervisory authorities have up to 8 weeks from receipt of a prior consultation request to provide written advice. This period can be extended by a further 6 weeks for particularly complex cases, with the organization notified of the extension within the initial 8-week window. Processing must not begin until the authority's response has been received and any conditions addressed.

What should an organization do when it receives a regulatory investigation notice?

Do not respond directly without involving your DPO. Your Secure Privacy DPO will review the scope of the investigation, coordinate the collection and review of relevant documentation, prepare formal responses, and manage all communications with the authority — ensuring your organization's response is accurate, legally appropriate, and submitted within required timeframes.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Vendor Compliance – Article 28 DPA Requirements, Risk Assessment, and International Data Transfers

URL: https://support.secureprivacy.ai/article/how-your-dpo-manages-third-party-vendor-compliance
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:28:00+00:00
Updated: 2026-03-22T00:53:50.261+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR vendor compliance — covering Article 28 DPA requirements, third-party risk assessment, and international data transfer obligations.

Under GDPR Article 28, organizations that share personal data with third-party vendors must ensure those vendors provide sufficient data protection guarantees — and must document those guarantees in a formal Data Processing Agreement (DPA). As the data controller, your organization remains legally responsible for how processors handle personal data. Your Secure Privacy DPO manages your vendor compliance framework from initial due diligence through ongoing monitoring and contract review.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for third-party data processor compliance

  - Legal and procurement teams reviewing vendor contracts and Data Processing Agreements

  - IT and security teams assessing the data protection practices of software and service vendors

  - Organizations subject to GDPR that share personal data with third-party processors or subprocessors

Why GDPR Vendor Compliance Matters

When your organization shares personal data with third parties, you remain fully responsible for ensuring that data is protected in line with GDPR. Selecting a processor without adequate data protection guarantees — or without a compliant DPA in place — exposes your organization to regulatory enforcement action under GDPR Article 28, regardless of whether the breach originates with the vendor.

Third-Party Vendor Assessment Process

Your Secure Privacy DPO conducts vendor assessments through a structured five-stage process:

  - Vendor inventory: Maintain a complete register of all third parties with access to personal data, including subprocessors.

  - Risk classification: Categorize vendors by the type, sensitivity, and volume of personal data they process.

  - Due diligence: Assess each vendor's data protection practices, security certifications (e.g., ISO 27001, SOC 2), and compliance track record.

  - Contract review: Ensure all Data Processing Agreements contain the mandatory clauses required under GDPR Article 28(3).

  - Ongoing monitoring: Conduct regular vendor reassessments based on risk classification to maintain continuous compliance oversight.

GDPR Article 28(3) DPA Requirements: Required Clauses

Every Data Processing Agreement must satisfy the minimum content requirements set out in GDPR Article 28(3). Your DPO reviews all vendor DPAs to confirm the following clauses are present and enforceable:

  - Subject matter, duration, nature, and purpose of the processing

  - Type of personal data being processed and categories of data subjects affected

  - Obligations and rights of the data controller

  - Requirement to process data only on documented instructions from the controller

  - Confidentiality obligations for all persons authorized to process the data

  - Appropriate technical and organizational security measures under GDPR Article 32

  - Conditions and controls for engaging subprocessors

  - Assistance obligations for responding to data subject rights requests

  - Assistance with data breach notification and DPIA obligations

  - Deletion or return of all personal data upon contract termination

  - Audit rights for the controller and cooperation with supervisory authorities

Vendor Risk Categories and Review Frequency

Your DPO assigns each vendor a risk classification based on the nature and volume of data they process. Review frequency is determined by risk level:

  
    
    
    
  
  
    
      Risk Level

      Criteria

      Review Frequency

    

    
      High

      Processes large volumes of personal or sensitive data; transfers data internationally

      Quarterly

    

    
      Medium

      Regular access to personal data as part of standard service delivery

      Semi-annually

    

    
      Low

      Limited or occasional access to personal data with minimal processing scope

      Annually

    

  

International Data Transfers and GDPR Chapter V Compliance

When vendors process or transfer personal data outside the European Economic Area (EEA), additional compliance obligations apply under GDPR Chapter V. Your DPO ensures that all international data transfers by third-party vendors are covered by an appropriate transfer mechanism, including:

  - Standard Contractual Clauses (SCCs) — the most commonly used mechanism for transfers to third countries without an adequacy decision

  - Adequacy decisions — applicable where the European Commission has determined that the destination country provides an equivalent level of data protection

  - Other approved transfer mechanisms under GDPR Article 46, such as binding corporate rules or approved codes of conduct

Your DPO reviews transfer impact assessments where required and advises on supplementary measures when SCCs alone may not be sufficient to protect transferred data.

Frequently Asked Questions

What is a Data Processing Agreement and when is it required?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor, required under GDPR Article 28 whenever a third party processes personal data on your behalf. It must be in place before any processing begins and must contain all clauses specified in Article 28(3).

What is the difference between a data processor and a data controller under GDPR?

A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller, following the controller's instructions. Under GDPR, controllers remain responsible for ensuring their processors comply with the regulation — including through a compliant DPA.

What happens if a vendor subcontracts processing to another party?

Under GDPR Article 28(2), processors must obtain prior written authorization from the controller before engaging subprocessors. Any subprocessor must be bound by the same data protection obligations as the primary processor. Your DPO reviews subprocessor arrangements as part of the vendor due diligence process.

Are Standard Contractual Clauses still valid for international data transfers after Schrems II?

Yes, but with additional requirements. Following the Court of Justice of the EU's Schrems II ruling, organizations must conduct a transfer impact assessment to verify that SCCs provide effective protection in the destination country. Where they do not, supplementary technical or contractual measures must be applied. Your DPO advises on this assessment for all relevant vendor transfers.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Staff Data Protection Training – Program Structure, Topics, and Compliance Tracking with Secure Privacy

URL: https://support.secureprivacy.ai/article/dpo-staff-training-and-awareness-programs
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:28:00+00:00
Updated: 2026-03-22T00:55:55.526+00:00
Reading Time: 4 minutes
Summary: Learn how Secure Privacy's DPO delivers GDPR staff data protection training — covering all employee levels, training topics, delivery methods, and completion tracking for regulatory accountability.

Human error remains one of the leading causes of personal data breaches. GDPR Article 39(1)(b) explicitly requires the DPO to monitor staff compliance with data protection obligations — including ensuring that employees receive adequate, role-appropriate training. Your Secure Privacy DPO designs and delivers a structured GDPR staff training program tailored to your organization, tracks completion, and reports on training metrics as part of your broader compliance accountability framework.

Who Is This For?

  - Data Protection Officers and HR teams responsible for staff compliance training programs

  - Legal and compliance managers demonstrating GDPR accountability to supervisory authorities

  - IT, marketing, and HR teams subject to role-specific data protection training requirements

  - Senior leadership and management teams with GDPR governance and breach notification responsibilities

Why GDPR Staff Data Protection Training Is Essential

Human error — including mishandled data, phishing susceptibility, and incorrect responses to data subject requests — is a primary driver of GDPR breaches. Beyond the operational risk, GDPR Article 39(1)(b) makes staff training a direct DPO obligation. Inadequate training exposes your organization to regulatory scrutiny, particularly when investigating breach incidents where employee awareness failures are a contributing factor.

GDPR Data Protection Training Program Structure

Your Secure Privacy DPO delivers a tiered training program aligned to employee roles and data protection responsibilities:

  
    
    
    
    
  
  
    
      Training Level

      Audience

      Topics Covered

      Frequency

    

    
      Foundation

      All employees

      GDPR basics, data protection principles, recognizing personal data, reporting incidents

      On hire + annually

    

    
      Role-Specific

      Teams handling personal data

      Lawful bases, data minimization, retention schedules, data subject rights, secure data handling

      Annually

    

    
      Management

      Senior leadership

      Accountability obligations, risk management, breach notification duties, governance responsibilities

      Annually

    

    
      Specialist

      IT, HR, Marketing

      Department-specific data protection requirements, tools, and operational processes

      As needed

    

  

Staff Data Protection Training Topics

The training program covers the full range of GDPR compliance topics relevant to day-to-day staff responsibilities, grouped by theme:

GDPR Principles and Legal Foundations

  - Key principles of GDPR and other applicable data protection laws

  - Recognizing and correctly classifying personal and special category data

  - Understanding lawful bases for processing and when each applies

Data Subject Rights and Request Handling

  - The six GDPR data subject rights and organizational obligations for each

  - How to recognize, log, and escalate a Data Subject Access Request (DSAR)

Breach Identification and Incident Reporting

  - How to identify a potential personal data breach and what constitutes a reportable incident

  - Internal reporting procedures and escalation paths to the DPO

Secure Data Handling Practices

  - Secure handling, storage, and lawful disposal of personal data

  - Email security and phishing awareness

  - Clean desk and clear screen policies

  - Social engineering awareness and prevention

Training Delivery Methods

Your Secure Privacy DPO uses a blended training approach to maximize engagement and retention across your workforce:

  - Live sessions delivered by your DPO — available in-person or virtually — for foundation, management, and specialist cohorts.

  - Self-paced e-learning modules for flexible completion, particularly suited to on-hire induction training and annual refreshers.

  - Scenario-based workshops and tabletop exercises that simulate real data protection incidents to build practical response skills.

  - Regular awareness communications — including newsletters and targeted privacy tips — to maintain ongoing data protection awareness between formal training cycles.

  - Simulated phishing exercises to test and strengthen employee resilience against social engineering attacks.

Training Completion Tracking and Compliance Reporting

Training completion rates and assessment results are tracked through the Secure Privacy platform, giving your DPO a real-time view of staff compliance across your organization. Training metrics — including completion rates by department, outstanding training, and assessment outcomes — are included in regular DPO compliance reports.

This creates a documented, auditable record of your organization's staff training program, which can be presented to supervisory authorities as evidence of GDPR accountability under Article 5(2).

Frequently Asked Questions

Is GDPR staff training legally required?

GDPR does not prescribe a specific training format, but GDPR Article 39(1)(b) requires the DPO to monitor staff awareness and compliance with data protection obligations. Supervisory authorities expect organizations to demonstrate adequate staff training as part of their accountability obligations under Article 5(2). Lack of training is frequently cited as an aggravating factor in enforcement decisions.

How often should GDPR training be repeated?

Foundation and role-specific training should be conducted at hire and repeated annually. Management training is also conducted annually. Specialist training for departments such as IT, HR, and marketing is delivered as needed when processes change or new tools are introduced. Your DPO tracks completion and schedules refreshers accordingly.

What should happen if an employee fails to complete required training?

Outstanding training is flagged in the Secure Privacy platform and included in compliance reports. Your DPO advises on escalation procedures for employees who have not completed mandatory training, particularly where their role involves regular access to personal data.

Can training be used as evidence of GDPR compliance?

Yes. Documented training records — including completion rates, assessment results, and training content — are valuable evidence of organizational accountability under GDPR Article 5(2). Your DPO maintains these records and can produce them for regulatory review or audit purposes.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR International Data Transfers – Chapter V Mechanisms, Transfer Impact Assessments, and Schrems II Compliance

URL: https://support.secureprivacy.ai/article/cross-border-data-transfers-and-your-dpo
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:28:00+00:00
Updated: 2026-03-22T01:12:22.498+00:00
Reading Time: 6 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR Chapter V international data transfers — covering SCCs, adequacy decisions, Transfer Impact Assessments, and Schrems II supplementary measures.

When personal data is transferred outside the European Economic Area (EEA), GDPR Chapter V requires organizations to ensure an adequate level of protection is maintained — through an approved transfer mechanism such as Standard Contractual Clauses (SCCs), an adequacy decision, or Binding Corporate Rules. Following the Schrems II ruling, organizations must also conduct Transfer Impact Assessments (TIAs) before transferring data to countries without an adequacy decision. Your Secure Privacy DPO maps all international transfers, identifies the correct mechanism for each, and keeps your transfer framework compliant as laws and adequacy decisions evolve.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR Chapter V international transfer compliance

  - Legal and compliance teams reviewing vendor contracts involving personal data transfers outside the EEA

  - IT and procurement teams engaging cloud providers or software vendors based in third countries

  - Multinational organizations managing cross-border data flows within corporate groups or with international partners

Understanding GDPR Cross-Border Data Transfer Requirements

GDPR Chapter V restricts the transfer of personal data to countries outside the EEA unless the transfer is covered by an approved mechanism or a specific derogation applies. The core principle is that personal data transferred internationally must receive the same level of protection as it would within the EEA — regardless of where the data physically moves. Organizations that transfer personal data to third countries without an appropriate transfer mechanism in place are in direct violation of GDPR and face significant enforcement risk.

GDPR International Data Transfer Mechanisms

GDPR provides six lawful mechanisms for international data transfers. Your DPO identifies and implements the correct mechanism for each transfer activity:

  
    
    
    
  
  
    
      Mechanism

      GDPR Article

      Description

    

    
      Adequacy Decision

      Article 45

      Transfer to countries the European Commission has formally determined provide an adequate level of data protection — no additional safeguards required

    

    
      Standard Contractual Clauses (SCCs)

      Article 46(2)(c)

      Pre-approved contractual terms between the data exporter and importer, updated by the European Commission in 2021 following Schrems II

    

    
      Binding Corporate Rules (BCRs)

      Article 47

      Approved internal data protection rules governing transfers within a multinational corporate group — requires supervisory authority approval

    

    
      Codes of Conduct

      Article 46(2)(e)

      Approved industry codes of conduct with binding commitments from the controller or processor in the third country

    

    
      Certification Mechanisms

      Article 46(2)(f)

      Approved certification schemes with binding and enforceable commitments applied by the data importer

    

    
      Derogations

      Article 49

      Limited, case-by-case exceptions for specific situations such as explicit consent, contract performance, or important public interest — not suitable for systematic or repeated transfers

    

  

Transfer Impact Assessments After Schrems II

Following the Court of Justice of the EU's Schrems II ruling (C-311/18), organizations must conduct a Transfer Impact Assessment (TIA) before transferring personal data to any country that does not benefit from an adequacy decision. The TIA evaluates whether the legal framework of the recipient country undermines the protections provided by the chosen transfer mechanism — and whether supplementary measures are needed to fill any gaps. Your DPO manages the TIA process end-to-end:

  - Map all international data transfers: Identify every flow of personal data leaving the EEA, including transfers to cloud providers, software vendors, and group entities.

  - Identify the transfer mechanism for each flow: Confirm which GDPR Chapter V mechanism is in place — or identify transfers that currently lack a lawful basis.

  - Assess the legal framework of the recipient country: Evaluate the destination country's surveillance laws, data access rights, and rule of law — the core Schrems II assessment.

  - Evaluate whether supplementary measures are needed: Determine whether the transfer mechanism alone provides effective protection, or whether additional technical, contractual, or organizational measures are required.

  - Document the assessment and conclusions: Produce a written TIA record that demonstrates the organization's due diligence — essential for accountability under GDPR Article 5(2).

  - Implement supplementary measures where required: Apply the identified measures before the transfer proceeds or continues.

Schrems II Supplementary Measures for International Transfers

Where a TIA reveals that a transfer mechanism alone does not provide sufficient protection, supplementary measures must be applied. Your DPO advises on the appropriate combination of measures for each transfer:

Technical measures

End-to-end encryption of data before transfer, pseudonymization to reduce re-identification risk, and split or distributed processing architectures that prevent any single importer from accessing complete personal data sets.

Contractual measures

Additional contractual obligations on the data importer — beyond the standard SCC provisions — including enhanced transparency requirements, notification obligations for government access requests, and restrictions on onward transfers to subprocessors.

Organizational measures

Internal access control policies limiting which personnel in the third country can access personal data, regular transparency reporting by the data importer on government access requests, and documented audit rights for the data exporter.

Ongoing Monitoring of International Transfer Compliance

The international transfer landscape changes frequently — adequacy decisions are adopted and challenged, SCCs are updated, and court rulings alter the risk profile of transfers to specific countries. Your DPO maintains continuous oversight of your organization's transfer framework, including:

  - Tracking new and revised adequacy decisions issued by the European Commission

  - Monitoring SCC updates and ensuring existing contracts are updated within required timeframes

  - Following relevant court decisions and EDPB guidance that affect the validity of transfer mechanisms

  - Reviewing TIAs when recipient country laws change in a way that may affect the adequacy of protections

  - Updating your transfer register in the ROPA to reflect any changes to transfer mechanisms or recipients

Frequently Asked Questions

What is the difference between an adequacy decision and Standard Contractual Clauses?

An adequacy decision is a formal determination by the European Commission that a specific country provides an equivalent level of data protection to the EEA — no additional contractual safeguards are required for transfers to that country. Standard Contractual Clauses are pre-approved contractual terms that must be signed between the data exporter and importer when no adequacy decision covers the destination country. SCCs require a Transfer Impact Assessment under Schrems II; adequacy decisions do not.

Does Schrems II mean US data transfers are unlawful?

Not necessarily. The EU-US Data Privacy Framework (adopted in 2023) provides an adequacy decision for transfers to certified US organizations. Transfers to non-certified US entities still require SCCs supplemented by a Transfer Impact Assessment. Your DPO assesses the correct mechanism for each US transfer on a case-by-case basis, accounting for the recipient's certification status and the nature of the data transferred.

Are Transfer Impact Assessments required for all international transfers?

TIAs are required for transfers to countries without an adequacy decision, where SCCs or another Article 46 mechanism is being used. They are not required where the transfer is covered by an adequacy decision — though your DPO monitors the validity of adequacy decisions and will initiate a TIA if an adequacy decision is suspended or invalidated.

What should an organization do if a TIA reveals that a transfer cannot be adequately protected?

If a TIA concludes that neither the transfer mechanism nor supplementary measures can provide effective protection for the data transferred, the transfer must be suspended or terminated. Your DPO advises on alternative processing arrangements — such as migrating data to an EEA-based processor — and documents the decision and rationale for regulatory accountability purposes.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | C

---

# DPO Compliance Reporting – GDPR Reports, Key Metrics, and How Findings Are Delivered via Secure Privacy

URL: https://support.secureprivacy.ai/article/dpo-compliance-reporting-what-to-expect
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:27:00+00:00
Updated: 2026-03-22T00:46:43.646+00:00
Reading Time: 3 minutes
Summary: Learn how Secure Privacy's DPO service delivers GDPR compliance reports — monthly, quarterly, and annual — covering DSARs, breach incidents, DPIAs, and risk metrics.

The Secure Privacy DPO service includes structured GDPR compliance reporting delivered to your leadership team on a regular basis. These reports give your organization visibility into its data protection posture, track key privacy metrics, and ensure accountability under GDPR's Article 39 DPO obligations.

Who Is This For?

  - Data Protection Officers and privacy managers overseeing compliance programs

  - Board members and C-Suite executives receiving quarterly compliance briefings

  - IT and privacy teams using operational reports to track DSARs, incidents, and audits

  - Legal and compliance leads managing GDPR accountability documentation

Why GDPR Compliance Reporting Matters

Regular compliance reporting is a core element of the DPO's accountability function under GDPR. These reports give your leadership team clear visibility into the organization's data protection status, surface emerging risks, and track progress on compliance initiatives — creating an auditable record of your privacy program over time.

Types of DPO Compliance Reports

Your Secure Privacy DPO delivers the following report types:

  
    
    
    
    
  
  
    
      Report Type

      Frequency

      Audience

      Content

    

    
      Executive Summary

      Quarterly

      Board / C-Suite

      High-level compliance status, key risks, and strategic recommendations

    

    
      Operational Report

      Monthly

      Privacy Team / IT

      DSAR statistics, breach incidents, training completion rates, and audit findings

    

    
      Annual Review

      Annually

      All Stakeholders

      Comprehensive compliance assessment, year-over-year trends, and priorities for the year ahead

    

    
      Ad Hoc Reports

      As needed

      Varies

      Specific compliance questions, incident reports, and DPIA findings

    

  

Key GDPR Compliance Metrics Tracked

Each report draws on data tracked continuously through the Secure Privacy platform, including:

  - Number of Data Subject Access Requests (DSARs) received and average resolution time

  - Data breach incidents, notification timelines, and response effectiveness

  - Staff privacy training completion rates

  - DPIA completion status for new or changed processing activities

  - Outstanding compliance actions and their priority level

  - Regulatory changes affecting your organization's data protection obligations

  - Third-party vendor and processor compliance status

How Compliance Reports Are Delivered

Reports are delivered securely through the Secure Privacy platform dashboard, with access restricted to authorized stakeholders. Your DPO also presents quarterly findings directly to your leadership team in scheduled review meetings, ensuring findings are understood and acted upon at the right level of the organization.

Acting on Compliance Report Findings

Every report includes prioritized recommendations tied to identified risks or compliance gaps. Your Secure Privacy DPO works with your team to translate findings into concrete compliance tasks, which are tracked and managed through the platform's built-in task management features — maintaining a clear record of remediation activity for audit purposes.

Frequently Asked Questions

How often does the DPO deliver compliance reports?

Report frequency depends on the report type. Operational reports are delivered monthly, executive summaries quarterly, and a full annual review is conducted once per year. Ad hoc reports can be requested as needed for specific compliance events or incidents.

Who has access to the compliance reports?

Reports are accessible through the Secure Privacy platform dashboard to authorized stakeholders only. Access levels are role-based — executive summaries are typically scoped to board and C-Suite audiences, while operational reports are available to privacy and IT teams.

What happens after a high-risk finding is identified in a report?

High-risk findings are accompanied by prioritized recommendations. Your DPO works with your team to define remediation actions, which are tracked through the platform. For critical risks, escalation to leadership is part of the standard reporting process.

Does the DPO reporting service cover DPIA requirements?

Yes. DPIA completion status is tracked as part of the operational reporting cycle, and DPIA findings can be issued as ad hoc reports when a specific processing activity requires assessment under GDPR Article 35.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Data Breach Response – 72-Hour Notification Requirements and How Your DPO Manages the Process

URL: https://support.secureprivacy.ai/article/how-your-dpo-handles-data-breach-notifications
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:27:00+00:00
Updated: 2026-03-22T00:52:07.167+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's DPO manages GDPR data breach response — covering the 72-hour notification deadline, risk assessment, supervisory authority reporting, and breach register maintenance.

Under GDPR Article 33, organizations must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. When a breach affects individuals at high risk, data subject notification is also required without undue delay. Your Secure Privacy DPO manages the full breach response process — from initial triage and risk assessment through supervisory authority notification, data subject communications, and post-breach review.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for breach response under GDPR

  - IT and security teams identifying and containing data security incidents

  - Legal and compliance teams managing notification obligations to supervisory authorities

  - Organizations subject to GDPR that handle personal data and need a structured breach response process

The DPO's Role in GDPR Data Breach Response

When a personal data breach occurs, time is critical. Your Secure Privacy DPO plays a central role in ensuring your organization identifies the breach correctly, assesses its severity, meets all notification deadlines, and documents the incident in line with GDPR Article 33(5) requirements.

Data Breach Assessment Process

When a potential breach is reported, your Secure Privacy DPO follows a structured five-stage assessment:

  - Initial triage: Determine whether a personal data breach has occurred as defined under GDPR Article 4(12).

  - Risk assessment: Evaluate the likelihood and severity of risk to the rights and freedoms of affected individuals.

  - Scope determination: Identify the categories and approximate number of data subjects and records affected.

  - Containment advice: Recommend immediate technical and organizational measures to contain and limit the breach.

  - Notification decision: Determine whether notification to the supervisory authority and/or affected data subjects is required under GDPR Articles 33 and 34.

GDPR 72-Hour Breach Notification Requirements

GDPR sets different notification obligations depending on the risk level of the breach. The table below summarizes each notification type, when it is triggered, the applicable deadline, and required content.

  
    
    
    
    
  
  
    
      Notification Type

      Trigger

      Deadline

      Required Contents

    

    
      Supervisory Authority (Article 33)

      Breach likely to result in risk to individuals' rights and freedoms

      72 hours from awareness

      Nature of breach, categories and numbers affected, likely consequences, measures taken or proposed

    

    
      Data Subjects (Article 34)

      Breach likely to result in high risk to individuals' rights and freedoms

      Without undue delay

      Plain language description of the breach, DPO contact details, likely consequences, measures taken and recommended to affected individuals

    

    
      No Notification Required

      Breach unlikely to result in risk to individuals

      N/A

      Document in internal breach register only — no external notification required

    

  

What Your Secure Privacy DPO Provides During a Data Breach

Expert notification assessment

Your DPO assesses notification obligations across all applicable jurisdictions — including requirements beyond GDPR where relevant — ensuring your organization meets every applicable deadline.

Supervisory authority notification drafting

Your DPO drafts the formal notification to the relevant supervisory authority, ensuring it meets the minimum content requirements under GDPR Article 33(3).

Data subject communication drafting

Where individual notification is required under Article 34, your DPO prepares clear, plain-language communications for affected data subjects.

Containment and remediation guidance

Your DPO advises on immediate technical and organizational measures to contain the breach and reduce further exposure, working alongside your IT and security teams.

Breach register documentation

Your DPO ensures every incident is fully documented in your internal breach register, regardless of whether external notification is required.

Post-breach review

After the immediate response, your DPO conducts a structured post-breach review to identify root causes and recommend measures to prevent recurrence.

GDPR Breach Register: Article 33(5) Requirements

Regardless of whether supervisory authority notification is required, GDPR Article 33(5) mandates that all personal data breaches be documented internally. Your Secure Privacy DPO maintains a comprehensive breach register that records:

  - The facts of each breach, including date, nature, and scope

  - The effects and likely consequences for affected individuals

  - The remedial actions taken and any notification decisions made

  - The rationale for decisions not to notify where notification thresholds were not met

This register provides your organization with a complete, audit-ready record of all breach incidents for regulatory review.

Frequently Asked Questions

What is the GDPR 72-hour breach notification deadline?

Under GDPR Article 33, organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach — provided the breach is likely to result in a risk to individuals' rights and freedoms. If notification cannot be made within 72 hours, it must be accompanied by reasons for the delay.

Do all data breaches need to be reported to the supervisory authority?

No. Notification to the supervisory authority is only required when the breach is likely to result in a risk to individuals' rights and freedoms. However, all breaches — regardless of risk level — must be documented in the internal breach register under Article 33(5).

When must affected individuals be notified of a data breach?

Data subjects must be notified without undue delay when a breach is likely to result in a high risk to their rights and freedoms — a higher threshold than the supervisory authority notification trigger. Your DPO assesses this threshold as part of the breach triage process.

What if a breach involves personal data processed in multiple EU member states?

Cross-border breaches may trigger notification obligations with a lead supervisory authority under GDPR's one-stop-shop mechanism, as well as obligations to other concerned supervisory authorities. Your DPO will advise on the correct notification routing for multi-jurisdictional incidents.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Records of Processing Activities (ROPA) – Article 30 Requirements and How Your DPO Manages Them

URL: https://support.secureprivacy.ai/article/gdpr-article-30-records-of-processing-activities
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:27:00+00:00
Updated: 2026-03-22T01:04:27.211+00:00
Reading Time: 5 minutes
Summary: Learn what GDPR Article 30 requires for Records of Processing Activities (ROPA), who must maintain them, required contents, and how Secure Privacy's DPO keeps your ROPA audit-ready.

Under GDPR Article 30, most organizations that process personal data are required to maintain a Record of Processing Activities (ROPA). The ROPA is a foundational compliance document that maps every data processing activity your organization undertakes — capturing lawful bases, data categories, retention periods, recipients, and security measures. Your Secure Privacy DPO creates, maintains, and keeps your ROPA audit-ready as part of your ongoing GDPR compliance program.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR Article 30 compliance

  - Legal and compliance teams building or auditing their organization's data processing inventory

  - IT and operations teams supporting data mapping exercises to identify processing activities

  - Organizations subject to supervisory authority inspection who need an accurate, current ROPA

What Are Records of Processing Activities (ROPA) Under GDPR?

A Record of Processing Activities (ROPA) is a structured internal register of all personal data processing activities carried out by your organization as a data controller or processor. GDPR Article 30 makes maintaining this record a legal obligation — not a best practice. The ROPA provides supervisory authorities with a clear picture of how your organization handles personal data and is a primary document requested during regulatory inspections and investigations.

Who Must Maintain a ROPA Under GDPR Article 30?

GDPR Article 30(5) provides a limited exemption for organizations with fewer than 250 employees — but this exemption is narrower than it appears. It does not apply if any of the following conditions are met:

  - The processing is likely to result in a risk to the rights and freedoms of data subjects

  - The processing is not occasional — meaning it occurs on a regular or ongoing basis

  - The processing includes special categories of personal data (Article 9) or criminal conviction data (Article 10)

In practice, nearly all organizations that process personal data regularly — including most SMEs — must maintain a ROPA. If your organization processes employee data, customer data, or user data as a standard part of operations, the exemption almost certainly does not apply.

GDPR Article 30 Required ROPA Contents

Your ROPA must document the following information for each individual processing activity:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Controller Details

      Name and contact details of the controller, any joint controllers, and the DPO

      Acme Ltd; DPO: Secure Privacy

    

    
      Purposes

      The specific purposes for which the personal data is processed

      Employee payroll processing

    

    
      Data Categories

      Categories of personal data processed in the activity

      Name, address, bank details, salary

    

    
      Data Subject Categories

      Categories of individuals whose personal data is processed

      Employees, contractors

    

    
      Recipients

      Categories of recipients to whom personal data is disclosed

      Payroll provider, tax authority

    

    
      International Transfers

      Details of any transfers to third countries, including the transfer mechanism or safeguards applied

      US transfer under Standard Contractual Clauses (SCCs)

    

    
      Retention Periods

      Envisaged time limits for erasure or review of each data category

      7 years after employment ends

    

    
      Security Measures

      A general description of the technical and organizational security measures in place

      Encryption at rest and in transit, role-based access controls, audit logs

    

  

How Your Secure Privacy DPO Manages Your ROPA

Data mapping and processing activity discovery

Your DPO conducts structured data mapping exercises across your organization to identify all processing activities, data flows, and systems handling personal data — ensuring no processing activity is undocumented.

ROPA creation and structuring

Your DPO creates and maintains the ROPA in a structured, Article 30-compliant format — integrated with the Secure Privacy governance platform for centralized access and version control.

Ongoing updates when processing changes

When processing activities change — due to new products, system changes, or updated vendor relationships — your DPO reviews and updates the ROPA to keep it accurate and current.

Supervisory authority inspection readiness

GDPR Article 30(4) requires the ROPA to be made available to supervisory authorities on request. Your DPO ensures the register is maintained in a format that can be produced promptly during an inspection or investigation.

ROPA integration with the governance platform

ROPA management is integrated with the Secure Privacy governance platform, linking processing activities to associated DPIAs, vendor records, and risk assessments for a complete, cross-referenced compliance picture.

Frequently Asked Questions

What is the difference between a ROPA and a data mapping exercise?

A data mapping exercise is the process of discovering and documenting all personal data flows across your organization. The ROPA is the formal output of that exercise — a structured record of processing activities in the format required by GDPR Article 30. The data mapping feeds the ROPA, and both must be kept current as processing activities evolve.

Does GDPR require the ROPA to be in a specific format?

No. GDPR Article 30(3) requires the ROPA to be in written form, including electronic form, but does not prescribe a specific template or format. What matters is that it captures all required fields for each processing activity and can be produced for supervisory authorities on request.

How often should a ROPA be updated?

The ROPA should be treated as a living document — updated whenever a new processing activity is introduced, an existing activity changes in scope or purpose, a new vendor is engaged, or a retention period is revised. Your DPO reviews the ROPA as part of the annual compliance audit and on an ad hoc basis as changes occur.

What happens if an organization cannot produce a ROPA during a supervisory authority inspection?

Failure to maintain a ROPA when required under GDPR Article 30 is a direct compliance violation and can result in regulatory enforcement action. Supervisory authorities treat the absence of a ROPA as an indicator of broader accountability failures, which may trigger deeper investigation into the organization's data protection practices.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# What Is a DPIA? GDPR Article 35 Requirements, Process Steps, and How Your DPO Helps

URL: https://support.secureprivacy.ai/article/understanding-dpia-with-your-dpo
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:27:00+00:00
Updated: 2026-03-22T00:50:08.192+00:00
Reading Time: 4 minutes
Summary: Learn when a DPIA is required under GDPR Article 35, what it must contain, and how Secure Privacy's DPO service guides your organization through every step of the process.

A Data Protection Impact Assessment (DPIA) is a mandatory GDPR process for identifying and minimizing privacy risks before high-risk data processing activities begin. Under GDPR Article 35, organizations must complete a DPIA whenever processing is likely to result in a high risk to individuals' rights and freedoms. Your Secure Privacy DPO guides your team through every stage of the assessment — from initial screening to sign-off and ongoing review.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR Article 35 compliance

  - Legal and compliance teams assessing new data processing activities

  - IT and product teams launching projects that involve personal data processing

  - Organizations subject to GDPR that process special category data or conduct large-scale profiling

What Is a Data Protection Impact Assessment (DPIA)?

A DPIA is a structured process designed to systematically analyze and minimize the data protection risks of a project or processing activity. Under GDPR Article 35, completing a DPIA is not optional — it is a legal requirement for processing activities that pose a high risk to individuals. Failing to conduct a required DPIA can result in regulatory enforcement action and significant fines.

DPIA Requirements Under GDPR: When Is One Mandatory?

A DPIA is required under GDPR Article 35 when processing is likely to result in a high risk to individuals. This includes, but is not limited to, processing that involves:

  - Systematic and extensive evaluation of personal aspects through profiling, where decisions produce significant effects on individuals

  - Large-scale processing of special categories of personal data (e.g., health, biometric, or criminal offense data)

  - Systematic monitoring of publicly accessible areas on a large scale (e.g., CCTV)

  - Any processing activity included on your supervisory authority's published list of operations requiring a DPIA

When in doubt, your DPO can conduct a pre-screening assessment to determine whether a full DPIA is needed.

The DPIA Process: Step-by-Step

Your Secure Privacy DPO guides your organization through a structured, seven-stage DPIA process:

  - Screening: Determine whether a DPIA is required for the proposed processing activity.

  - Description: Document the nature, scope, context, and purposes of the processing in full.

  - Necessity assessment: Evaluate whether the processing is necessary and proportionate to its stated purpose.

  - Risk identification: Identify specific risks to the rights and freedoms of data subjects arising from the processing.

  - Risk mitigation: Define technical and organizational measures to address and reduce identified risks.

  - Sign-off: The DPO provides formal written advice and the completed assessment is approved by the data controller.

  - Review: Schedule ongoing reviews to keep the DPIA current as the processing activity evolves over time.

GDPR Article 35(7) DPIA Contents: What Must Be Included

GDPR Article 35(7) specifies the minimum required contents of a valid DPIA. Your Secure Privacy DPO ensures all four elements are fully addressed:

  
    
    
  
  
    
      Requirement

      Description

    

    
      Processing Description

      A systematic description of the envisaged processing operations and their purposes, including the legitimate interest pursued where applicable

    

    
      Necessity Assessment

      An assessment of the necessity and proportionality of the processing in relation to its purpose

    

    
      Risk Assessment

      An assessment of the risks to the rights and freedoms of data subjects, including likelihood and severity

    

    
      Mitigation Measures

      The measures envisaged to address identified risks and demonstrate GDPR compliance, including safeguards and security measures

    

  

How Your Secure Privacy DPO Supports the DPIA Process

Your Secure Privacy DPO provides expert guidance at every stage of the DPIA lifecycle. This includes reviewing completed assessments for completeness and legal sufficiency, advising on the adequacy of proposed mitigation measures, and determining whether the residual risk is acceptable for processing to proceed.

Where residual risk remains high after mitigation, your DPO will advise on whether prior consultation with the supervisory authority is required under GDPR Article 36 — a step that is mandatory if the risk cannot be sufficiently reduced by the data controller alone.

Frequently Asked Questions

What happens if an organization fails to conduct a required DPIA?

Failing to carry out a mandatory DPIA is a direct violation of GDPR Article 35 and can result in regulatory enforcement action, including fines of up to €10 million or 2% of global annual turnover under GDPR Article 83(4).

Who is responsible for approving a completed DPIA?

The data controller is responsible for approving the DPIA. The DPO provides formal written advice as part of the sign-off process but does not bear personal liability for the controller's processing decisions. Where disagreement exists, the DPO's advice and the controller's reasoning must both be documented.

Does a DPIA need to be repeated?

Yes. DPIAs are not one-time documents. GDPR requires organizations to review a DPIA when the processing activity changes or when there is reason to believe the risk level has shifted. Your DPO will help schedule and manage periodic reviews.

When is prior consultation with a supervisory authority required after a DPIA?

Under GDPR Article 36, prior consultation with the relevant supervisory authority is required when the DPIA indicates that high residual risk cannot be adequately mitigated by the organization alone. Your DPO will assess this and manage the consultation process on your behalf if needed.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR Data Subject Rights and DSAR Handling – How Your DPO Manages Requests with Secure Privacy

URL: https://support.secureprivacy.ai/article/managing-dsar-through-your-dpo
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T20:27:00+00:00
Updated: 2026-03-22T00:48:33.686+00:00
Reading Time: 4 minutes
Summary: Learn how Secure Privacy's DPO service handles GDPR data subject rights requests — covering all six GDPR rights, response timelines, exemptions, and DSAR best practices.

Under GDPR, individuals have the right to access, correct, delete, and restrict the use of their personal data. These requests — known as Data Subject Access Requests (DSARs) — must be handled within strict legal timeframes. Your Secure Privacy DPO ensures your organization can respond to all types of data subject rights requests correctly, on time, and with proper documentation.

Who Is This For?

  - Data Protection Officers and privacy managers handling GDPR compliance

  - Legal and compliance teams managing data subject rights workflows

  - HR and IT teams responsible for locating and processing personal data in response to DSARs

  - Organizations subject to GDPR looking to streamline their DSAR handling process

GDPR Data Subject Rights: Full Overview

GDPR grants individuals six core rights over their personal data. The table below summarizes each right, the applicable GDPR article, and what it requires of your organization.

  
    
    
    
  
  
    
      Right

      GDPR Article

      Description

    

    
      Right of Access

      Article 15

      Individuals can request a copy of their personal data and information about how it is processed

    

    
      Right to Rectification

      Article 16

      Individuals can request correction of inaccurate or incomplete personal data

    

    
      Right to Erasure

      Article 17

      Individuals can request deletion of their personal data in certain circumstances (the "right to be forgotten")

    

    
      Right to Restriction

      Article 18

      Individuals can request that processing of their personal data be restricted under specific conditions

    

    
      Right to Data Portability

      Article 20

      Individuals can receive their personal data in a structured, commonly used, machine-readable format

    

    
      Right to Object

      Article 21

      Individuals can object to processing based on legitimate interests or for direct marketing purposes

    

  

GDPR DSAR Response Timeline

Organizations must respond to Data Subject Access Requests within one month of receipt. For complex or numerous requests, this deadline can be extended by a further two months — but the data subject must be notified of the extension within the initial one-month period, along with the reason for the delay.

How Your DPO Manages DSAR Handling

Your Secure Privacy DPO supports every stage of the DSAR response process:

  - Request validation: Verify the identity of the requester and determine which data subject right applies.

  - Scope assessment: Define the scope of the request and identify all relevant internal data sources.

  - Exemption review: Advise on applicable exemptions under GDPR, such as legal privilege or third-party rights.

  - Response preparation: Guide your team in preparing a complete, compliant response.

  - Quality review: Review the final response before it is sent to the data subject to ensure accuracy and compliance.

  - Documentation: Ensure the request, decision-making process, and response are fully documented for audit purposes.

DSAR Best Practices for GDPR Compliance

Acknowledge requests promptly

Send an acknowledgment as soon as a DSAR is received. This confirms receipt and starts the clock on your one-month response window.

Use a centralized DSAR tracking system

Manage all incoming requests through a single platform to avoid missed deadlines and ensure consistent handling. Secure Privacy's built-in DSAR tracking tools support this directly.

Train staff to recognize and escalate DSARs

Any employee may receive a data subject request — not just the privacy team. Ensure all staff know how to identify a DSAR and who to escalate it to immediately.

Document all refusals and exemption decisions

If a request is refused or an exemption applied, document the legal basis and reasoning clearly. This is critical for demonstrating GDPR accountability if the decision is challenged.

Track and manage all requests through Secure Privacy

Use the Secure Privacy DSAR management tools to log, assign, and track every data subject request from receipt to resolution.

Frequently Asked Questions

What is the GDPR deadline for responding to a DSAR?

Organizations must respond within one month of receiving the request. This can be extended by two further months for complex or high-volume cases, provided the data subject is informed of the extension within the initial one-month period.

Can an organization refuse a data subject request?

Yes, in certain circumstances. GDPR provides exemptions — for example, where disclosure would adversely affect the rights of third parties or where a legal privilege applies. Any refusal must be documented with the legal basis clearly stated, and the data subject must be informed of their right to complain to a supervisory authority.

What is the difference between a DSAR and a DPIA?

A DSAR (Data Subject Access Request) is a request made by an individual exercising their rights over their own personal data. A DPIA (Data Protection Impact Assessment) is an internal process carried out by an organization to assess the privacy risks of a specific data processing activity before it begins.

How does Secure Privacy help manage GDPR data subject requests?

Secure Privacy provides built-in DSAR forms, request tracking, and workflow tools to help organizations handle data subject rights requests on time and with a complete audit trail. Your DPO also provides direct support at each stage of the response process.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# DPO as a Service – What It Is, Who Needs It, and What Secure Privacy's DPOaaS Includes

URL: https://support.secureprivacy.ai/article/what-is-dpo-as-a-service-complete-overview
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T20:25:00+00:00
Updated: 2026-03-22T01:28:19.599+00:00
Reading Time: 5 minutes
Summary: Learn what DPO as a Service is, who needs a DPO under GDPR Article 37, the key benefits of DPOaaS, and what Secure Privacy's outsourced Data Protection Officer service includes.

DPO as a Service (DPOaaS) is an outsourced solution that gives organizations access to a qualified Data Protection Officer without the cost and overhead of a full-time in-house hire. Under GDPR Article 37, many organizations are legally required to appoint a DPO — and even those that are not face significant compliance risk without expert data protection guidance. Secure Privacy's DPO as a Service provides certified privacy professionals who fulfil all GDPR Articles 37–39 obligations on your behalf, tailored to your organization's size, sector, and regulatory footprint.

Who Is This For?

  - Organizations subject to GDPR that are required to appoint a Data Protection Officer under Article 37

  - SMEs and growing businesses that need qualified DPO expertise without a full-time senior hire

  - Organizations operating across multiple EU jurisdictions requiring multi-regulatory knowledge

  - Any business seeking to reduce GDPR compliance risk and demonstrate accountability to supervisory authorities

What Is DPO as a Service?

DPO as a Service is an outsourced model permitted under GDPR Article 37(6), which explicitly allows the DPO function to be fulfilled by an external service provider under a service contract. Rather than recruiting and employing a full-time DPO — a specialist role in high demand and short supply — organizations engage a qualified external DPO team that provides the same statutory functions at a fraction of the cost, with greater expertise and guaranteed continuity of service.

Secure Privacy's DPO as a Service bridges the gap between mandatory GDPR compliance obligations and the practical realities of resourcing a qualified data protection function — making expert DPO support accessible to organizations of all sizes.

GDPR DPO Requirements: Who Needs to Appoint a DPO?

Under GDPR Article 37, DPO appointment is mandatory in three scenarios:

  - The processing is carried out by a public authority or body (except courts acting in their judicial capacity)

  - The organization's core activities require regular and systematic monitoring of data subjects on a large scale

  - The organization's core activities consist of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions and offenses (Article 10)

Even where mandatory appointment does not apply, the European Data Protection Board recommends appointing a DPO as a best practice for any organization that processes personal data regularly. Voluntary DPO appointment significantly reduces compliance risk and demonstrates GDPR accountability under Article 5(2). Secure Privacy's DPO as a Service is available for both mandatory and voluntary appointments.

Key Benefits of DPO as a Service

Compared to an in-house DPO hire, DPO as a Service offers significant advantages across cost, expertise, independence, and scalability:

  
    
    
  
  
    
      Benefit

      Description

    

    
      Cost Efficiency

      A fraction of the cost of a full-time DPO hire — no recruitment, onboarding, or ongoing training overhead

    

    
      Expert Knowledge

      Access to a team of certified privacy professionals with cross-industry and multi-jurisdictional experience

    

    
      Scalability

      Service level adjusts as your organization grows, enters new markets, or faces changing regulatory requirements

    

    
      Independence

      External DPOs are naturally independent — satisfying GDPR Article 38 requirements with no internal conflicts of interest

    

    
      Regulatory Currency

      Stay current with evolving GDPR guidance, supervisory authority decisions, and regulatory developments — without internal training investment

    

    
      Service Continuity

      No disruption from leave, illness, or resignation — guaranteed continuity of DPO coverage at all times

    

  

What Secure Privacy DPO as a Service Includes

Secure Privacy's DPO as a Service covers the full scope of GDPR Articles 37–39 obligations and operational data protection support:

  - Official DPO registration: Your appointed DPO is registered with the relevant supervisory authority under GDPR Article 37(7) from the start of the engagement.

  - GDPR compliance monitoring: Ongoing monitoring of your organization's compliance with GDPR and other applicable data protection laws, including national implementing legislation.

  - DPIA advice and oversight: Guidance on when Data Protection Impact Assessments are required, review of completed assessments, and monitoring of mitigation implementation.

  - Data subject and supervisory authority contact point: Your DPO serves as the accessible, registered contact point for all data subject queries and supervisory authority communications.

  - Staff data protection training: Role-specific training delivery and awareness programs covering GDPR obligations across your workforce.

  - Compliance audits and reporting: Regular compliance audits and structured reporting to your leadership team — providing documented accountability evidence.

  - Breach response and notification support: Expert guidance on breach assessment, 72-hour supervisory authority notification, data subject communication, and breach register documentation.

Getting Started with Secure Privacy DPO as a Service

Onboarding with Secure Privacy's DPO as a Service typically takes two to four weeks and begins with an initial GDPR compliance assessment of your organization. To get started, contact your account manager or explore DPO as a Service plans on the Secure Privacy website.

Frequently Asked Questions

Is DPO as a Service legally valid under GDPR?

Yes. GDPR Article 37(6) explicitly permits the DPO function to be fulfilled by an external service provider under a service contract. A DPOaaS arrangement satisfies all GDPR Article 37–39 obligations — including mandatory supervisory authority registration, accessibility to data subjects, independence requirements, and the full scope of Article 39 tasks — provided the service agreement is structured to reflect these obligations.

How quickly can a DPO as a Service be operational?

Unlike an in-house hire — which involves a recruitment process, notice period, and onboarding timeline that can take several months — Secure Privacy's DPO as a Service can be operational within days of contract execution. DPO registration with the supervisory authority is completed at engagement confirmation, ensuring your organization is formally compliant from the outset.

What is included in the initial compliance assessment?

The initial compliance assessment is a structured gap analysis covering your existing privacy policies, ROPA, security measures, data subject rights processes, vendor agreements, and international transfer arrangements. Findings are used to build your prioritized compliance roadmap — identifying critical issues for immediate action and medium-term improvements for the months ahead.

Can Secure Privacy's DPO as a Service support organizations in multiple countries?

Yes. Secure Privacy's DPO team has multi-jurisdictional expertise covering GDPR requirements across EU member states, UK GDPR, and applicable national data protection legislation. The compliance assessment and ongoing support account for all jurisdictions in which your organization operates — from supervisory authority registration to national-law-specific compliance obligations.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# DPO as a Service Onboarding – Five-Step GDPR Compliance Setup Process with Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-onboard-with-dpo-as-a-service
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T20:25:00+00:00
Updated: 2026-03-22T01:26:39.961+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's DPO as a Service onboarding works — from initial GDPR gap analysis and DPO registration through to a prioritized compliance roadmap and ongoing support.

Getting started with Secure Privacy's DPO as a Service is a structured five-step onboarding process designed to establish your organization's GDPR compliance baseline, register your appointed DPO with the relevant supervisory authority, and deliver a prioritized compliance roadmap from day one. This guide walks you through each phase — from the initial discovery consultation through to ongoing DPO support.

Who Is This For?

  - Organizations that have purchased or are evaluating Secure Privacy's DPO as a Service

  - Legal and compliance teams coordinating the DPO onboarding process internally

  - Senior leadership seeking to understand what the DPO engagement process involves and what it delivers

  - IT, HR, and operational teams who will be involved in the compliance gap analysis and policy review stages

DPO as a Service Onboarding Overview

Secure Privacy's DPO onboarding process is designed to move your organization from initial engagement to active GDPR compliance support as efficiently as possible — with no compliance gaps left unaddressed. The process runs across five structured phases, each building on the last to establish a complete, documented compliance foundation.

Step 1: Initial Consultation and Discovery

The onboarding process begins with a structured discovery call where your assigned DPO team assesses your organization's current data protection posture and compliance context:

  - Your organization's size, structure, and industry sector

  - Types of personal data you process and the lawful bases currently relied upon

  - Existing data protection measures, policies, and documentation

  - The jurisdictions in which you operate and the applicable regulatory frameworks

  - Any known compliance gaps, active regulatory matters, or upcoming compliance deadlines

Step 2: GDPR Compliance Gap Analysis

Following the initial consultation, your assigned DPO conducts a thorough compliance gap analysis across all key areas of your data protection program. This assessment identifies existing strengths and prioritizes areas requiring immediate or near-term remediation:

  - Privacy policy and notice review: Assess whether existing privacy notices meet GDPR Articles 13 and 14 transparency requirements.

  - Data processing records assessment: Review the completeness and accuracy of your Record of Processing Activities (ROPA) under GDPR Article 30.

  - Technical and organizational security measures: Evaluate whether security measures meet the GDPR Article 32 standard appropriate to the risk.

  - Data subject rights fulfillment processes: Review how your organization handles DSARs, erasure requests, and other data subject rights under GDPR Articles 15–22.

  - Third-party data processing agreements: Assess DPA coverage for all vendors and processors handling personal data on your behalf.

  - Cross-border data transfer mechanisms: Evaluate whether international data transfers are covered by appropriate GDPR Chapter V mechanisms.

Step 3: DPO Registration Under GDPR Article 37(7)

Once the engagement is confirmed, Secure Privacy registers your appointed DPO with the relevant supervisory authority as required by GDPR Article 37(7). This step includes publishing the DPO's contact details — ensuring data subjects can contact your DPO directly and that the supervisory authority has the correct point of contact for all regulatory communications from the outset of the engagement.

Step 4: Prioritized GDPR Compliance Roadmap

Based on the gap analysis findings, your DPO prepares a structured, prioritized compliance roadmap with clear action items, owners, and timelines:

  
    
    
    
  
  
    
      Priority

      Action Item

      Timeline

    

    
      Critical

      Address any active non-compliance issues identified in the gap analysis

      Weeks 1–2

    

    
      High

      Implement missing policies, procedures, and documentation

      Weeks 2–4

    

    
      Medium

      Staff data protection training and awareness programs

      Weeks 4–8

    

    
      Ongoing

      Continuous compliance monitoring, periodic reviews, and reporting

      Monthly

    

  

Step 5: Ongoing DPO Support and Compliance Monitoring

After the onboarding phases are complete, your Secure Privacy DPO transitions into continuous support mode — providing the full range of GDPR Articles 37–39 services on an ongoing basis:

  - Regular compliance check-ins and progress reviews against the roadmap

  - Continuous monitoring of your data protection posture and processing activities

  - Advisory support for new projects, processing activities, and vendor engagements

  - Breach response management and supervisory authority liaison as needed

  - Periodic compliance reporting delivered to your leadership team

Your DPO is accessible at any time through the Secure Privacy platform — ensuring your organization always has expert data protection guidance available when it is needed. Learn more about Secure Privacy DPO as a Service.

Frequently Asked Questions

How long does the DPO as a Service onboarding process take?

The onboarding timeline depends on the size and complexity of your organization and the extent of the compliance gaps identified. Critical issues are typically addressed within the first two weeks, with the full compliance roadmap implemented over the first one to two months. DPO registration with the supervisory authority is completed at the point of engagement confirmation — ensuring your organization is formally compliant from the outset.

What information does my organization need to provide during onboarding?

Your DPO team will work through the discovery consultation to gather the necessary information — including your existing privacy policies, any current data processing records or ROPA, vendor agreements, security documentation, and details of any known compliance gaps or regulatory matters. Your internal teams will be guided through what is needed at each stage.

What happens if the gap analysis identifies critical compliance issues?

Critical findings are addressed immediately in the first two weeks of the compliance roadmap. Your DPO will advise on the specific remediation actions required, work with your team to prioritize and implement them, and document the steps taken — ensuring your organization moves out of active non-compliance as quickly as possible.

Can Secure Privacy's DPO as a Service support organizations in multiple jurisdictions from the start of onboarding?

Yes. The initial discovery consultation specifically covers all jurisdictions in which your organization operates, and the gap analysis accounts for both GDPR requirements and applicable national data protection legislation in each relevant member state. Your compliance roadmap reflects the full regulatory footprint of your organization from day one.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# GDPR DPO Appointment Requirements – When Is a Data Protection Officer Mandatory Under Article 37?

URL: https://support.secureprivacy.ai/article/when-is-appointing-a-dpo-mandatory
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T20:25:00+00:00
Updated: 2026-03-22T01:02:16.558+00:00
Reading Time: 5 minutes
Summary: Learn when GDPR Article 37 makes DPO appointment mandatory, what large-scale processing means, national requirements across EU member states, and when voluntary appointment is recommended.

Under GDPR Article 37, certain organizations are legally required to appoint a Data Protection Officer (DPO). The conditions for mandatory appointment are broader than many organizations assume — and several EU member states impose additional national requirements beyond the GDPR baseline. This guide explains when a DPO appointment is mandatory, what "large-scale processing" means in practice, and when a voluntary appointment is strongly recommended even if not legally required.

Who Is This For?

  - Legal and compliance teams assessing whether their organization is required to appoint a DPO under GDPR

  - Data Protection Officers and privacy managers advising leadership on DPO appointment obligations

  - Organizations operating across multiple EU member states subject to national DPO requirements

  - Growing businesses evaluating whether their current or planned processing activities trigger mandatory appointment

GDPR Article 37: When Is DPO Appointment Mandatory?

Not every organization is required to appoint a DPO under GDPR — but the mandatory conditions are more widely applicable than many organizations realize. Under GDPR Article 37(1), DPO appointment is mandatory in three scenarios:

  - Public authorities or bodies: Any organization that is a public authority or body — except courts acting in their judicial capacity — must appoint a DPO.

  - Large-scale systematic monitoring: Organizations whose core activities require regular and systematic monitoring of individuals on a large scale — for example, behavioral advertising networks, telecom operators, or organizations using tracking technologies at scale.

  - Large-scale special category data processing: Organizations whose core activities involve large-scale processing of special categories of personal data under GDPR Article 9 (such as health, biometric, or religious data) or data relating to criminal convictions and offenses under Article 10.

What Does "Large-Scale Processing" Mean Under GDPR?

GDPR does not define a precise numeric threshold for large-scale processing. The European Data Protection Board (EDPB) advises that the following factors should be considered when determining whether processing qualifies as large scale:

  - The number of data subjects concerned — either as a specific figure or as a proportion of the relevant population

  - The volume of data or range of data items being processed

  - The duration or permanence of the data processing activity

  - The geographical extent of the processing — local, regional, national, or international

Where there is genuine doubt about whether your processing qualifies as large scale, your DPO can conduct an assessment and document the reasoning — providing a defensible position if the question is raised by a supervisory authority.

National DPO Appointment Requirements Across EU Member States

Several EU member states have enacted national legislation that imposes DPO appointment obligations beyond the GDPR Article 37 baseline. Organizations operating in multiple jurisdictions must assess both GDPR requirements and applicable national rules:

  
    
    
  
  
    
      Country

      Additional DPO Appointment Requirement

    

    
      Germany

      Organizations with 20 or more employees regularly processing personal data must appoint a DPO under the Federal Data Protection Act (BDSG)

    

    
      France

      DPO appointment is strongly recommended for all organizations processing personal data; the CNIL has issued binding guidance on DPO obligations

    

    
      Austria

      Organizations that systematically process personal data as their primary activity are required to appoint a DPO

    

    
      Poland

      Public entities and organizations processing special categories of personal data are required to appoint a DPO under Polish national law

    

  

When Voluntary DPO Appointment Is Recommended

Even where GDPR Article 37 does not strictly require a DPO, the European Data Protection Board recommends voluntary appointment for organizations that process personal data regularly or at meaningful scale. Consider appointing a DPO if:

  - You process customer, employee, or user data on an ongoing basis

  - You operate across multiple EU jurisdictions subject to varying national requirements

  - Your organization is growing in a way that may trigger mandatory DPO thresholds in the near future

  - You want to demonstrate GDPR accountability and good data governance to regulators, customers, and partners

Secure Privacy's DPO as a Service makes it straightforward to meet mandatory and voluntary DPO requirements without the cost and overhead of a full-time in-house hire.

Frequently Asked Questions

Does a DPO need to be an employee of the organization?

No. GDPR Article 37(6) explicitly permits the DPO role to be fulfilled by an external service provider under a contract. A DPO as a Service arrangement — such as that offered by Secure Privacy — satisfies this requirement and provides access to specialist expertise without the cost of a full-time hire.

What happens if an organization fails to appoint a mandatory DPO?

Failure to appoint a DPO when required under GDPR Article 37 is a direct violation of GDPR and can result in enforcement action and fines of up to €10 million or 2% of global annual turnover under GDPR Article 83(4). Supervisory authorities have issued fines for this specific failure in several EU member states.

Can one DPO serve multiple organizations?

Yes. GDPR Article 37(3) allows a single DPO to be appointed for a group of undertakings or a group of public authorities, provided the DPO is easily accessible from each entity. Availability and accessibility requirements must be met in practice, not just on paper.

How does an organization assess whether its processing triggers the mandatory DPO threshold?

Organizations should document their core processing activities and assess each against the three Article 37(1) scenarios — public authority status, large-scale systematic monitoring, and large-scale special category data processing — using the EDPB's large-scale assessment factors. Where the answer is uncertain, the assessment and its reasoning should be documented. Secure Privacy's DPO can conduct and document this assessment on your behalf.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# In-House DPO vs DPO as a Service – GDPR Article 37(6) Comparison, Costs, and When Each Makes Sense

URL: https://support.secureprivacy.ai/article/dpo-as-a-service-vs-in-house-dpo
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T20:25:00+00:00
Updated: 2026-03-22T01:23:28.184+00:00
Reading Time: 5 minutes
Summary: Compare in-house DPO vs DPO as a Service under GDPR Article 37(6) — covering cost, expertise, independence, scalability, and when each model is the right choice for your organization.

Under GDPR Article 37(6), the DPO function can be fulfilled by either an in-house employee or an external service provider. Both approaches are legally valid — but they differ significantly in cost, expertise, independence, and scalability. This guide compares in-house DPO and DPO as a Service (DPOaaS) across the key factors to help your organization make the right choice for its size, structure, and compliance requirements.

Who Is This For?

  - Legal and compliance leads evaluating DPO appointment options under GDPR Article 37

  - HR and finance teams assessing the cost and resourcing implications of in-house vs external DPO models

  - Senior leadership and board members responsible for data protection governance decisions

  - SMEs, startups, and growing organizations weighing DPO as a Service against internal hiring

In-House DPO vs DPO as a Service: Detailed Comparison

GDPR Article 37(6) explicitly permits the DPO role to be fulfilled by an external service provider under a service contract. The table below compares the two models across the factors that matter most to organizations making this decision:

  
    
    
    
  
  
    
      Factor

      In-House DPO

      DPO as a Service

    

    
      Annual Cost

      $80,000–$180,000+ including salary, benefits, and ongoing training

      Fraction of the cost — predictable monthly service fee with no recruitment overhead

    

    
      Expertise

      Single individual's knowledge base — depth varies by background and continuing development

      Access to a team of specialists with cross-industry and multi-jurisdictional experience

    

    
      Independence

      May face internal pressure, reporting line conflicts, or organizational politics

      Naturally independent as an external party — no internal conflicts of interest

    

    
      Availability

      Subject to leave, illness, resignation, and knowledge loss on departure

      Guaranteed continuity of service regardless of individual availability

    

    
      Scalability

      Limited to one individual's capacity — additional resource requires additional hire

      Scales with your organization's evolving compliance needs without additional hiring

    

    
      Regulatory Knowledge

      May specialize in one jurisdiction or sector — breadth depends on the individual

      Multi-jurisdictional and cross-sector expertise distributed across the service team

    

    
      Recruitment

      Lengthy hiring process in a competitive and specialist talent market

      Immediate access to qualified DPO professionals — no recruitment delay

    

    
      Organizational Knowledge

      Deep understanding of internal operations, culture, and systems from day one

      Built progressively through structured onboarding and ongoing engagement

    

  

When an In-House DPO Makes Sense

An in-house DPO appointment is most appropriate in a limited set of circumstances where the depth of internal organizational knowledge and continuous presence outweigh the cost and scalability advantages of DPOaaS:

  - Very large organizations with complex, high-volume, and continuous data processing needs that require a full-time dedicated resource embedded within the business.

  - Organizations where data protection is a core competitive differentiator — such as data-intensive technology companies where privacy strategy is integral to product development and market positioning.

  - Organizations with highly specialized or sensitive data processing requirements — such as defense, intelligence-adjacent, or critical national infrastructure sectors where external access is restricted.

When DPO as a Service Is the Better Choice

For most organizations subject to GDPR, DPO as a Service offers a more cost-effective, flexible, and expertise-rich solution than an in-house hire:

  - Small to medium-sized organizations that need qualified DPO guidance and accountability documentation without the cost of a full-time senior hire.

  - Organizations operating across multiple EU jurisdictions where diverse regulatory knowledge — covering different supervisory authority expectations and national implementing legislation — is required.

  - Organizations looking to reduce compliance overhead while maintaining full GDPR accountability, reporting, and supervisory authority liaison capabilities.

  - Startups and rapidly growing companies where data processing activities, headcount, and regulatory exposure change quickly and compliance requirements need to scale accordingly.

  - Any organization where an internal DPO appointment could create conflicts of interest — for example, where the only suitable internal candidate also holds a role that involves making data processing decisions.

The Hybrid DPO Model

Some organizations adopt a hybrid approach: an internal privacy champion or data protection coordinator handles day-to-day privacy activities and acts as the internal point of contact, while an external DPO service fulfils the formal GDPR Article 37–39 obligations — including supervisory authority liaison, DPIA sign-off, breach notification, and compliance reporting.

Secure Privacy's DPO as a Service is designed to support this model. Your external DPO works alongside your internal privacy team, providing expert oversight and formal accountability while your internal coordinator manages operational privacy tasks. Learn more about the Secure Privacy DPO as a Service.

Frequently Asked Questions

Is a DPO as a Service legally equivalent to an in-house DPO under GDPR?

Yes. GDPR Article 37(6) explicitly states that the DPO function can be fulfilled by an external service provider under a service contract. A DPOaaS arrangement satisfies the same GDPR Article 37–39 obligations as an in-house appointment — including supervisory authority registration, accessibility requirements, and independence obligations — provided the service agreement is structured correctly.

What are the GDPR independence requirements for a DPO?

GDPR Article 38(3) requires that the DPO does not receive instructions regarding the exercise of their tasks, does not be dismissed or penalized for performing those tasks, and reports directly to the highest management level of the organization. An external DPO as a Service is inherently well-positioned to meet these independence requirements, as the service provider has no employment relationship with the organization and no conflicting internal responsibilities.

Can a DPO as a Service be easily accessible to data subjects and supervisory authorities?

Yes — provided the DPOaaS contract includes clear accessibility provisions. GDPR Article 38(4) requires the DPO to be accessible to data subjects for queries about their rights and to supervisory authorities for compliance matters. Secure Privacy's DPO as a Service includes defined contact channels and response commitments that satisfy this requirement.

How quickly can a DPO as a Service be operational?

Unlike an in-house hire — which involves a recruitment process, notice period, and onboarding timeline that can take several months — a DPO as a Service can typically be operational within days of contract execution. Secure Privacy provides a structured onboarding process to build organizational knowledge quickly, ensuring your DPO can fulfil their obligations from the outset.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Data Protection Officer Role – GDPR Articles 37–39, Mandatory Tasks, Independence Requirements, and DPOaaS

URL: https://support.secureprivacy.ai/article/dpo-roles-and-responsibilities-under-gdpr
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T20:25:00+00:00
Updated: 2026-03-22T01:25:03.962+00:00
Reading Time: 6 minutes
Summary: Learn what GDPR Articles 37–39 require of a Data Protection Officer — mandatory tasks, independence protections, practical responsibilities, and how Secure Privacy's DPO as a Service fulfils them.

The Data Protection Officer (DPO) is a formally designated role under GDPR Articles 37–39, responsible for advising on compliance, monitoring data protection obligations, overseeing DPIAs, and acting as the official contact point between your organization and the supervisory authority. This guide explains the mandatory tasks, independence requirements, and practical responsibilities of the DPO role — and how Secure Privacy's DPO as a Service fulfils all GDPR Article 39 obligations on your organization's behalf.

Who Is This For?

  - Organizations subject to GDPR that are required or considering appointing a Data Protection Officer

  - Legal and compliance teams seeking to understand what the DPO role requires under GDPR Articles 37–39

  - Senior leadership and boards responsible for data protection governance and DPO oversight

  - Privacy professionals evaluating whether an in-house or external DPO model best meets their obligations

The Role of the Data Protection Officer Under GDPR

The DPO plays a central role in ensuring an organization's ongoing compliance with GDPR and other applicable data protection regulations. Unlike a general compliance function, the DPO is a formally designated position with specific statutory tasks, strict independence protections, and a direct reporting line to the highest level of management. GDPR Articles 37–39 define the conditions for appointment, the independence requirements, and the minimum tasks the DPO must fulfil.

GDPR Article 39 Mandatory DPO Tasks

GDPR Article 39 sets out the minimum tasks every DPO must perform. These are baseline obligations — not an exhaustive description of what a well-functioning DPO program delivers in practice:

Inform and advise on data protection obligations

The DPO informs and advises the controller, processor, and employees about their obligations under GDPR and other applicable data protection law — ensuring decision-makers across the organization understand the privacy implications of their activities before processing begins.

Monitor GDPR compliance

The DPO monitors compliance with GDPR, other EU or member state data protection provisions, and the organization's internal data protection policies — including assigning responsibilities, raising awareness, and conducting regular compliance assessments.

Advise on and oversee DPIAs

The DPO provides advice on when Data Protection Impact Assessments are required under GDPR Article 35, reviews completed assessments for sufficiency, and monitors the implementation of mitigation measures identified in the DPIA process.

Cooperate with and act as contact point for the supervisory authority

The DPO is the designated contact point for all supervisory authority communications — including breach notifications, prior consultation requests, complaints, inquiries, and investigations — and cooperates with the authority on all processing-related matters under GDPR Article 39(1)(d-e).

Take due regard of risk in processing operations

When performing their tasks, the DPO takes due account of the risk associated with each processing activity — considering the nature, scope, context, and purposes of processing — and prioritizes their activities accordingly.

GDPR Article 38 DPO Independence Requirements

GDPR Article 38 establishes strict protections for the DPO's independence — requirements that are non-negotiable and that supervisory authorities actively assess during investigations:

  - No instructions on DPO tasks: The DPO must not receive instructions from the controller or processor regarding the exercise of their tasks — they must be free to form their own professional judgments on compliance matters.

  - Protection from dismissal or penalty: The DPO cannot be dismissed, penalized, or disadvantaged for performing their duties — including when their advice conflicts with the organization's preferred course of action.

  - Direct reporting to senior management: The DPO must report directly to the highest management level — ensuring their findings and recommendations reach the appropriate decision-making level without being filtered through intermediate management.

  - No conflict of interest: The DPO must not hold a position within the organization that would lead to a conflict of interest with their DPO responsibilities — for example, a role that involves making data processing decisions that the DPO would then be required to oversee.

The independence requirement is one of the primary reasons organizations choose an external DPO through a service like Secure Privacy — an external provider is naturally independent, with no employment relationship or conflicting internal responsibilities that could compromise the role.

DPO Responsibilities in Practice

Beyond the minimum Article 39 tasks, a well-functioning DPO program covers the full range of operational data protection responsibilities:

  
    
    
  
  
    
      Area

      Responsibilities

    

    
      Policy Management

      Review and advise on privacy policies, data retention schedules, and internal data protection procedures

    

    
      Staff Training

      Deliver role-specific data protection training and ensure all employees understand their GDPR obligations

    

    
      Breach Management

      Advise on breach detection, risk assessment, 72-hour notification, data subject communication, and breach register documentation

    

    
      DPIA Oversight

      Advise on when DPIAs are required, review assessments for GDPR Article 35 compliance, and monitor mitigation implementation

    

    
      Data Subject Rights

      Oversee processes for responding to DSARs, erasure requests, rectification, restriction, and objection within GDPR deadlines

    

    
      Vendor Management

      Review Data Processing Agreements, maintain the vendor register, and advise on third-party processor risk and international transfers

    

  

How Secure Privacy's DPO as a Service Fulfils GDPR Requirements

When you engage Secure Privacy's DPO as a Service, our appointed DPO fulfils all mandatory GDPR Articles 37–39 requirements — including supervisory authority registration, breach notification, DPIA oversight, and staff training — while maintaining full structural independence as an external service provider.

Regular compliance reports keep your leadership informed of your organization's data protection posture, and the Secure Privacy governance platform provides complete transparency into all DPO activities, documentation, and risk management. Learn more about Secure Privacy DPO as a Service.

Frequently Asked Questions

What is the difference between the DPO's tasks under Article 39 and their broader responsibilities?

GDPR Article 39 defines the minimum mandatory tasks every DPO must perform — the legal baseline. In practice, an effective DPO program extends well beyond these minimum tasks to cover policy management, staff training, vendor oversight, breach response, ROPA maintenance, and ongoing compliance monitoring. The Article 39 tasks are the floor, not the ceiling, of what a well-functioning DPO delivers.

Can the DPO be overruled by senior management on a compliance matter?

No. GDPR Article 38(3) prohibits instructions to the DPO regarding the exercise of their tasks. The data controller remains the decision-maker on whether to proceed with a processing activity, but they cannot instruct the DPO to change their compliance advice or findings. Where the controller proceeds against the DPO's advice, both the advice and the controller's decision should be documented — providing an important accountability record if the matter is later reviewed by a supervisory authority.

What qualifications does a DPO need under GDPR?

GDPR Article 37(5) requires the DPO to be appointed based on professional qualities — in particular, expert knowledge of data protection law and practices — and the ability to fulfil the tasks set out in Article 39. GDPR does not mandate a specific qualification or certification, but the DPO must have sufficient legal and technical knowledge to advise credibly on the full scope of the organization's data processing activities.

How does the DPO report to senior management in practice?

GDPR Article 38(3) requires the DPO to report directly to the highest management level — typically the board, CEO, or equivalent. In practice, this is typically fulfilled through regular written compliance reports, quarterly or annual board presentations, and direct escalation of high-risk findings. Secure Privacy's DPO as a Service includes structured reporting cycles designed to satisfy this obligation and keep leadership appropriately informed.

See Also

  - Setup DSAR Forms in Secure Privacy

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Privacy Program Maturity Scoring – How the Governance Solution Measures and Benchmarks GDPR Compliance

URL: https://support.secureprivacy.ai/article/understanding-privacy-program-maturity-scoring
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T15:56:34.547+00:00
Reading Time: 5 minutes
Summary: Understand how Secure Privacy's Governance Solution scores your privacy program maturity across six GDPR dimensions — with maturity levels, risk indicators, cross-entity benchmarking, and improvement guidance.

Secure Privacy's Governance Solution evaluates your organization's privacy program maturity across six key dimensions — giving compliance teams, privacy officers, and executive leadership a clear, scored view of where the program stands and where improvements are needed. Maturity scores are used across the Dashboard, compliance reports, and Cross-Company Analytics to support benchmarking, gap analysis, and regulatory accountability.

Who Is This For?

  - Privacy officers tracking privacy program improvement over time and identifying dimension-level gaps

  - Executives and board members who need a high-level view of organizational compliance readiness

  - Compliance managers benchmarking maturity scores across multiple entities, regions, or business units

Privacy Maturity Scoring Model

Your privacy program maturity score is calculated as a percentage (0–100%) based on your organization's performance across six dimensions. Each dimension reflects a core area of GDPR compliance program effectiveness:

  
    
    
  
  
    
      Dimension

      What It Measures

    

    
      Governance

      Organizational structure, defined roles, and accountability frameworks including DPO appointment

    

    
      Policies

      Privacy policy documentation, review cycles, and coverage across applicable processing activities

    

    
      Data Inventory

      Completeness of data mapping, system inventory, and process documentation in the ROPA

    

    
      Individual Rights

      DSAR handling capabilities, response times, and performance against GDPR deadlines

    

    
      Security

      Technical and organizational security measures in place across systems processing personal data

    

    
      Risk Management

      Risk identification, scoring, mitigation activities, and DPIA completion for high-risk processing

    

  

Privacy Program Maturity Levels

Based on the overall score, the platform assigns a maturity classification that reflects the current state of your privacy program:

  
    
    
    
  
  
    
      Maturity Level

      Score Range

      Description

    

    
      Reactive Maturity

      0–40%

      Privacy program is in early stages with significant compliance gaps requiring prioritized remediation

    

    
      Developing Maturity

      41–70%

      Core compliance elements are in place but gaps remain across one or more dimensions

    

    
      Proactive Maturity

      71–100%

      Comprehensive privacy program with strong controls, documented processes, and continuous improvement

    

  

Risk Level Indicators

Alongside the maturity score, the platform assigns a risk level indicator reflecting the organization's current compliance exposure:

  - High Risk: Significant compliance gaps requiring immediate attention — typically associated with Reactive Maturity scores

  - Medium Risk: Some areas need improvement but core controls are in place — typically associated with Developing Maturity

  - Low Risk: Strong compliance posture with minimal gaps — typically associated with Proactive Maturity

Cross-Entity Privacy Maturity Comparison

For organizations managing multiple entities, the Privacy Program Maturity Comparison report provides structured cross-entity benchmarking:

  - Side-by-side maturity scoring across all entities in your portfolio

  - Spider chart visualizations showing dimension-by-dimension performance for each entity

  - Identification of highest and lowest scoring entities — highlighting where intervention is most needed

  - Average, highest, and lowest scores across the full entity portfolio for executive reporting

Improving Your Privacy Maturity Score

Each dimension of the maturity score can be improved through targeted actions within the Governance Solution:

Complete your data mapping

Ensure all processing activities and systems are fully documented in the Process Register and Systems Management modules. Incomplete ROPA coverage is one of the most common causes of low Data Inventory scores.

Maintain up-to-date policies

Upload current versions of all privacy policies and procedures to the Document Repository, and set annual review reminders in the Compliance Calendar. Outdated or missing policies directly reduce your Policies dimension score.

Address open risks

Work through your risk register systematically — implementing mitigation plans, updating risk status as actions are completed, and closing resolved items. Active risk remediation improves your Risk Management score in real time.

Handle DSARs promptly

Respond to all data subject requests within GDPR's one-month deadline. DSAR response performance is a direct input into the Individual Rights dimension — consistently missed deadlines will reduce this score.

Complete DPIAs for high-risk processing

Run Data Protection Impact Assessments for all processing activities that meet the GDPR Article 35 threshold. Incomplete DPIA coverage for high-risk items negatively affects both the Risk Management and Governance dimensions.

Assign ownership to all items

Ensure every process, system, and risk record has a clearly assigned owner. Unowned compliance items are treated as accountability gaps — assigning ownership across your compliance program improves scores across multiple dimensions simultaneously.

Using Maturity Scores in Compliance Reports

Maturity scores are surfaced across several reports in the Reporting & Analytics module:

  - Compliance Dashboard: Overall maturity score with a dimension-by-dimension breakdown for the current organization

  - Executive Summary: High-level maturity overview formatted for board and leadership reporting

  - Privacy Program Comparison: Cross-entity maturity benchmarking with spider chart visualizations

  - Cross-Company Analytics: Aggregated maturity metrics across all organizations managed in the platform

Next Steps

  - Review your current maturity score and dimension breakdown on the Dashboard

  - Use the Gap Analysis report to identify the lowest-scoring dimensions and prioritize remediation

  - Create targeted tasks in Task Management to address identified compliance gaps

  - Schedule regular maturity reviews in the Compliance Calendar to track improvement over time

Frequently Asked Questions

How frequently is the maturity score updated?

The maturity score updates in real time as compliance activities are completed within the Governance Solution — including adding new process records, completing risk mitigations, handling DSARs, and uploading policy documents. There is no need to manually trigger a recalculation; the score always reflects your current program status.

Can the maturity score be used as evidence of GDPR compliance for supervisory authorities?

The maturity score itself is an internal assessment tool rather than a formal regulatory certification. However, the detailed compliance data that underlies the score — including your ROPA, risk register, DPIA records, and DSAR performance metrics — can be exported from the Governance Solution as audit-ready evidence for supervisory authority review under GDPR Article 5(2) accountability requirements.

What is the fastest way to move from Reactive to Developing maturity?

The highest-impact actions for organizations at Reactive maturity are typically: completing data mapping in the Process Register, uploading current privacy policies to the Document Repository, assigning ownership to all systems and processes, and addressing any open High-risk items in the risk register. These actions span multiple scoring dimensions and generate rapid score improvement.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# DSAR Handling Module – GDPR Data Subject Request Management, Deadline Tracking, and Audit Logging in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/how-to-handle-dsars-governance-platform
Product: Privacy & AI Governance
Category: DSARs
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T16:39:43.556+00:00
Reading Time: 5 minutes
Summary: Manage GDPR and CCPA data subject access requests end-to-end using the DSAR Handling module in Secure Privacy's Governance Solution — with automated deadline tracking, secure data handling, and full audit logging.

The DSAR Handling module in Secure Privacy's Governance Solution manages the full lifecycle of Data Subject Access Requests — from intake and identity verification through to response delivery and audit logging. It helps your organization meet the legal response timeframes required by GDPR (30 days), CCPA (45 days), and other applicable privacy regulations, while maintaining a complete, defensible audit record of every action taken.

Who Is This For?

  - Privacy officers overseeing DSAR response processes and ensuring regulatory deadline compliance

  - Legal teams ensuring timely, compliant responses to all data subject rights requests

  - Support staff handling incoming data requests and coordinating the response workflow across departments

Accessing DSAR Handling

From the left sidebar in the Governance Solution, navigate to Compliance > DSARs. The main view displays all requests in a filterable table with real-time status indicators and deadline tracking.

Creating and Processing a DSAR

Step 1: Click + Add Request

Click + Add Request in the top-right corner to log a new data subject rights request.

Step 2: Fill in request details

Complete the following fields to fully document the incoming request:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Subject

      Email address or identifier of the data subject submitting the request

      user@example.com

    

    
      Request Type

      The specific data subject right being exercised

      Access Request, Erasure, Rectification, Portability

    

    
      Status

      Current handling status of the request

      Pending, In Progress, Completed

    

    
      Due Date

      Response deadline — automatically calculated based on the applicable regulation and receipt date

      2025-06-22

    

    
      Related Processes

      Link to relevant data processing activities in the Process Register

      Customer Data Processing

    

    
      Assignees

      Team members responsible for handling and responding to the request

      dan@company.com

    

    
      Response Time

      Legal response timeframe for the applicable regulation

      30 days (GDPR), 45 days (CCPA)

    

  

Step 3: Process the request

Work through the request by gathering the required personal data, verifying the data subject's identity, and preparing the response. Update the status field as work progresses to keep the record current and all assignees informed.

GDPR DSAR Deadline Tracking

The platform automatically calculates and tracks the response deadline for each request based on receipt date and applicable regulation. A visual progress bar shows how much time remains, with color-coded indicators providing at-a-glance urgency signals:

  - Green — Plenty of time remaining; request is on track

  - Yellow — Deadline approaching with less than 50% of response time remaining

  - Red — Deadline imminent or overdue; immediate action required

DSAR Secure Data Handling

The DSAR module applies enterprise-grade security controls to all personal data handled during the request process:

  - Files and attachments are encrypted at rest and in transit using AES-256 and TLS 1.2+

  - Access to request records and attached data is restricted to assigned team members only

  - All data access events are logged automatically for audit purposes

  - Completed response packages can be securely shared with the data subject when ready

Custom DSAR Intake Controls

Customize your DSAR intake form with custom fields to collect the specific information your organization needs to process requests efficiently. See the dedicated DSAR Custom Controls article for step-by-step configuration instructions.

DSAR Audit Trail for Regulatory Accountability

Every action related to a DSAR record is automatically logged — including creation, status changes, communications, file uploads, assignee changes, and completion. This provides a complete, timestamped, defensible record of your response process for supervisory authority review under GDPR Article 5(2) and Article 12 accountability requirements.

DSAR Performance Reporting

The DSAR Performance report in the Reporting & Analytics module provides operational insights into your DSAR program:

  - Average response times across all request types

  - Completion rates broken down by request type

  - Trending request volumes over time — identifying seasonal patterns or spikes

  - Overdue request analysis — highlighting systemic process issues requiring intervention

DSAR Handling Best Practices

Verify identity before processing any request

GDPR Article 12 allows organizations to request additional information to confirm a data subject's identity where there is reasonable doubt. Always document the verification method and outcome before sharing any personal data in a response.

Assign DSARs to specific team members immediately on receipt

Unassigned requests are the most common cause of missed DSAR deadlines. Log and assign every incoming request on the day it is received — ensuring accountability is established from the outset and the deadline clock is visible to the responsible team member.

Use deadline tracking to monitor all open requests

Review the DSAR register regularly and prioritize any requests showing yellow or red deadline indicators. Do not wait for automated reminders alone — an active weekly review prevents deadline breaches caused by unexpected complexity or delays.

Maintain detailed notes throughout the response process

Document every decision made during the DSAR response — including data searches conducted, exemptions considered, and the rationale for any refusals. Detailed notes create the audit-ready record needed to defend your response process to a supervisory authority.

Review DSAR performance metrics monthly

Use the DSAR Performance report to identify trends in response times, request volumes, and overdue rates. Monthly reviews allow compliance teams to spot process bottlenecks and implement improvements before they become systemic compliance failures.

Next Steps

  - Configure your DSAR intake form using DSAR Custom Controls to collect the information specific to your organization's request types

  - Monitor DSAR response times and completion rates through Reporting & Analytics

  - Set DSAR deadline reminders in the Compliance Calendar for proactive deadline management

Frequently Asked Questions

Does the module support CCPA requests as well as GDPR DSARs?

Yes. The DSAR Handling module supports requests under multiple privacy regulations — including GDPR (30-day response requirement) and CCPA (45-day response requirement). The applicable response timeframe is automatically calculated based on the regulation selected when the request is logged.

What happens if a DSAR response deadline is missed?

Failing to respond within the legal timeframe is a direct regulatory breach — under GDPR, this can trigger supervisory authority complaints and enforcement action. The platform's red deadline indicator and automated reminders are designed to prevent this, but if a deadline is missed, document the reason immediately and issue the response as quickly as possible with a written explanation to the data subject as required under GDPR Article 12(3).

Can DSARs be linked to specific processing activities in the Process Register?

Yes. The Related Processes field allows each DSAR to be linked to the relevant data processing activities documented in the Process Register — creating end-to-end traceability from the data subject's request to the processing activity that generated their personal data.

See Also

  - How to Handle Data Subject Access Requests (DSARs) – Step-by-Step Process

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Members Module – Role-Based Access Control, Team Ownership Assignment, and Accountability Tracking in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/managing-team-members-role-based-access-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T16:10:02.923+00:00
Reading Time: 5 minutes
Summary: Manage team member roles, assign compliance ownership, and maintain a full accountability audit trail using the Members module in Secure Privacy's Governance Solution.

The Members module in Secure Privacy's Governance Solution lets you manage team member access, assign ownership of tasks, risks, assessments, and processes, and maintain a complete audit trail of all responsibility changes. Role-based access controls ensure each team member can only access the areas relevant to their role — supporting both operational security and GDPR accountability across your organization.

Who Is This For?

  - Administrators managing user access, permissions, and team member onboarding and offboarding

  - Compliance managers assigning and tracking responsibilities across teams and departments

  - Privacy officers ensuring proper accountability structures are in place and documented for regulatory purposes

Accessing the Members Module

From the left sidebar in the Governance Solution, click Members. The main view displays all team members with their role, department, and current involvement across processes, tasks, risks, and impact assessments.

Adding a Team Member

Step 1: Click + Add Member

Click the + Add Member button in the top-right corner of the Members view.

Step 2: Enter member details

Enter the team member's email address. They will receive an invitation to join the organization on the Governance Solution platform.

Step 3: Assign a role

Select the appropriate role based on the team member's responsibilities and the level of access they require:

  
    
    
  
  
    
      Role

      Access Level

    

    
      Owner

      Full access to all modules, settings, and user management — typically assigned to the primary account administrator

    

    
      Admin

      Full access to all compliance modules — cannot manage organization-level settings or billing

    

    
      Member

      Access limited to items and modules specifically assigned to them — suitable for team members with defined, scoped responsibilities

    

  

Role-Based Access Control

Role assignments in the Members module directly govern what each team member can view and edit across the Governance Solution. Following the principle of least privilege — granting only the access each person needs for their role — reduces the risk of unauthorized changes to compliance records and supports GDPR data minimization principles as applied to internal system access.

Member Involvement Tracking

The Members table provides an at-a-glance view of each team member's current compliance responsibilities across the platform:

  - Processes: Number of processing activities they own or are involved in within the Process Register

  - Tasks: Number of compliance tasks currently assigned to them in Task Management

  - Risks: Number of risk register entries they are responsible for in Risk Management

  - Impact Assessments: Number of DPIAs or other assessments they participate in

Click on any team member to view the full details of their assignments and ownership across all modules.

Filtering and Exporting

Use the search bar to find members by name or email address. Apply Filters to narrow the view by role or department. Click Export to download the full member list for audit documentation, HR reporting, or access review purposes.

Compliance Accountability Audit Trail

The platform automatically tracks all member-related actions with timestamps — providing a complete, chronological record of who was responsible for what at any point in time:

  - When a member was added to or removed from the organization

  - Role changes and permission updates

  - Task assignments, completions, and reassignments

  - Process and risk ownership changes

This audit trail directly supports GDPR accountability requirements under Article 5(2) — demonstrating that named individuals were responsible for specific compliance obligations at each point in your program's history.

Members Module Best Practices

Follow the principle of least privilege

Assign each team member only the role and access level they need to perform their compliance responsibilities. Avoid assigning Owner or Admin roles to members who only need task-level access — reducing the risk of accidental or unauthorized changes to compliance records.

Review member roles quarterly

Team responsibilities change frequently. A quarterly review of all member roles and assignments ensures access levels still reflect current job functions — and identifies any members who may need their access updated or removed.

Remove access promptly when team members leave

Departing team members should have their access removed immediately — and their open tasks, risks, and process ownerships reassigned to active team members. Unowned compliance items create accountability gaps that may not be visible until a regulatory audit.

Use role-based workflow approvers

Configure approvers in Workflow & Automation by role rather than by named individual wherever possible. This ensures workflows continue functioning correctly when team members change roles or leave the organization — without requiring manual reconfiguration of approval chains.

Assign ownership to every item

Every process, system, risk, and task in the Governance Solution should have a clearly named owner. Unowned items reduce accountability, lower maturity scores across multiple dimensions, and create gaps that supervisory authorities may identify during regulatory inspections.

Next Steps

  - Assign team members as owners of processing activities in the Process Register

  - Set up and assign compliance tasks in Task Management to ensure clear accountability for all open actions

  - Configure role-based approvers in Workflow & Automation to future-proof your approval chains against team changes

Frequently Asked Questions

What happens to tasks and risks owned by a member when they are removed?

When a team member is removed from the organization, their tasks, risks, and process ownerships remain in the system but become unassigned. An administrator should reassign all open items to active team members promptly after removal to prevent accountability gaps and ensure compliance activities continue without interruption.

Can the same person hold multiple roles across different modules?

Each team member has a single platform role — Owner, Admin, or Member — that governs their access level across the Governance Solution. However, a single team member can be assigned ownership of multiple processes, tasks, risks, and assessments simultaneously, regardless of their platform role.

Is the member audit trail accessible to supervisory authorities?

The audit trail is an internal record within the Governance Solution. If required during a regulatory inspection, administrators can export member records and activity logs to demonstrate that named individuals held specific compliance responsibilities at particular points in time — supporting GDPR accountability documentation under Article 5(2).

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Compliance Automation – Automating Recurring GDPR Tasks, Workflows, and AI Suggestions in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/automating-recurring-compliance-tasks-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T15:54:56.476+00:00
Reading Time: 6 minutes
Summary: Automate recurring GDPR compliance tasks, configure event-triggered workflows, and use AI suggestions to close compliance gaps using Secure Privacy's Governance Solution.

Manual compliance tracking is time-consuming, error-prone, and difficult to scale as your privacy program grows. Secure Privacy's Governance Solution enables you to automate recurring compliance activities — from privacy policy reviews and risk register updates to DPIA follow-ups and system audits — so nothing falls through the cracks and your team can focus on higher-value compliance work.

Who Is This For?

  - Compliance managers who want to reduce manual tracking overhead and ensure recurring obligations are never missed

  - Privacy officers responsible for ensuring ongoing GDPR compliance activities happen on schedule across the organization

  - Operations teams supporting compliance processes and managing task assignments at scale

What Compliance Activities Can Be Automated?

The Governance Solution supports automation across three categories of recurring compliance activity:

Recurring task creation

Set compliance tasks to automatically regenerate on a defined schedule — eliminating the need for manual re-creation of routine obligations:

  - Privacy policy reviews — monthly or quarterly, depending on your regulatory environment

  - Risk register updates — quarterly reviews of open and in-progress risk records

  - DPIA reviews — annually or triggered when associated processing activities change

  - System inventory audits — quarterly or semi-annually to identify new, changed, or decommissioned systems

  - Training completion checks — annual verification that all staff have completed mandatory data protection training

Workflow-triggered tasks

Configure event-based workflows in the Workflow & Automation module that automatically create follow-up tasks when specific compliance events occur:

  - A DPIA is completed and requires follow-up risk mitigation actions

  - A risk assessment identifies a new high-risk item requiring immediate remediation

  - A system review reveals missing privacy or security controls

  - A compliance document expires and requires renewal or review

AI-generated compliance suggestions

The platform's AI capabilities proactively surface compliance gaps and recommended actions based on your data processing activities and program status:

  - Assessments that may be required based on new or changed processing activities

  - Policy reviews prompted by relevant regulatory changes or supervisory authority guidance

  - Risk mitigation strategies based on industry patterns and your current risk profile

  - Missing information or documentation gaps in your compliance program

Compliance Automation Setup

Step 1: Identify recurring compliance activities

List all compliance activities that occur on a regular schedule — including reviews, audits, training cycles, and deadline-driven regulatory obligations. This inventory forms the basis of your automation configuration.

Step 2: Create recurring tasks in the Compliance Calendar

In the Compliance Calendar, create tasks with recurrence settings configured. Specify the frequency, start date, and assignee for each recurring activity — and set smart reminders with appropriate lead times based on task priority and complexity.

Step 3: Configure event-triggered workflows

In Workflow & Automation, build workflows that create tasks automatically based on platform events. For example, configure a workflow that assigns a risk mitigation task to the relevant system owner whenever a new High-risk item is added to the risk register.

Step 4: Enable smart reminders

Configure notification settings to send deadline reminders to assignees as tasks approach their due dates. Set different lead times based on task type — allowing more preparation time for complex compliance activities such as DPIA reviews or annual audits.

Measuring Compliance Automation Impact

Track the effectiveness of your automation setup through Reporting & Analytics:

  - Task completion rates over time — identifying whether automation is improving follow-through on recurring obligations

  - Average response times for recurring compliance activities — measuring whether deadlines are being met consistently

  - Overdue task trends — flagging areas where automation settings or assignee coverage may need adjustment

  - Time saved compared to manual tracking — demonstrating the operational value of the automation program to leadership

Compliance Automation Best Practices

Start with your most frequent and most critical recurring tasks

Begin by automating the compliance activities that occur most often or carry the highest regulatory risk if missed — such as DSAR response deadlines, breach notification windows, and quarterly risk reviews. Add lower-frequency activities progressively.

Review automation settings quarterly

Compliance requirements evolve — new regulations, organizational changes, and updated processing activities can all affect which tasks need to be automated and at what frequency. Review your automation configuration quarterly to ensure it still reflects your current compliance obligations.

Treat AI suggestions as a starting point, not a final answer

AI-generated compliance suggestions are valuable for identifying gaps and prompting reviews — but they should always be reviewed by a qualified compliance professional before action is taken. Use them to augment your team's judgment, not replace it.

Monitor task completion rates actively

Automation creates tasks — but it cannot guarantee they are completed. Monitor completion rates through Reporting & Analytics and address low completion rates quickly, whether by adjusting assignees, lead times, or escalation settings in the workflow configuration.

Keep assignees current as team members change roles

When team members change roles or leave the organization, review all recurring tasks and workflow assignments to ensure they are reassigned promptly. Unowned automated tasks are one of the most common sources of missed compliance deadlines.

Next Steps

  - Set up your first recurring compliance task in the Compliance Calendar — starting with your most frequent regulatory obligation

  - Create an event-triggered workflow in Workflow & Automation to automate follow-up task assignment for high-risk items

  - Review automation effectiveness and task completion rates in Reporting & Analytics after your first full compliance cycle

Frequently Asked Questions

Can automation be configured to trigger tasks based on GDPR-specific deadlines such as DSAR response windows?

Yes. DSAR response deadlines and other GDPR-mandated timeframes can be managed through the DSAR module and surfaced in the Compliance Calendar — with automated task creation and smart reminders ensuring your team is notified well in advance of regulatory deadlines. Workflow triggers can also create escalation tasks if a DSAR approaches its deadline without being resolved.

What happens to automated tasks if an assignee leaves the organization?

Automated tasks assigned to a departed team member will continue to be created on schedule but will remain unassigned or assigned to an inactive account until manually updated. It is important to review all recurring task and workflow assignments whenever a team member changes roles or leaves — your account administrator can reassign tasks in bulk through the Task Management module.

How does the AI suggestion feature differ from workflow automation?

Workflow automation is rule-based — it triggers specific, predefined tasks when configured conditions are met. AI suggestions are proactive and advisory — the platform analyses your compliance data and surfaces recommended actions, potential gaps, or upcoming obligations based on patterns in your program. Both are complementary: workflows handle known, recurring obligations automatically, while AI suggestions help identify what you may not yet know you need to address.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Document Repository – Secure Compliance Document Storage, Version Control, and Audit Logging in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/using-document-repository-centralize-compliance-documents
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T15:52:57.294+00:00
Reading Time: 5 minutes
Summary: Store, version-control, and audit all compliance documents — including DPAs, privacy policies, and DPIA records — using the Document Repository in Secure Privacy's Governance Solution.

The Document Repository in Secure Privacy's Governance Solution provides a centralized, secure location for storing all compliance-critical documentation — including privacy policies, Data Processing Agreements, vendor contracts, DPIA records, and audit evidence. Version control, granular permission management, and full audit logging ensure complete accountability and regulatory audit readiness at all times.

Who Is This For?

  - Compliance teams maintaining policy and procedure libraries with version histories for regulatory accountability

  - Legal teams managing contracts, Data Processing Agreements, and data protection clauses

  - Auditors who need controlled access to supporting compliance documentation and evidence packages

Accessing the Document Repository

From the left sidebar in the Governance Solution, navigate to Data Management > Documents. The main view displays all documents in a searchable, sortable table.

Uploading a Compliance Document

Step 1: Click + Upload Document

Click the + Upload Document button in the top-right corner of the Document Repository view.

Step 2: Fill in document details

Complete the following fields to ensure the document is properly categorized and retrievable:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Document Name

      Clear, descriptive title following your organization's naming convention

      "Service Contract - Vendor A"

    

    
      Description

      Brief description of the document's purpose and scope

      "Service Contract Template with GDPR data protection clauses"

    

    
      Department

      The department that owns or is primarily responsible for the document

      Legal, Privacy, IT

    

    
      File

      The document file to upload

      service-contract.pdf, dpa-vendor-a.docx

    

  

Step 3: Set permissions

Configure who can view, edit, and download the document. Permissions can be set at the individual user or team level — ensuring sensitive compliance documents are only accessible to authorized personnel.

Compliance Document Management Features

Version control

Every document update creates a new version automatically. The complete version history is retained — allowing you to view how a document has changed over time and revert to a previous version if needed. This is critical for demonstrating compliance history to supervisory authorities and auditors, particularly for privacy policies and Data Processing Agreements.

Search and filtering

Use the search bar to find documents by name. Apply filters by department, document type, or date range to quickly locate specific files within a large compliance document library.

Audit logging

All document actions are automatically logged — including uploads, downloads, edits, permission changes, and deletions. This provides a complete, timestamped trail of who accessed or modified each document and when — supporting GDPR accountability under Article 5(2).

Export

Click Export to download a summary of your document library, including metadata and version information — useful for audit submissions, regulatory reporting, and internal governance reviews.

GDPR Compliance Document Types

The Document Repository is designed to store the full range of compliance documentation your organization needs to maintain and demonstrate GDPR compliance:

  - Privacy policies and their complete revision history

  - Data Processing Agreements (DPAs) with vendors and processors

  - Service contracts containing data protection and confidentiality clauses

  - Internal compliance procedures and operational guidelines

  - Training materials and staff completion records

  - Audit reports and evidence packages

  - DPIA documentation and approval records from the Impact Assessments module

Document Repository Best Practices

Establish a consistent naming convention

A clear, consistently applied naming convention — including document type, subject, and date — makes the repository searchable and audit-ready as it grows. Define and document your naming standard before uploading large volumes of existing documents.

Review and update documents at least annually

Compliance documents — particularly privacy policies, DPAs, and internal procedures — should be reviewed at least annually and updated whenever relevant regulations, processing activities, or vendor relationships change. Schedule review reminders in the Compliance Calendar to ensure nothing is missed.

Use department-level permissions

Configure permissions at the department level to ensure documents are only accessible to teams with a legitimate need — preventing unauthorized access to sensitive legal or compliance documentation while maintaining appropriate cross-team visibility.

Link documents to related processes, systems, and assessments

Connecting documents to their associated process records, system entries, and DPIA assessments in the Governance Solution creates end-to-end traceability — making it easy to locate supporting documentation for any compliance obligation during an audit or regulatory inspection.

Next Steps

  - Upload your organization's key compliance documents — starting with privacy policies, DPAs, and internal procedures

  - Link documents to their associated processes in the Process Register for full ROPA documentation traceability

  - Set up annual document review reminders in the Compliance Calendar to keep your document library current

Frequently Asked Questions

Can the Document Repository be used to store DPIA approval records for regulatory purposes?

Yes. DPIA documentation and approval records exported from the Impact Assessments module can be stored in the Document Repository — creating a centralized, version-controlled archive of all completed DPIAs. This provides a single location for all GDPR Article 35 compliance evidence, accessible to auditors and supervisory authorities on request.

What file formats are supported for document uploads?

The Document Repository supports standard compliance document formats including PDF and DOCX. If you encounter an unsupported format during upload, convert the file to a supported format before uploading. Contact Secure Privacy support if you have specific format requirements not covered by the current supported list.

How does audit logging in the Document Repository support GDPR accountability?

Every document action — upload, download, edit, permission change, and deletion — is logged with a timestamp and the identity of the user who performed the action. This creates a complete, tamper-resistant record of document access and modification history, directly supporting GDPR accountability requirements under Article 5(2) and providing evidence for supervisory authority inspections.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Enterprise Security and Data Protection – AES-256 Encryption, SSO, Multi-Entity Support, and Audit Trail in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-platform-data-security-encryption-enterprise
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:56:00+00:00
Updated: 2026-03-22T16:25:20.702+00:00
Reading Time: 5 minutes
Summary: Learn how Secure Privacy's Governance Solution protects compliance data with AES-256 encryption, SSO, role-based access control, GDPR data residency, and a comprehensive platform-wide audit trail.

Secure Privacy's Governance Solution is built with enterprise-grade security at every layer — protecting your compliance data with AES-256 encryption, role-based access controls, SSO integration, and a comprehensive audit trail. This article covers the platform's security architecture, data protection measures, multi-entity support, and enterprise deployment features for IT security, procurement, and compliance teams.

Who Is This For?

  - IT security teams evaluating the platform's security posture before enterprise deployment

  - Procurement and legal teams assessing data protection measures and SLA commitments

  - Compliance officers verifying that the platform's security architecture meets GDPR and internal governance requirements

AES-256 Data Encryption

All data stored and transmitted within the Governance Solution is protected with AES-256 encryption — the same standard used by financial institutions and government organizations:

Encryption at rest

All stored compliance data, documents, and attachments are encrypted using AES-256 — ensuring that data stored on the platform's infrastructure cannot be read even if physical storage is compromised.

Encryption in transit

All communications between users and the platform use TLS 1.2+ encryption — protecting data as it moves between browsers, APIs, and the platform's servers.

Backup encryption

All backup copies of platform data are encrypted to the same AES-256 standard as live data — ensuring backup archives cannot be accessed without authorization.

Multi-Entity Support

The Governance Solution supports complex organizational structures — allowing enterprise customers to manage multiple entities, subsidiaries, or regional operations from a single centralized account:

  - Manage separate compliance programs for each entity within a single platform instance

  - Compare privacy maturity scores and risk levels across all entities

  - Generate consolidated reports for the full organization or entity-specific reports for individual business units

GDPR Data Residency

Enterprise customers can specify data residency requirements to ensure compliance data is stored in the appropriate geographic region. This is particularly important for organizations subject to GDPR's data localization requirements or other regional data protection regulations that restrict where personal data and compliance records may be hosted. Contact your account manager to configure data residency for your organization.

Enterprise SSO and Role-Based Access Control

The platform enforces strict, layered access controls to ensure each team member can only access the compliance data relevant to their role:

Three-tier role system

Owner, Admin, and Member roles provide distinct access levels — from full platform and settings control at the Owner level to scoped task and module access at the Member level. See the Members module documentation for full role definitions.

Granular module and document permissions

Permissions can be configured at the individual module and document level — allowing fine-grained control over who can view, edit, or download specific compliance records within each module.

Single Sign-On (SSO) integration

The platform supports SSO integration with your existing identity provider — enabling centralized authentication management, enforcing your organization's password and MFA policies, and simplifying user provisioning and deprovisioning.

Audit logging of all access and permission changes

All access events, permission updates, and role changes are recorded in the platform's audit trail — providing a timestamped record of who had access to what and when.

Enterprise SLAs and Dedicated Support

Enterprise plans include a structured support and success package designed for organizations with critical compliance infrastructure requirements:

  - Dedicated support with guaranteed response times under a custom Service Level Agreement

  - Custom SLAs tailored to your organization's operational and regulatory requirements

  - Priority access to new platform features and updates before general release

  - Dedicated customer success manager for ongoing strategic guidance and issue escalation

Enterprise Onboarding and Training

Enterprise customers receive a structured onboarding and training program to ensure effective platform adoption across all user roles:

  - Guided onboarding with a dedicated implementation specialist covering configuration, data migration, and initial compliance program setup

  - Custom training programs tailored to different user roles — from platform administrators to module-level contributors

  - Access to documentation, video tutorials, and best practice guides

  - Ongoing training support as new features and modules are released

Custom Integrations

The Governance Solution supports custom integrations to connect with your organization's existing tools and enterprise systems. Common integration scenarios include:

  - SSO and identity provider integration — connect with Microsoft Entra ID, Okta, or other enterprise identity providers

  - Ticketing system integration — connect DSAR workflows to your existing service desk or ticketing tools

  - Document management synchronization — integrate with existing document management systems for centralized file control

  - Business intelligence export — export compliance reporting data to BI tools for custom dashboards and executive reporting

Platform-Wide Compliance Audit Trail

Every action performed in the Governance Solution is recorded in a comprehensive, tamper-resistant audit trail — providing complete visibility into all platform activity for internal governance and regulatory review:

  - User login and session activity

  - Data access and record modification events

  - Permission and role changes

  - Document uploads, downloads, and edits

  - Workflow approvals, rejections, and escalations

Next Steps

  - Contact your account manager to discuss enterprise features, data residency configuration, and custom SLA options

  - Review the Members module to configure role-based access controls for your organization

  - Set up multi-entity management if your organization manages multiple subsidiaries or regional entities

Frequently Asked Questions

Is the Governance Solution compliant with GDPR data residency requirements?

Yes. Enterprise customers can configure data residency to ensure compliance data is stored in the appropriate geographic region — supporting GDPR requirements for organizations that need data hosted within the EU or EEA. Contact your account manager to configure data residency for your deployment.

Does the platform support SSO with Microsoft Entra ID or other enterprise identity providers?

Yes. The Governance Solution supports SSO integration with major enterprise identity providers. SSO enables centralized authentication, enforces your organization's existing MFA and password policies, and simplifies user lifecycle management — including automatic deprovisioning when team members leave. Contact your account manager for integration setup guidance.

Can the audit trail be exported for supervisory authority inspections?

Yes. Platform audit trail records can be exported and presented to supervisory authorities as evidence of GDPR accountability — demonstrating who performed specific compliance actions, when access was granted or revoked, and how compliance records were managed over time. This directly supports Article 5(2) accountability obligations.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Impact Assessments Module – GDPR Article 35 DPIA Workflow, Risk Identification, and Approval Management in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/how-to-conduct-dpia-impact-assessments-module
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:53:00+00:00
Updated: 2026-03-22T11:55:07.396+00:00
Reading Time: 5 minutes
Summary: Complete GDPR Article 35 DPIAs using the Impact Assessments module in Secure Privacy's Governance Solution — with structured risk identification, mitigation tracking, approval workflows, and audit-ready exports.

The Impact Assessments module in Secure Privacy's Governance Solution provides a structured workflow for completing Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35. It guides your team through risk identification, mitigation documentation, and multi-step approval — producing audit-ready DPIA records for regulators, auditors, and internal stakeholders.

Who Is This For?

  - Data Protection Officers responsible for conducting and signing off on impact assessments under GDPR Article 35

  - Compliance teams ensuring DPIA requirements are identified and fulfilled before high-risk processing begins

  - Project managers launching new products, services, or systems that involve personal data processing

GDPR DPIA Requirements: When Is a DPIA Required?

Under GDPR Article 35, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms. This includes processing that involves:

  - Systematic and extensive profiling with significant effects on individuals

  - Large-scale processing of special category data or criminal offense data

  - Systematic monitoring of publicly accessible areas on a large scale

  - Use of new technologies that may introduce unforeseen privacy risks

  - Automated decision-making — including profiling — that produces legal or similarly significant effects on individuals

Creating a New DPIA Assessment

Step 1: Navigate to Impact Assessments

From the left sidebar in the Governance Solution, go to Compliance > Impact Assessments and click + New Assessment.

Step 2: Select the assessment type

Choose the type of assessment — DPIA or another privacy assessment type supported by the platform — based on the nature of the processing activity being reviewed.

Step 3: Complete the DPIA assessment form

The structured form guides you through all required GDPR Article 35(7) fields:

  
    
    
  
  
    
      Field

      Description

    

    
      Assessment Name

      A descriptive title identifying the processing activity or project being assessed

    

    
      Risk Level

      Automatically calculated based on your answers — Low, Medium, or High

    

    
      Status

      Current stage of the assessment — Draft, Pending Approval, Approved, or Rejected

    

    
      Data Categories

      Types of personal data involved in the processing activity (e.g., Personal Data, Location Data, Special Category Data)

    

    
      Last Review

      Date of the most recent review — used to track when the DPIA is due for reassessment

    

  

Step 4: Risk identification and mitigation

The platform automatically identifies potential risk areas based on the data categories and processing activities you describe. Review each flagged risk, document your mitigation measures, and record the controls being implemented — satisfying the mitigation documentation requirements of GDPR Article 35(7)(d).

Step 5: Submit for approval

Once complete, submit the assessment for approval. If a Workflow is configured for impact assessments, the DPIA will automatically route through the required approval chain — ensuring the DPO and any other required approvers review and sign off before processing begins.

Managing DPIA Records

Searching and filtering

Use the search bar and Filters to find assessments by name, type, risk level, status, or data categories — keeping your impact assessment register navigable as it grows.

Exporting assessments

Click Export to download assessment records in a format suitable for submission to supervisory authorities, sharing with auditors, or inclusion in internal compliance documentation.

Version history

All assessment changes are tracked with versioned records. View the full history of any DPIA to see how it has evolved — providing a complete audit trail of the assessment process from initial draft to final approval.

DPIA Best Practices

Conduct DPIAs before high-risk processing begins

GDPR Article 35 requires DPIAs to be completed before the processing activity starts — not retrospectively. Use the pre-screening trigger in the module to identify when a new project or system requires a DPIA as early as the planning stage.

Involve stakeholders early

Bring in IT, legal, and the DPO from the outset — not just at the approval stage. Early involvement ensures the DPIA reflects technical realities and that mitigation measures are feasible before design decisions are finalized.

Document all mitigation measures and track implementation

Every identified risk must be accompanied by documented mitigation measures. Link DPIA mitigation actions to the Risk Management module to ensure they are tracked to completion — not just recorded and forgotten.

Schedule regular DPIA reviews

DPIAs must be revisited when the associated processing activity changes. Schedule periodic reviews in the Compliance Calendar — particularly for long-running processing activities where technology, data categories, or risk profiles may evolve over time.

Use workflow automation for consistent approval processes

Configure the Workflow & Automation module with the Impact Assessment Approval template to enforce a consistent, documented review and sign-off process for every DPIA — eliminating ad hoc approval practices and ensuring audit trail completeness.

Next Steps

  - Link DPIA results to the Risk Management module for ongoing risk monitoring and mitigation tracking

  - Set up the Impact Assessment Approval workflow in Workflow & Automation to enforce structured DPIA review chains

  - Schedule periodic DPIA reviews in the Compliance Calendar to ensure assessments remain current as processing activities evolve

Frequently Asked Questions

Does the Impact Assessments module satisfy GDPR Article 35(7) documentation requirements?

Yes. The structured assessment form captures all fields required under GDPR Article 35(7) — including a systematic description of the processing, a necessity and proportionality assessment, risk identification, and mitigation measures. Completed assessments can be exported in audit-ready format for supervisory authority submission or regulatory review.

What happens if a DPIA identifies a high residual risk that cannot be mitigated?

If residual risk remains high after mitigation measures are applied, GDPR Article 36 requires prior consultation with the supervisory authority before processing begins. Your DPO should be notified immediately — and if you are using Secure Privacy's DPO as a Service, your assigned DPO will advise on whether prior consultation is required and manage the process.

Can DPIAs created in the module be linked to specific processing activities in the Process Register?

Yes. Impact assessments can be linked to related process records in the Process Register module, creating end-to-end traceability from the processing activity documented in your ROPA through to its associated DPIA — supporting comprehensive GDPR accountability documentation.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Applications & Systems Module – GDPR System Inventory, Risk Scoring, and Data Flow Visibility in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/managing-data-systems-owners-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:53:00+00:00
Updated: 2026-03-22T11:57:57.332+00:00
Reading Time: 4 minutes
Summary: Maintain a live GDPR system inventory, assign owners, track privacy controls, and monitor risk scores using the Applications & Systems module in Secure Privacy's Governance Solution.

The Applications & Systems module in Secure Privacy's Governance Solution gives your organization clear, real-time visibility into every system, application, and infrastructure component that processes personal data. Maintain a live system inventory, assign ownership, track privacy controls, and monitor risk scores — supporting GDPR Article 30 ROPA requirements and ongoing privacy and security governance.

Who Is This For?

  - IT administrators maintaining a complete inventory of all systems that process personal data across the organization

  - Privacy officers tracking which systems handle sensitive or special category information and their associated compliance status

  - Security teams monitoring system risk levels, privacy controls, and compliance review history

Accessing the Systems Module

From the left sidebar in the Governance Solution, navigate to Data Management > Systems. The main view displays a filterable, searchable table of all registered systems.

Building Your GDPR System Inventory

Manual entry

Click + Add System and complete the system record with the following fields:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Name

      System or application name

      "Salesforce CRM"

    

    
      Category

      Type of system

      CRM, Analytics, HR, Cloud Storage

    

    
      Type

      System deployment classification

      SaaS, On-Premise, Hybrid

    

    
      Status

      Current operational status of the system

      Active, Under Review, Decommissioned

    

    
      Launch Date

      Date the system was deployed or activated

      2024-01-15

    

    
      Impact

      Privacy impact level of the system

      High, Medium, Low

    

    
      Data Types

      Categories of personal data processed by the system

      Contact Info, Financial, Health

    

    
      Privacy Controls

      Technical controls currently in place for the system

      Encryption, Access Control, DLP

    

  

Bulk import

Click Import to upload multiple systems at once from a structured file. This is the recommended approach when migrating an existing system inventory from spreadsheets or other compliance tools.

System Owner Assignment

Every system should have a designated owner responsible for maintaining its compliance status and responding to privacy and security obligations. Assign owners from your organization's member list in the Members module. System owners automatically receive notifications about:

  - Upcoming review dates for their assigned systems

  - New risks linked to their systems in the Risk Management module

  - Tasks assigned to them in relation to their systems

System Risk Scoring

The Governance Solution generates a system-specific risk score for each registered system, calculated based on:

  - Types and sensitivity of personal data processed by the system

  - Privacy and security controls currently in place

  - Number and severity of risks linked to the system in the Risk Management module

  - Compliance status and review history — including how recently the system was last assessed

Filtering and Exporting the System Inventory

Use Filters to narrow the system inventory view by category, type, status, impact level, or data types. Click Export to download the full system inventory for audit submissions, regulatory reporting, or ROPA documentation purposes.

System Inventory Best Practices

Register all systems that process personal data — including third-party SaaS tools

Many GDPR compliance gaps originate from unregistered third-party applications. Ensure every SaaS tool, cloud service, and on-premise application that touches personal data is recorded in the inventory — including marketing platforms, HR systems, and analytics tools.

Review the system inventory quarterly

Systems are regularly added, changed, or decommissioned. A quarterly inventory review identifies new systems that have not yet been registered and flags decommissioned systems whose records should be updated — keeping your ROPA accurate and current.

Assign clear ownership for every system

Unowned systems create compliance blind spots. Every system in the inventory should have a named owner who is responsible for its review schedule, risk monitoring, and task completion — ensuring accountability is never ambiguous.

Link systems to related processes in the Process Register

Connecting system records to their associated processing activities in the Process Register creates end-to-end data flow visibility — from the system processing personal data through to the documented processing activity in your ROPA, and any linked risk assessments or DPIAs.

Next Steps

  - Link registered systems to processing activities in the Process Register for full ROPA traceability

  - Track system-specific privacy and security risks in the Risk Management module

  - Review system inventory status and risk distribution through Reporting & Analytics

Frequently Asked Questions

Does the system inventory support GDPR Article 30 ROPA requirements?

Yes. The Applications & Systems module captures the system-level detail that underpins an accurate Record of Processing Activities — including data categories processed, privacy controls in place, and system ownership. Linking system records to process entries in the Process Register creates the complete, structured ROPA documentation required under GDPR Article 30.

What is the difference between the Systems module and the Process Register?

The Systems module inventories the technical systems and applications that process personal data — capturing what the system is, who owns it, what data it handles, and what controls are in place. The Process Register documents the processing activities themselves — the purpose, lawful basis, data categories, and retention periods. The two modules complement each other: systems feed into processes, and together they form a complete ROPA.

Can the system risk score be used to prioritize DPIA pre-screening?

Yes. Systems with high impact ratings and elevated risk scores are strong candidates for DPIA pre-screening under GDPR Article 35. Your DPO can use the system risk score alongside the data categories and privacy controls recorded in the inventory to determine whether a full DPIA is required before or during a system's deployment or significant change.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Risk Management Module – GDPR Privacy Risk Register, Automated Scoring, and Mitigation Tracking in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/risk-management-identifying-scoring-mitigating-privacy-risks
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:53:00+00:00
Updated: 2026-03-22T12:18:52.344+00:00
Reading Time: 5 minutes
Summary: Build and maintain a GDPR privacy risk register using the Risk Management module in Secure Privacy's Governance Solution — with automated risk scoring, heat map visualization, AI analysis, and mitigation tracking.

The Risk Management module in Secure Privacy's Governance Solution helps your organization continuously identify, prioritize, and mitigate privacy risks across all data processing activities. Using an automated likelihood-impact scoring model, it surfaces your highest-priority risks, supports mitigation planning, and provides visual risk dashboards — enabling compliance teams to maintain a structured, audit-ready privacy risk register aligned with GDPR requirements.

Who Is This For?

  - Risk managers building and maintaining a privacy risk register across the organization

  - Compliance officers tracking risk exposure, remediation status, and overall risk posture

  - IT and security teams monitoring system-specific risks and the effectiveness of technical controls

Accessing Risk Management

From the left sidebar in the Governance Solution, navigate to Compliance > Risks. The module offers two views: List View for managing individual risk records, and Charts for visual risk analysis.

Building Your GDPR Privacy Risk Register

Step 1: Click + Add Risk

Click the + Add Risk button in the top-right corner of the Risk Management view.

Step 2: Define the risk

Complete the risk record with the following fields:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Name

      Clear, descriptive title for the risk

      "Non-Compliance with GDPR Article 13 Transparency Requirements"

    

    
      Department

      The department where the risk originates or is managed

      Legal, IT, Marketing

    

    
      Type

      Classification of the risk by source

      Process, Vendor, System

    

    
      Risk Level

      Severity level calculated by the automated scoring model

      High Risk, Medium Risk, Low Risk

    

    
      Status

      Current state of the risk

      Open, In Review, Mitigated, Closed

    

    
      Risk Factors

      Specific contributing factors that increase the risk likelihood or impact

      "Outdated privacy policy", "Lack of employee training"

    

  

Step 3: Link to related items

Connect the risk to related systems, processing activities, and owners. This creates end-to-end traceability across your compliance program — from the identified risk through to the system or process that generates it and the team member responsible for remediation.

Automated Risk Scoring Model

The platform automatically calculates a risk score based on two inputs:

  - Likelihood: How probable is it that the risk event will occur?

  - Impact: How severe would the consequences be for individuals' rights and freedoms or for the organization?

The combined score determines the overall risk level — High, Medium, or Low — and is used to prioritize remediation efforts and flag items that may require DPIA pre-screening under GDPR Article 35.

Risk Visualization and Heat Map

Switch to the Charts view for visual risk analysis across your organization:

  - Risk Heat Map: A visual distribution of all risks plotted by likelihood and impact — immediately showing where the highest concentrations of risk sit.

  - Risk by Department: A breakdown of risk exposure across teams and departments — supporting targeted remediation and management reporting.

  - Risk by Type: Distribution of risks across Process, Vendor, and System categories — identifying which risk sources require the most attention.

  - Trend Analysis: A view of how your overall risk posture is changing over time — demonstrating risk reduction progress to leadership and regulators.

AI-Powered Risk Analysis

Click the AI Analysis button to receive intelligent, data-driven suggestions about your risk register:

  - Risks that may need immediate attention based on score and status

  - Patterns and correlations across your risk register that may not be immediately visible

  - Recommended mitigation strategies based on industry best practices

  - Gaps in your current risk coverage that may leave compliance areas unmonitored

Mitigation Planning and Tracking

Document mitigation activities

For each identified risk, document the specific mitigation measures planned or already implemented — providing a written record of your organization's response to each privacy risk.

Assign mitigation tasks to team members

Link mitigation actions to named team members in the Task Management module, ensuring clear accountability for who is responsible for implementing each control.

Set deadlines and track progress

Assign target completion dates for each mitigation activity and monitor progress in real time — with overdue items flagged automatically in the risk register.

Monitor risk level changes as mitigations are implemented

As mitigation measures are completed, the risk score updates to reflect the reduced likelihood or impact — providing a live view of how your remediation efforts are improving your overall risk posture.

Troubleshooting

Risk score not updating

Ensure that both the Likelihood and Impact values have been set for the risk. The scoring model requires both inputs to calculate the overall risk level — leaving either field blank will prevent the score from generating.

Cannot link risk to a process

Verify that the process exists in the Process Register and has been saved. The Risk Management module can only link to process records that have been fully created in the Process Register. If the process is missing, create it there first.

Next Steps

  - Link high-risk items to Impact Assessments to determine whether a DPIA is required under GDPR Article 35

  - Create mitigation tasks directly in Task Management with assigned owners and deadlines

  - Schedule periodic risk reviews using the Compliance Calendar to keep your risk register current

  - Monitor risk trends and distribution through Reporting & Analytics for board and regulatory reporting

Frequently Asked Questions

How does the Risk Management module support GDPR DPIA pre-screening?

Risk records with High risk scores — particularly those linked to special category data, large-scale processing, or systematic monitoring — are strong indicators that a DPIA may be required under GDPR Article 35. Your DPO can use the risk register alongside the system inventory and process records to conduct a structured DPIA pre-screening assessment and document the reasoning.

Can risks be automatically generated from other modules?

Yes. Risks can be triggered automatically through the Workflow & Automation module — for example, when a new system is added with a High impact rating, or when a process record identifies special category data without a documented Article 9(2) condition. This reduces manual risk identification effort and ensures emerging risks are captured promptly.

How should the risk register be maintained for regulatory audit purposes?

The risk register should be reviewed and updated regularly — at minimum quarterly, and whenever processing activities or systems change significantly. All risk records, status changes, and mitigation updates are logged with timestamps in the audit trail, providing a complete, chronological record of your organization's privacy risk management activity for supervisory authority review.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Task Management Module – Compliance Task Tracking, Automated Assignment, and Audit Trails in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/how-to-use-task-management-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:52:00+00:00
Updated: 2026-03-22T11:52:06.429+00:00
Reading Time: 4 minutes
Summary: Assign, track, and audit compliance tasks across departments using the Task Management module in Secure Privacy's Governance Solution — with automated task creation, AI analysis, and full audit logging.

The Task Management module in Secure Privacy's Governance Solution helps your organization maintain accountability and avoid missed compliance actions across departments. Assign responsibilities, set due dates, link tasks to risks and processes, and monitor progress in real time — with a complete audit trail of all compliance activity for regulatory reporting and supervisory authority review.

Who Is This For?

  - Compliance managers coordinating tasks and deadlines across multiple teams and departments

  - Department heads tracking their team's compliance responsibilities and completion status

  - Privacy officers maintaining audit-ready records of completed compliance actions for GDPR accountability

Accessing Task Management

From the left sidebar in the Governance Solution, navigate to Compliance > Tasks. The main view displays all tasks in a sortable, filterable table.

Compliance Task Creation

Step 1: Click + Add Task

Click the + Add Task button in the top-right corner of the Tasks view.

Step 2: Fill in task details

Complete the following fields to fully define the compliance task:

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Task Name

      Clear description of the compliance action required

      "Update Privacy Policy for Q2 changes"

    

    
      Department

      The department responsible for completing the task

      Legal, Privacy, IT / Security

    

    
      Priority

      Urgency level of the task

      High, Medium, Low

    

    
      Status

      Current state of the task

      Pending, In Progress, Completed

    

    
      Due Date

      Deadline for task completion

      2025-06-30

    

    
      Assignee

      The person or team responsible for completing the task

      jane@company.com

    

    
      Related To

      Link the task to a process, system, or risk entry for end-to-end traceability

      Customer Data Processing

    

  

Step 3: Save the task

Click Save. The task will appear in the task list and become immediately visible to the assigned team member.

Managing Compliance Tasks

Filtering and searching

Use the search bar to find tasks by name. Click Filters to narrow results by department, priority, status, or due date range — keeping the task list focused on what is most relevant to your current review.

Exporting tasks

Click the Export button to download your task list for compliance reporting, audit submissions, or sharing with leadership and stakeholders.

AI analysis

Click the AI Analysis button to receive AI-generated insights about your task priorities, overdue items, and areas of your compliance program that may need additional attention.

Automated Compliance Task Creation

Tasks can be created automatically through three trigger mechanisms — reducing manual overhead and ensuring compliance actions are never missed:

  - Workflow triggers: When a step in the Workflow & Automation module is completed, the next task is automatically assigned to the relevant team member.

  - Risk triggers: When a new risk is identified in the Risk Management module, related remediation tasks are automatically generated and assigned.

  - Calendar deadlines: Recurring compliance tasks are automatically created based on the schedule configured in your Compliance Calendar.

Audit-Ready Task Trail

Every change to a task is logged with a timestamp — including creation, status updates, reassignments, and completion. This provides a complete, chronological audit history of all compliance activity across your organization, supporting GDPR accountability under Article 5(2) and providing documented evidence for regulatory inspections and internal audits.

Troubleshooting

Task not visible to assignee

Verify that the assigned team member has been added to the Members module and has the appropriate role permissions to view and interact with tasks. Contact your Secure Privacy account administrator if permissions need to be updated.

Cannot change task status

If the task is part of an active workflow, its status may be controlled by the workflow engine rather than edited manually. Check Workflow & Automation to confirm whether the task requires an approval step before it can be marked as complete.

Next Steps

  - Set up Workflow & Automation to trigger task creation automatically based on approval workflows and compliance events

  - Use the Compliance Calendar to visualize all upcoming task deadlines in a monthly view alongside other compliance obligations

  - Link tasks to Risk Management entries to maintain full traceability from identified risk to assigned remediation action

Frequently Asked Questions

Can tasks be linked to specific GDPR compliance obligations such as DSARs or DPIAs?

Yes. The Related To field allows tasks to be linked to processes, systems, or risk entries across the Governance Solution — creating end-to-end traceability between a compliance obligation and the action taken to address it. For DSAR and DPIA workflows, tasks can also be generated automatically through the Workflow & Automation module.

Who can see tasks assigned to other team members?

The task list view is accessible to all team members with access to the Task Management module. Filtering by assignee allows managers and compliance officers to review the full task load and completion status for any individual or department — supporting oversight without requiring manual status updates.

How does the AI Analysis feature help with compliance task management?

The AI Analysis feature reviews your current task list and generates prioritization suggestions — identifying overdue items, highlighting areas with high task concentration, and flagging compliance program areas that may need additional attention. It is designed to support rather than replace your team's judgment on compliance priorities.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Compliance Calendar – Deadline Tracking, Recurring Tasks, and Cross-Module Integration in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/using-compliance-calendar-track-deadlines-tasks
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:52:00+00:00
Updated: 2026-03-22T11:41:25.503+00:00
Reading Time: 4 minutes
Summary: Track GDPR compliance deadlines, schedule recurring tasks, and get cross-module visibility into DSAR, DPIA, and risk review dates using the Compliance Calendar in Secure Privacy's Governance Solution.

The Compliance Calendar in Secure Privacy's Governance Solution gives your privacy and compliance team a visual, centralized overview of all upcoming regulatory deadlines, recurring tasks, and key compliance dates. By pulling due dates from across the platform — including DSAR deadlines, DPIA review schedules, and risk assessment dates — it keeps teams aligned on what needs to happen and when.

Who Is This For?

  - Compliance managers tracking regulatory deadlines and recurring compliance obligations

  - Team leads monitoring task due dates and assignments across their departments

  - Privacy officers planning audit schedules, DPIA review cycles, and annual compliance activities

Accessing the Compliance Calendar

From the left sidebar in the Governance Solution, click Calendar. The calendar displays in monthly view by default, with navigation controls to move between months and years.

Adding and Viewing Tasks

Adding a task directly

Click + Add Task in the top-right corner, or click on any date cell to create a task for that specific day. Fill in the task details — including name, description, assignee, and priority level.

Viewing existing tasks

Tasks created in the Task Management module that have due dates assigned automatically appear on the calendar. Click any task to view its full details, update its status, or reassign it.

Recurring Compliance Tasks

Set up recurring tasks for compliance activities that occur on a regular schedule. The calendar automatically generates upcoming instances so they are always visible on the timeline:

  - Monthly — privacy policy reviews and consent record checks

  - Quarterly — risk assessments and executive compliance reporting

  - Annual — DPIA reviews, annual compliance audits, and staff training cycles

  - Custom intervals — organization-specific compliance activities at any frequency

Compliance Calendar Features

Smart reminders

Enable notifications to receive deadline reminders in advance. Configure the lead time — 1 day, 3 days, or 1 week — based on the task's priority and complexity to ensure nothing is missed.

Cross-module deadline integration

The Compliance Calendar automatically pulls due dates from across the Governance Solution, providing a unified view of all time-sensitive obligations:

  - DSAR response deadlines from the DSAR module

  - Risk review due dates from Risk Management

  - DPIA review schedules from Impact Assessments

  - Workflow escalation dates from Workflow & Automation

Team-wide visibility

All team members with access to the Governance Solution can view the shared calendar — giving the entire compliance team visibility into upcoming activities, preventing duplicate work, and improving cross-department coordination.

Compliance Calendar Best Practices

Review the calendar weekly

A weekly calendar review ensures your team stays ahead of approaching deadlines — particularly for GDPR obligations with fixed response windows such as DSAR replies and breach notifications.

Use recurring tasks for all standard compliance activities

Setting up recurring tasks for regular obligations — policy reviews, risk assessments, training cycles — eliminates manual tracking and ensures nothing drops off the schedule as team members change.

Set reminders with adequate lead time for high-priority items

For complex or high-priority compliance tasks, configure reminders at least one week in advance — allowing time to gather evidence, involve stakeholders, or escalate where needed before the deadline arrives.

Encourage team members to check their assigned tasks regularly

The calendar is most effective as a shared team tool. Encourage all team members to check their assigned tasks regularly and update status — keeping the calendar accurate as a live reflection of your compliance program's progress.

Next Steps

  - Connect your tasks to Workflow & Automation for automatic deadline scheduling and escalation

  - Set up recurring tasks for your organization's key regulatory deadlines and annual compliance review cycles

  - Use Reporting & Analytics to review task completion rates and identify patterns in missed or delayed compliance activities

Frequently Asked Questions

Does the Compliance Calendar automatically show GDPR response deadlines such as DSAR windows?

Yes. The calendar integrates directly with the DSAR module, Risk Management, Impact Assessments, and Workflow & Automation modules — automatically surfacing their due dates on the calendar without manual entry. This ensures GDPR-mandated response windows are always visible alongside your internally scheduled compliance tasks.

Can recurring tasks be set to custom intervals rather than standard monthly or quarterly cycles?

Yes. In addition to standard recurring intervals — monthly, quarterly, and annual — the calendar supports custom recurrence settings for organization-specific compliance activities that do not follow a standard schedule.

Who can see the tasks on the shared calendar?

All team members with access to the Governance Solution can view the shared compliance calendar. Task visibility is governed by the permissions assigned to each user — ensuring sensitive compliance activities are accessible only to the relevant team members while maintaining a shared overview of upcoming deadlines for the whole team.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Reporting & Analytics Module – GDPR Compliance Reports, Maturity Scoring, and Audit-Ready Exports in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/generating-reports-analytics-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:52:00+00:00
Updated: 2026-03-22T11:35:37.991+00:00
Reading Time: 4 minutes
Summary: Generate GDPR compliance dashboards, gap analysis reports, risk heat maps, and audit-ready PDF exports using the Reporting & Analytics module in Secure Privacy's Governance Solution.

The Reporting & Analytics module in Secure Privacy's Governance Solution turns your compliance data into actionable insights. Generate real-time compliance dashboards, compare privacy program maturity scores across entities, and export audit-ready reports for regulators, leadership, and stakeholders — all from a single centralized view.

Who Is This For?

  - Compliance managers preparing GDPR compliance reports for leadership or supervisory authorities

  - Privacy officers monitoring program maturity and risk status across multiple entities or organizations

  - Executives and board members who need high-level visibility into organizational compliance status

Accessing the Reporting Module

From the left sidebar in the Governance Solution, navigate to Reports. The module provides three views: All Reports, Company Reports, and Cross-Company Analytics.

Available GDPR Compliance Reports

Company Reports

  
    
    
  
  
    
      Report

      Description

    

    
      Compliance Dashboard

      Comprehensive real-time overview of compliance status across all Governance Solution modules

    

    
      Vendor Risk Assessment

      Vendor risk scores, certifications, and third-party compliance status

    

    
      DSAR Performance

      Data subject request response times, completion rates, and request volume trends

    

    
      System Inventory

      Complete inventory of systems processing personal data, with privacy and security attributes

    

    
      Gap Analysis

      Identify missing controls, incomplete documentation, and compliance gaps requiring remediation

    

    
      Risk Heat Map

      Visual representation of privacy risk distribution across the organization by likelihood and severity

    

    
      Executive Summary

      High-level compliance overview formatted for leadership and board presentations

    

  

Cross-Company Analytics

  
    
    
  
  
    
      Report

      Description

    

    
      Cross-Company Analytics

      Aggregated compliance metrics and benchmarking across all organizations managed in the platform

    

    
      Privacy Program Comparison

      Side-by-side comparative privacy program assessment across multiple organizations or entities

    

  

Privacy Program Maturity Comparison Across Entities

For organizations managing multiple entities, the maturity comparison report provides a structured, visual comparison of compliance status across each entity:

  - Overall compliance scores per entity

  - Maturity level classification — Reactive, Developing, or Proactive

  - Risk level indicators — High Risk, Medium Risk, or Low Risk

  - Category-by-category breakdown across Governance, Policies, Data Inventory, Individual Rights, Security, and Risk Management

  - Spider chart visualizations for quick side-by-side comparison

Audit-Ready Report Export

Click Export PDF on any report to generate a formatted, audit-ready document. All exported reports include:

  - Timestamp of report generation

  - Organization and entity details

  - Full data tables and visualizations

  - Compliance status indicators per module or category

Using Reports to Prepare for Regulatory Audits

When preparing for a supervisory authority inspection, regulatory audit, or internal compliance review, follow this recommended report sequence:

  - Generate the Compliance Dashboard for a complete status summary across all modules.

  - Export the Gap Analysis to demonstrate that identified compliance gaps are actively being addressed.

  - Include the Risk Heat Map to show documented risk awareness and prioritization.

  - Attach the Executive Summary as a management-level accountability overview.

Reporting Best Practices

Generate reports monthly

Monthly report generation allows your compliance team to track trends, identify emerging gaps, and demonstrate continuous improvement over time — building a documented compliance history.

Share the Executive Summary with leadership quarterly

Quarterly distribution of the Executive Summary to senior leadership and the board fulfils the DPO's reporting obligations under GDPR Article 39 and ensures data protection remains a board-level governance priority.

Use the Gap Analysis proactively

Run the Gap Analysis regularly — not just before audits — to identify and address compliance weaknesses before they become findings during a regulatory inspection.

Compare entities regularly if managing multiple organizations

Use the Privacy Program Comparison report to benchmark maturity levels across entities, identify outliers requiring additional attention, and standardize compliance practices across your organization portfolio.

Next Steps

  - Generate your first report export and share it with your compliance team

  - Use the Privacy Program Comparison to benchmark maturity scores across your entities

  - Schedule regular report generation as a recurring task in the Calendar module to maintain a consistent compliance reporting cadence

Frequently Asked Questions

Can exported reports be used as evidence for supervisory authority submissions?

Yes. All exported PDFs include generation timestamps, organization details, full data tables, and compliance status indicators — providing a documented, audit-ready record of your organization's compliance status at a specific point in time. These reports are designed to support GDPR accountability obligations under Article 5(2) and can be submitted to supervisory authorities or shared with auditors.

What is the difference between Company Reports and Cross-Company Analytics?

Company Reports focus on a single organization's compliance status across all modules — covering areas such as DSAR performance, risk distribution, and gap analysis. Cross-Company Analytics provide aggregated metrics and side-by-side comparisons across multiple organizations or entities managed within the platform — designed for privacy officers or compliance managers overseeing more than one organization.

How often should the Compliance Dashboard be reviewed?

The Compliance Dashboard should be reviewed at minimum monthly to track program status and identify changes in risk or gap levels. It should also be reviewed ahead of any scheduled audit, board presentation, or significant change to data processing activities.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Workflow & Automation Module – Compliance Approval Workflows, Escalations, and Audit Trails in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/setting-up-workflow-automation-governance-platform
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-09T17:52:00+00:00
Updated: 2026-03-22T11:47:16.806+00:00
Reading Time: 5 minutes
Summary: Build compliance approval workflows, automate task assignments, and maintain audit trails using the Workflow & Automation module in Secure Privacy's Governance Solution.

The Workflow & Automation module in Secure Privacy's Governance Solution lets you delegate work, automate task assignments, and enforce structured approval chains across your compliance program. Build custom multi-step workflows that route tasks to the right people, trigger escalations automatically, and maintain a complete audit trail of all decisions — ensuring consistent, documented review processes for DPIAs, risk assessments, and policy changes.

Who Is This For?

  - Compliance managers who need structured, auditable approval processes for DPIAs, risk reviews, and policy changes

  - Team leads who want to automate task assignments, escalations, and deadline reminders

  - Privacy officers who need to enforce consistent review processes across their team and ensure nothing is approved without the correct sign-off chain

Accessing Workflows

From the left sidebar in the Governance Solution, navigate to Automation > Workflows. The main view shows three tabs: Workflows, Assignments, and Approvals.

Creating a Compliance Workflow

Step 1: Create from scratch or use a template

Click + Create to build a workflow from scratch, or click Use Template to start from one of the pre-built compliance workflow templates:

  - System Assignment Review — A two-step approval process for assigning team members to systems in the Systems module.

  - Impact Assessment Approval — A multi-level approval workflow for DPIA and impact assessment sign-off.

  - Process Activity Assignment — A simple workflow for assigning data processing activities to responsible team members.

Step 2: Configure workflow steps

Each workflow consists of one or more steps. Configure the following settings for each step:

  
    
    
  
  
    
      Setting

      Description

    

    
      Step Name

      A descriptive label for the step (e.g., "Manager Review", "Final Approval")

    

    
      Step Type

      Review, Approval, or Completion

    

    
      Escalation (days)

      Number of days before the step automatically escalates if not completed

    

    
      Approvers

      Select specific users or assign by role — owner, admin, or member

    

    
      Require all approvers

      Whether all selected approvers must approve, or whether one approval is sufficient to advance the step

    

  

Step 3: Set the "Applies To" scope

Choose what the workflow applies to: System, Assessment, or Process. This determines which module actions will automatically trigger the workflow.

Step 4: Activate the workflow

Toggle the workflow status to Active. The workflow will now trigger automatically when the relevant action occurs in the configured module.

Managing Assignments and Approvals

Assignments tab

View all current workflow assignments across your team — including who is responsible for each step and the current completion status. Use this view to monitor workflow progress and identify any steps that are overdue or blocked.

Approvals tab

Review all pending approval requests in one place. Approvers can accept or reject items directly from this view, with the option to add comments — keeping a clear record of the decision and its rationale.

Workflow Automation Features

  - Automatic notifications: Team members receive alerts when a task or approval step requires their action — eliminating the need for manual follow-up.

  - Escalation timers: If a step is not completed within the configured timeframe, it automatically escalates to the next approver or a designated manager.

  - Smart reminders: The platform sends reminder notifications as deadlines approach, reducing the risk of steps being missed or delayed.

  - Audit logging: Every workflow action — including approvals, rejections, and escalations — is recorded with a timestamp, providing a complete audit trail for compliance documentation.

Workflow Best Practices

Keep workflows simple to start

Begin with two to three steps and add complexity only when your team has identified a genuine need. Overly complex workflows increase the risk of bottlenecks and reduce adoption.

Set realistic escalation timers

Configure escalation periods based on your team's typical response time for each step type. Too short and approvers will feel pressured; too long and bottlenecks go undetected.

Use role-based approvers wherever possible

Assigning approvers by role — rather than by named individual — ensures workflows continue functioning correctly when team members change roles or leave the organization.

Review workflow performance regularly

Monitor how workflows are performing through the Assignments tab and Reporting & Analytics — identifying steps where approvals are consistently delayed or where escalations are being triggered frequently.

Troubleshooting

Workflow not triggering

Verify that the workflow status is set to Active and that the Applies To scope matches the module where you expect it to trigger. A workflow scoped to "Assessment" will not trigger on System or Process actions.

Approver not receiving notifications

Confirm that the approver has an active account within your Secure Privacy organization and that notification settings are enabled in their user profile. Contact your account administrator if the issue persists.

Next Steps

  - Connect workflows to the Task Management module for automatic task creation on workflow completion

  - Use the Impact Assessment Approval template with the DPIA Management module to enforce structured GDPR Article 35 review processes

  - Monitor workflow activity and approval completion rates through Reporting & Analytics

Frequently Asked Questions

Can a workflow have different approvers for different steps?

Yes. Each step in a workflow is configured independently — including its approvers, step type, and escalation timer. This allows you to build multi-level approval chains where, for example, a manager reviews first and a DPO provides final sign-off in a subsequent step.

What happens when an escalation timer runs out?

When a step is not completed within the configured escalation period, the platform automatically escalates the task — notifying the next approver in the chain or a designated administrator, depending on your workflow configuration. All escalations are recorded in the audit log.

Can workflows be used to enforce DPIA approval processes under GDPR Article 35?

Yes. The Impact Assessment Approval template is specifically designed for DPIA workflows, supporting multi-level review and sign-off processes that ensure DPIAs are completed and approved before high-risk processing begins. Every approval step is logged, providing an auditable record of the DPIA review process.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Getting Started with Secure Privacy's Governance Solution – Initial Setup, Team Configuration, and Module Overview

URL: https://support.secureprivacy.ai/article/getting-started-with-privacy-governance-platform
Product: Privacy & AI Governance
Category: Getting Started
Published: 2026-03-09T17:52:00+00:00
Updated: 2026-03-22T16:48:31.899+00:00
Reading Time: 4 minutes
Summary: Set up Secure Privacy's Governance Solution in minutes — complete the Privacy Program wizard, invite team members, and configure GDPR compliance modules including ROPA, risk, DSAR, and DPIA management.

This guide walks you through the initial setup of Secure Privacy's Governance Solution — from completing the Privacy Program Setup wizard and inviting team members through to configuring your compliance modules. Follow these steps to move from onboarding to operational in minutes.

Who Is This For?

  - Privacy officers and compliance managers setting up a new GDPR governance program

  - IT administrators responsible for provisioning team access and configuring the platform

  - Legal teams centralizing compliance workflows and documentation in a single platform

Prerequisites

  - An active Secure Privacy account with a Governance Solution subscription

  - Admin-level access to your organization's Secure Privacy dashboard

Step 1: Complete the Privacy Program Setup Wizard

When you first access the Governance Solution, you are guided through a Privacy Program Setup wizard. This intake process asks a series of questions about your organization to automatically generate a tailored compliance structure.

The wizard asks you to:

  - Select your industry — SaaS, Healthcare, Financial Services, Education, and others

  - Define your data environment and primary data processing activities

  - Identify applicable regulations — GDPR, CCPA, HIPAA, and others

  - Specify your organizational structure and team size

Based on your answers, the platform automatically generates:

  - Process maps for your documented data processing activities

  - A prioritized set of compliance tasks and deadlines

  - Suggested risk assessments and impact evaluations for high-risk processing

  - Recommended policies and documentation templates aligned to your regulatory context

Step 2: Invite Team Members and Assign Roles

Navigate to Members in the left sidebar and click + Add Member. Invite team members by email and assign the appropriate role:

  
    
    
  
  
    
      Role

      Permissions

    

    
      Owner

      Full platform access including billing management and user administration

    

    
      Admin

      Full access to all compliance modules — cannot manage billing or organization settings

    

    
      Member

      Access limited to assigned modules, tasks, and processes

    

  

Each team member can be linked to specific processes, systems, tasks, and documentation — establishing clear ownership and accountability across your compliance program from the outset.

Step 3: Review the Compliance Dashboard

The Dashboard provides a real-time overview of your privacy program status, including:

  - Overall compliance score and privacy program maturity level

  - Pending tasks and upcoming regulatory deadlines

  - Open risks and their current severity levels

  - Recent activity across all Governance Solution modules

Step 4: Configure Your Governance Solution Modules

The Governance Solution includes ten integrated compliance modules. Start with the modules most relevant to your current priorities — you can enable and configure additional modules at any time:

  - Process Register: Document all data processing activities and maintain your GDPR Article 30 ROPA

  - Risk Management: Identify, score, and mitigate privacy risks across processing activities

  - Task Management: Assign, track, and automate compliance tasks across teams

  - DSAR Handling: Manage data subject access requests with deadline tracking and audit logging

  - DPIA Management: Conduct GDPR Article 35 Data Protection Impact Assessments with structured workflows

  - Systems Management: Inventory all systems processing personal data and track data flows

  - Document Repository: Centralize privacy policies, DPAs, and compliance documentation with version control

  - Compliance Calendar: Track deadlines, schedule recurring tasks, and monitor upcoming obligations

  - Reporting & Analytics: Generate compliance dashboards, maturity reports, and audit-ready exports

  - Workflow & Automation: Build custom multi-step approval workflows and automate compliance task creation

Next Steps

  - Add your first data processing activities in the Process Register to begin building your ROPA

  - Set up your Compliance Calendar with key regulatory deadlines and recurring compliance tasks

  - Run your first Risk Assessment to identify and prioritize your highest-risk processing activities

  - Upload existing policies and DPAs to the Document Repository for centralized, version-controlled access

Frequently Asked Questions

How long does initial setup take?

The Privacy Program Setup wizard typically takes 10–20 minutes to complete, depending on the complexity of your organization's data processing environment. Once submitted, the platform automatically generates your initial compliance structure — including process maps, task lists, and policy templates — so you can begin working immediately after the wizard is complete.

Can modules be configured after the initial setup?

Yes. All ten Governance Solution modules can be configured and expanded at any time after initial setup. You are not required to configure every module during onboarding — start with your highest-priority compliance areas and add additional modules as your program matures.

What happens if I select the wrong industry or regulations during the setup wizard?

The compliance structure generated by the wizard can be adjusted at any time after setup — including adding or removing applicable regulations, updating your organizational structure, and modifying auto-generated process maps. Contact your account manager or Secure Privacy support if you need assistance restructuring your initial program configuration.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# GDPR Enforcement & Fines: How a Data Protection Officer Reduces Your Risk

URL: https://support.secureprivacy.ai/article/handling-regulatory-fines-enforcement-dpo-advisory
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T15:01:00+00:00
Updated: 2026-03-26T01:28:54.526+00:00
Reading Time: 6 minutes
Summary: Facing a GDPR investigation or fine? Learn how a Data Protection Officer reduces enforcement risk, manages breach notification, and coordinates your response.

A supervisory authority investigation doesn't start with a fine — it starts with a single unresolved complaint, an unreported breach, or a data subject request that slipped through the cracks. By the time enforcement proceedings begin, the organization is already reacting under pressure, and the factors that determine whether a fine reaches €20 million or 4% of annual global turnover are largely shaped by decisions made (or not made) long before the investigation opened.
Many organizations attempt to manage GDPR compliance through a patchwork of legal advice, internal spreadsheets, and annual policy reviews. That approach leaves dangerous gaps: breach notification deadlines are missed, accountability records are thin, and when a supervisory authority asks for evidence of your technical and organizational measures, there's little to show. The result is a compliance posture that looks reactive — exactly what regulators penalize most heavily.
A qualified Data Protection Officer (DPO) changes that equation. Whether in-house or through an outsourced DPO service, a dedicated DPO builds the proactive compliance programme that keeps enforcement at bay, and coordinates every element of your response if a supervisory authority does come knocking.
This article explains how GDPR enforcement works, how administrative fines are calculated under GDPR Article 83, and — most importantly — how your DPO systematically reduces your exposure at every stage.
Who Is This Article For?
This guide is relevant to:
- Data Protection Officers (in-house or outsourced) building or reviewing a compliance programme

- Legal, compliance, and privacy teams assessing GDPR enforcement exposure

- Senior leaders and DPOs who want to understand how fines are calculated and what mitigates them

- Organizations that have received — or are concerned about receiving — a supervisory authority inquiry

Understanding GDPR Supervisory Authority Enforcement Powers
GDPR grants supervisory authorities — such as the ICO in the UK, the CNIL in France, and the BfDI in Germany — significant enforcement powers, including the ability to impose administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher. These are not theoretical maximums: multi-million-euro fines have been issued across sectors including technology, healthcare, retail, and financial services.
Your DPO helps minimize the risk of enforcement action in the first place, and coordinates your organization's response if one occurs.
Types of GDPR Administrative Enforcement Actions
GDPR Supervisory Authority Enforcement Actions and Their Legal Basis
Action
GDPR Article
Description

Warnings
Article 58(2)(a)
A formal warning that intended processing operations are likely to infringe the GDPR.

Reprimands
Article 58(2)(b)
An official reprimand issued where a confirmed infringement has occurred.

Orders
Article 58(2)(c–g)
Binding orders to comply, rectify, restrict, or erase personal data, or to suspend data flows.

Administrative Fines
Articles 83–84
Financial penalties calculated based on the severity, nature, and scope of the infringement.

How GDPR Administrative Fines Are Calculated Under Article 83
Under GDPR Article 83(2), supervisory authorities weigh the following factors when determining the size of an administrative fine:
- Nature, gravity, and duration of the infringement.

- Whether the infringement was intentional or the result of negligence.

- Actions taken by the controller or processor to mitigate harm to data subjects.

- Degree of responsibility, taking into account technical and organizational measures in place.

- Any previous GDPR infringements by the same controller or processor.

- Degree of cooperation with the supervisory authority during the investigation.

- Categories of personal data affected by the infringement.

- How the infringement came to the attention of the supervisory authority.

- Adherence to approved codes of conduct or recognized certification mechanisms.

Several of these factors — documented technical and organizational measures, proactive cooperation, and adherence to recognized compliance frameworks — are directly shaped by the quality of your DPO programme.
How Your DPO Reduces GDPR Enforcement Risk
A qualified Data Protection Officer — whether in-house or through an outsourced DPO service — addresses enforcement risk through six core activities:
Step 1 — Proactive Compliance Monitoring
Continuously identifying and addressing potential issues before they escalate into violations or trigger regulatory scrutiny. Proactive monitoring is one of the strongest signals of good faith an organization can demonstrate to a supervisory authority.
Step 2 — Accountability Documentation
Maintaining comprehensive records of processing activities, Data Protection Impact Assessments (DPIAs), risk assessments, and compliance decisions to demonstrate good governance. Under GDPR's accountability principle, documentation is not optional — it is the evidence that distinguishes a compliant organization from one that merely claims to be.
Step 3 — Timely Breach Notification
Ensuring personal data breaches are reported to supervisory authorities within GDPR's 72-hour notification window, demonstrating good faith and transparency. Late or absent breach notification is one of the most common triggers for enforcement action and is treated as an aggravating factor in fine calculations.
Step 4 — Technical and Organizational Measures
Implementing and documenting appropriate security and privacy controls — including data minimization, access controls, encryption, and pseudonymization — to reduce both operational risk and regulatory liability under Article 83(2)(d).
Step 5 — Staff Training
Delivering regular data protection training across the organization to minimize the risk of human error — one of the most common root causes of GDPR breaches and the easiest compliance gap for a supervisory authority to identify.
Step 6 — Supervisory Authority Relations
Building a constructive, cooperative relationship with your lead supervisory authority to support positive regulatory engagement. Regulators consistently treat cooperative organizations more favourably when determining sanctions.
Responding to a GDPR Enforcement Action: Your DPO's Role
If a supervisory authority initiates enforcement proceedings, your DPO coordinates the full organizational response:
- Manages all formal communication with the supervisory authority on behalf of the organization.

- Coordinates internal evidence gathering and prepares a structured, accurate response.

- Advises on remediation measures to demonstrate cooperation and reduce the risk of maximum penalties.

- Works alongside legal counsel in preparing any formal appeal, submission, or regulatory response.

- Documents lessons learned and implements preventive measures to reduce the likelihood of future infringements.

Frequently Asked Questions About GDPR Enforcement & Fines
How large can a GDPR fine be?
GDPR administrative fines can reach up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements under Article 83(5). Less severe violations under Article 83(4) carry a lower tier of up to €10 million or 2% of global turnover. The actual fine issued depends on the factors set out in Article 83(2), including the nature of the infringement, cooperation with the supervisory authority, and whether appropriate technical and organizational measures were in place.
What triggers a GDPR enforcement investigation?
GDPR investigations are typically triggered by a complaint from a data subject, a notified personal data breach, media reporting, or a supervisory authority's own-initiative audit. Failure to respond to a data subject access request within the statutory timeframe and late or absent breach notification are among the most common initial triggers.
Does having a DPO reduce GDPR fines?
Having a qualified Data Protection Officer does not provide automatic immunity from fines, but it materially reduces enforcement risk in two ways. First, a DPO prevents many violations from occurring through proactive compliance monitoring, documentation, and training. Second, where an infringement does occur, the accountability records and cooperation measures a DPO maintains are mitigating factors that supervisory authorities weigh under Article 83(2) when setting fine levels.
What is the GDPR breach notification deadline?
Under GDPR Article 33, controllers must notify their lead supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals. Missing this deadline is treated as an aggravating factor when supervisory authorities calculate fines.
Can I use an outsourced DPO instead of hiring in-house?
Yes. GDPR Article 37(6) explicitly permits organizations to designate a DPO from outside the organization. An outsourced DPO service provides access to specialist data protection expertise without the cost of a full-time hire, and is a recognized and widely used model across EU and UK organizations of all sizes.
Related Articles
- When Is a Data Protection Officer Required Under GDPR?

- GDPR Personal Data Breach Notification: A Step-by-Step Guide

- Maintaining Records of Processing Activities (Article 30)

- Conducting a Data Protection Impact Assessment (DPIA)

---

# How Your DPO Supports GDPR Data Protection Certification — ISO 27001, ISO 27701 & Beyond

URL: https://support.secureprivacy.ai/article/dpo-guidance-data-protection-certifications-seals
Product: DPO as a Service
Category: DPO Operations
Published: 2026-03-09T15:01:00+00:00
Updated: 2026-03-26T01:31:24.67+00:00
Reading Time: 6 minutes
Summary: Learn which data protection certifications prove GDPR compliance — ISO 27001, ISO 27701, SOC 2 & more — and how your DPO guides you from gap analysis to audit.

When a client asks for proof of your data protection compliance — or a regulator requests evidence of lawful processing — a verbal assurance is rarely enough. Organizations that rely on internal checklists alone often find themselves scrambling ahead of vendor audits, struggling to produce the documentation that supervisory authorities and enterprise procurement teams now routinely demand.
Recognized data protection certifications change that dynamic. Under GDPR Articles 42–43, certification mechanisms, seals, and marks are actively encouraged as credible, independently verified evidence of compliant and secure data processing. Yet choosing between ISO 27001, ISO 27701, SOC 2, and GDPR-specific seals — and then actually preparing for the audit — can feel overwhelming without expert guidance.
That is where your Data Protection Officer (DPO) adds immediate, measurable value. Your DPO identifies the certifications that best match your industry, operations, and client requirements, then supports every stage of the journey: gap analysis, policy development, evidence preparation, and ongoing renewal. By the end of this article you will understand which data protection certifications matter most for GDPR compliance, what each one covers, and exactly how your DPO steers you from your current position to a successful certification outcome.
Who Is This Article For?
This guide is relevant to:
- Privacy and compliance managers building the business case for certification

- DPOs and legal teams advising on certification strategy and audit readiness

- IT and security leaders responsible for implementing the controls certifications require

- Business owners and executives whose clients or supply chain contractually require proof of GDPR compliance

The Role of Data Protection Certifications in GDPR Compliance
GDPR Articles 42–43 explicitly encourage the establishment of data protection certification mechanisms, seals, and marks to demonstrate compliance with the Regulation. A valid certification does not provide an absolute exemption from GDPR obligations, but it does constitute meaningful evidence of lawful processing and can serve as a mitigating factor in regulatory enforcement actions.
Your DPO advises on which certifications are most relevant to your organization and supports the full preparation process — from initial gap analysis through to audit readiness and long-term renewal.
Common Data Protection and GDPR Compliance Certifications
Overview of key data protection certifications and their relevance to GDPR compliance
Certification
Focus Area
Relevance to GDPR Compliance

ISO 27001
Information security management
Demonstrates robust security controls supporting GDPR compliance

ISO 27701
Privacy information management
Extension to ISO 27001 specifically addressing GDPR requirements for data controllers and processors

SOC 2 Type II
Service organization controls
Demonstrates security, availability, and confidentiality controls relevant to GDPR accountability

GDPR-Specific Seals
GDPR compliance
Approved certification bodies verify the GDPR compliance of specific processing operations

Cyber Essentials
Basic cybersecurity hygiene
UK government-backed scheme demonstrating baseline security controls aligned with GDPR security obligations

How Your DPO Supports GDPR Certification Readiness
Your Data Protection Officer guides your organization through each phase of the certification process — from identifying gaps to maintaining compliance after the audit.
Step 1 — Gap Assessment
Your DPO evaluates your current data protection and security practices against the specific requirements of your target certification, identifying the areas that need improvement before audit.
Step 2 — Roadmap Development
Based on the gap assessment, your DPO creates a structured, prioritized remediation plan — setting realistic milestones and resource requirements so you can progress toward certification without disrupting business operations.
Step 3 — Policy Development
Your DPO drafts or updates internal data protection policies, privacy notices, and operational procedures to meet the specific documentation requirements of the chosen certification framework.
Step 4 — Evidence Preparation
Certification auditors require organized, verifiable evidence of compliant practices. Your DPO collates documentation, processing records, risk assessments, and control evidence to satisfy auditor requirements.
Step 5 — Audit Support
Throughout the certification audit itself, your DPO provides expert guidance — responding to auditor queries, clarifying technical and legal points, and ensuring the process runs smoothly.
Step 6 — Ongoing Maintenance and Renewal
Certification is not a one-time event. Your DPO supports continuous compliance activities — periodic reviews, control updates, and renewal cycles — so that your certification remains valid and meaningful.
Benefits of Achieving Data Protection Certification
- Provides credible, independently verified evidence of GDPR compliance to supervisory authorities, and can serve as a mitigating factor in enforcement actions.

- Builds trust with customers, partners, and stakeholders by signalling a sustained commitment to data protection and privacy.

- Creates a structured framework for continuous security and privacy improvement — rather than point-in-time compliance.

- Satisfies vendor due diligence and data protection requirements increasingly imposed by enterprise clients and supply chains.

- Can reduce the frequency and scope of individual audits requested by business partners, lowering the compliance burden over time.

Choosing the Right GDPR Certification for Your Organization
No single data protection certification is right for every organization. Your DPO weighs the following factors when recommending the most appropriate certification path:
- Your industry sector and the data protection expectations of your customers and regulators.

- Your existing security and privacy maturity — and how much remediation work a given certification realistically requires.

- The resources available for certification preparation and long-term annual maintenance.

- Whether specific certifications (for example, ISO 27001 or SOC 2 Type II) are contractually required by your clients or supply chain partners.

- The geographic scope of your operations and any applicable data protection laws beyond the GDPR (for example, UK GDPR or sector-specific regulations).

Frequently Asked Questions
Does GDPR require organizations to hold a specific certification?
No. GDPR does not mandate any specific certification. However, Articles 42–43 actively encourage certification as a way to demonstrate compliance. Holding a recognized data protection certification — such as ISO 27701 or a GDPR-approved seal — provides credible evidence of lawful processing and can be a meaningful mitigating factor if a supervisory authority investigates your organization.
What is the difference between ISO 27001 and ISO 27701 for GDPR compliance?
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). ISO 27701 is an extension of ISO 27001 that adds privacy-specific controls, explicitly addressing the requirements of GDPR for both data controllers and processors. Organizations that already hold ISO 27001 certification can add ISO 27701 as a natural next step to strengthen their GDPR compliance posture.
How long does it take to achieve GDPR data protection certification?
Timelines vary depending on the certification type and your organization's starting maturity. ISO 27001 certification typically takes 6–18 months from gap assessment to first audit. Your DPO's gap assessment will give you a realistic, organization-specific estimate based on the remediation work required.
Can data protection certification replace individual client security audits?
Not always, but it significantly reduces the burden. Many enterprise clients and procurement teams accept recognized certifications — particularly ISO 27001 and SOC 2 Type II — as a substitute for, or a significant reduction in the scope of, their own vendor security assessments. Your DPO can help position your certification to satisfy specific client due diligence requirements.
What role does the DPO play in maintaining certification after the initial audit?
Certification is renewed periodically — typically annually for surveillance audits and every three years for full recertification under ISO standards. Your DPO supports ongoing compliance activities between audits: monitoring control effectiveness, updating policies when data protection laws or internal processes change, and ensuring your organization is always renewal-ready.
Related Articles
- What Does a Data Protection Officer Do? Roles and Responsibilities Explained

- How to Conduct a GDPR Gap Analysis Before Your Certification Audit[?]

- ISO 27701 and GDPR: How Privacy Information Management Certification Supports Compliance[?]

- Maintaining Records of Processing Activities Under GDPR Article 30

---

# DPO as a Service Plans Explained: Choose the Right GDPR Compliance Support for Your Organization

URL: https://support.secureprivacy.ai/article/dpo-as-a-service-pricing-and-plans-explained
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T15:01:00+00:00
Updated: 2026-03-26T01:26:37.998+00:00
Reading Time: 6 minutes
Summary: Compare Secure Privacy's Essential, Professional, and Enterprise DPO as a Service plans. Find the right outsourced Data Protection Officer for your GDPR compliance needs.

Do You Really Need a Data Protection Officer — and How Much Support Is Enough?
Under the GDPR, many organizations are legally required to appoint a qualified Data Protection Officer — and even those that aren't still face mounting pressure to demonstrate accountability, respond to data subject access requests, manage vendor risk, and document their processing activities. Getting that wrong can mean regulatory fines, enforcement action, and reputational damage that far outweighs the cost of proper compliance.
The instinct for most organizations is to hire an in-house DPO. But a full-time, qualified data protection officer is expensive, hard to recruit, and — for smaller organizations — simply out of proportion to the actual workload. The alternative of assigning the role to an existing employee typically results in an under-resourced, under-qualified function that satisfies the letter of the law while leaving real gaps. Neither option is ideal.
That's where outsourced DPO services change the equation. A DPO as a Service gives your organization a named, registered, qualified Data Protection Officer — along with structured GDPR compliance support — at a fraction of the cost of a full-time hire, and with none of the recruitment risk.
Secure Privacy offers three DPO as a Service plans — Essential, Professional, and Enterprise — each calibrated to a different level of organizational complexity, data processing volume, and compliance risk. By the end of this guide, you'll know exactly which plan fits your situation and what you'll receive under each tier.
Who Is This Guide For?
- Organizations that are legally required to appoint a DPO under GDPR Article 37 but want an external, outsourced solution

- Small and mid-sized businesses seeking affordable GDPR compliance support without the overhead of an in-house hire

- Enterprises managing complex, multi-jurisdictional data flows that need dedicated, round-the-clock DPO coverage

- Existing Secure Privacy customers evaluating whether to upgrade their current DPO as a Service plan

Choosing the Right DPO as a Service Plan
Each Secure Privacy DPO as a Service plan provides a named, qualified Data Protection Officer along with a core set of GDPR compliance services. The plans differ in the depth, frequency, and scope of support — allowing you to match the level of outsourced DPO coverage to your organization's specific risk profile, vendor complexity, and operational scale.
DPO as a Service Plan Comparison
Feature-by-feature comparison of Secure Privacy DPO as a Service plans: Essential, Professional, and Enterprise
Feature
Essential
Professional
Enterprise

Named DPO
Yes
Yes
Dedicated DPO + backup

DPO Registration
Yes
Yes
Yes

Compliance Gap Analysis
Annual
Semi-annual
Quarterly

DPIA Support
Up to 2/year
Up to 6/year
Unlimited

Staff Training
Annual session
Quarterly sessions
Custom program

Compliance Reporting
Quarterly summary
Monthly operational + quarterly executive
Full reporting suite

Breach Response
Business hours
Extended hours
24/7 emergency line

DSAR Advisory
Guidance
Guidance + review
Full management

Vendor Reviews
Up to 5/year
Up to 15/year
Unlimited

Platform Access
Basic
Full
Full + API

Which DPO as a Service Plan Is Right for Your Organization?
- Essential: Best suited to small organizations with straightforward data processing activities, a limited number of vendors, and minimal cross-border data transfers.

- Professional: Ideal for mid-sized organizations managing moderate data processing complexity, multiple third-party vendors, and some international data transfers requiring ongoing GDPR oversight.

- Enterprise: Designed for large or complex organizations with extensive data processing operations, numerous vendors, and multi-jurisdictional compliance requirements needing dedicated, round-the-clock outsourced DPO support.

What Every Secure Privacy DPO as a Service Plan Includes
Regardless of the plan you choose, all Secure Privacy DPO as a Service subscriptions include the following core GDPR compliance services:
1 — Formal DPO Appointment and Regulatory Registration
A qualified Data Protection Officer is formally appointed on your organization's behalf and registered with the relevant supervisory authority, satisfying GDPR Article 37 obligations.
2 — Ongoing GDPR Compliance Advisory and Proactive Monitoring
Your DPO provides continuous advisory support and proactively monitors your data processing activities for emerging compliance risks.
3 — Access to the Secure Privacy Data Governance Platform
All plans include access to the Secure Privacy compliance platform, centralizing your data governance documentation, consent records, and processing registers.
4 — Regulatory Updates and Impact Analysis
As data protection laws evolve — including GDPR amendments, ePrivacy developments, and jurisdiction-specific rulings — your DPO provides timely impact analysis for your organization.
5 — Annual GDPR Compliance Audit
A structured annual audit assesses and documents your organization's GDPR compliance posture, identifying gaps and recommending remediation steps.
6 — Data Subject Access Request (DSAR) Process Guidance
Your DPO advises on handling DSARs correctly and within statutory timescales, reducing the risk of regulatory complaints from data subjects.
7 — Personal Data Breach Notification Support
In the event of a personal data breach, your DPO supports your response process, including assessing notifiability and preparing documentation for supervisory authorities.
Getting Started with Secure Privacy DPO as a Service
Contact your Secure Privacy account manager or visit the DPO as a Service section in your dashboard to explore available plans and request a consultation. Custom plans are also available for organizations with specific regulatory requirements or operational structures. Our team will assess your current GDPR compliance position and recommend the outsourced DPO plan best aligned to your needs, risk exposure, and budget.
Frequently Asked Questions About DPO as a Service
Is a Data Protection Officer legally required under GDPR?
Under GDPR Article 37, a DPO is mandatory for public authorities, organizations that carry out large-scale systematic monitoring of individuals, and those that process special category data at scale. Many other organizations appoint a DPO voluntarily as a best-practice accountability measure. A DPO as a Service solution satisfies the formal appointment and registration requirement in all cases.
What is the difference between an in-house DPO and a DPO as a Service?
An in-house DPO is a full-time employee, which carries significant recruitment, salary, and retention costs. A DPO as a Service provides a named, qualified, externally registered Data Protection Officer on a subscription basis — delivering the same regulatory compliance coverage at a fraction of the cost, with no hiring risk. The GDPR explicitly permits organizations to fulfil the DPO requirement through a service contract.
Which Secure Privacy DPO as a Service plan is best for a small business?
The Essential plan is designed for small organizations with straightforward data processing activities, a limited vendor base, and minimal cross-border data transfers. It includes a named DPO, annual compliance gap analysis, up to two DPIAs per year, annual staff training, quarterly compliance reporting, and personal data breach support during business hours.
What does DPIA support mean in a DPO as a Service plan?
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and mitigating privacy risks in high-risk processing activities. Your outsourced DPO assists in scoping, conducting, and documenting DPIAs. The number of DPIAs supported per year varies by plan: up to 2 under Essential, up to 6 under Professional, and unlimited under Enterprise.
Can I upgrade my DPO as a Service plan as my organization grows?
Yes. Secure Privacy DPO as a Service plans are designed to scale with your organization. You can upgrade from Essential to Professional or Enterprise at any point by contacting your Secure Privacy account manager. Custom plans are also available for organizations with unique regulatory or operational requirements.
Does Secure Privacy handle data breach notifications as part of the DPO service?
Yes. All Secure Privacy DPO as a Service plans include personal data breach notification support. Response availability scales by plan: business hours under Essential, extended hours under Professional, and a 24/7 emergency line under Enterprise — ensuring you meet the GDPR's 72-hour supervisory authority notification window regardless of when a breach occurs.
Related Articles
- What Is a Data Protection Officer and Do You Need One?

- How to Conduct a Data Protection Impact Assessment (DPIA)

- Managing Data Subject Access Requests Under GDPR

- GDPR Data Breach Notification: Requirements and Timelines

- Secure Privacy Data Governance Platform Overview

---

# DPO as a Service - FAQ: Qualifications, GDPR Compliance & Onboarding | Secure Privacy

URL: https://support.secureprivacy.ai/article/frequently-asked-questions-dpo-as-a-service
Product: DPO as a Service
Category: DPO Fundamentals
Published: 2026-03-09T15:01:00+00:00
Updated: 2026-03-26T01:23:55.519+00:00
Reading Time: 4 minutes
Summary: Get answers on outsourced DPO qualifications, GDPR Article 37 compliance, onboarding timelines, and multi-entity coverage. Secure Privacy DPO as a Service.

GDPR mandates a Data Protection Officer for many organizations — yet recruiting, retaining, and compensating a qualified in-house DPO is costly, slow, and increasingly competitive. Hiring junior staff and hoping they grow into the role creates compliance gaps that regulators notice. Relying on your existing legal or IT team spreads expertise too thin and leaves you exposed when a data breach or supervisory authority inquiry lands in your inbox.
Outsourced DPO services — sometimes called virtual DPO, fractional DPO, or DPO as a Service — solve this directly. Under GDPR Article 37(6), an external Data Protection Officer is fully lawful and carries exactly the same authority as an in-house appointment. Secure Privacy's DPO as a Service gives you a certified, experienced DPO from day one, without the recruitment overhead, at a predictable monthly cost.
This FAQ answers the questions organizations most commonly ask before appointing an external DPO — covering qualifications, regulatory compliance, onboarding timelines, multi-entity coverage, service continuity, and plan flexibility. By the end you'll know exactly what to expect from a managed DPO service and whether it's the right fit for your organization.
Who Is This Article For?
This FAQ is written for:
- Legal, compliance, and privacy teams evaluating whether an outsourced DPO satisfies GDPR requirements.

- CEOs and COOs at SMEs, scale-ups, and mid-market companies deciding between hiring in-house versus engaging a DPO service.

- Corporate groups and holding companies looking to appoint a single DPO across multiple legal entities.

- Existing Secure Privacy customers onboarding or managing their DPO as a Service subscription.

General Questions About DPO as a Service
What qualifications do Secure Privacy's DPOs hold?
All Secure Privacy DPOs hold recognized data protection certifications — such as CIPP/E, CIPM, or equivalent — and bring extensive practical experience in GDPR compliance across multiple industries and regulatory environments. Our DPOs maintain and deepen their expertise through continuous professional development, ensuring up-to-date knowledge of evolving data protection requirements.
Can an external DPO fulfill the GDPR legal requirement?
Yes. GDPR Article 37(6) explicitly states that the Data Protection Officer may be a staff member or fulfill their tasks on the basis of a service contract. External and outsourced DPOs are fully recognized and lawful under the regulation — making DPO as a Service a compliant and cost-effective alternative to hiring an in-house DPO.
How quickly can DPO as a Service be set up?
Standard onboarding typically takes 2–4 weeks, covering the initial consultation, compliance gap analysis, and formal DPO registration with your relevant supervisory authority. For organizations with urgent compliance deadlines, expedited onboarding is also available — contact your account manager to discuss timelines.
Scope and Coverage of the External DPO Service
Which data protection regulations does the outsourced DPO cover?
While GDPR is the primary regulatory focus, your assigned DPO also advises on a broader range of applicable data protection and privacy laws, including:
- EU member state data protection laws and national implementations.

- ePrivacy Directive requirements (cookies, electronic communications).

- UK GDPR and the Data Protection Act 2018 (post-Brexit).

- Other international data protection regulations relevant to your operations.

Can one external DPO cover multiple legal entities within our corporate group?
Yes. GDPR Article 37(2) allows a group of undertakings to appoint a single Data Protection Officer, provided the DPO is easily accessible from each establishment. Secure Privacy fully supports multi-entity and group-wide DPO arrangements, with structured coverage across all relevant legal entities.
What happens to our compliance program if our assigned DPO leaves Secure Privacy?
Service continuity is guaranteed. If your assigned DPO changes for any reason, a qualified replacement is appointed promptly, with a structured handover process to ensure no disruption to your GDPR compliance program, ongoing projects, or supervisory authority relationships.
Practical Questions About Working with an Outsourced DPO
Do we still need an internal privacy contact if we use an external DPO?
While not legally required under GDPR, we strongly recommend designating an internal privacy champion within your organization. This person coordinates day-to-day privacy activities, serves as the primary internal liaison with your external DPO, and helps ensure that data protection considerations are embedded across teams and processes.
How is client confidentiality maintained under a DPO as a Service arrangement?
Your DPO is bound by strict confidentiality obligations as required by GDPR Article 38(5), which prohibits the DPO from disclosing information obtained in the performance of their tasks. All Secure Privacy staff who handle client data are additionally subject to confidentiality agreements and appropriate security clearances, ensuring the highest standards of data privacy and professional discretion.
Can we upgrade or downgrade our DPO as a Service plan?
Yes. Plans can be adjusted at any renewal period to match your evolving compliance needs and organizational growth. If your requirements change significantly mid-term — for example, due to a merger, acquisition, or rapid expansion — contact your Secure Privacy account manager to discuss interim options.
Summary: Key DPO as a Service Questions at a Glance
Quick Reference — Common DPO as a Service Questions Answered
Question
Answer

Is an external DPO GDPR-compliant?
Yes — explicitly permitted under GDPR Article 37(6).

How long does onboarding take?
2–4 weeks standard; expedited onboarding available for urgent needs.

Can one DPO cover multiple group entities?
Yes — supported under GDPR Article 37(2).

Is service continuity guaranteed?
Yes — guaranteed with a structured DPO handover process.

Can we change our plan?
Yes — upgrade or downgrade at renewal, or mid-term by arrangement.

Related Articles
- What Does a Data Protection Officer Actually Do?

- Does My Organization Need a DPO Under GDPR?

- DPO as a Service Plans and Pricing

- GDPR Compliance Checklist for Businesses

---

# GDPR Accountability Principle: Compliance Documentation and DPO Responsibilities

URL: https://support.secureprivacy.ai/article/dpo-support-gdpr-accountability-documentation
Product: DPO as a Service
Category: DPO Compliance
Published: 2026-03-09T15:00:00+00:00
Updated: 2026-03-26T01:21:24.448+00:00
Reading Time: 6 minutes
Summary: Learn what GDPR Article 5(2) accountability requires, which documents your DPO must maintain, and how Secure Privacy keeps you audit-ready at all times.

A supervisory authority investigation doesn't announce itself in advance — and when it arrives, the first thing regulators ask for is evidence. Not a promise of compliance, not a policy document drafted three years ago and never revisited, but a complete, current, version-controlled record of every significant data processing decision your organization has made. For most organizations, that moment reveals the same uncomfortable reality: compliance knowledge lives in people's heads, documentation is scattered across shared drives, and there is no clear owner.
Many organizations attempt to solve this with generic spreadsheet templates or off-the-shelf policy bundles — only to find that those documents quickly fall out of sync with actual processing activities, leaving gaps that are hard to explain to a regulator and harder still to fix under time pressure.
The GDPR accountability principle requires a fundamentally different approach: structured, maintained, and demonstrable compliance — not just compliance on paper. That is precisely what a qualified Data Protection Officer (DPO), supported by a purpose-built platform like Secure Privacy, delivers. Together, they give your organization a living accountability framework — one where every required document exists, is kept current, and can be produced at a moment's notice.
By the end of this article you will understand exactly which GDPR accountability documents are legally required, what your DPO is responsible for maintaining, and how Secure Privacy's compliance platform makes the entire process manageable and audit-ready.
Who Is This Article For?
This guide is relevant to:
- Data Protection Officers (DPOs) building or maintaining a GDPR accountability framework

- Legal, compliance, and privacy teams preparing for supervisory authority reviews or internal audits

- CTOs, COOs, and senior management seeking to understand their organization's documentation obligations under GDPR Article 5(2)

- Organizations evaluating GDPR compliance software or a DPO-as-a-service solution

The GDPR Accountability Principle Explained (Article 5(2))
GDPR Article 5(2) establishes the accountability principle: organizations must not only comply with core data protection principles but must also be able to demonstrate that compliance through documented evidence. Your DPO ensures your organization maintains the documentation, records, and internal processes needed to meet this legal obligation — and to respond effectively if a supervisory authority requests proof of compliance.
In practice, this means accountability is not a one-time project. It is an ongoing discipline that requires consistent record-keeping, regular reviews, and a clear governance structure with defined ownership of each compliance document.
Required GDPR Accountability Documents and Your DPO's Responsibilities
The table below maps each key accountability document to its legal basis under the GDPR and the specific responsibility your DPO carries for that record.
Required GDPR Accountability Documents, Legal Basis, and DPO Responsibilities

Document
GDPR Requirement
DPO Responsibility

Records of Processing Activities (ROPA)
Article 30
Create, maintain, and regularly update.

Data Protection Impact Assessments (DPIAs)
Article 35
Advise on necessity, conduct, and review outcomes.

Privacy Policies and Notices
Articles 13–14
Draft, review, and update to reflect current processing activities.

Data Processing Agreements (DPAs)
Article 28
Review vendor agreements and advise on compliance requirements.

Breach Register
Article 33(5)
Maintain a complete log and document all personal data incidents.

Consent Records
Article 7(1)
Oversee consent collection, management, and withdrawal processes.

Legitimate Interest Assessments (LIAs)
Article 6(1)(f)
Conduct, document, and review to justify lawful processing basis.

Training Records
Article 39(1)(b)
Track staff training completion and report on awareness levels.

DSAR Response Log
Articles 15–22
Oversee data subject request handling and review response quality.

Best Practices for GDPR Accountability Documentation
Maintaining GDPR accountability documentation is an ongoing obligation, not a one-off exercise. The following practices help organizations keep their compliance records complete, current, and ready for regulatory scrutiny.
Centralize All Documentation
Store all accountability records in a single, accessible location to ensure they can be retrieved quickly during supervisory authority reviews or internal audits. A centralized GDPR compliance management system eliminates the risk of version conflicts and missing records.
Apply Version Control
Track changes to all documents over time so you can demonstrate the evolution of your compliance posture and identify when updates were made. Version history is especially important when responding to supervisory authority inquiries about past processing decisions.
Set Review Schedules
Assign a defined review frequency to each document type — ensuring records remain accurate, current, and aligned with actual processing activities. Annual reviews are a minimum; high-risk processing activities may warrant more frequent checks.
Write Clearly and Accurately
Accountability documentation must be understandable to both internal stakeholders and external regulators — avoid jargon and ensure factual accuracy throughout. Clear language also reduces the risk of misinterpretation during an audit.
Record Decision-Making Processes
Document not just compliance outcomes but the rationale and evidence behind key decisions — this is critical for demonstrating accountability under GDPR Article 5(2). Regulators want to see why you made a decision, not just what you decided.
Secure Access Controls
Store all accountability documentation with appropriate security measures and role-based access controls to protect sensitive information while keeping it accessible to authorized personnel. Restricting edit access prevents accidental overwrites of audit-critical records.
How Secure Privacy Supports GDPR Accountability
The Secure Privacy platform provides a centralized hub for all GDPR accountability documentation. Your DPO uses the platform to maintain, update, and provide structured access to all required records — ensuring they are organized, version-controlled, and readily available for supervisory authority review at any time.
By combining expert DPO oversight with purpose-built compliance technology, Secure Privacy helps your organization move from reactive compliance to a proactive, demonstrable accountability framework — one that satisfies regulators and protects the rights of your data subjects.
Frequently Asked Questions: GDPR Accountability
What is the GDPR accountability principle and what does it require?
The GDPR accountability principle, set out in Article 5(2), requires organizations to not only comply with data protection law but to actively demonstrate that compliance through documented evidence. This means maintaining accurate records of processing activities, impact assessments, consent logs, breach registers, and other accountability documentation — and making these available to supervisory authorities on request.
What documents do I need to prove GDPR compliance?
Key GDPR accountability documents include: Records of Processing Activities (ROPA) under Article 30, Data Protection Impact Assessments (DPIAs) under Article 35, privacy notices under Articles 13–14, data processing agreements under Article 28, a breach register under Article 33(5), consent records under Article 7, legitimate interest assessments, staff training records, and a log of data subject access request (DSAR) responses.
What happens if my organization cannot demonstrate GDPR compliance during an audit?
Failure to demonstrate compliance under GDPR Article 5(2) can result in significant fines — up to €20 million or 4% of global annual turnover, whichever is higher — as well as corrective orders from supervisory authorities. Beyond financial penalties, inadequate accountability documentation can undermine your defense in any data breach or data subject complaint investigation.
Does every organization need a Data Protection Officer (DPO) for GDPR accountability?
Under GDPR Articles 37–39, a DPO is mandatory for public authorities, organizations that carry out large-scale systematic monitoring of individuals, or those that process special category data at scale. Even where a DPO is not legally required, having a dedicated privacy function — or using a DPO-as-a-service solution — is strongly recommended to manage ongoing GDPR accountability obligations effectively.
How does Secure Privacy help with GDPR accountability documentation?
Secure Privacy provides a centralized compliance platform where your DPO can maintain, version-control, and manage all required GDPR accountability documents — from ROPA and DPIAs to consent records and breach registers. The platform is designed to make accountability documentation audit-ready at all times, reducing the burden on internal teams and ensuring nothing falls through the gaps.
Related Articles
- How to Build and Maintain Your Records of Processing Activities (ROPA)

- When Is a Data Protection Impact Assessment (DPIA) Required?[?]

- DPO Role and Responsibilities Under GDPR

- Managing Data Subject Access Requests (DSARs) Efficiently

- GDPR Breach Notification: Timelines, Requirements, and Templates[?]

---

# Privacy Risk Management Module – GDPR Risk Assessment, Mitigation Planning, and DPIA Support in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module--risks
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T10:08:19.474+00:00
Reading Time: 4 minutes
Summary: Use the Privacy Risk Management module in Secure Privacy's Governance Solution to assess, categorize, and mitigate privacy risks — with integrated DPIA support and audit-ready risk records.

The Privacy Risk Management module in Secure Privacy's Governance Solution provides a systematic approach to identifying, evaluating, and mitigating privacy risks across your organization's data processing activities. It enables privacy professionals to conduct structured risk assessments, develop mitigation strategies, assign ownership, and maintain continuous oversight — supporting GDPR compliance, Data Protection Impact Assessments (DPIAs), and broader privacy program governance.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR risk assessment and DPIA workflows

  - Compliance and legal teams identifying and tracking privacy risks across processing activities

  - IT and security teams managing technical risks associated with personal data processing systems

  - Risk owners and team members assigned to monitor and remediate identified privacy risks

Purpose and Functionality

The Privacy Risk Management module is a core component of Secure Privacy's Governance Solution, giving compliance teams a single, structured environment to document privacy risks, score their likelihood and impact, plan mitigations, and track remediation progress. By integrating risk management directly into the governance platform, it creates a clear, auditable chain from identified risk to mitigation — supporting DPIA requirements under GDPR Article 35 and the accountability principle under Article 5(2).

How to Use the Privacy Risk Management Module

  - Navigate to the Privacy Risk Management section from the main navigation menu in the Governance Solution.

  - Create a new risk entry and document the risk name, description, and the data processing activity it relates to.

  - Categorize the risk by type — Security, Compliance, or Operational — and score it using the likelihood and impact matrix.

  - Define mitigation measures to address the identified risk, including the controls to be implemented and their target completion date.

  - Assign the risk to a team member for ongoing management and accountability.

  - Monitor mitigation progress through the risk register and update status as actions are completed.

  - Review and reassess risks periodically or whenever the associated processing activity changes.

Available Features

  - Risk assessment and documentation: Create structured risk records with descriptions, categories, likelihood and impact scores, and links to relevant processing activities.

  - Risk categorization and prioritization: Classify risks by type and severity to focus remediation efforts on the highest-priority items first.

  - Mitigation planning: Document specific mitigation measures, assign deadlines, and track implementation status for each identified risk.

  - Assignment of responsibilities: Assign risk ownership to specific team members, ensuring clear accountability for monitoring and remediation.

Common Use Cases

  - Identifying and assessing privacy risks associated with data processing activities — supporting DPIA pre-screening and structured risk documentation under GDPR Article 35.

  - Developing and tracking mitigation plans to reduce identified risks to an acceptable level before or during processing.

  - Monitoring the ongoing status of risk mitigation efforts across the organization — with audit-ready records for supervisory authority review.

Troubleshooting

Cannot add a new risk

Verify that your account has the necessary permissions to create entries in the Privacy Risk Management module. Only users with the appropriate role can add new risks. Contact your Secure Privacy account administrator to review your access rights.

Cannot assign a risk to a team member

The team member must have an active user account within your Secure Privacy organization with the appropriate role assigned. Check that the intended assignee exists in the Members module and has the correct permissions. Contact your account administrator if the user account needs to be created or updated.

Frequently Asked Questions

How does the Privacy Risk Management module support GDPR DPIA requirements?

The module supports DPIA workflows by providing a structured environment for identifying risks to data subjects' rights and freedoms, scoring their likelihood and severity, and documenting mitigation measures — the core elements required under GDPR Article 35(7). Risk records created in the module can feed directly into DPIA documentation, providing an auditable trail from risk identification to mitigation sign-off.

Can risks be linked to specific systems or processing activities?

Yes. Risk entries can be linked to processing activities and systems documented elsewhere in the Governance Solution, creating end-to-end traceability from data processing activity to identified risk to mitigation measure — supporting both ROPA accuracy and DPIA completeness.

Who should be assigned as a risk owner?

Risk ownership should be assigned to the team member with operational responsibility for the processing activity or system the risk relates to — typically the system owner, department head, or technical lead. The DPO or privacy manager retains oversight responsibility across the risk register as a whole.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# How to Classify and Edit Cookies and Services in Secure Privacy – Cookie Classification Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-classify-and-edit-your-cookies-and-services
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T22:01:02.317+00:00
Reading Time: 3 minutes
Summary: [CMP v1] Learn how to edit cookie categories, service names, privacy policy links, and descriptions in Secure Privacy's Classification feature — and when to rescan to apply your changes.

Secure Privacy's Cookie Classification feature lets you review, edit, and recategorize the cookies and services detected on your website — including their category, service name, privacy policy link, and description. Changes to cookie classification are applied to your cookie declaration after a domain rescan.

Note: Any changes made to cookie classification will only be reflected in your cookie declaration after you trigger a website rescan from the Report section.

Who Is This For?

  - Website administrators reviewing and correcting cookie categories assigned by the Secure Privacy scanner

  - Compliance teams ensuring cookies are accurately classified as Essential, Analytics, Marketing, or other categories

  - Developers updating service names, privacy policy links, and cookie descriptions in the classification register

How to Access Cookie Classification

  - Log in to your Secure Privacy account and select the domain you want to work with by clicking the domain name selector and choosing the correct domain.

  - Click Classification in the left sidebar.

How to Edit the Category of a Cookie or Service

  - Locate the cookie or service you want to edit and click its Edit button.

  - Select the required Category from the dropdown list to match your compliance requirements and business logic.

Note on terminology: Host refers to the domain name of the website that places the specific cookie. Service is the widely recognized name or tag associated with that cookie — for example, "Google Analytics" or "Facebook Pixel."

  - In addition to the Category, you can also edit the Service name or tag, the Privacy Policy link, and the Description for the cookie. Click Save to apply your changes.

Important — Multiple categories: If a service shows a Multiple categories value, it means the individual cookies from that service provider have been assigned to different categories. This can cause unexpected behavior in your Consent tracker: if a visitor blocks one category but allows another from the same service provider, all cookies from that provider will be blocked — because the block action takes precedence over the allow action. Review and align the categories for all cookies from the same service provider to avoid this.

Frequently Asked Questions

Do I need to rescan after editing cookie classifications?

Yes. Changes to cookie classification are not reflected in your live cookie declaration until you trigger a website rescan from the Report section. Run a rescan after completing your classification edits to apply the updates.

What is the difference between Host and Service in the classification view?

The Host is the domain name of the website that sets the cookie — for example, analytics.google.com. The Service is the human-readable name associated with the cookie — for example, "Google Analytics." Editing the Service name updates how it appears in your cookie declaration to visitors.

What should I do if a cookie is assigned to the wrong category?

Click Edit next to the cookie or service and select the correct category from the Category dropdown. Common categories include Essential, Analytics, Marketing, Functional, and Unclassified. Save the change and rescan your domain to update your cookie declaration.

See Also

  - How to Block a Cookie in the Scan Report

  - How to Add a Custom Service or Cookie

  - Secure Privacy Pricing Plans Overview

---

# Calendar Module – Compliance Deadline Tracking and Task Management in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module--calendar
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T11:25:39.601+00:00
Reading Time: 4 minutes
Summary: Track compliance deadlines, schedule privacy tasks, and monitor ongoing initiatives using the Calendar module in Secure Privacy's Governance Solution — built for GDPR program management.

The Calendar module in Secure Privacy's Governance Solution is a centralized compliance task and deadline management tool — giving your privacy team a clear, visual overview of all upcoming compliance deadlines, recurring tasks, and regulatory requirements. It transforms complex compliance scheduling into an intuitive calendar experience that keeps your organization ahead of critical dates.

Who Is This For?

  - Data Protection Officers and privacy managers tracking compliance deadlines and recurring program tasks

  - Compliance teams scheduling privacy training sessions, audit reviews, and policy update cycles

  - Risk and governance teams monitoring the progress of ongoing compliance initiatives and mitigation deadlines

  - Team members assigned to time-sensitive compliance actions within the Governance Solution

Purpose and Functionality

The Calendar module consolidates all compliance-related tasks and deadlines from across the Governance Solution into a single, visual calendar interface. Whether you are tracking DSAR response deadlines, scheduling staff training, or monitoring risk mitigation target dates, the Calendar module ensures nothing is missed — providing a shared, organized view of your compliance program's time-sensitive obligations.

How to Use the Calendar Module

  - Navigate to the Calendar page from the main navigation menu in the Governance Solution.

  - View all scheduled tasks and compliance deadlines in the monthly calendar format.

  - Click on a specific date to see the full list of tasks scheduled for that day.

  - Drag and drop tasks to reschedule them to a different date as priorities change.

  - Add new compliance tasks directly from the calendar view without leaving the module.

Available Features

  - Monthly calendar view: A visual overview of all compliance tasks and deadlines organized by date — giving your team an immediate picture of what is coming up.

  - Task rescheduling via drag and drop: Easily move tasks to new dates by dragging and dropping them directly on the calendar — no need to open individual task records.

  - Task creation from calendar view: Add new compliance tasks directly from the calendar interface, with the selected date pre-populated as the due date.

  - Filtering by category or assignee: Filter the calendar view by task category or assigned team member to focus on the deadlines most relevant to your role or area of responsibility.

Common Use Cases

  - Tracking upcoming compliance deadlines — including DSAR response windows, breach notification timelines, and regulatory submission dates — to ensure nothing is missed.

  - Scheduling recurring privacy training sessions and annual compliance review cycles across the organization.

  - Monitoring the progress of ongoing compliance initiatives, risk mitigation target dates, and action plan deadlines from the Privacy Risk Management module.

Troubleshooting

Tasks are not displaying

Check that the correct filters are applied — if a category or assignee filter is active, tasks outside that filter will not appear. Clear all filters to see the full calendar view. If tasks are still missing, verify that they have been assigned a due date in the relevant module.

Cannot reschedule a task

Rescheduling tasks via drag and drop requires edit permissions for the task in question. Verify your user role with your Secure Privacy account administrator. If the task was created in another module — such as the Privacy Risk Management or Process Register module — it may need to be updated from its source record.

Frequently Asked Questions

Are tasks from other Governance Solution modules automatically visible in the Calendar?

Yes. Tasks and deadlines created across the Governance Solution — including mitigation deadlines from the Privacy Risk Management module and action items from compliance reviews — are surfaced in the Calendar module, providing a unified view of all time-sensitive compliance obligations in one place.

Can the Calendar be used to track GDPR-specific deadlines such as DSAR response windows?

Yes. Compliance deadlines — including DSAR response deadlines, breach notification timelines, and DPIA review dates — can be added and tracked in the Calendar module. Filtering by category allows your team to focus specifically on regulatory deadline types when needed.

Can tasks be assigned to specific team members from the Calendar view?

Tasks can be created from the Calendar view and assigned to team members with active accounts in the Governance Solution. For more detailed task configuration — including linking to process records or risk assessments — open the full task record in the relevant module after creation.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# How to Set Cookie Banner Target Audience in Secure Privacy – GDPR, CCPA, and LGPD Geographic Targeting

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-select-correct-target-audience-geotargeting
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:01:53.718+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to configure geographic target audience settings in Secure Privacy — show GDPR, CCPA, or LGPD cookie banners only to visitors from Europe, California, or Brazil.

Secure Privacy's Target Audience setting lets you show your cookie consent banner and Privacy Center only to visitors from the relevant geographic region — so GDPR banners display to European visitors, CCPA banners to California visitors, and LGPD banners to Brazilian visitors. This ensures your compliance tools are shown to the right audience without interrupting visitors from other regions.

Who Is This For?

  - Website owners and administrators configuring geographic targeting for their cookie consent banner

  - Compliance teams ensuring GDPR, CCPA, or LGPD banners display only to the relevant regional audience

  - Developers setting up multi-regulation compliance with region-specific banner visibility

How to Configure Cookie Banner Target Audience

  - Log in to your Secure Privacy account and click the relevant compliance module in the left sidebar — GDPR, CCPA, or LGPD.

  - Click the Targeting section tab and open the Target Audience dropdown.

  - Select the appropriate audience option for the active compliance module:
    
      - GDPR: Active for visitors from Europe

      - CCPA: Active for visitors from California

      - LGPD: Active for visitors from Brazil

    
    Note: The available audience options change depending on which compliance module you have selected in the left sidebar.
  

  - Click Save to apply the target audience setting.

Frequently Asked Questions

What happens to visitors outside the targeted region?

Visitors outside the targeted region will not see the cookie consent banner or Privacy Center for that compliance module. If you have multiple compliance modules active — for example, both GDPR and CCPA — each module displays its banner only to visitors within its respective target audience.

Can I show the cookie banner to all visitors regardless of location?

Yes. Select the Active for all visitors option from the Target Audience dropdown if you want the banner to display to every visitor regardless of their geographic location.

Do I need to configure targeting separately for each compliance module?

Yes. Target audience settings are configured independently for each compliance module — GDPR, CCPA, and LGPD each have their own Targeting section. Make sure to set and save the target audience for each module you have active in your account.

See Also

  - Automatic Cookie Blocking Explained

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# How to Check If Google Consent Mode Is Working: Testing the gcs Parameter, Consent Mode Inspector & dataLayer

URL: https://support.secureprivacy.ai/article/checking-the-google-consent-mode-implementation
Product: Consent Management
Category: Google Consent Mode
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-04-15T21:48:41.548+00:00
Reading Time: 5 minutes
Summary: Verify your Google Consent Mode setup by checking the gcs parameter in Google Analytics collect requests, using the Consent Mode Inspector, and inspecting the dataLayer. Step-by-step guide by Secure Privacy.

Summary: This guide explains how to verify that Google Consent Mode is correctly implemented and working on your website using Secure Privacy. You'll learn how to identify the gcs parameter in Google Analytics network requests, compare tag behavior with and without consent, and use browser tools like the Consent Mode Inspector and window.dataLayer to confirm consent signals are firing correctly.
Who Is This Guide For?
- Website administrators and developers verifying their Google Consent Mode integration after setup

- Technical marketers and analytics managers checking that Google Analytics and Google Ads tags respond correctly to user consent

- Compliance professionals confirming GDPR-compliant tag behavior before go-live

Before You Begin
- Google Consent Mode must already be implemented on your site (via Basic or Advanced Mode)

- You have access to your browser's Developer Tools (Chrome DevTools recommended)

- Your Secure Privacy consent banner is live and rendering correctly on the page

How Google Consent Mode Changes Google Analytics Tag Behavior
Before testing, it helps to understand what changes once Google Consent Mode is active. By default, Google Consent Mode blocks Google tags from creating or reading any cookies until the user grants consent—similar to fully blocking the script, but with one key difference: a cookieless "collect" ping is still sent to Google Analytics.
Previously, without Consent Mode, Secure Privacy blocked the entire Google Analytics script when a user hadn't consented, meaning no network requests were made. With Google Consent Mode active, a lightweight collect API call is sent immediately—but it contains a special gcs parameter that signals the user's consent status to Google.
Quick Reference: gcs Parameter Values
- G100 — Consent Denied (default state, no cookies set)

- G101 — Analytics consent Granted

- G111 — All consent types Granted

How to Check Google Consent Mode Is Working: No Consent State
To verify correct behavior before a user consents, follow these steps:
- Open your browser's Developer Tools (F12 or right-click > Inspect).

- Clear all cookies for the site (Application tab > Storage > Clear site data).

- Reload the page without interacting with the consent banner.

- Go to the Network tab and filter for collect.

You should see a collect request sent to Google Analytics. This confirms Google Consent Mode is active. Unlike a non-Consent Mode implementation, this request fires even without consent—but no cookies are created.
The Google Analytics collect request visible in the Network tab before user consent is given — a sign that Google Consent Mode is active.
To inspect the request in detail, click the collect call and review its parameters:
The gcs=G100 parameter in the collect request confirms Google Consent Mode is active and consent is currently Denied.
The highlighted gcs parameter with a value of G100 confirms that Google Consent Mode is active and the current consent state is Denied. No cookies will be set in this state.
Verifying Google Consent Mode After the User Grants Consent
Once a user provides consent via the Secure Privacy banner, Google Consent Mode updates its status to Granted. This triggers the following changes:
- Cookies are created by Google Analytics and any other consented Google tags.

- The next collect API request will include gcs=G101 (analytics consent granted) or gcs=G111 (all consent types granted).

After the user grants consent, the gcs parameter updates to G101 or G111, confirming consent has been registered by Google Consent Mode.
Note: If you inspect a site without Google Consent Mode, you will only see the collect request after the user consents (when the script is loaded), and the gcs parameter will be absent entirely. The presence of gcs is your confirmation that Google Consent Mode is active.
Faster Verification: Consent Mode Inspector Browser Extension
For a quicker visual check of consent state without digging through DevTools, use the Consent Mode Inspector by InfoTrust. This Chrome extension displays the current Google Consent Mode state for all consent types at a glance directly in your browser toolbar.
The Consent Mode Inspector by InfoTrust displays the live consent status for each category—a fast alternative to manual DevTools inspection.
Verifying Consent Mode Defaults via the dataLayer
Google Consent Mode defaults and subsequent consent updates are also logged directly in the dataLayer. You can inspect these in your browser console by entering:
window.parent.dataLayerThis will display the full history of consent events—including the initial default consent state set by your Secure Privacy configuration and any updates triggered by user interaction with the banner.
The window.parent.dataLayer console output showing Google Consent Mode default state and consent update events.
Frequently Asked Questions (FAQ)
How do I know if Google Consent Mode is working correctly?
Open Chrome DevTools, go to the Network tab, and filter for collect. If you see a collect request with a gcs parameter present, Google Consent Mode is active. A value of G100 means consent is denied; G101 or G111 means consent has been granted.
What does the gcs parameter mean in Google Analytics?
The gcs parameter is added by Google Consent Mode to every collect API request. It indicates the current consent state: G100 = Denied, G101 = Analytics Granted, G111 = All Granted. Its absence means Google Consent Mode is not implemented.
Why do I see a collect request even when the user hasn't consented?
This is expected behavior in Google Consent Mode (especially Advanced Mode). A cookieless "collect" ping is sent to enable conversion and behavioral modeling without setting cookies or identifying the user. This is different from a standard Google Analytics implementation, which only fires after consent.
What is the Consent Mode Inspector and how do I use it?
The Consent Mode Inspector by InfoTrust is a free Chrome browser extension that visually displays the current Google Consent Mode state for each consent category on any page. Install it, visit your site, and click the extension icon to see a live readout of granted and denied consent states.
How do I check consent mode events in the dataLayer?
Open your browser console and type window.parent.dataLayer. Look for consent events to see the default state set at initialization and any updates recorded after user interaction with your consent banner.
Need Further Assistance?
For additional help verifying your Google Consent Mode implementation, contact our support team at support@secureprivacy.ai.
For urgent or systemic escalations related to Google Consent Mode, contact our designated point of contact: Andrew Sidorkin. We aim to address all escalations within one business day.
For policy questions directed to Google, contact the Google EU User Consent Policy team at ddp-gdpr-escalations@google.com.

---

# How to Implement Google Consent Mode Advanced with Google Tag Manager — Secure Privacy GTM Setup Guide

URL: https://support.secureprivacy.ai/article/implementing-google-consent-mode-advanced-using-google-tag-manager-community-template
Product: Consent Management
Category: Google Consent Mode
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-04-06T20:29:30.091+00:00
Reading Time: 5 minutes
Summary: Set up Google Consent Mode Advanced using Secure Privacy's GTM template. Step-by-step guide covering GCM v2, default consent states, cookieless pings, and GDPR compliance.

Summary: Google Consent Mode (GCM) is a Google API that lets website owners integrate user consent choices directly into Google tag behavior—ensuring privacy compliance via tools like Google Tag Manager (GTM) or the global site tag. This tutorial covers Advanced Consent Mode setup using the Secure Privacy GTM Community Template, including GCM v2's ad_user_data and ad_personalization parameters.
With Secure Privacy, Google Consent Mode can be implemented in two ways:
- Basic Mode

- Advanced Mode (this tutorial)

Who Is This Guide For?
- Website administrators managing consent banners and tag configuration

- Developers & technical marketers integrating Google Analytics or Google Ads via GTM

- Compliance and privacy professionals ensuring GDPR, CCPA, and Google EU User Consent Policy adherence

Before You Begin: Prerequisites
- An active Secure Privacy account with your Domain ID ready

- Access to your site's Google Tag Manager container

- If you are an existing Secure Privacy user using the GTM-native approach: remove the Secure Privacy script from the <head> of your website before proceeding

- New users do not need to add the Secure Privacy script to the head tag

Why Use Google Consent Mode Advanced Mode?
Advanced Consent Mode gives you granular control over how Google tags behave based on each user's consent decision. For example, if a user declines analytics cookies, only aggregate, cookieless data is sent to Google—helping you balance privacy compliance with website performance measurement. Unlike Basic Mode, Advanced Mode enables conversion modeling and behavioral modeling even for non-consenting users, reducing data gaps in your analytics and advertising reporting.
GCM v2 expands support to five consent types—advertisement, analytics, functional, personalization, and security cookies—plus two new parameters: ad_user_data and ad_personalization.
How Secure Privacy Integrates with Google Consent Mode
Secure Privacy passes user consent choices directly to Google, ensuring your website only collects personal data with explicit user permission and falls back to aggregated, privacy-safe data when consent is declined. This keeps you compliant with GDPR and CCPA while maintaining user trust and advertising performance.
How to Set Up Google Consent Mode Advanced Using Google Tag Manager
Step 0: Set Up Google Tag Manager
Ensure Google Tag Manager is installed on your site before proceeding.
Step 1: Create a New Tag in Google Tag Manager
In your GTM container, navigate to Tags in the left sidebar, then click New.
Navigate to Tags in GTM and click New to create a new tag.
Step 2: Find the Secure Privacy Template in the Community Gallery
Click Tag Configuration, then select "Discover more tag types in the Community Template Gallery." Search for Secure Privacy in the gallery.
Search for "Secure Privacy" in the GTM Community Template Gallery.
Step 3: Add the Secure Privacy CMP Template to Your Workspace
Select the Secure Privacy CMP template from the results, then click Add to Workspace > Add.
Select the Secure Privacy CMP template and add it to your GTM workspace.
Step 4: Configure Your Secure Privacy Domain ID and Tag Settings
Insert your Secure Privacy Domain ID, configure any additional values as needed, and save the tag.
We have a quick giude on how to locate your Domain ID here.
Enter your Secure Privacy Domain ID and configure consent defaults.
Setting a Default Consent State (Recommended)
To configure a Default Consent Setting for each consent category:
- Click Add Setting.

- Select Granted or Denied from the dropdown for each consent category as required.

- Set the Region using ISO 3166-2 codes. Use all if you do not want to geo-target by region.

- Click Add to confirm.

Configure default Granted/Denied states per consent category and target region.
Step 5: Set the Trigger to "Consent Initialization – All Pages"
Under Triggering, select Consent Initialization – All Pages. This ensures the Secure Privacy consent signal fires before any other tags load—critical for correct Advanced Consent Mode behavior.
Set the trigger to "Consent Initialization – All Pages" for correct consent signal timing.
Step 6: Save and Publish
Click Save to finalize the tag configuration, then submit and publish your GTM container to make the integration live.
Optional: Blocking Third-Party Cookies in GTM
If your site loads third-party scripts through GTM, you may need to prevent those scripts from setting cookies when users have not granted consent. See: How to Block Cookies with Google Tag Manager.
Common Google Consent Mode Advanced Issues & Fixes
- Tag not firing as expected? Double-check the step order in GTM and confirm the trigger is set to Consent Initialization – All Pages—not a standard page view trigger.

- Consent choices not being reflected in Google tags? Verify your Secure Privacy Domain ID is entered correctly and that your consent categories are properly mapped in the tag configuration.

- Still not working? Check our troubleshooting knowledge base or contact the Secure Privacy support team directly.

Frequently Asked Questions (FAQ)
What is the difference between Basic and Advanced Google Consent Mode?
Basic Consent Mode blocks all Google tags until the user explicitly consents. Advanced Consent Mode loads tags immediately but sends only anonymous "cookieless pings" before consent is granted—enabling conversion and behavioral modeling while maintaining GDPR compliance. See our Basic vs. Advanced Consent Mode comparison guide.
Do I need to remove the Secure Privacy script from my site's <head> when using GTM?
Yes—if you are an existing Secure Privacy user switching to the GTM-native approach, remove the Secure Privacy script from your site's <head> to avoid conflicts. New users can skip this step.
What trigger should I use in GTM for Google Consent Mode?
Always use Consent Initialization – All Pages as the trigger. This guarantees the consent signal is sent before any other Google tags fire, which is required for Advanced Consent Mode to work correctly.
What are the new GCM v2 parameters and why do they matter?
GCM v2 adds ad_user_data and ad_personalization parameters, which give Google specific signals about whether a user has consented to their data being used for advertising personalization and audience targeting. These are required to maintain full ad functionality under Google's EU User Consent Policy.
Is Secure Privacy a Google-certified Consent Management Platform?
Yes. Secure Privacy is a Google-certified CMP, meeting Google's technical and policy standards for consent signal integration with Google tags, Analytics, and Ads.
Conclusion
By implementing Google Consent Mode Advanced with Secure Privacy's GTM Community Template, your website respects user consent decisions while remaining compliant with GDPR, CCPA, and Google's EU User Consent Policy. Advanced Mode ensures you retain the best possible analytics and advertising data through modeling—even when users decline consent.
Need Further Assistance?
Contact the Secure Privacy support team at support@secureprivacy.ai.
For urgent matters related to Google Consent Mode, email andrew@secureprivacy.ai — we aim to respond within one business day.
For policy questions directed to Google, contact the Google EU User Consent Policy team at ddp-gdpr-escalations@google.com.
See Also
- How to Block Cookies with Google Tag Manager

- Google Consent Mode – Basic Implementation Guide

- Ensuring Compliance with Google's EU User Consent Policy

- Basic vs. Advanced Google Consent Mode: Full Comparison Guide

---

# How to Integrate Google Consent Mode v2 with Secure Privacy – Installation Script and GTM Setup Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-secure-privacy--google-consent-mode-v2-integration-guide-no-gtm
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:20:13.559+00:00
Reading Time: 3 minutes
Summary: [CMP v1] Learn how to integrate Google Consent Mode v2 with Secure Privacy using the installation script or Google Tag Manager Template — including default consent settings and region-specific configuration.

Secure Privacy supports Google Consent Mode v2 — an API that connects Google tag behavior with visitor consent choices. When integrated with Secure Privacy, every consent decision a visitor makes is automatically signaled to Google, adjusting how tags such as Google Analytics and Google Ads behave based on whether consent was granted or declined.
Google Consent Mode v2 (GCM v2) introduces two additional parameters alongside ad_storage and analytics_storage: ad_user_data and ad_personalization — giving you granular control over how personal data is used for advertising and personalization purposes.
Who Is This For?
- Privacy managers and compliance officers implementing GDPR-compliant consent management with Google tags

- Developers integrating Secure Privacy with Google Consent Mode via the installation script or GTM

- Marketing teams balancing analytics accuracy with visitor privacy compliance

How Google Consent Mode v2 Works with Secure Privacy
Google Consent Mode manages five consent categories: advertisement, analytics, functional, personalization, and security — using the global site tag or Google Tag Manager (GTM).
When a visitor declines analytics cookies, Google tags do not use cookies to collect personally identifiable information. Instead, aggregated, cookieless data is used — bridging privacy compliance with accurate conversion measurement. When integrated with Secure Privacy, consent signals are passed to Google automatically every time a visitor updates their preferences.
Integration Methods
There are two ways to integrate Google Consent Mode with Secure Privacy:
- Implementation using the installation script (without Google Tag Manager Template) — covered in this guide below.

- Implementation using Google Tag Manager Template — covered in the dedicated GTM integration guide.

Method 1: Implementation Using the Installation Script (Without GTM Template)
Step 1: Enable Google Consent Mode in Secure Privacy
- Log in to your Secure Privacy dashboard, select the target domain.

- Navigate to Installation > Google Consent Mode tab.

- Toggle the Enable Google Consent Mode switch to activate it.

Step 2: Add Default Consent Settings
- In the Google Consent Mode settings, locate the Default Consent Settings section.

- To set region-specific defaults, use the Add Setting option and enter the relevant ISO 3166-2 region code (for example, DE for Germany or US-CA for California).

- Configure the default consent state for each parameter — ad_storage, analytics_storage, ad_user_data, and ad_personalization — for the specified region.

- Click Add to save the setting. Repeat for each region you need to configure.

- Press Save button to apply the changes.

Method 2: Implementation Using Google Tag Manager Template
For detailed instructions on integrating Google Consent Mode v2 with Secure Privacy using the Google Tag Manager Community Template, refer to the dedicated guide: Secure Privacy: Integrate Google Consent Mode Using GTM Template.
Frequently Asked Questions
How do I enable Google Consent Mode in Secure Privacy?
Log in to the Secure Privacy dashboard, navigate to Installation > Google Consent Mode, and toggle Enable Google Consent Mode on. The integration will begin passing consent signals to Google automatically once activated.
How do I configure consent defaults for different regions?
Use the Add Setting feature in the Default Consent Settings section. Enter the ISO 3166-2 region code for the target region and configure the default consent state for each parameter. This allows you to apply different default behaviors — for example, setting analytics_storage to denied by default for EU visitors — based on geolocation.
What is the difference between Google Consent Mode v1 and v2?
Google Consent Mode v1 used two parameters: ad_storage and analytics_storage. v2 adds ad_user_data and ad_personalization — providing finer control over how user data is used for advertising and personalization. Google requires v2 compliance for continued access to certain features in Google Ads and Analytics as of March 2024.
Where can I find the GTM Template integration guide?
The full Google Tag Manager Template implementation guide is available here: Secure Privacy: Integrate Google Consent Mode Using GTM Template.
See Also
- Implementing Google Consent Mode Using Google Tag Manager Template

- Automatic Cookie Blocking Explained

- How to Increase Your Compliance Score (Overall Rating)

---

# Documents Module – Secure Compliance Document Storage, Version Control, and Access Management in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module--documents
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T11:20:52.22+00:00
Reading Time: 3 minutes
Summary: Store, version-control, and manage access to compliance documents using the Documents module in Secure Privacy's Governance Solution — built for GDPR audit readiness.

The Documents module in Secure Privacy's Governance Solution is a secure, centralized repository for all compliance-critical documentation — from privacy policies and regulatory procedures to vendor contracts and training materials. It ensures your compliance assets are organized, accessible, version-controlled, and properly access-managed, supporting GDPR accountability and audit readiness across your organization.

Who Is This For?

  - Data Protection Officers and privacy managers maintaining a centralized compliance document library

  - Legal and compliance teams storing and controlling access to privacy policies, DPAs, and regulatory procedures

  - IT and information security teams managing vendor contracts and technical security documentation

  - HR and training teams storing staff data protection training materials and completion records

Purpose and Functionality

The Documents module gives compliance teams a single, secure location to store and manage every document that supports their privacy program. By centralizing document storage alongside access controls and version tracking, it eliminates scattered file storage, ensures only authorized personnel can access sensitive compliance assets, and provides an audit-ready record of your organization's compliance documentation at any point in time.

How to Use the Documents Module

  - Navigate to the Documents page from the main navigation menu in the Governance Solution.

  - Click Upload Document to add a new compliance document.

  - Complete the required fields — including document name, description, owner, and department.

  - Upload the document file.

  - Configure permissions to control which team members can view, edit, or delete the document.

Available Features

  - Secure document storage: Store all compliance-critical documents in an enterprise-grade secure repository, accessible only to authorized team members.

  - Version control: Maintain a full version history for each document — ensuring the current version is always identifiable and previous versions are retained for audit purposes.

  - Access control and permissions management: Define granular permissions per document — controlling who can view, edit, or delete each file based on role and department.

  - Search and filtering: Quickly locate documents by name, owner, department, or document type — keeping your compliance library navigable as it grows.

Common Use Cases

  - Storing and managing privacy policies, internal procedures, Data Processing Agreements, and regulatory compliance documents in a single controlled location.

  - Tracking staff data protection training materials and maintaining completion records as evidence of GDPR accountability under Article 5(2).

  - Providing organized, readily accessible evidence of compliance to supervisory authorities, auditors, and customers on request.

Troubleshooting

Cannot upload a document

Check the file size and format — the Documents module supports standard document formats and enforces file size limits. If your file exceeds the limit or is in an unsupported format, convert or compress it before uploading. If the issue persists, contact Secure Privacy support.

Cannot manage permissions

Managing document permissions requires administrative rights within the Documents module. Verify your user role with your Secure Privacy account administrator and request an update if needed.

Frequently Asked Questions

Can the Documents module store Data Processing Agreements and vendor contracts?

Yes. The Documents module is designed to store any compliance-critical document — including Data Processing Agreements, vendor contracts, privacy policies, DPIAs, and internal procedures. Permissions controls ensure sensitive contracts are only accessible to authorized team members.

How does version control work in the Documents module?

When a document is updated, the previous version is retained in the version history rather than overwritten. This ensures you always have access to prior versions for audit purposes — and can clearly identify which version of a policy or procedure was in effect at any given time.

Can documents stored in this module be used as evidence during a supervisory authority inspection?

Yes. The Documents module is designed to support audit readiness — providing a centralized, organized, and access-controlled record of your compliance documentation. Documents stored here can be retrieved quickly and presented to supervisory authorities, internal auditors, or customers as evidence of your organization's GDPR compliance program.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# Process Register Module – GDPR Article 30 ROPA Documentation and Data Processing Activity Management in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module--process-register
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T11:23:20.34+00:00
Reading Time: 4 minutes
Summary: Document and manage data processing activities with the Process Register module in Secure Privacy's Governance Solution — built for GDPR Article 30 ROPA compliance and audit readiness.

The Process Register module in Secure Privacy's Governance Solution is your central tool for documenting all data processing activities within your organization. Specifically designed to meet GDPR Article 30 Record of Processing Activities (ROPA) requirements, it ensures processing operations are accurately recorded, categorized, and linked to risk assessments — supporting compliance management, regulatory reporting, and audit readiness.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for maintaining GDPR Article 30 ROPA compliance

  - Compliance and legal teams documenting data processing activities and their associated lawful bases

  - IT and information security teams recording technical measures and retention periods for processing activities

  - Process owners and department leads responsible for documenting the processing activities within their area

Purpose and Functionality

The Process Register module gives privacy and compliance teams a structured, centralized environment for building and maintaining their Record of Processing Activities. Each process entry captures the full range of GDPR Article 30 required fields — including purpose, data categories, retention periods, lawful basis, and technical measures — while integrating with the Governance Solution's risk assessment tools for end-to-end compliance traceability.

How to Use the Process Register Module

  - Navigate to the Processes page from the main navigation menu in the Governance Solution.

  - Click Add Process to create a new data processing activity record.

  - Complete all required fields — including process name, processing purpose, data categories, data subject categories, retention period, lawful basis, and technical and organizational security measures.

  - Assign a process owner and department to establish clear accountability for the processing activity.

  - Link the process to any relevant risk assessments in the Privacy Risk Management module.

  - Save the process record — it will appear in your ROPA and be available for regulatory reporting and audit purposes.

Available Features

  - Detailed process documentation: Capture all GDPR Article 30 required fields for each processing activity — including purpose, legal basis, data categories, recipients, retention periods, and security measures.

  - Categorization of processing activities: Organize processes by department, data subject type, or processing category to keep your ROPA structured and navigable as it grows.

  - Assignment of responsibilities: Assign each process to an owner and department — ensuring clear accountability for maintaining and updating each processing activity record.

  - Risk assessment integration: Link process records directly to risk assessments in the Privacy Risk Management module, creating end-to-end traceability from processing activity to identified risk to mitigation.

Common Use Cases

  - Building and maintaining a complete, accurate Record of Processing Activities (ROPA) as required by GDPR Article 30 — ready for supervisory authority inspection at any time.

  - Identifying and assessing privacy risks associated with specific processing activities — feeding into DPIA pre-screening and the Privacy Risk Management module.

  - Demonstrating processing transparency and compliance accountability to supervisory authorities, auditors, and customers through organized, readily accessible process documentation.

Troubleshooting

Cannot add a new process

Verify that your account has the necessary permissions to create entries in the Process Register module. Only users with the appropriate role can add new processing activities. Contact your Secure Privacy account administrator to review and update your access rights.

Risk assessment integration is not working

Check that risk assessment records exist in the Privacy Risk Management module and that your account has the permissions needed to link records across modules. If the issue persists after verifying settings, contact Secure Privacy support with details of the process record and the risk you are attempting to link.

Frequently Asked Questions

Does the Process Register module satisfy GDPR Article 30 ROPA requirements?

Yes. The module is specifically designed to capture all fields required under GDPR Article 30(1) for controllers — including the name and contact details of the controller and DPO, processing purposes, data categories, data subject categories, recipients, international transfers, retention periods, and security measures. Records can be exported for regulatory reporting and supervisory authority submission.

Can multiple team members contribute to the same process record?

Yes. Process records can be assigned to an owner and department, and team members with appropriate permissions can edit and update records as processing activities evolve. Your DPO or privacy manager retains oversight of the register as a whole through the Governance Solution.

How often should process records be reviewed and updated?

Process records should be reviewed whenever the associated processing activity changes — including new data categories, updated retention periods, new recipients, or changes to technical security measures. A full ROPA review should also be conducted as part of your annual compliance audit to ensure all records remain accurate and current.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# How to Add a Custom Cookie or Service to Your Secure Privacy Scan Report – Manual Classification Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-how-do-i-add-a-custom-servicecookie
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:09:20.879+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to manually add a custom cookie or service to your Secure Privacy scan report using the Classification tab — ensuring accurate detection, classification, and blocking for all tracking technologies.

If a specific cookie or service is not automatically detected by Secure Privacy's scanning engine, you can manually add it to your scan report using the Classification tab. This ensures accurate detection, classification, and blocking for cookies that fall outside standard auto-detection — keeping your cookie declaration complete and your compliance posture current.

Who Is This For?

  - Website administrators adding custom or non-standard cookies not detected by the automatic scanner

  - Compliance teams ensuring all active cookies and services appear in the scan report and cookie declaration

  - Developers adding known third-party services that require manual classification and blocking configuration

How to Add a Custom Cookie or Service to Your Scan Report

  - Log in to your Secure Privacy dashboard and navigate to the Classification tab for your website.

  - Click Add Custom Cookie or Add Custom Service — depending on whether you are adding an individual cookie or a broader service.

  - Enter the required details — including the cookie or service name, category, description, and any relevant domain or URL information.

  - Save the entry. The custom cookie or service will now appear in your classification list.

  - Navigate to Scan Report > Rescan Website to apply your changes and verify the custom entry appears correctly in your updated scan report.

Keep Your Scan Report Accurate and Up to Date

Manually adding known cookies and services ensures your scan report, cookie declaration, and privacy policy accurately reflect all tracking technologies active on your website — including those not yet covered by Secure Privacy's automatic detection. Keeping your classification list current is essential for demonstrating GDPR and ePrivacy compliance to regulators and website visitors.

Frequently Asked Questions

Why might a cookie or service not be detected automatically?

Secure Privacy's scanner detects cookies based on its known service database. Custom-built tracking solutions, newer third-party services, or cookies set through non-standard implementations may not yet be in the automatic detection database. Manually adding them ensures they are classified, declared, and blocked correctly.

What information do I need to add a custom cookie?

You typically need the cookie name, the domain it is associated with, its category (e.g., Analytics, Marketing, Functional), and a brief description of its purpose. This information appears in your cookie declaration and helps visitors understand what each cookie does before giving or withholding consent.

Do I need to rescan after adding a custom cookie or service?

Yes. After saving a custom entry in the Classification tab, trigger a rescan from Scan Report > Rescan Website to apply the changes. The rescan ensures your updated classification is reflected in your live cookie declaration and blocking configuration.

See Also

  - How to Block a Cookie in the Scan Report

  - Understanding Cookie Classification in Secure Privacy

---

# How to Set Up a Privacy & Cookie Policy in Secure Privacy – Generate, Edit, Embed, and Manage Your Cookie Declaration

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-set-up-a-cookie-declaration-on-your-website
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T19:27:48.639+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Learn how to generate, customize, and embed a Privacy & Cookie Policy in Secure Privacy — including cookie declaration editing, section management, multi-language support, and three embed options.

The Privacy & Cookie Policy feature in Secure Privacy lets you generate, customize, and embed a GDPR-compliant privacy policy and cookie declaration on your website — automatically populated with cookie and plugin data from your latest scan results. This guide covers every available option: generating, editing, resetting, adding sections, managing languages, embedding, and enabling or disabling the policy.
Note: This feature is available on Plus, Business, and Enterprise plans. See all available features on the Secure Privacy pricing page.
Who Is This For?
- Website owners and administrators generating and managing a GDPR-compliant cookie policy with Secure Privacy

- Privacy officers editing cookie declaration text and adding custom sections for their organization

- Developers embedding the privacy and cookie policy on website pages using button, hyperlink, or full-page embed options

How to Generate Your Privacy & Cookie Policy
- Log in to your Secure Privacy account.

- Click Privacy & Cookie Policy in the left sidebar.

- Click Generate new privacy policy and then Next.

- Answer the questions by completing the required fields — these responses personalize your policy.

- Click Save all to generate your personalized Privacy & Cookie Policy.

Note: Cookie and plugin data inside the Privacy & Cookie Policy — such as content under "With whom we share the collected personal information" — is generated automatically from your latest scan results and updates whenever you rescan your domain.
How to Reset Your Privacy & Cookie Policy
- Log in to your Secure Privacy account.

- Click Privacy & Cookie Policy in the left sidebar, then click Generator.

- Click Reset my choices to revert all policy settings back to their defaults.

- Generate a new policy by answering the questions, completing required fields, and clicking Next.

How to Edit Text Inside the Cookie Declaration
- Log in to your Secure Privacy account.

- Click Privacy & Cookie Policy in the left sidebar, then click Preview and edit.

- Click the Cookie Declaration tab to switch to edit mode for your auto-generated cookie policy.

- Select the Language you want to edit before making any changes.

- Scroll to the section you want to edit and click on it.

- Click anywhere inside the text field to begin editing. The default text is pre-aligned with applicable legislation — only edit where legally necessary.

- Click the small green tick in the upper corner of the text field to save and confirm your changes.

Note: Cookie and plugin data within the Cookie Declaration — including auto-generated section names such as "Social media cookies" and "Analytics cookies" — cannot be edited manually. Only the description text within those sections is editable. These sections update automatically with each rescan.
How to Add a New Section to Your Cookie Declaration
- Log in to your Secure Privacy account.

- Click Privacy & Cookie Policy in the left sidebar, then click Preview and edit.

- Click the Cookie Declaration tab to switch to edit mode.

- Select the Language before proceeding.

- Click Add Section at the top of the editor to insert a new section at the beginning of the policy, or at the bottom to attach it at the end.

- In the Add Section modal window, enter a Heading and Description for the new section, then click Save.

Note: Moving sections within the policy is not currently supported but is planned for a future release.
How to Change Language or Add a New Language to Your Policy
- Log in to your Secure Privacy account and click Language in the left sidebar.

- Select the languages you want to add to your account.

- Check the Active languages list on the right to see which languages are already installed.

- Click Save to apply your language settings.

How Visitors Access Your Privacy & Cookie Policy on Your Website
After providing consent, visitors will see the Privacy & Cookie Center button in the bottom-left corner of your website. When clicked, a modal window opens where visitors can:
- Change the Language of the Privacy & Cookie Center displayed

- Access the Cookie Declaration under its corresponding tab

Note: The icon and color scheme of the Trust Badge can be configured in your dashboard and may differ from the default appearance.
Embed Options for Your Privacy & Cookie Policy
Secure Privacy provides three ways to embed your Privacy & Cookie Policy on your website. All embed options allow you to select the display language and preview the element before copying the code.
Option 1: Button embed
Displays a clickable button that opens your Privacy & Cookie Policy. Configure the button text and copy the shortcode to paste into the HTML or source code of your page.
Option 2: Hyperlink embed
Displays a text hyperlink to your Privacy & Cookie Policy. Configure the hyperlink text and copy the link code to paste into the HTML or source code of your page.
Option 3: Embed on website (full page)
Embeds your complete Privacy & Cookie Policy as a full-page element within a page on your website. Copy the embed code and paste it into the HTML or source code of your chosen page.
How to Enable or Disable the Cookie Declaration
- Log in to your Secure Privacy account and click Privacy & Cookie Policy in the left sidebar.

- Click Use on website.

- Toggle Enable cookie policy to enable (green) or disable (gray) the Cookie Declaration on your website or domain.

Frequently Asked Questions
Can I edit the auto-generated cookie category sections in the Cookie Declaration?
You can edit the description text within auto-generated sections, but the section names — such as "Analytics cookies" or "Social media cookies" — and the cookie/plugin data within them are generated automatically from your scan results and cannot be edited manually. These sections update whenever you rescan your domain.
What happens if I reset my Privacy & Cookie Policy?
Resetting reverts all your generator answers to their defaults. Any manually edited text in the Preview and edit section will be lost when you regenerate the policy. Save any custom content you want to keep before clicking Reset my choices.
Which plan do I need to use the Cookie Declaration feature?
The Privacy & Cookie Policy and Cookie Declaration features are available on Plus, Business, and Enterprise plans. See the full feature comparison on the Secure Privacy pricing page.
See Also
- Secure Privacy Pricing Plans Overview

- Website Visits vs Page Views vs Consent Explained

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Increase Your GDPR Compliance Score in Secure Privacy – Recommended Actions Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-increase-compliance-score-with-secure-privacy-cmp
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:11:19.384+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Learn how to improve your Secure Privacy Overall Rating by completing GDPR recommended actions — covering cookie blocking, consent banners, privacy policy, SSL, and data transfer compliance.

If your Overall Rating under the Report tab is low, Secure Privacy provides a prioritized list of Recommended actions for GDPR compliance for your website. Working through these actions — particularly items marked with a red X — is the fastest way to improve your GDPR compliance score and close the most critical gaps.

Who Is This For?

  - Website owners and administrators responsible for managing GDPR compliance on their sites

  - Compliance officers reviewing and improving their Secure Privacy Overall Rating

  - Web developers implementing cookie blocking, SSL, and consent banner configurations

How to Review Your GDPR Recommended Actions

Navigate to the Report tab in your Secure Privacy dashboard. The Recommended actions for GDPR on [your website] section highlights the steps needed to improve your compliance score. Focus first on items flagged with a red X — these indicate the highest-priority compliance gaps.

Configure Blocking on Unblocked Cookies

This action indicates that one or more cookies on your website are not being blocked before visitor consent is obtained. First, verify that your Secure Privacy installation is correctly set up for your website's technology stack.

If your installation is correct but blocking issues persist, follow the guide on blocking specific cookies or services to manually configure blocking for the affected services.

Personal Data Transmitted to Third Countries — Adequacy Check

The report flags whether personal data is being sent to countries outside the EU that may not meet the European Commission's adequacy requirements. Review the applicable guidance:

  - EDPS guidance on international data transfers

  - European Commission adequacy decisions

If data is being transmitted to a non-adequate country, ensure an appropriate transfer mechanism is in place — such as Standard Contractual Clauses — before the transfer continues.

Enable the Cookie Consent Banner on Your Website

A cookie consent banner is required under the ePrivacy Directive and GDPR to inform visitors about cookie use and obtain their prior consent before non-essential cookies are loaded. If this action is flagged, your banner may not be enabled or correctly configured.

For setup instructions, refer to the Knowledge Base article on cookie banners. Note that banner configuration options depend on your active compliance module.

Add a Preference Center to Display Services on Your Website

The Preference Center gives website visitors a centralized location to view all privacy documents, understand your data practices, and manage their consent choices. It also simplifies compliance management by consolidating all privacy-related information in one place.

Note: Preference Center settings are specific to each compliance module — configure it within the module applicable to your website.

Enable Privacy Policy on Your Website

A privacy policy is a legal requirement under GDPR, informing visitors about how their personal data is collected, processed, and stored. If this action is flagged, your privacy policy may not be enabled or displayed correctly on your website.

Enable SSL on Your Website

An SSL certificate encrypts data transmitted between your website and its visitors, verifies site ownership, prevents fraudulent site impersonation, and builds visitor trust. If this action is flagged, contact your website administrator or domain provider to obtain and install an SSL certificate for your domain.

Common Issues and Fixes

Low Overall Compliance Score

Ensure Secure Privacy is correctly installed on your website and that all recommended actions above have been completed. Incomplete actions — particularly unblocked cookies and missing consent banners — have the greatest impact on your Overall Rating.

Cookies not blocking correctly

Verify that your blocking setup matches your website technology stack. If auto-blocking is not covering specific cookies, use the manual tag blocking configuration in Classification > Tag Blocking. See the cookie blocking guide for step-by-step instructions.

International data transfer compliance issues

Confirm that all personal data transfers to third countries are covered by an appropriate GDPR Chapter V transfer mechanism — either an adequacy decision or Standard Contractual Clauses. Review the flagged transfers in your scan report and apply the correct safeguard for each.

Cookie consent banner not displaying

Check that the cookie banner is enabled in your compliance module settings and that the Secure Privacy script is correctly installed on your website. If the banner is configured but not appearing, verify there are no Content Security Policy (CSP) conflicts blocking the banner from loading.

Frequently Asked Questions

What does the Overall Rating in Secure Privacy measure?

The Overall Rating reflects your website's current GDPR compliance posture based on the scan results — including cookie blocking coverage, consent banner presence, privacy policy availability, SSL status, and international data transfer compliance. Each flagged action with a red X reduces your score and represents a specific compliance gap that needs to be addressed.

How often should I review my Recommended Actions?

Review your Recommended Actions whenever you make changes to your website — such as adding new plugins, third-party services, or marketing scripts. A full rescan should be triggered after any significant change, and a routine check is recommended at least quarterly as part of ongoing compliance management.

Will completing all recommended actions guarantee full GDPR compliance?

Completing all recommended actions significantly improves your compliance posture and closes the most common technical gaps. However, GDPR compliance is broader than technical configuration — it also encompasses internal policies, staff training, data processing documentation, and vendor management. The Secure Privacy recommendations address the website-level compliance layer.

See Also

  - How to Block a Cookie in the Scan Report

  - How to Change the CSS of Your Cookie Consent Banner

  - Ongoing Checkups: Best Practices

  - Automatic Cookie Blocking Explained

---

# Automatic Cookie Blocking Explained – How Secure Privacy Blocks Scripts, Pixels, and Iframes for GDPR Compliance

URL: https://support.secureprivacy.ai/article/cmp-v1-automatic-cookie-blocking-explained--secure-privacy-cmp
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:16:40.869+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Learn how Secure Privacy's automatic cookie blocking engine works — including v1 vs v2 blocking modes, how scripts, pixels, and iframes are blocked, and how to manually add custom blocking rules.

Secure Privacy's automatic cookie blocking engine scans your website, identifies all cookies and third-party services, and generates a domain-specific blocking configuration that prevents non-essential cookies from loading until visitor consent is given. This article explains how the blocking mechanism works, the available blocking modes, and how to manually add scripts, pixels, or iframes to your blocking configuration.

Who Is This For?

  - Website administrators setting up or reviewing automatic cookie blocking in Secure Privacy

  - Developers understanding the technical mechanism behind script, pixel, and iframe blocking

  - Compliance teams verifying that non-essential cookies are correctly blocked before visitor consent

How the Secure Privacy Cookie Blocking Engine Works

The Secure Privacy scanner crawls your website and identifies all cookies and third-party services. You can view the full results in the Scan Report inside your dashboard.

Based on the scan results, Secure Privacy generates a unique JavaScript file for each domain. This file contains the full list of scripts, pixels, and iframes to block — and is editable through the Classification screen in your dashboard:

Use the Classification screen to add or remove custom scripts from your blocking configuration. Each time you save, the JavaScript blocking file is updated with the latest list.

Automatic Cookie Blocking

When auto-blocking is enabled, Secure Privacy blocks all non-essential cookies from being set on a visitor's device until explicit consent is received. Essential cookies — those required for basic website functionality — are always permitted.

Blocking Modes Explained

Secure Privacy offers three blocking modes. Choose the mode that matches your website's compliance requirements:

  
    
    
    
  
  
    
      Blocking Mode

      Description

      Recommended For

    

    
      v2 Blocking (Current)

      Secure Privacy's current automatic blocking method. Prevents all non-essential cookies from being set until explicit user consent is given. Only cookies classified as essential — required for basic website functionality — are permitted without consent.

      All new users — recommended for maximum GDPR compliance

    

    
      v1 Blocking (Legacy)

      An older blocking mechanism maintained for backward compatibility with existing systems. Less robust and feature-rich than v2. Not recommended for new implementations.

      Existing installations using v1 only — migrate to v2 when possible

    

    
      Disabled Blocking

      No automatic blocking is applied. All cookies and services may load freely until the user actively intervenes. Used in manual blocking scenarios where the website owner manages blocking directly.

      Manual blocking configurations only

    

  

Prerequisites for Automatic Cookie Blocking

Auto-blocking relies on your scan results and cookie categorizations. If a cookie is undetected or uncategorized in your scan report, it will not be blocked automatically. Always trigger a fresh rescan of your website before enabling auto-blocking to ensure all cookies are detected and correctly categorized.

Technical Blocking Mechanism

Each cookie-setting script is tracked in your domain's unique JavaScript blocking file using the MutationObserver API — compatible with all major browsers including IE11. This observer monitors script loading patterns in real time and intercepts them before they execute, holding them until the visitor provides consent.

How Blocking Works for Scripts, Pixels, and Iframes

  - Pixels: When automatic blocking is enabled, all pixel trackers are blocked by default and only added to the HTML DOM after the visitor has given explicit consent for the relevant category. For example, a Facebook Pixel remains inactive until the user approves marketing cookies.

  - Scripts: Scripts are prevented from being injected into the HTML DOM until the user grants consent. For example, Google Analytics scripts will not load before approval — which may result in reduced analytics data until consent is given.

  - Iframes: Blocked iframes are managed via the Iframe tab in the blocking configuration settings. Secure Privacy automatically blocks these iframes and displays an overlay informing the visitor that the content is blocked, along with a consent button allowing them to enable it.

How to Manually Block a New Script, Pixel, or Iframe

If a specific script, pixel, or iframe is not covered by automatic blocking, use the Add Tag Blocking form in the Classification screen. Specify the type — Script, Iframe, or Pixel — and enter the source URL or domain to add it to your blocking configuration.

Frequently Asked Questions

What is the difference between v1 and v2 blocking in Secure Privacy?

v2 blocking is Secure Privacy's current, recommended blocking method. It uses a more advanced detection and interception mechanism that blocks all non-essential cookies before consent — including dynamically injected scripts. v1 blocking is a legacy method maintained for backward compatibility but lacks the robustness of v2. New users should always use v2 blocking.

Why are some cookies not being blocked automatically?

Auto-blocking only applies to cookies and services that have been detected and categorized in your scan report. If a cookie is not in your scan results — because it was added after your last scan or uses a non-standard implementation — it will not be blocked automatically. Trigger a rescan and check the Classification screen to ensure all active cookies are categorized. Use the Add Tag Blocking form to manually add any that are still missing.

Does disabling blocking mean cookies will load without consent?

Yes. When blocking is set to Disabled, Secure Privacy does not automatically restrict any cookies or services — all may load freely unless you have configured manual blocking for specific tags. This mode is only appropriate for websites using a fully manual blocking approach where the operator controls all cookie loading directly.

See Also

  - How to Set Up and Install Secure Privacy

  - Block Cookies Manually in Secure Privacy Scan Report

  - How to Increase Your Compliance Score (Overall Rating)

  - Do I Need to Block All Cookies?

---

# How to Set Up a Privacy Policy in Secure Privacy – Generate, Edit, Embed, and Manage Your GDPR Privacy Policy

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-set-up-a-privacy-policy-on-your-website
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T18:09:07.869+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Learn how to generate, customize, and embed a GDPR privacy policy using Secure Privacy — including text editing, section management, multi-language support, and three embed options.

The Privacy Policy generator in Secure Privacy lets you create, customize, and embed a GDPR-compliant privacy policy on your website — populated automatically with cookie and plugin data from your latest scan results. This guide covers every available configuration option: generating, editing, resetting, translating, and embedding your privacy policy.

Note: The Privacy Policy feature is available on Plus, Business, and Enterprise plans. See all available features on the Secure Privacy pricing page.

Who Is This For?

  - Website owners and administrators setting up a GDPR-compliant privacy policy with Secure Privacy

  - Privacy officers customizing policy text, sections, and languages for their organization

  - Developers embedding the privacy policy on website pages using button, hyperlink, or full-page embed options

How to Generate a Privacy Policy

  - Log in to your Secure Privacy account.

  - Click Privacy & Cookie Policy in the left sidebar.

  - Click Generate new privacy policy and then Next.

  - Answer the questions by completing the required fields — these responses are used to personalize your policy.

  - Click Save all to generate your personalized privacy policy.

Note: Cookie and plugin data inside the privacy policy — such as content under "With whom we share the collected personal information" — is generated automatically based on your latest scan results. This section updates whenever you rescan your domain.

How to Reset Your Privacy Policy

  - Log in to your Secure Privacy account.

  - Click Privacy & Cookie Policy in the left sidebar, then click Generator.

  - Click Reset my choices to revert all policy settings back to defaults.

  - Generate a new policy by answering the questions, completing the required fields, and clicking Next.

How to Edit Text Inside Your Privacy Policy

  - Log in to your Secure Privacy account.

  - Click Privacy & Cookie Policy in the left sidebar, then click Preview and edit.

  - Select the Language you want to edit before making any changes.

  - Click the section you want to edit.

  - Click anywhere inside the text field to begin editing. The default text has been pre-aligned with applicable privacy legislation — only make changes where legally necessary.

  - Click the small green tick in the upper corner of the text field to save and confirm your changes.

Note: System-generated sections — such as the cookie and plugin data under "With whom we share the collected personal information" — are populated automatically from scan results and cannot be edited manually.

How to Add a New Section to Your Privacy Policy

  - Log in to your Secure Privacy account.

  - Click Privacy & Cookie Policy in the left sidebar, then click Preview and edit.

  - Click Add Section at the top of the editor to insert a new section at the beginning of the policy.

  - Alternatively, click Add Section at the bottom of the policy text to attach the new section at the end.

Note: Moving sections within the policy is not currently supported, but is planned for a future release.

How to Change Language or Add a New Language

  - Log in to your Secure Privacy account and click Language in the left sidebar.

  - Select the languages you want to add to your account.

  - Check the Active languages list on the right to see which languages are already installed.

  - Click Save to apply your language settings.

How Visitors Access Your Privacy Policy on Your Website

Visitors on your website will see the Privacy Center button in the bottom-left corner of every page. When clicked, it opens a pop-up where visitors can:

  - Change the Language of the Privacy Center and policy displayed

  - View your full Privacy Policy under the corresponding tab

Embed Options for Your Privacy Policy

Secure Privacy provides three ways to embed your privacy policy on your website. All embed options allow you to select the display language and preview how the element will appear before copying the code.

Option 1: Button embed

Displays a clickable button that opens your privacy policy. Configure the button text and copy the shortcode to paste into the HTML or source code of your page.

Option 2: Hyperlink embed

Displays a text hyperlink to your privacy policy. Configure the link text and copy the link code to paste into the HTML or source code of your page.

Option 3: Embed on website (full page)

Embeds your complete privacy policy as a full-page element directly within a page on your website. Copy the embed code and paste it into the HTML or source code of your chosen page.

How to Enable or Disable Your Privacy Policy

  - Log in to your Secure Privacy account and click Privacy & Cookie Policy in the left sidebar.

  - Click Use on website.

  - Toggle Enable privacy policy to enable or disable the privacy policy on your website or domain.

Frequently Asked Questions

Can I edit the cookie and plugin data sections of my privacy policy?

No. The sections populated with cookie and plugin data — such as "With whom we share the collected personal information" — are generated automatically from your scan results and cannot be edited manually. To update this data, trigger a new website rescan from the Scan Report page.

What happens to my privacy policy if I reset my choices?

Resetting reverts all your policy generator answers to their defaults. Your previously generated policy will be replaced when you complete the generator again. Any manual text edits made in Preview and edit will be lost — ensure you have saved any custom content before resetting.

Which plan do I need to use the Privacy Policy feature?

The Privacy Policy generator and embed features are available on Plus, Business, and Enterprise plans. See the full feature comparison on the Secure Privacy pricing page.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Google Consent Mode: Basic vs Advanced — Complete Guide for GDPR & CCPA Compliance

URL: https://support.secureprivacy.ai/article/basic-vs-advanced-google-consent-mode-full-comparison-guide
Product: Consent Management
Category: Google Consent Mode
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-23T21:29:58.851+00:00
Reading Time: 6 minutes
Summary: Understand the difference between Google Consent Mode Basic and Advanced—cookieless pings, conversion modeling, GDPR compliance, and how Secure Privacy's certified CMP simplifies setup.

Summary: Google Consent Mode lets websites adjust how analytics and advertising tags behave based on each user's consent choices. This guide explains how Basic and Advanced Consent Mode differ in data collection, conversion modeling, privacy compliance, and tag behavior—and how Secure Privacy's Google-certified consent management platform (CMP) makes implementation seamless.

  
    Who Is This Guide For?

    This article is intended for website administrators, marketers, developers, compliance managers, and privacy officers who manage analytics, user privacy, and regulatory requirements under frameworks such as GDPR and CCPA.

  

  
    Key Takeaways

    
      - Basic Consent Mode blocks all Google tags until the user explicitly consents—maximum privacy, but significant analytics data gaps.

      - Advanced Consent Mode loads tags immediately and sends anonymous "cookieless pings" before consent, enabling conversion and behavioral modeling while remaining privacy-compliant.

      - Both modes help websites meet GDPR, CCPA, and Google's EU User Consent Policy requirements.

      - Secure Privacy is a Google-certified CMP that supports both modes with a code-free, guided setup.

    
  

  
    What Is Google Consent Mode?

    
      - Google Consent Mode is a privacy framework that integrates with your consent banner, giving your website precise control over how Google tags (Google Analytics, Google Ads, etc.) operate based on a user's consent decision.

      - It helps websites comply with privacy laws such as GDPR and CCPA, while still capturing valuable—even if limited—analytics and advertising insights through modeling.

    
  

  
    Understanding Google Consent Mode: Basic Mode

    
      - Simple Setup: Basic Consent Mode is quick and beginner-friendly. Minimal configuration makes it ideal for teams that want a straightforward, privacy-first solution without deep technical integration.

      - Strict Data Practices: Google tags only fire when users explicitly grant consent. If users do not consent, no data—including the consent status itself or any page events—is sent to Google. This ensures maximum user privacy, but results in significant analytics data blind spots.

      - Conversion Modeling (Limited): Google can provide broad conversion estimates for non-consenting users, but without behavioral data, important optimization insights are lost.

    
    For step-by-step setup instructions, see Implementing Google Consent Mode in Basic Mode.

  

  
    Understanding Google Consent Mode: Advanced Mode

    
      - Granular Tag Control: Advanced Consent Mode gives you full configuration of tag behavior for every user consent state—granted, denied, or pending. This allows customized compliance while maximizing data opportunities within privacy boundaries.

      - Preemptive Tag Loading: Google tags load as soon as a user lands on your site. If consent is not yet granted, only "cookieless pings"—tiny, non-identifying data packets—are sent to Google's servers, enabling privacy-compliant analytics while awaiting user action.

      - Enhanced Conversion & Behavioral Modeling: Advanced Consent Mode enables both conversion modeling and behavioral modeling, even when users do not consent—giving you aggregated insights for marketing optimization without violating privacy laws.

      - Conversion modeling uses existing consented data to estimate conversions for non-consenting users, providing a more complete picture of your marketing funnel's effectiveness.

      - Behavioral modeling analyzes aggregated user actions to understand browsing patterns and support website optimization. By understanding how users interact with your site, you can improve personalization and conversion rates—without identifying individuals.

    

    
      
      How Google tag behavior and data collection differ between Basic and Advanced Consent Mode.
    

    For expert setup using Google Tag Manager, see Implementing Google Consent Mode in Advanced Mode using Google Tag Manager.

  

  
    How Google Consent Mode Affects Analytics: Real-World Scenarios

    Scenario 1: Basic Consent Mode – User Does Not Consent

    
      - Tag Behavior: All Google tags are blocked entirely until the user grants consent.

      - Data Impact: No network requests—not even the consent status—are sent to Google. Your analytics and advertising tools will have significant data gaps, with only limited conversion modeling available and no user journey or engagement metrics.

      - Privacy Level: This is the strictest implementation, offering users total privacy at the cost of actionable analytics data.

    

    Scenario 2: Advanced Consent Mode – User Does Not Consent ("Cookieless Pings")

    
      - Tag Behavior: Google tags load on all pageviews. When a user denies consent, only "cookieless pings"—basic, functional, non-identifiable signals—are transmitted to Google's servers.

      - Data Impact: These pings enable enhanced conversion modeling and some behavioral analysis. While full consent-based data isn't available, you still gain pageview and funnel information to aid optimization and advertising—without breaching privacy laws.

      - Privacy Level: User anonymity and regulatory compliance are fully maintained, with significantly higher data utility than Basic Mode.

    
  

  
    Basic vs Advanced Google Consent Mode: Which Should You Choose?

    
      
        
          Feature
          Basic Consent Mode
          Advanced Consent Mode
        

      
      
        
          Setup complexity
          Low – beginner-friendly
          Moderate – code-free with Secure Privacy
        

        
          Tags fire without consent?
          No
          Yes (cookieless pings only)
        

        
          Conversion modeling
          Limited
          Enhanced
        

        
          Behavioral modeling
          Not available
          Available
        

        
          GDPR / CCPA compliant
          Yes
          Yes
        

        
          Analytics data gaps
          Significant
          Minimal
        

        
          Best for
          Strict privacy-first sites
          Data-driven marketing teams
        

      
    
    Always clearly inform users how their data is used and ensure compliance with all applicable privacy regulations, including GDPR and CCPA.

  

  
    Common Google Consent Mode Issues & Fixes

    
      - Google tags not firing: Verify your Secure Privacy consent banner integration and Google Tag Manager placement. Confirm that the consent mode signals are being passed correctly before tag execution.

      - Missing analytics or conversion data: Switch to Advanced Consent Mode to enable cookieless pings and improve reporting accuracy for non-consenting users.

      - Custom consent states not working: Review Secure Privacy's consent mode verification guide, or contact our support team for a personalized review.

    
  

  
    Frequently Asked Questions (FAQ)

    What is the difference between Basic and Advanced Google Consent Mode?

    Basic Consent Mode blocks all Google tags until a user explicitly consents, resulting in data gaps. Advanced Consent Mode loads tags immediately but only sends anonymous cookieless pings before consent is given, enabling better conversion and behavioral modeling while remaining GDPR-compliant.

    Is Google Consent Mode required for GDPR compliance?

    Google Consent Mode is not legally required by GDPR itself, but it is required by Google for advertisers using Google Ads and Analytics in the European Economic Area (EEA). It is a key part of meeting Google's EU User Consent Policy and maintaining ad personalization features.

    What are "cookieless pings" in Google Consent Mode?

    Cookieless pings are small, non-identifying data signals sent to Google when a user has not consented. They contain no personal data or cookies, but help Google model conversion activity and browsing patterns in an aggregated, privacy-safe way. They are only sent in Advanced Consent Mode.

    Is Secure Privacy a Google-certified Consent Management Platform?

    Yes. Secure Privacy is a Google-certified CMP, meaning it meets Google's technical and policy standards for consent signal integration with Google tags, Analytics, and Ads.

    Can I switch from Basic to Advanced Consent Mode later?

    Yes. You can upgrade from Basic to Advanced Consent Mode at any time. Secure Privacy's platform supports both modes and offers a code-free setup for Advanced Mode via Google Tag Manager.

  

  
    Need Further Help? Escalations & Google CMP Certification Support

    For additional support, contact our team at support@secureprivacy.ai.

    For urgent or systemic escalations related to Google Consent Mode, contact our designated escalation point: Andrew Sidorkin. We aim to respond to all escalations within one business day.

    For policy questions directed to Google, contact the Google EU User Consent Policy team at ddp-gdpr-escalations@google.com.

  

  
    See Also

    
      - Implementing Google Consent Mode in Basic Mode

      - Implementing Google Consent Mode in Advanced Mode using Google Tag Manager

      - Global Privacy Platform (GPP) Setup | Secure Privacy Guide

      - Secure Privacy — Google-Certified Consent Management Platform

      - Checking Your Google Consent Mode Implementation

---

# How to Enable the Detailed Cookie Banner in Secure Privacy – Advanced Cookie Consent Banner Setup

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-enable-detailedadvanced-cookie-banner-with-data-categories-shown
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:55:54.344+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to switch your Secure Privacy cookie consent banner from Simple to Detailed — giving website visitors full transparency into cookie categories in two easy steps.

The detailed cookie banner in Secure Privacy gives your website visitors full transparency into the cookies and services active on your site — displaying cookie categories and descriptions in an expanded view rather than a simple accept/decline prompt. Enabling it takes just two steps.

Who Is This For?

  - Website owners enabling the detailed cookie banner for greater visitor transparency

  - Compliance teams switching from a simple to an advanced cookie consent banner to meet GDPR granularity requirements

  - Developers and administrators configuring cookie banner type settings in Secure Privacy

How to Enable the Detailed Cookie Banner

Step 1: Navigate to Cookie Banner Settings

Log in to your Secure Privacy account. In the left sidebar, select GDPR (or the applicable compliance module), click the Cookie Banner tab, then click the Settings sub-tab.

Step 2: Switch the Banner Type from Simple to Detailed

The default cookie banner type is set to Simple. Click the Detailed option to switch to the advanced banner view, then click Save to apply the change.

The detailed cookie banner is now enabled. Visitors to your website will see the expanded banner with full cookie category descriptions, as shown below:

Frequently Asked Questions

What is the difference between the Simple and Detailed cookie banner?

The Simple banner displays a basic consent prompt with accept and decline options. The Detailed banner expands this to show individual cookie categories — such as Essential, Analytics, and Marketing — with descriptions of each category's purpose, giving visitors granular control over their consent choices. The Detailed banner supports stronger GDPR compliance by providing greater transparency at the point of consent.

Can I switch back to the Simple banner after enabling Detailed?

Yes. Return to GDPR > Cookie Banner > Settings and switch the banner type back to Simple, then save. The change takes effect immediately.

Does enabling the Detailed banner affect my compliance score?

Switching to the Detailed banner improves transparency — which is a positive signal for GDPR compliance. It gives visitors more granular consent options, which aligns with the GDPR principle that consent should be specific and informed.

See Also

  - How to Change the CSS of Your Cookie Consent Banner

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Secure Privacy Privacy Policy and Cookie Declaration Shortcode Reference Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-short-codes-list
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:22:12.012+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Complete reference guide for all Secure Privacy privacy policy and cookie declaration shortcodes — including plugin, cookie category, CCPA, GDPR, and consent status template variables.

This reference article lists all available shortcodes used by Secure Privacy's Privacy Policy and Cookie Declaration templates. These shortcodes are automatically populated with data from your account settings and latest scan results when your policy is generated. Use this reference to understand what each shortcode outputs and where it appears in your policy.

Who Is This For?

  - Privacy officers and compliance teams customizing their Secure Privacy privacy policy template

  - Developers editing or extending the generated privacy policy and cookie declaration content

  - Website administrators understanding what data each shortcode pulls into their published policy

Privacy Policy Shortcodes

The following shortcodes are used within the Privacy Policy template. Each is automatically populated based on your account configuration and scan results.

Privacy policy overview

[sp-website-or-app-name]

Collecting and processing your personal information

[sp-entity-type-para]

What categories of personal information we collect

[sp-personal-info-collected]

Why we collect personal information

[sp-why-we-collect-personal-info]

How we collect your personal data

[sp-gdpr-trust-badge]

Analytics plugins

[sp-wizard-analytics-plugins]

Social media plugins

[sp-wizard-social-media-plugins]

Advertisement plugins

[sp-wizard-advertisement-plugins]

Other plugins and cookies

[sp-wizard-essential-plugins]

[sp-wizard-preference-plugins]

[sp-wizard-customer-interaction-plugins]

[sp-unclassified-plugins]

[sp-av-plugins]

[sp-comments-plugins]

Payments

[sp-wizard-payments-plugins]

How visitors can exercise their rights as owners of personal information

[sp-supported-compliances]

[sp-how-to-excerise-personal-info]

CCPA

[sp-ccpa-trust-badge]

[sp-personal-data-sold-to]

[sp-personal-data-disclosed-to]

Location and transfer of personal information

[sp-plugins-used]

[sp-backup-time]

Security of personal information

[sp-technical-safeguards]

Protecting children's privacy

[sp-children-age]

Contact us

[sp-data-privacy-officer]

[sp-contact-information]

Cookie Declaration Shortcodes

The following shortcodes are used within the Cookie Declaration template. Cookie and service data is populated automatically from your latest scan results.

Cookie declaration overview

[sp-cookie-categories]

Essential cookies

[sp-essential-cookies]

Analytics cookies

[sp-analytics-cookies]

Customer interaction cookies

[sp-customer-interaction-cookies]

Social media cookies

[sp-social-media-cookies]

Advertising cookies

[sp-privacy-policy-link]

[list-of-advertising-cookies]

Preferences cookies

[sp-preferences-cookies]

Other cookies

[sp-comments-cookies]

[sp-av-cookies]

[sp-unclassified-cookies]

Consent status

[sp-domain-name]

[sp-consent-status]

[sp-gdpr-trust-badge]

Changes to this cookie declaration

[sp-entity-type-head]

[sp-date]

Frequently Asked Questions

What populates the shortcodes in the privacy policy?

Shortcodes are populated from two sources: your account settings — such as entity type, contact information, and DPO details — and your latest website scan results, which provide cookie, plugin, and service data. Triggering a rescan updates scan-dependent shortcodes automatically.

Can I add or remove shortcodes from the template?

The shortcodes listed here are part of the pre-built Secure Privacy privacy policy and cookie declaration templates. You can add custom text sections around them using the Preview and edit section in your dashboard, but the system-generated shortcode content cannot be manually edited.

What should I do if a shortcode is showing placeholder text instead of real data?

Placeholder text in a shortcode usually means the relevant account setting has not been completed or a rescan has not been run since the required data was added. Check your account settings for completeness and trigger a new website scan to refresh cookie and plugin data.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Change Your Domain Environment in Secure Privacy – Move from Dev or Staging to Production Without Extra Licenses

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-a-development-staging-or-test-domain-to-secure-privacy
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:39:05.613+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to switch your Secure Privacy domain between development, staging, and production environments without buying additional licenses — edit the domain URL and rescan in a few steps.

You do not need to purchase additional licenses to use Secure Privacy across development, staging, and production environments. By editing your domain name in the dashboard, you can move the same configuration — including your API key and all settings — between environments without any extra cost.

Who Is This For?

  - Developers testing Secure Privacy on a staging or development environment before going live

  - Website administrators switching a configured Secure Privacy domain from a dev or QA URL to production

  - Compliance teams managing Secure Privacy across multiple domain environments without buying additional licenses

How to Change Your Domain Environment in Secure Privacy

  - Log in to your Secure Privacy account. In the upper-left corner, click All Domains.

  - Find the domain you want to edit and click the Edit domain button in that row.

  - A modal window will appear allowing you to change the domain URL.

  - Enter your staging, testing, or development server URL — for example, dev.mydomain.com — and click Save.

You can now use Secure Privacy on the new domain with the same API key and installation configuration.

Note: After changing the domain URL, trigger a website rescan from the Report section to update the detected cookies and services to those on your staging or development environment — particularly if you have been adding or removing scripts there.

Once you have finished testing, edit the domain URL back from dev.mydomain.com to your production URL — for example, mydomain.com — to go live with your configured settings. Run another rescan after switching to production if your environments differ in any tracked services or scripts.

Frequently Asked Questions

Do I need a separate Secure Privacy license for my staging environment?

No. You can use the same license and API key across your development, staging, and production environments by simply editing the domain URL in the dashboard. Only one URL can be active per domain slot at a time.

Will my configuration be lost when I change the domain URL?

No. All your Secure Privacy settings — including banner configuration, classification, blocking rules, and language settings — are tied to the domain record, not the URL itself. Editing the domain URL retains all existing configuration.

Why should I rescan after changing the domain URL?

Your staging and production environments may have different cookies and third-party services active. A rescan after switching URLs ensures your scan report, blocking configuration, and cookie declaration accurately reflect what is running on the current environment rather than the previous one.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# User Management in Secure Privacy – Add Team Members, Assign Roles, and Manage Domain Access (Enterprise)

URL: https://support.secureprivacy.ai/article/cmp-v1-user-management
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:54:18.821+00:00
Reading Time: 3 minutes
Summary: [CMP v1] Learn how to manage users in Secure Privacy Enterprise — add team members, assign Account Owner, Admin, or Domain Admin roles, update domain access, and delete users.

Secure Privacy's user management feature lets account owners add team members, assign role-based access levels, manage domain administrator assignments, and remove users — all from the Users page in your dashboard.

Note: User management is available on the Enterprise plan only. See current plans and billing options on the Secure Privacy pricing page.

Who Is This For?

  - Account owners managing team member access across multiple domains in Secure Privacy

  - IT administrators assigning and updating user roles for compliance teams

  - Enterprise organizations managing granular domain-level access for different team members

User Roles and Access Levels

Secure Privacy provides three user roles, each with a different level of access:

  
    
    
    
  
  
    
      Role

      Access Level

      Restrictions

    

    
      Account Owner

      Full access to all domain configuration, account details, and billing data

      None

    

    
      Account Admin

      Full access to all features across all domains

      Cannot change billing or account details

    

    
      Domain Admin

      Full access to assigned domains only

      Billing and account details restricted; access limited to specified domains

    

  

How to Add a Team Member

  - Log in to your Secure Privacy account and click All Domains in the top bar.

  - Select Users in the left sidebar to view the list of active users on your account.

  - Click the green Add User button to open the add user modal.

  - Enter the User Email for the team member. A new Secure Privacy account will be created for this email and associated with your main account — a password reset link will be sent automatically.

  - Select the Access level (user role) for this team member.

  - Click Save to confirm.

How to Change a Team Member's User Role

  - Log in to your Secure Privacy account and click All Domains in the top bar.

  - Select Users in the left sidebar.

  - Click the Edit link in the Role column next to the relevant user's email to open the edit modal.

  - Use the Access dropdown to select the new role for this user.

  - For Domain Admin users, you may also select which specific domains they should have access to.

  - Click Save to confirm the changes.

How to Change the Administrator of a Domain

Note: Account Owner and Account Admin roles have access to all domains by default — the steps below apply only to Domain Admin users, where domain access must be explicitly assigned.

  - Log in to your Secure Privacy account and click All Domains in the top bar.

  - Select Users in the left sidebar.

  - Click the Edit link in the Website Access column for the relevant Domain Admin user.

  - Click Add Domain to assign a domain to this user.

  - Select the domain from the dropdown menu.

  - Click Save to confirm.

  - To remove a domain from this user's access, click the red cross next to the domain name.

How to Delete a User

Note: Users with the Account Owner or Account Admin role cannot be deleted directly. Downgrade their access level to Domain Admin first, then follow the steps below to remove them.

  - Log in to your Secure Privacy account and click All Domains in the top bar.

  - Select Users in the left sidebar.

  - Click the red cross icon next to the user's email address to initiate deletion.

  - Click OK in the confirmation popup to complete the deletion.

Frequently Asked Questions

Can I delete an Account Owner or Account Admin directly?

No. Account Owner and Account Admin roles are protected from direct deletion. To remove one of these users, first downgrade their role to Domain Admin using the Edit Role process, then delete them using the red cross icon on the Users page.

Can a Domain Admin manage multiple domains?

Yes. When editing a Domain Admin user's Website Access, you can assign multiple domains to them using the Add Domain button — repeating the selection for each domain they should administer.

What happens when I add a new team member — do they receive a notification?

Yes. When you add a new team member by email, Secure Privacy creates a new account for that email address and automatically sends a password reset link to allow them to set their credentials and log in.

See Also

  - Secure Privacy Pricing Plans Overview

  - Cross-Domain Consent Setup – Secure Privacy Enterprise

  - Website Visits vs Page Views vs Consent Explained

---

# How to Install Secure Privacy on Weebly – Add Cookie Consent Script via Header Code

URL: https://support.secureprivacy.ai/article/cmp-v1-installing-secure-privacy-legacy-on-weebly
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:56:55.405+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to install the Secure Privacy cookie consent script on your Weebly website — add the script to your Header Code in Weebly's SEO settings in a few simple steps.

This guide explains how to install the Secure Privacy script on a Weebly website — adding it to the Header Code section via Weebly's SEO settings so the cookie consent banner loads on every page of your site.

Who Is This For?

  - Weebly website owners installing Secure Privacy's cookie consent banner on their site

  - Compliance teams adding GDPR or CCPA cookie consent functionality to a Weebly-hosted website

  - Web administrators completing the Secure Privacy setup checklist for a Weebly domain

How to Install Secure Privacy on Weebly

  - Log in to your Secure Privacy account and navigate to the Installation page for your target domain.

  - Copy the Secure Privacy installation script (including the <script> tags).

  - Log in to your Weebly Admin Dashboard.

  - From the top navigation bar, click Settings.

  - In the left panel, click SEO.

  - Paste the Secure Privacy script into the Header Code text area. Make sure you do not remove or overwrite any existing code already in this field.

  - Click Save, then publish your site. The Secure Privacy script is now installed and will load on all pages of your Weebly website.

Frequently Asked Questions

Does the Secure Privacy script need to be added to every page on Weebly?

No. Adding the script to the Header Code field in Weebly's SEO settings applies it globally — it will load on every page of your site automatically, without needing to add it to individual pages.

What if I already have other code in the Header Code field?

Paste the Secure Privacy script alongside any existing code in the Header Code field — do not replace or delete what is already there. The scripts can coexist without conflict as long as the Secure Privacy script is placed in the header.

How do I verify the script is installed correctly after publishing?

After publishing, visit your Weebly website and check whether the Secure Privacy cookie banner appears. You can also go to the Report page in your Secure Privacy dashboard and run a rescan to confirm the script is detected on your domain.

See Also

  - How to Set Up and Install Secure Privacy – Step-by-Step Checklist

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# How to Install Secure Privacy on Any Platform – HTML, WordPress, Shopify, Wix, GTM, HubSpot, and More

URL: https://support.secureprivacy.ai/article/cmp-v1-howto-setup-install-secure-privacy-on-your-cms
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T22:15:02.034+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Step-by-step instructions for installing Secure Privacy on HTML, WordPress, Shopify, Wix, HubSpot, GTM, Squarespace, Joomla, Magento, Weebly, and Adobe DTM.

This guide covers how to install the Secure Privacy script across all major website platforms and CMS tools. Select your platform from the list below for step-by-step installation instructions.
Important: Regardless of platform, always place the Secure Privacy script at the very top of the <head> section of your webpage — before any other third-party scripts. You can always find your installation script under Domain > Installation in your Secure Privacy dashboard.
Who Is This For?
- Website owners and developers installing Secure Privacy on their website or CMS platform

- Compliance teams completing the Secure Privacy setup checklist across different website technologies

- Agencies deploying Secure Privacy cookie consent across client websites built on various platforms

1. HTML
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- Open your index.html file or any HTML file you want to make compliant.

- Paste the Secure Privacy script at the top of the <head> section — before any other scripts.

- Save and publish your site.

2. HubSpot
- Navigate to your HubSpot website and open it in Edit mode.

- Go to Settings > Advanced Options.

- Paste your Secure Privacy script into the Additional Code Snippets field.

- Click Publish to save your changes.

3. Weebly
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- Log in to your Weebly Admin Dashboard.

- From the top navigation bar, click Settings.

- In the left panel, click SEO.

- Paste the Secure Privacy script (including the <script> tags) into the Header Code text area — do not replace or remove any existing code.

- Click Save, then publish your site.

4. Google Tag Manager (GTM)
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- In your GTM container, go to Tags > New > Custom HTML Tag.

- Paste the Secure Privacy script into the HTML field.

- Set the trigger to All Pages, give the tag a name (e.g., Secure Privacy Script), and click Save.

5. Wix
- Log in to your Wix Dashboard and click Manage Website in the side menu.

- Go to Tracking & Analytics in Site Manager.

- Click + New Tool and select Custom from the dropdown menu.

- Paste your Secure Privacy installation script into the custom code field.

- If you have multiple domains, select the relevant domain.

- Enter a name for the custom code — for example, Secure Privacy.

- Under Add Code to Pages, select All pages — load code on each new page.

- Under Place Code in, select Head.

- Save your changes.

6. Shopify
Note: Shopify does not allow external scripts in the checkout flow. Secure Privacy can only be used on your Storefront and the Order Confirmation page.
- Log in to your Shopify account.

- Click Online Store > Themes.

- Click the Actions button and select Edit Code (HTML/CSS).

- Under Layout, select your active theme's theme.liquid file.

- Locate the closing </head> tag. Note: some themes use variations such as {/head}, [/header], or [/head] — these work the same way.

- Paste the Secure Privacy script immediately before the closing </head> tag.

- Save the file.

7. Squarespace
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- Go to the Settings (gear icon) of your Squarespace account.

- From the Settings menu, click Advanced, then navigate to Code Injection.

- Paste your script (including the <script> tags) into the Header field. For scripts like Secure Privacy CMP that need to load before anything else for compliance reasons - the Header is required — not the Footer.

- Click Save. The script will now load on every page of your Squarespace site.

Note: Code Injection is available on Business plans and above. It is not available on the Personal plan.
8. WordPress
Note: Administrator-level access is required to modify website settings in WordPress.
- Log in to your WordPress admin panel and go to Plugins > Add New.

- Install a plugin that allows adding scripts to the page header — for example, the free Insert Headers and Footers plugin.

- Once installed, open the plugin and confirm the Head and Footer tab is active.

- In the Page Section Injection / On Every Page input field, paste your Secure Privacy script on the very first line — this ensures Secure Privacy loads before any other cookies or plugins can fire.

- Scroll down and click Save to apply the changes. Your Secure Privacy script is now installed on your WordPress website.

9. Joomla
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- Log in to your Joomla Administration panel.

- Click Template Manager, then click the Templates tab.

- Locate the template your site is using and click its title.

- Click Edit Main Page Template.

- Locate the <head> section and insert your Secure Privacy script immediately below the opening <head> tag.

- Click Save & Close. Your Secure Privacy script is now installed.

10. Magento
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- In the Magento Admin menu, go to System > Configuration.

- In the left panel, select Design.

- Expand the HTML Head section.

- Paste the Secure Privacy script into the Miscellaneous Scripts text box.

- Click Save Config.

11. Adobe Dynamic Tag Manager (DTM)
- Log in to your Secure Privacy account and copy the installation script from Domain > Installation.

- In Adobe DTM, paste the script and remove the opening <script> tags as required by DTM's custom code format.

- Save the rule.

- Your Secure Privacy script is now installed via Adobe DTM.

Frequently Asked Questions
Why must the Secure Privacy script be placed at the top of the <head> section?
Placing the script at the very top of the <head> tag ensures it initializes before any other third-party scripts, pixels, or tags can load — preventing non-essential cookies from being placed before the visitor gives consent. A script loaded later in the page may allow cookies to fire before the blocking engine is active.
Where do I find my Secure Privacy installation script?
Your unique installation script is always available in your Secure Privacy dashboard under Domain > Installation. Select the domain you are installing for and copy the full script including the <script> tags.
How do I verify the script is installed correctly?
After installing and publishing your site, navigate to the Report page in your Secure Privacy dashboard and run a website rescan. If the script is correctly installed, the scan will detect it and begin populating your cookie report. You can also check your browser's developer tools to confirm the Secure Privacy script is loading in the page source.
See Also
- Secure Privacy Setup and Installation Checklist

- Automatic Cookie Blocking Explained

- Secure Privacy Pricing Plans Overview

---

# How to Add Multiple Languages to Your Cookie Banner in Secure Privacy – Multilingual Consent Setup Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-enable-multiple-languages
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:27:44.49+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to enable multiple languages for your Secure Privacy cookie consent banner — select from over 70 pre-translated languages and save them to your domain in three steps.

Secure Privacy supports over 70 languages out of the box — with pre-translated cookie banners and privacy widgets that automatically display in the correct language based on each visitor's browser settings. You can enable multiple languages per domain in a few steps.

Who Is This For?

  - Website owners serving visitors from multiple countries who need multilingual cookie consent banners

  - Compliance teams ensuring cookie banners display in visitors' preferred language for GDPR transparency requirements

  - Administrators managing language settings across one or more domains in Secure Privacy

How to Add Languages to Your Cookie Banner

  - Log in to your Secure Privacy account.

  - Navigate to the Language tab in the left sidebar.

  - Select the languages you want to enable on your website and click Save. Your selected languages are now active for your domain.

To verify your saved languages, click any tab under GDPR (or your active compliance module) in the left sidebar — your selected languages will appear in the language selector.

Frequently Asked Questions

How does Secure Privacy determine which language to show a visitor?

Secure Privacy detects the visitor's preferred language from their browser settings and displays the cookie banner and privacy widgets in the matching language — provided that language has been enabled for your domain. If the visitor's browser language is not in your active language list, the banner defaults to your primary language.

Can I enable different languages for different domains?

Yes. Language settings are configured per domain. Log in to the account for each domain separately and select the languages appropriate for that domain's audience.

Can I edit the translated text for a specific language?

Yes. Once a language is enabled, you can edit the banner text for that language version using the Edit Text section under your active compliance module. Select the language from the language dropdown before making edits to ensure you are updating the correct translation.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Impact Assessments Module – GDPR Article 35 DPIA Management, Risk Integration, and Approval Workflows in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module--impact-assessments
Product: Privacy & AI Governance
Category: DSARs
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T16:36:04.877+00:00
Reading Time: 4 minutes
Summary: Conduct and document GDPR Article 35 DPIAs using the Impact Assessments module in Secure Privacy's Governance Solution — with structured templates, risk integration, and approval workflow support.

The Impact Assessments module in Secure Privacy's Governance Solution is your comprehensive platform for conducting, managing, and documenting Data Protection Impact Assessments (DPIAs) in full compliance with GDPR Article 35. It guides organizations through systematic privacy impact evaluation — covering risk analysis, stakeholder consultation, mitigation planning, and multi-step approval — ensuring high-risk data processing activities are assessed and documented before processing begins.

Who Is This For?

  - Data Protection Officers responsible for conducting and signing off on DPIAs under GDPR Article 35

  - Compliance teams ensuring DPIA requirements are identified and fulfilled for high-risk processing activities

  - Project managers and product teams launching new systems or features that process personal data at scale

  - Legal and governance teams demonstrating GDPR compliance accountability to supervisory authorities

Purpose and Functionality

The Impact Assessments module provides a structured, template-driven environment for completing all elements required under GDPR Article 35(7) — from describing the processing activity and assessing necessity and proportionality through to documenting identified risks and the mitigation measures in place. Completed DPIAs are stored with full version history and can be exported in audit-ready format for regulatory submission or internal review.

How to Use the Impact Assessments Module

  - Navigate to Compliance > Impact Assessments from the left sidebar in the Governance Solution.

  - Click + New Assessment and select the assessment type — DPIA or another supported privacy assessment type.

  - Complete the structured DPIA form — including assessment name, data categories, processing purpose, necessity assessment, and risk level.

  - Review the automatically identified risk areas based on the data categories and processing activities you have described. Document mitigation measures for each flagged risk.

  - Document the assessment process and outcomes — ensuring all GDPR Article 35(7) required fields are completed before submission.

  - Submit the assessment for approval. If a workflow is configured, the DPIA routes automatically through the required approval chain.

  - Monitor the assessment status — Draft, Pending Approval, Approved, or Rejected — and action any reviewer feedback before final sign-off.

Available Features

  - DPIA template: A structured, GDPR Article 35(7)-compliant assessment form that guides users through all required elements — from processing description and necessity assessment through to risk identification and mitigation documentation.

  - Risk assessment integration: Automatic risk identification based on documented data categories and processing activities, with direct links to the Risk Management module for end-to-end traceability.

  - Approval workflow: Integration with the Workflow & Automation module to route completed DPIAs through a configurable multi-step approval chain — ensuring DPO and stakeholder sign-off is documented before processing begins.

Common Use Cases

  - Conducting DPIAs for new or changed high-risk processing activities before deployment — satisfying the mandatory pre-processing requirement of GDPR Article 35.

  - Documenting the full assessment process and outcomes in an audit-ready format for supervisory authority review and internal governance records.

  - Demonstrating GDPR compliance accountability through structured, versioned DPIA records linked to the associated processing activities in the Process Register.

Troubleshooting

Cannot create a new assessment

Verify that your account has the necessary permissions to create entries in the Impact Assessments module. Only users with the appropriate role can initiate new assessments. Contact your Secure Privacy account administrator to review and update your access rights.

Approval workflow is not triggering or sending notifications

Check that a workflow has been configured and activated for Impact Assessments in the Workflow & Automation module, and that the Applies To scope is set to Assessment. Also confirm that approvers have notification settings enabled in their user profiles. If the issue persists, contact Secure Privacy support.

Frequently Asked Questions

Does the module satisfy GDPR Article 35(7) documentation requirements?

Yes. The DPIA form captures all fields required under GDPR Article 35(7) — including a systematic description of the processing and its purposes, a necessity and proportionality assessment, an evaluation of risks to data subjects' rights and freedoms, and the measures envisaged to address those risks. Completed assessments can be exported for supervisory authority submission.

Can a DPIA be linked to a specific processing activity in the Process Register?

Yes. Impact assessments can be linked to the associated processing activity in the Process Register, creating end-to-end traceability from your ROPA through to the DPIA conducted for that activity — supporting comprehensive GDPR accountability documentation under Article 5(2).

What triggers a requirement to conduct a DPIA?

Under GDPR Article 35, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms. This includes systematic profiling with significant effects, large-scale processing of special category data, systematic monitoring of publicly accessible areas, use of new technologies, and automated decision-making that produces legal effects. Your DPO can conduct a pre-screening assessment using the module to determine whether a full DPIA is required for a specific processing activity.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Systems Module – Data Processing System Inventory, Data Flow Mapping, and Risk Assessment in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module---applications-amp-systems
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T10:04:35.527+00:00
Reading Time: 4 minutes
Summary: Use the Systems module in Secure Privacy's Governance Solution to inventory data processing systems, map data flows, and integrate risk assessments for GDPR compliance.

The Systems module in Secure Privacy's Governance Solution provides a centralized inventory of all systems, applications, and infrastructure components that process personal data within your organization. It supports systematic documentation of data processing systems, automated data flow mapping, and integrated risk assessment — helping privacy and compliance teams maintain GDPR compliance, manage their privacy program, and support cybersecurity governance.

Who Is This For?

  - Data Protection Officers and privacy managers building and maintaining a GDPR-compliant systems inventory

  - IT and information security teams documenting data flows and assessing system-level privacy risks

  - Compliance teams using system records to support ROPA maintenance and DPIA processes

  - System owners and technical leads responsible for registering and maintaining system documentation

Purpose and Functionality

The Systems module is a core component of Secure Privacy's Governance Solution, enabling organizations to maintain a complete and current record of every system that touches personal data. By centralizing system documentation alongside data flow mapping and risk assessment tools, it provides the foundation for an accurate Record of Processing Activities (ROPA) and supports proactive privacy risk management across the organization.

How to Use the Systems Module

  - Identify the system owner and technical lead responsible for the system being documented.

  - Navigate to the Systems page from the main navigation menu in the Governance Solution.

  - Add a new system entry and complete the required fields — including system name, owner, data categories processed, and storage location.

  - Map data flows associated with the system to document how personal data moves into, through, and out of the system.

  - Link the system to relevant risk assessments to capture and track any privacy or security risks identified.

  - Review and update system records whenever the system changes — including new integrations, data category changes, or vendor updates.

Available Features

  - System inventory: Maintain a complete, searchable register of all systems processing personal data across your organization.

  - Data flow mapping: Document and visualize how personal data flows between systems, departments, and third parties.

  - Risk assessment integration: Link system records directly to privacy and security risk assessments, enabling end-to-end traceability from system to risk to mitigation.

Common Use Cases

  - Maintaining a comprehensive record of all systems processing personal data — supporting ROPA accuracy under GDPR Article 30.

  - Identifying data flows and storage locations across the organization to support data mapping exercises and DPIA pre-screening.

  - Assessing the security and privacy risks associated with each system as part of an ongoing privacy risk management program.

Troubleshooting

Cannot add a new system

Verify that your account has the necessary permissions to create new entries in the Systems module. Only users with the appropriate admin or contributor role can add systems. Contact your Secure Privacy account administrator to review your access rights.

Data mapping feature is not working

Check your system settings and confirm that data mapping is enabled for your organization's Governance Solution instance. If the issue persists, contact Secure Privacy support with details of the system record you are working with.

Frequently Asked Questions

How does the Systems module support GDPR Article 30 ROPA requirements?

The Systems module provides the system-level detail that underpins an accurate Record of Processing Activities. By documenting which systems process personal data, what categories of data they handle, and how data flows between them, the module gives your DPO and compliance team the information needed to maintain a complete and current ROPA — a core GDPR Article 30 obligation.

Can the Systems module be used to support DPIA pre-screening?

Yes. System records — including data categories, processing purposes, and linked risk assessments — provide the factual foundation for DPIA pre-screening under GDPR Article 35. When a new system is added or an existing one significantly changed, the documented data flows and risk links support the DPO's assessment of whether a full DPIA is required.

Who should be responsible for maintaining system records?

System records should be maintained jointly by the system owner — who is accountable for the system's use of personal data — and the technical lead who understands the system's architecture and data flows. The privacy or compliance team should review records periodically to ensure they remain accurate and aligned with the organization's ROPA.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# DSAR Module – GDPR Data Subject Access Request Management, Deadline Tracking, and Audit Trail in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module---dsars
Product: Privacy & AI Governance
Category: DSARs
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T16:38:05.948+00:00
Reading Time: 4 minutes
Summary: Manage GDPR data subject access requests end-to-end using the DSAR module in Secure Privacy's Governance Solution — with deadline tracking, automated reminders, secure document exchange, and full audit logging.

The DSAR module in Secure Privacy's Governance Solution provides a comprehensive platform for managing and responding to Data Subject Access Requests in full compliance with GDPR requirements. It streamlines the entire DSAR lifecycle — from initial request receipt and identity verification through to final response delivery — ensuring timely compliance with GDPR's one-month response deadline while maintaining a complete audit trail and secure document handling throughout.

Who Is This For?

  - Data Protection Officers and privacy managers responsible for GDPR data subject rights compliance

  - Compliance and legal teams managing the full DSAR response workflow across departments

  - Operations and customer service teams receiving and processing incoming data subject requests

  - IT teams responsible for locating and extracting personal data in response to access requests

Purpose and Functionality

The DSAR module gives compliance teams a single, structured environment for tracking every data subject rights request from receipt to resolution — covering access requests, erasure requests, rectification, restriction, data portability, and objection. Automated deadline tracking, notification reminders, and secure document exchange ensure your organization consistently meets GDPR Article 12's one-month response requirement and maintains a documented, audit-ready record of all DSAR activity.

How to Use the DSAR Module

  - Navigate to Compliance > DSARs from the left sidebar in the Governance Solution.

  - Click + New Request to log an incoming data subject rights request. Record the request type, the data subject's details, the date of receipt, and the applicable response deadline.

  - Verify the identity of the requester and document the verification method and outcome before proceeding.

  - Assign the request to the relevant team member or department responsible for locating and compiling the response data.

  - Track the progress of the request and document all actions taken — including data searches, internal consultations, and any decisions on applicable exemptions.

  - Prepare the response and use the secure document exchange feature to deliver the response to the data subject safely.

  - Mark the request as complete once the response has been sent. The module logs the completion timestamp and outcome for audit purposes.

Available Features

  - DSAR request tracking: A centralized register of all incoming data subject rights requests — with status, request type, assigned owner, receipt date, and GDPR deadline visible at a glance.

  - Automated notifications and deadline reminders: The platform sends automatic reminders to assignees as the one-month GDPR response deadline approaches — reducing the risk of missed deadlines and regulatory breaches.

  - Secure document exchange: Deliver response packages to data subjects through a secure, controlled channel — maintaining data security and creating a documented record of response delivery.

Common Use Cases

  - Managing and responding to data subject access requests within GDPR's one-month deadline — with automated reminders ensuring nothing is missed.

  - Documenting all actions taken throughout the DSAR response process — creating an audit-ready record for supervisory authority review and accountability demonstrations under GDPR Article 5(2).

  - Demonstrating consistent compliance with data subject rights obligations — including access, erasure, rectification, and objection — through a centralized, structured workflow.

Troubleshooting

Cannot create a new DSAR

Verify that your account has the necessary permissions to create entries in the DSAR module. Only users with the appropriate role can log new requests. Contact your Secure Privacy account administrator to review and update your access rights.

Notifications are not being sent

Check that notification settings are enabled in the user profile of the assigned team member. Also confirm that the request has a valid assignee and a response deadline set — the automated reminder system requires both to trigger notifications. If the issue persists, contact Secure Privacy support.

Frequently Asked Questions

Does the DSAR module track the GDPR one-month response deadline automatically?

Yes. When a new request is logged with a receipt date, the module automatically calculates the GDPR Article 12 one-month response deadline and displays it in the request record. Automated reminders notify the assigned team member as the deadline approaches — helping ensure your organization consistently meets its legal response obligations.

Can the DSAR module handle all types of data subject rights requests, not just access requests?

Yes. The module supports the full range of GDPR data subject rights requests — including access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and objection (Article 21). Each request type can be logged, tracked, and documented within the same workflow.

How does the audit trail in the DSAR module support GDPR accountability?

Every action taken on a DSAR record — including receipt logging, assignment, status changes, exemption decisions, and response delivery — is recorded with a timestamp and the identity of the user who performed the action. This creates a complete, chronological compliance record that can be produced for supervisory authority review, demonstrating that each request was handled in line with GDPR Article 12 requirements.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# How to Embed Your Privacy Policy on a WordPress Page Using Secure Privacy

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-a-privacy-policy-text-in-wordpress
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:15:15.833+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to add your Secure Privacy privacy policy to a WordPress page — using the Text editor or an HTML widget in any page builder, in a few simple steps.

This guide explains how to embed your Secure Privacy Privacy Policy directly on a WordPress page — using either the WordPress text editor or an HTML widget in a page builder. The embed code loads your policy content dynamically, so it stays up to date automatically as your scan results change.

This guide assumes the Secure Privacy script is already installed on your website. If not, complete the installation before proceeding.

Who Is This For?

  - WordPress website owners adding a dedicated privacy policy page using Secure Privacy

  - Website administrators embedding privacy policy text via the WordPress editor or a page builder

  - Compliance teams ensuring a GDPR-compliant privacy policy is visible on their WordPress site

How to Embed Your Privacy Policy on a WordPress Page

  - 
    Log in to your Secure Privacy account and navigate to Privacy Policy > Use on Website > Direct Text Embedding.

  

  - Copy the embed code shown on the screen.

  - Log in to your WordPress admin panel and open the page where you want the Privacy Policy to appear.

  - Open the page in edit mode.

  - Switch to the Text tab (or Code Editor in the block editor) to insert HTML directly.

  - Paste the embed code in the position where you want the Privacy Policy text to display.

  - Click Save (or Update). Your Privacy Policy text will now appear on the page.

Embedding with a WordPress Page Builder

If you are using a custom page builder such as Elementor, Divi, or WPBakery, you can use an HTML widget or Custom HTML block to add the embed code to any section of your page — without switching to the Text tab.

Add a Custom HTML widget to the page, paste the Secure Privacy embed code into the widget content area, and save the page. Your Privacy Policy will appear in that section of your layout.

Frequently Asked Questions

Does the embedded privacy policy update automatically when my cookies change?

Yes. The embed code loads your policy content dynamically from Secure Privacy. Auto-generated sections — such as cookie and plugin data — update automatically whenever you rescan your domain. You do not need to update the embed code on your WordPress page after a rescan.

Can I use this embed method with the WordPress block editor (Gutenberg)?

Yes. In the WordPress block editor, add a Custom HTML block to your page and paste the Secure Privacy embed code inside it. Save the page and the privacy policy text will appear in that block's position on the page.

What if my page builder does not have an HTML widget?

Most major WordPress page builders — including Elementor, Divi, WPBakery, and Beaver Builder — include a Custom HTML or HTML widget option. If yours does not, switch to the WordPress Text or Code Editor view to paste the embed code directly into the page's HTML source.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Add Custom Links to Your Cookie Banner in Secure Privacy – Privacy Center, Accept, and Reject Button Links

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-custom-links-to-a-cookie-banner
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:17:46.172+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to add custom hyperlinks to your Secure Privacy cookie consent banner — insert links to your privacy policy, cookie declaration, or any URL in a few simple steps.

Secure Privacy's cookie banner supports custom links — allowing you to add hyperlinks to the Privacy Center text, Accept button, Reject button, or any other editable banner text. This guide explains how to insert a custom link using the banner text editor.
Who Is This For?
- Website administrators adding custom hyperlinks to their Secure Privacy cookie consent banner

- Compliance teams linking to a privacy policy, cookie declaration, or other relevant pages from within the banner

- Developers customizing cookie banner text with specific URLs for Accept, Reject, or Privacy Center actions

How to Add a Custom Link to Your Cookie Banner
- Log in to your Secure Privacy account and navigate to your Cookie Banner page.

- Click on the text section you want to edit to open it in the text editor.

- Click the Add Custom Link button in the editor toolbar.

- In the popup that appears, enter the following details:
- Link text: The visible text that will be displayed as the hyperlink

- URL: The destination address the link should point to

- Click Add Link to insert the link into the banner text.

- Click Save. Secure Privacy will automatically convert the shortcode into a live hyperlink on your cookie banner.

Frequently Asked Questions
What types of links can I add to the cookie banner?
You can add any standard URL — including links to your privacy policy page, cookie declaration, external regulatory resources, or internal website pages. Custom links can be added to any editable section of the cookie banner, including the Privacy Center text and button labels.
Will the link open in a new tab or the same tab?
Link behavior depends on how the shortcode is generated. If you need links to open in a new tab, check the link settings in the Add Custom Link popup — some versions of the editor include a target option for this. If not, you can apply this via custom CSS or by contacting Secure Privacy support.
Can I add multiple custom links to the same banner section?
Yes. Repeat the process for each link you want to add within the same text section — click the text to edit, use the Add Custom Link button for each link, and save when all links have been inserted.
See Also
- How to Change the CSS of Your Cookie Consent Banner

- Secure Privacy Pricing Plans Overview

- Website Visits vs Page Views vs Consent Explained

---

# How to Set Up Cross-Domain Consent in Secure Privacy – Share Cookie Consent Across Multiple Domains

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-enable-cross-domain-consent-in-secure-privacy
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T21:44:47.471+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to enable cross-domain consent in Secure Privacy — group multiple domains under a shared consent record so visitors only need to consent once across your entire domain portfolio.

Cross-domain consent in Secure Privacy allows you to collect and share visitor consent across multiple domains or subdomains using a single cookie banner — so users do not need to give consent again when navigating between sites in the same group. Watch the demo to see how it works:

Who Is This For?
- Website administrators and developers managing multiple domains that share the same audience and consent requirements

- Marketing teams reducing consent friction for visitors navigating between related websites or subdomains

- Enterprise organizations implementing consistent consent management across a portfolio of domains using Secure Privacy

Important Legal Considerations
When propagating the same consent record across multiple domains, ensure your implementation complies with applicable privacy laws and regulations — including GDPR and ePrivacy requirements. It is strongly recommended to consult your legal team to verify that cross-domain consent sharing meets the jurisdictional requirements for each domain in the group.
How to Enable Cross-Domain Consent in Secure Privacy
- Install the Secure Privacy script on all domains that will be part of the same consent group.

- In your Secure Privacy dashboard, go to All Domains and open the Settings page.

- Scroll right to locate the Domain Consent Group column.

- Edit the Domain Consent Group value for each domain that should share consent.

- Ensure the group label is identical for all domains in the group — for example, GroupA. The label is case-sensitive.

- Save your changes. Cross-domain consent is now active for all domains in the group.

Common Issues and Fixes
Consent not syncing across domains
Verify that the Secure Privacy script is correctly installed and loading on all domains in the consent group. A missing or incorrectly placed script on any domain will prevent consent from syncing to that domain.
Group label mismatch
Confirm that the Domain Consent Group label is exactly the same across all domains in the group — including capitalization and spacing. Even a minor difference will prevent the domains from being recognized as part of the same group.
Frequently Asked Questions
How many domains can be added to a single consent group?
There is no fixed limit on the number of domains in a consent group. Assign the same group label to as many domains as needed. Ensure the Secure Privacy script is installed on every domain in the group for consent to sync correctly.
Does cross-domain consent work across subdomains as well as separate domains?
Yes. Cross-domain consent can be configured to share consent between entirely separate domains as well as between a root domain and its subdomains — provided all are assigned the same Domain Consent Group label and have the Secure Privacy script installed.
Is cross-domain consent compliant with GDPR?
Cross-domain consent sharing can be GDPR-compliant in certain circumstances — but this depends on the specific domains involved, their privacy policies, and how consent was originally obtained. Always consult your legal team before enabling cross-domain consent to confirm it meets the requirements applicable to your organization and jurisdictions.
See Also
- Implementing Google Consent Mode Using Google Tag Manager

- How to Set Up and Install Secure Privacy

- Cross-Domain Consent Setup in Secure Privacy Enterprise

---

# How to Customize the Data Request Form in Secure Privacy – Tab Title, Controls, Notifications, and Email Templates

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-change-your-dsar-data-subject-access-requests-form
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:55:21.719+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Learn how to customize Secure Privacy's Data Request Form — rename the tab, edit control elements, configure notifications, set up email templates, and enable or disable the form for GDPR, CCPA, and LGPD.

The Data Request Form in Secure Privacy allows visitors to submit GDPR, CCPA, and LGPD data subject rights requests directly from your website. This guide covers all available customization options — from renaming the form tab and editing control element text through to configuring notification messages, email templates, and enabling or disabling the form entirely.

Who Is This For?

  - Privacy officers and compliance teams customizing the Data Request Form for their organization's legal requirements

  - Website administrators enabling and configuring DSAR form settings in Secure Privacy

  - Developers managing form control elements, validation, and automated email templates

How to Rename the Data Request Form Tab Title

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar as applicable.

  - Click Preference Center — you will be taken to the Edit Text tab.

  - Select the Language you want to edit from the drop-down menu.

  - Click the Data Request Form tab to switch into edit mode and update the tab title text to match your legal requirements.

  - Click the green tick (above and to the right of the edited text) to apply the change.

  - Click Save.

How to Edit Text Content on Form Control Elements

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar.

  - Click Data Request Form — you will be shown the Edit Text tab.

  - Select the Language you want to edit from the drop-down menu.

  - Click any control element to switch into edit mode and update the text to match your legal requirements.

  - Click the green tick to apply the change to that element.

  - Click Save when you have finished all edits.

How to Edit or Delete a Control Element on the Data Request Form

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar.

  - Click Data Request Form — you will be shown the Edit Text tab.

  - Select the Language from the drop-down menu.

  - Click the Edit link on any control element to open the Edit Control modal window.

  - Update the Label text to match your legal requirements.

  - Use the Validation option to make the field Required — the form will not submit until the visitor completes this field.

  - Click the green Save button to apply your changes.

  - To remove the field entirely, click the red Delete control button.

How to Modify Notification Messages for the Data Request Form

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar.

  - Click Data Request Form — you will be shown the Edit Text tab.

  - Click the Edit notification messages link.

  - Select the Language you want to edit from the drop-down menu.

  - Update any notification message text to match your requirements.

  - Click the green Save button to apply your changes.

How to Enable or Disable the Data Request Form

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar.

  - Click Data Request Form — you will be shown the Edit Text tab.

  - Click the Settings link to access configurable parameters for your form.

  - Use the Enable Data Request Form toggle to enable or disable the form for your domain.

  - Enable Verify users email to require visitors to confirm their email address before the request is submitted — this helps verify the requester's identity.

  - Set Send data request emails to to the email address of the person in your organization who processes data export, removal, and other requests.

  - Click the green Save button to apply your changes.

How to Customize Automated Emails Sent to Data Request Form Submitters

  - Log in to your Secure Privacy account and select GDPR, CCPA, or LGPD from the left sidebar.

  - Click Data Request Form — you will be shown the Edit Text tab.

  - Click the Email Templates link.

  - Select the Language you want to edit from the drop-down menu. Note: The page includes field template placeholders you can insert to personalize email content.

  - Edit the Request received template to customize the email sent to your company when a data request is submitted, including the data provided by the requester.

  - Edit the User verification template to customize the email verification message sent to the visitor to confirm their identity before the request is processed.

  - Click the green Save button to apply your changes.

Frequently Asked Questions

Can I configure the Data Request Form differently for GDPR, CCPA, and LGPD?

Yes. Each compliance module — GDPR, CCPA, and LGPD — has its own Data Request Form configuration. Navigate to the relevant module from the left sidebar and configure the form, control elements, notification messages, and email templates independently for each regulation.

Can I make specific form fields mandatory?

Yes. When editing a control element, use the Validation option to set it as Required. The form will not submit until the visitor completes all required fields — useful for ensuring you receive the information needed to process the request.

What is the difference between the "Request received template" and the "User verification template"?

The Request received template is the email sent to your organization when a data request is submitted — it contains the request details provided by the visitor. The User verification template is the email sent to the visitor containing an identity verification link, which they must click to confirm their identity before the request is processed.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# How to Edit Your Cookie Banner Text in Secure Privacy – No Developer Skills Required

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-edit-the-cookie-banner-text
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:50:36.984+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to edit your Secure Privacy cookie consent banner text — update wording, adjust font formatting, add hyperlinks, and manage multiple languages directly from your dashboard.

Secure Privacy makes it easy to edit your cookie banner text without any developer skills. Using the built-in text editor, you can update banner copy, adjust formatting, change the language, and add hyperlinks — all from your dashboard.

Who Is This For?

  - Website owners and administrators updating the text displayed in their Secure Privacy cookie consent banner

  - Compliance teams customizing banner wording to align with legal requirements or organizational tone

  - Marketing teams editing cookie banner text without needing developer access

How to Edit Your Cookie Banner Text

Step 1: Log in to Secure Privacy

Log in to your Secure Privacy account with your credentials.

Step 2: Navigate to the Cookie Banner

In the left sidebar, select your compliance module — for example, GDPR or CCPA — then click Cookie Banner.

Step 3: Edit Your Banner Text

You will land on the Cookie Banner Edit Text screen. Click on the text section you want to edit to open it in the editor.

Use the language selector in the right-side menu to choose which language version you are editing. The editor provides the following formatting options:

  - Font size: Small, Normal, or Large

  - Font formatting: Bold, Italic, or Underline

  - Hyperlinks: Link text to any relevant page on your website

Step 4: Save Your Changes

When you have finished editing, click the green tick in the upper-right corner of the text field to confirm and save your changes. Your banner text will update automatically.

Frequently Asked Questions

Can I edit banner text for multiple languages?

Yes. Use the language selector in the right-side menu of the Edit Text screen to switch between installed languages and edit the banner text for each one separately. Make sure to save each language version using the green tick before switching.

Will my text edits affect all pages of my website?

Yes. Banner text changes apply globally across all pages where the Secure Privacy script is installed. Once saved, the updated text appears on your cookie banner on every page.

Can I revert to the default banner text after editing?

Default banner text is pre-aligned with applicable privacy legislation. If you have made changes you want to undo, you will need to manually re-enter the original text. It is recommended to note the default wording before making significant edits.

See Also

  - How to Change the CSS of Your Cookie Consent Banner

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# Members Module – Privacy Team Role Management in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module---members
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T09:59:38.107+00:00
Reading Time: 3 minutes
Summary: Manage privacy team roles, access controls, and contact information using the Members module in Secure Privacy's Governance Solution — built for GDPR program accountability.

The Members module in Secure Privacy's Governance Solution provides a centralized view of all team members and their responsibilities within your privacy program. It streamlines team management through role-based access controls, contact management, and organizational hierarchy — ensuring privacy responsibilities are clearly defined, assigned, and visible across your organization.
Who Is This For?
- Privacy program administrators managing team member access and responsibilities

- Data Protection Officers overseeing the organizational structure of their privacy team

- IT administrators configuring role-based access controls within the Secure Privacy platform

- Compliance managers maintaining an accurate directory of privacy team contacts and roles

Purpose and Functionality
The Members module is essential for maintaining accountability within your privacy program. It gives administrators a single place to manage who is responsible for data protection tasks, control what each team member can access, and keep contact information current — supporting clear communication and audit-ready role documentation.
How to Use the Members Module
- Navigate to the Members page from the main navigation menu.

- View the full list of team members and their assigned roles within the privacy program.

- Add new members to your organization as needed.

- Edit member details — including department, role, and contact information — to keep records current.

Available Features
- Team member directory: A centralized list of all individuals with roles in your privacy program, with contact details and role assignments visible at a glance.

- Role-based access control: Define what each team member can view and edit within the Secure Privacy platform based on their role and responsibilities.

- Contact information management: Keep team member contact details accurate and accessible for internal coordination and DPO communication.

Common Use Cases
- Managing and documenting team member responsibilities within the privacy compliance program

- Providing a clear, current overview of the organization's privacy team structure for audits and governance reviews

- Facilitating communication and collaboration among team members working across different areas of the compliance program

Troubleshooting
Cannot add a new member
Verify that your account has administrative rights for the Members module. Only users with the appropriate admin role can add new team members. Contact your account administrator if you need your permissions updated.
Cannot edit member details
Check your user permissions — editing member details requires a role with write access to the Members module. If you believe your permissions are incorrect, contact your Secure Privacy account administrator.
Frequently Asked Questions
Who can add or remove members in the Members module?
Only users with administrative rights within the Secure Privacy platform can add, remove, or edit team members. If you need to make changes but do not have the required permissions, contact your organization's Secure Privacy account administrator.
Does the Members module control what each user can access across the platform?
Yes. The Members module includes role-based access control, which determines what each team member can view and edit across Secure Privacy's Governance Solution modules. Roles should be assigned based on each member's actual responsibilities within the privacy program.
Can the Members module be used to document DPO and privacy team roles for audit purposes?
Yes. Maintaining an accurate and current Members directory — with clearly assigned roles and contact information — supports GDPR accountability by providing documented evidence of who is responsible for privacy program functions. This is particularly relevant for demonstrating organizational accountability under GDPR Article 5(2).
See Also
- Secure Privacy Pricing Plans Overview

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

- Website Visits vs Page Views vs Consent Explained

---

# Privacy Program Module – Compliance Maturity Assessment and Gap Tracking in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-solution-core-module---privacy-program
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T10:14:38.31+00:00
Reading Time: 4 minutes
Summary: Assess and track your privacy compliance maturity using the Privacy Program module in Secure Privacy's Governance Solution — with structured checklists, gap identification, and progress reporting.

The Privacy Program module in Secure Privacy's Governance Solution is a strategic assessment platform designed to evaluate, track, and improve your organization's privacy compliance maturity. It provides structured evaluation frameworks that help identify compliance gaps, measure progress against industry standards, and develop actionable roadmaps for building a robust, audit-ready privacy program.

Who Is This For?

  - Data Protection Officers and privacy managers assessing and improving their organization's overall privacy program maturity

  - Compliance teams tracking progress against GDPR requirements and internal privacy program benchmarks

  - Senior leadership and boards seeking visibility into privacy compliance status and gap remediation progress

  - Privacy professionals building structured compliance roadmaps and accountability documentation

Purpose and Functionality

The Privacy Program module gives privacy and compliance teams a centralized, structured way to assess where their organization currently stands on privacy compliance — and what needs to happen to reach the next maturity level. By working through a customizable checklist of privacy program elements, teams can identify gaps, assign notes and actions, and track progress over time — all within the Secure Privacy Governance Solution.

How to Use the Privacy Program Module

  - Navigate to the Privacy Program page from the main navigation menu in the Governance Solution.

  - Review the checklist of privacy program elements covering key compliance areas.

  - Mark each element as Completed or Not Completed based on your organization's current status.

  - Add notes and comments to individual elements to document context, evidence, or next steps.

  - Use the progress tracking view to monitor overall maturity and identify which areas require the most attention.

  - Revisit and update the checklist regularly as your compliance program evolves.

Available Features

  - Customizable privacy program checklist: A structured list of privacy program elements that can be tailored to your organization's regulatory requirements and maturity goals.

  - Progress tracking and reporting: A real-time view of completion status across all checklist elements — providing a clear picture of current compliance maturity and outstanding gaps.

  - Notes and comments: Add context, evidence links, or action notes to individual checklist items to support accountability and audit documentation.

Common Use Cases

  - Assessing your organization's current privacy compliance maturity and benchmarking it against GDPR requirements and industry best practices.

  - Identifying gaps in your privacy program that require remediation — feeding into your DPO's compliance roadmap and annual audit findings.

  - Tracking progress towards defined compliance goals over time — with a documented record of improvements for supervisory authority accountability purposes.

Troubleshooting

Checklist is not displaying correctly

Ensure your browser is up to date — the Governance Solution is optimized for current browser versions. Try refreshing the page or clearing your browser cache. If the issue persists, contact Secure Privacy support.

Cannot save progress

Check your user permissions — saving and updating checklist items requires write access to the Privacy Program module. Contact your Secure Privacy account administrator if you believe your permissions need to be updated.

Frequently Asked Questions

How does the Privacy Program module differ from the Privacy Risk Management module?

The Privacy Program module is a maturity assessment tool — it helps you evaluate how complete and effective your overall privacy program is across key compliance areas. The Privacy Risk Management module focuses specifically on identifying, scoring, and mitigating individual privacy risks tied to processing activities. The two modules complement each other: program gaps identified in the Privacy Program module may generate specific risks to be managed in the Risk Management module.

Can the checklist be customized to reflect our specific regulatory requirements?

Yes. The Privacy Program module's checklist is customizable, allowing your team to tailor the elements assessed to your organization's applicable regulations, internal policies, and maturity framework — whether you are primarily focused on GDPR, additional national requirements, or a broader international privacy program.

Can the Privacy Program module be used to prepare for a supervisory authority audit?

Yes. The module's progress tracking and notes functionality create a documented record of your compliance program status — including what has been implemented, what is in progress, and what remediation is planned. This documentation supports GDPR accountability under Article 5(2) and can be referenced during supervisory authority inspections or internal compliance reviews.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# Secure Privacy Governance Solution – Overview, Core Modules, Setup, and Getting Started

URL: https://support.secureprivacy.ai/article/privacy-compliance-platform-overview
Product: Privacy & AI Governance
Category: Governance Solution
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T11:30:10.808+00:00
Reading Time: 4 minutes
Summary: Explore Secure Privacy's Governance Solution — a centralized privacy compliance platform with modules for ROPA, DPIA, risk management, DSARs, and document management. Learn how to get started.

Secure Privacy's Governance Solution is a comprehensive privacy compliance platform designed to help organizations manage GDPR compliance, data subject rights, privacy risk assessments, and documentation — all from a single centralized system. This guide provides an overview of the platform, system requirements, initial setup, and links to detailed guidance for each core module.

Who Is This For?

  - Privacy compliance officers and Data Protection Officers managing organizational GDPR programs

  - Legal and governance professionals building and maintaining a structured privacy compliance framework

  - Organizations seeking a centralized platform for privacy risk management, ROPA, DPIAs, and DSAR handling

What the Governance Solution Includes

The platform provides tools across the full privacy compliance lifecycle:

  - AI-Powered Onboarding: Set up your privacy program quickly with tailored AI-generated recommendations based on your organization's practices.

  - Process Register: Document and manage all data processing activities in line with GDPR Article 30 ROPA requirements.

  - Risk Assessments: Identify, score, and mitigate privacy risks across processing activities.

  - Compliance Tasks: Track and manage compliance actions, deadlines, and recurring obligations.

  - DSAR Management: Handle data subject access requests with automated tracking and workflow support.

  - Impact Assessments: Conduct and manage Data Protection Impact Assessments (DPIAs) under GDPR Article 35.

  - Systems Inventory: Maintain a complete inventory of all systems processing personal data and map data flows.

  - Document Management: Securely store, version-control, and manage access to compliance-critical documents.

  - Members Matrix: Visualize team member responsibilities and involvement across the privacy program.

  - Reporting and Analytics: Generate compliance reports to demonstrate accountability to regulators and stakeholders.

System Requirements

To use the Governance Solution, you will need:

  - A modern web browser — Chrome, Firefox, Safari, or Edge

  - A stable internet connection

  - A valid user account with appropriate permissions

Initial Setup and Configuration

Initial setup and configuration of the Governance Solution is performed by the Secure Privacy implementation team. To get started, contact sales@secureprivacy.ai to initiate implementation and onboarding.

AI-Powered Onboarding (Recommended)

Once your account is provisioned, the recommended way to configure your privacy program is through the AI-Powered Setup:

  - Select the AI-Powered Setup option to allow the AI to analyze your organization and automatically configure your privacy program.

  - Complete the onboarding questionnaire to provide the AI with information about your data processing practices and compliance context.

Once setup is complete, you will be directed to the dashboard where you can begin adding processes, tasks, risk assessments, and other compliance elements.

Core Modules

The Governance Solution is organized into nine core modules. Each has a dedicated support article with step-by-step guidance:

  - Calendar: Track compliance deadlines, schedule tasks, and monitor progress with an intuitive visual calendar. Learn more about the Calendar module.

  - Process Register: Document all data processing activities and maintain GDPR Article 30 ROPA compliance. Learn more about the Process Register module.

  - Documents: Centralize compliance documents with secure storage, version control, and access management. Learn more about the Documents module.

  - Privacy Program: Assess and track your organization's privacy compliance maturity against a structured checklist framework. Learn more about the Privacy Program module.

  - Risks: Identify, score, and mitigate privacy risks with integrated risk management tools. Learn more about the Risks module.

  - Impact Assessments: Conduct and manage GDPR DPIAs with streamlined assessment workflows. Learn more about the Impact Assessments module.

  - Applications & Systems: Inventory all systems processing personal data and track data flows across your organization. Learn more about the Applications & Systems module.

  - DSARs: Manage data subject access requests with automated tracking and deadline management. Learn more about the DSARs module.

  - Members: Manage privacy team members, roles, contact information, and responsibilities across your compliance program. Learn more about the Members module.

Frequently Asked Questions

How do I get started with the Governance Solution?

Initial setup is managed by the Secure Privacy implementation team. Contact sales@secureprivacy.ai to initiate implementation and onboarding for your organization.

What are the system requirements for using the platform?

You need a modern web browser (Chrome, Firefox, Safari, or Edge), a stable internet connection, and a valid user account with the appropriate permissions for your role.

Where can I find detailed guidance for each module?

Each core module has a dedicated support article linked in the Core Modules section above. Each article includes step-by-step usage instructions, available features, common use cases, and troubleshooting guidance.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

---

# How to Add Custom Controls to Your DSAR Form in Secure Privacy – Step-by-Step Guide

URL: https://support.secureprivacy.ai/article/customizing-the-data-request-form-using-dsar-custom-controls-in-secure-privacy
Product: Privacy & AI Governance
Category: DSARs
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T16:31:58.9+00:00
Reading Time: 3 minutes
Summary: Learn how to add custom controls to your Secure Privacy DSAR form — configure labels, input types, and required fields to tailor the data subject access request experience for your organization.

Secure Privacy's DSAR form custom controls give you the flexibility to tailor your data subject access request form so end users only see and complete the fields relevant to their specific request. Customizing the form and response templates aligns the DSAR process with your organization's workflows and branding — creating a cleaner, more professional experience that builds trust and streamlines data collection.
This article explains how to add and configure custom controls in the Secure Privacy DSAR form editor.
Who Is This For?
- Privacy and compliance teams customizing DSAR forms to match organizational workflows

- Website administrators configuring the data request form within Secure Privacy templates

- Data Protection Officers ensuring DSAR forms collect the right information for each request type

How to Add Custom Controls to Your DSAR Form
- Navigate to the Templates tab. After logging in to your Secure Privacy dashboard, click Templates in the top navigation bar. This tab lists all available privacy templates for different regions.

- Select the desired template. Scroll through the template list to find the one you need. Click into its settings to open the configuration options in the side panel.

- Go to the Data Request Form section. Inside the template, locate the left-side panel and click Data request form. This section controls the user-facing form visitors will use to submit requests to access or erase their data.

- Enter Edit Mode. Click Edit in the top-right corner of the form preview. The form editor opens, allowing you to modify existing fields and add new ones. Confirm the Enable data request form toggle is turned on (green), then navigate to the Text tab.

- Add a custom control. Within the Text tab, scroll down and click + Add control, then select the control type you need. The control is inserted into the form where you can configure it to meet your specific requirements.

- Organize form fields. Drag and drop fields to rearrange them in the required order. To remove a control, hover over it and click the trash icon.

- Save your changes. When you are satisfied with the form, click Save in the top-right corner of the editor. Secure Privacy applies your changes and updates the live data request form on your site immediately.

Example: Adding a Custom "Right to Erase" Field
To illustrate how custom controls work, here is how to add a "Right to Erase" field that collects a visitor's email address:
- Click + Add control in the Text tab and select a text input control.

- In the settings panel, set Label to "Right to Erase".

- Set Input type to Text.

- Enter "Enter your email address" as the placeholder text.

- Enable Is required if this field must be completed before the form can be submitted.

This is how the configuration looks in the editor:
After saving, the new field appears in the DSAR form that visitors see on your website:
Use this method to add any additional fields your organization requires — adjust the label, input type, and placeholder to suit each specific request type.
Frequently Asked Questions
Can I add custom controls to DSAR forms for multiple regions?
Yes. Custom controls can be added to any template available in your Secure Privacy account — including region-specific templates. Navigate to each template separately and configure the Data Request Form controls to match the requirements for that region's applicable privacy regulations.
Can I make a custom field mandatory?
Yes. When configuring a custom control, enable the Is required toggle in the settings panel. This prevents visitors from submitting the form without completing that field — useful for fields that are essential for processing the specific request type.
Will changes to the DSAR form take effect immediately on my website?
Yes. Once you click Save in the form editor, Secure Privacy applies your changes and the updated form is immediately live on your site — no additional deployment steps are required.
See Also
- How to Handle Data Subject Access Requests (DSARs)

- Secure Privacy Pricing Plans Overview

- Website Visits vs Page Views vs Consent Explained

---

# How to Manually Block Cookies Not Blocked Automatically in Secure Privacy – Tag Blocking Setup Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-block-cookies-manually-in-secure-privacy-scan-report
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T16:58:39.6+00:00
Reading Time: 3 minutes
Summary: [CMP v1] Learn how to identify unblocked cookies in your Secure Privacy Scan Report and manually configure tag blocking for scripts, pixels, and iframes using the Classification settings.

Most cookies and trackers are automatically detected and blocked by Secure Privacy's blocking engine. However, certain cookies may not be blocked automatically due to specific website setups or non-standard script configurations. This guide explains how to identify unblocked cookies in your scan report and configure manual cookie blocking using Secure Privacy's Tag Blocking feature.

Who Is This For?

  - Website administrators and developers identifying and resolving cookies not blocked automatically by Secure Privacy

  - Compliance teams verifying that all non-essential cookies require prior consent before loading

  - Implementation teams configuring tag blocking for scripts, pixels, and iframes not covered by auto-blocking

Step 1: Locate Cookies Not Blocked Automatically

Go to the Report page in your Secure Privacy dashboard. Scroll down to the detected cookies section and look for cookies marked with a red X in the Blocking column. These indicate cookies or services that are not currently being blocked automatically and require manual configuration.

Step 2: Identify the Script, Pixel, or iframe Source

Consult your implementation or development team to determine the source script, pixel, or iframe responsible for the unblocked cookie or service. You will need the source URL or domain associated with the service to configure blocking in the next step.

Step 3: Apply Manual Blocking Configuration

In the Secure Privacy dashboard, navigate to Classification > Tag Blocking. Add the service you want to block by specifying:

  - The type — Script, Iframe, or Pixel

  - The source URL or domain associated with the service

Step 4: Rescan Your Website to Verify Blocking

Once the Tag Blocking configuration is saved, run a website rescan from the Scan Report page. After the scan completes, check whether the previously unblocked service now shows as successfully blocked in the Blocking column.

Summary

  - Identify unblocked cookies by looking for red X indicators in the Blocking column of your Scan Report.

  - Find the related script, pixel, or iframe source responsible for the unblocked service.

  - Manually configure blocking for that source in Classification > Tag Blocking.

  - Rescan your website to confirm the service is now successfully blocked.

Frequently Asked Questions

Why are some cookies not blocked automatically by Secure Privacy?

Secure Privacy's auto-blocking engine covers the majority of commonly detected scripts and services. However, some cookies may not be automatically blocked due to non-standard script implementations, custom-built tracking solutions, or services that Secure Privacy has not yet detected and classified for your specific website setup. Manual Tag Blocking allows you to close these gaps.

What information do I need to add a service to Tag Blocking?

You need to know the type of tag — Script, Iframe, or Pixel — and the source URL or domain associated with the service. Your development or implementation team can usually identify this from the page source or network requests visible in the browser's developer tools.

How long does a rescan take, and when should I run it?

Rescan times vary depending on website size and complexity. Run the rescan after saving your Tag Blocking configuration to verify the service is now blocked. If the red X is still showing after the rescan, double-check that the source URL or domain entered in Tag Blocking exactly matches the one identified in the scan report.

See Also

  - Do I Need to Block All Cookies?

  - How to Classify and Edit Your Cookies and Services

  - Ongoing Checkups: Best Practices

  - How Do I Add a Custom Service or Cookie?

---

# How to Select a Scan Location and Rescan Your Website in Secure Privacy – EU and US Cookie Detection Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-trigger-website-scan-for-us-location--secure-privacy
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:07:57.79+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to select EU or US scan locations and trigger a website rescan in Secure Privacy to verify and update cookies and services detected in your cookie declaration.

Secure Privacy supports website rescanning from two geographic locations — the EU and the US — allowing you to verify and update the services and cookies detected in your privacy policy and cookie declaration based on where your visitors are located. This guide explains how to select a scan location and trigger a rescan.
Who Is This For?
- Website administrators verifying cookie detection from EU and US scan locations

- Compliance teams ensuring cookie declarations reflect region-specific tracking behavior

- Developers updating scan location settings after implementing changes to their website

How to Select a Scan Location and Trigger a Website Rescan
- Log into your Secure Privacy account and select the domain you want to work with.

- Navigate to the Scan report section in the left sidebar, click on the Settings tab.

- From the Scan Location dropdown, select United States, tap Save to apply the changes.

- Switch to the Latest Scan Report tab and click Rescan Website to start a new scan using the updated location. Note: Currently, only two scan locations are supported: European Union and United States.

Note: The rescan will detect cookies and services as they appear to visitors from the selected geographic location. Results may differ between EU and US scans depending on region-specific tracking scripts active on your website.
Frequently Asked Questions
Why does the scan location affect which cookies are detected?
Some third-party services and advertising platforms serve different scripts or trackers to visitors depending on their geographic location. Scanning from both EU and US locations allows you to identify region-specific cookies that may only appear for visitors in one region — ensuring your cookie declaration is accurate for all your audiences.
How often should I rescan my website?
Rescanning is recommended whenever you make changes to your website — such as adding new plugins, third-party services, or marketing scripts. Regular rescans (at minimum quarterly) also help ensure your cookie declaration stays current as third-party vendors update their tracking behavior.
Do I need to rescan from both EU and US locations?
If your website serves visitors from both regions, scanning from both locations is recommended to ensure your cookie declaration captures all services active for each audience. Region-specific advertising or analytics tools may only be visible in scans from the relevant geographic location.
See Also
- How to Increase Your Compliance Score (Overall Rating)

- How to Block a Cookie in the Scan Report

- Secure Privacy Cookie Classification Guide

---

# How to Rescan Your Website in Secure Privacy – Update Cookie Detection and Scan Report

URL: https://support.secureprivacy.ai/article/cmp-v1--website-rescan-guide--secure-privacy
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:13:28.982+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to trigger a website rescan in Secure Privacy to update your cookie scan report, refresh blocking coverage, and keep your cookie declaration accurate and compliant.

Cookie detection, classification, and blocking in Secure Privacy are based on the most recent scan data for your website. Triggering a website rescan updates your scan report with the latest cookies and services detected — ensuring your cookie declaration, blocking configuration, and compliance score reflect your website's current state.
Who Is This For?
- Website administrators updating their Secure Privacy scan report after making changes to their website

- Compliance teams verifying cookie detection and blocking coverage after adding or removing third-party services

- Developers confirming that manual blocking configurations or cookie classification changes have taken effect

How to Rescan Your Website in Secure Privacy
- Log in to your Secure Privacy dashboard and navigate to the Scan Report tab for your website.

- Click the green Rescan Website button to initiate a new scan.

- Wait for the scan to complete. Once finished, the updated results — including newly detected cookies, blocking status, and compliance score — will be reflected in your scan report.

Frequently Asked Questions
When should I rescan my website?
Trigger a rescan whenever you make changes that may affect cookie detection — including adding or removing third-party plugins, updating marketing scripts, changing tag manager configurations, or modifying your Secure Privacy blocking and classification settings. A routine rescan at least quarterly is also recommended as part of ongoing compliance management.
How long does a rescan take?
Scan duration depends on the size and complexity of your website. Most scans complete within a few minutes. If the scan is taking significantly longer than expected, contact Secure Privacy support at support@secureprivacy.ai.
Will the rescan update my cookie declaration automatically?
Yes. Once the rescan is complete, your cookie declaration is updated to reflect the newly detected cookies and services — ensuring your published declaration stays accurate and aligned with your website's current tracking technologies.
Need Assistance?
If you have questions or need support, contact us at support@secureprivacy.ai.
See Also
- How to Increase Your Compliance Score (Overall Rating)

- How to Block a Cookie in the Scan Report

- How to Classify and Edit Your Cookies and Services

---

# Secure Privacy Setup and Installation Checklist – GDPR Cookie Consent Configuration Step by Step

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-setup-and-install-secure-privacy--stepbystep-checklist
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T17:31:05.283+00:00
Reading Time: 5 minutes
Summary: [CMP v1] Follow the complete Secure Privacy setup checklist — covering script installation, tag blocking, cookie categorization, consent banner configuration, and privacy policy integration for GDPR compliance.

This step-by-step checklist covers everything you need to install and configure Secure Privacy v1 [CMP v1] on your website — from script installation and cookie blocking setup through to banner text, consent buttons, privacy policy integration, and compliance score verification. Follow each step in order to ensure a complete and GDPR-compliant Secure Privacy implementation.
Who Is This For?
- Website administrators managing privacy compliance and cookie consent configuration

- Web developers integrating the Secure Privacy script and blocking setup

- Privacy officers and marketers verifying GDPR, CCPA, and LGPD compliance on their websites

Secure Privacy Setup Checklist
1. Verify the Secure Privacy script is installed correctly
Go to the Installation page in your Secure Privacy dashboard and copy the installation script. Paste the code at the top of the <head> tag in your website or CMS code view — ensure it loads before any other third-party scripts to guarantee blocking takes effect from the first page load.
2. Set up your tag blocking configuration
If your implementation team has identified specific script, iframe, or pixel sources that require blocking, add them in the Tag Blocking tab under Classification. This ensures those sources are held until visitor consent is given.
3. Review and configure target audience settings
Select the appropriate target audience for each active compliance module. This determines which visitors see your consent banner based on their geographic location:
- GDPR: Active for visitors from Europe

- CCPA: Active for visitors from California

- LGPD: Active for visitors from Brazil

4. Check your overall compliance rating and follow recommended actions
Review your latest scan report in the Report tab. Aim for a 100% compliance rating — items marked with a red X represent the highest-priority gaps. Work through the recommended actions to improve your score.
5. Review and categorize detected cookies
Navigate to the Classification tab and verify that every detected cookie and service is assigned to the correct category — Essential, Functional, Analytics, or Marketing. Miscategorized cookies can affect both your compliance score and your blocking behavior.
For more information on cookie categories, see the cookie categories support article.
6. Review and update cookie banner text
Ensure your cookie banner clearly communicates the purpose of each cookie category to visitors. Use plain, accessible language — for example:
- Essential cookies: "We place essential cookies to enable our website to function correctly."

- Analytical cookies: "We place analytical cookies to gather aggregated statistical information about visitors."

- Advertising cookies: "We place advertisement cookies to optimize our marketing campaigns towards visitors."

7. [GDPR] Confirm both Accept and Decline buttons are present on the banner
GDPR requires that visitors have an equally prominent option to decline non-essential cookies as they do to accept them. If the Decline button is not visible on your banner, enable it by navigating to GDPR > Cookie Banner > Settings and setting Reject button type to Show as button.
8. Verify only essential cookies are placed before consent is given
Open your browser's developer tools and check the Application tab to inspect cookies placed before any consent interaction. Only essential cookies should be present at this stage. If non-essential cookies are loading before consent, revisit Steps 2, 3, and 4 to identify and resolve the blocking gap.
9. Enable privacy policy and cookie declaration on your website
A privacy policy and cookie declaration are required under GDPR to provide visitors with transparent information about your data practices. Enable both using the following guides:
- How to set up a Privacy Policy on your website

- How to set up a Cookie Declaration on your website

10. [Optional — Enterprise] Configure the Scan Behind Login feature
For Enterprise accounts, the Scan Behind Login feature allows Secure Privacy to scan pages behind user authentication — such as logged-in dashboards or members-only areas — ensuring cookies in restricted areas are also detected and managed.
See the Authenticated Scans via Scan Behind Login setup guide for configuration instructions.
Common Issues and Fixes
Script not running on the website
Ensure the Secure Privacy script is inserted at the very top of the <head> tag — before any other scripts — and clear all server and browser caches after installation. A script loaded too late in the page may allow non-essential cookies to set before the blocking engine initializes.
Tag blocking not working for specific services
Verify that all required sources are correctly listed and saved in the Tag Blocking tab under Classification. Double-check that the source URL or domain entered exactly matches the one identified in your scan report.
Accept and Decline buttons missing from the banner
Navigate to GDPR > Cookie Banner > Settings and confirm the Reject button type is set to Show as button. If the setting is already correct but the button is still not appearing, check for custom CSS overrides that may be hiding the element.
Frequently Asked Questions
Where exactly should the Secure Privacy script be placed on my website?
The script must be placed at the top of the <head> tag on every page of your website — before any other third-party scripts, tags, or analytics code. This ensures the blocking engine initializes before any cookies can be set. If you are using a CMS, paste the script in the header code injection area or through your tag manager as the first tag to fire.
How do I know if non-essential cookies are loading before consent?
Open your browser's developer tools, clear all cookies, reload the page without interacting with the consent banner, and check the Application > Cookies section. Only cookies classified as Essential should appear. If you see Analytics, Marketing, or Functional cookies loading before consent, revisit your tag blocking configuration and re-run the scan.
Do I need to complete all steps to pass GDPR compliance?
For full GDPR compliance, steps 1 through 9 are all required — script installation, blocking, audience targeting, cookie categorization, banner text, Accept/Decline buttons, pre-consent cookie verification, and privacy policy/cookie declaration. Step 10 is optional and applies only to Enterprise accounts with authenticated page areas.
See Also
- How to Block Cookies in Complex GTM Triggers

- Implementing Google Consent Mode (Advanced) Using Google Tag Manager

- Ensuring Compliance with Google's EU User Consent Policy

Have more questions? Contact us at support@secureprivacy.ai.

---

# How to Set Up Manual Script and iframe Blocking in Secure Privacy – Cookie Consent Implementation Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-howto-setup-manual-blocking
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-26T21:30:47.025+00:00
Reading Time: 3 minutes
Summary: [CMP v1] Learn how to set up manual cookie and tracker blocking in Secure Privacy — including script type rewriting and iframe prior consent blocking for YouTube, Vimeo, and other third-party embeds.

Secure Privacy offers two types of cookie and tracker blocking — automated blocking and manual blocking. This article explains how to set up manual blocking for scripts and iframes, including how to rewrite script attributes and implement prior consent blocking for embedded third-party content such as YouTube and Vimeo.
Who Is This For?
- Website administrators implementing manual cookie and tracker blocking with Secure Privacy

- Developers rewriting script and iframe attributes to hold cookies until visitor consent is given

- Compliance teams ensuring third-party embeds do not set cookies before prior consent is obtained

Manual Script and Cookie Blocking
To block cookies and trackers from loading until a visitor provides consent, you need to modify the attributes of script tags on your website. Follow these steps:
- For pixel or image trackers: Rename the src attribute to data-src on the image tag. This prevents the tracker from firing until consent is given.

- For script tags: Use script type rewriting. Change the type attribute of the script tag so that the browser does not execute it automatically.
A normal Google Analytics script tag looks like this:
<!-- Insert your original script tag here -->
After applying script type rewriting, it should look like this:
<!-- Insert your rewritten script tag with updated type attribute here -->

For a step-by-step walkthrough using Wix.com as an example, watch the video tutorial on manual script blocking.

Manual iframe Blocking Setup
This section covers the scenario where iframes embedded on your website — such as YouTube or Vimeo videos — set cookies or trackers that require the visitor's prior consent before loading.
Secure Privacy will block the iframe from loading until the visitor has provided consent for the relevant plugin. Once consent is given, the content loads automatically.
How to implement prior consent for iframes
Using YouTube as an example, follow these steps to apply prior consent blocking to an embedded iframe:
- Apply the attribute sp-consent="PLUGIN NAME" to the iframe tag on your website. The plugin name must exactly match the name shown in your Secure Privacy Scan Report.

- Change the src attribute to data-src to prevent the iframe from loading until consent is received.

For example, the original YouTube iframe:
<!-- Insert your original iframe tag with src attribute here -->
Changes to the following (with src renamed to data-src and the sp-consent attribute applied):
<!-- Insert your updated iframe tag with data-src and sp-consent="Youtube" here -->
In this example, the plugin name is Youtube — verify the exact name in your Secure Privacy Scan Report before applying.
Note 1: YouTube offers an alternative domain — www.youtube-nocookie.com — that does not set HTTP cookies. However, this domain sets persistent "super cookies" in the browser's HTML localStorage, which also require prior consent. Manual blocking is still required.
Note 2: Manual iframe blocking is required even if you are using Secure Privacy's auto-blocking feature. Auto-blocking currently only applies to iframes created dynamically by JavaScript — such as advertising iframes injected by a script. For iframes embedded directly in your page HTML — such as YouTube video embeds — you must follow the manual blocking steps described in this article.
Frequently Asked Questions
What is the difference between automated and manual blocking in Secure Privacy?
Automated blocking detects and blocks scripts and dynamically injected iframes without requiring changes to your page code. Manual blocking requires you to modify the attributes of script and iframe tags directly in your HTML — renaming src to data-src and adding the sp-consent attribute. Manual blocking is required for iframes embedded directly in page HTML, including most YouTube and Vimeo embeds.
Where do I find the plugin name to use in the sp-consent attribute?
The plugin name is listed in your Secure Privacy Scan Report. Navigate to your Secure Privacy dashboard and open the Scan Report for your domain — the exact plugin name to use in sp-consent="PLUGIN NAME" is shown against each detected tracker or third-party embed.
Does using youtube-nocookie.com mean I don't need to block the YouTube iframe?
No. While youtube-nocookie.com does not set HTTP cookies, it stores persistent data in the browser's HTML localStorage — which also constitutes tracking and requires prior consent under the ePrivacy Directive and GDPR. Manual blocking must still be applied even when using the nocookie domain.
See Also
- Secure Privacy Pricing Plans Overview

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

- Website Visits vs Page Views vs Consent Explained

---

# How to Embed Your Privacy Policy Text Directly on a Web Page Using Secure Privacy

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-privacy-policy-text-on-a-website
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T19:30:07.778+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to embed your Secure Privacy privacy policy as inline text on any web page — copy the embed code from your account and paste it into your HTML page body in five steps.

This guide explains how to embed your Secure Privacy Privacy Policy as direct text on any page of your website using the embed code from your account. This is one of three available embed options — alongside the button and hyperlink methods — and displays the full privacy policy text inline on the page.
This guide assumes the Secure Privacy script is already installed on your website. If not, complete the installation before proceeding.
Who Is This For?
- Website administrators and developers embedding privacy policy text directly on a webpage

- Compliance teams adding a dedicated privacy policy page to their website using Secure Privacy

- Anyone using the Secure Privacy Privacy Policy Generator who wants to display policy text inline rather than via a button or link

How to Embed Your Privacy Policy Text on a Web Page
- Log in to your Secure Privacy account and navigate to Privacy & Cookie Policy > Use on Website > Direct Text Embedding.

- Copy the embed code shown on the screen.

- Open the web page where you want the privacy policy text to appear — in your HTML editor, CMS, or page builder.

- Paste the HTML embed code anywhere inside the <body> section of your page where you want the privacy policy text to display.

- Save your page. Your Privacy Policy text will now appear inline on the page wherever you pasted the embed code.

Frequently Asked Questions
What is the difference between the Direct Text Embedding option and the Button or Hyperlink embed options?
The Direct Text Embedding option displays your full privacy policy text inline on the page — visible to visitors without any clicking. The Button embed displays a clickable button that opens the policy in a pop-up, and the Hyperlink embed displays a text link. Use Direct Text Embedding when you want a dedicated privacy policy page with the full policy text visible on load.
Does the embedded privacy policy update automatically when my scan results change?
Yes. The embed code loads your policy content dynamically from Secure Privacy — so auto-generated sections such as cookie and plugin data update automatically whenever you rescan your domain, without needing to update the embed code on your page.
Where in the page should I paste the embed code?
Paste the embed code anywhere inside the <body> tag of your HTML page where you want the privacy policy text to appear. For a dedicated privacy policy page, paste it in the main content area. In most CMS platforms, use the HTML or source code editing mode to add it to the page body.
See Also
- Secure Privacy Pricing Plans Overview

- Website Visits vs Page Views vs Consent Explained

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Add a Privacy Policy Button to Your WordPress Website Using Secure Privacy

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-a-privacy-policy-button-on-a-wordpress-menu
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:28:55.773+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to add a Secure Privacy privacy policy button to your WordPress website — copy the embed shortcode, choose a button color, and add it to your menu in a few steps..

This guide explains how to add a Privacy Policy button to your WordPress menu using Secure Privacy's embed code — so visitors can access your privacy policy from your site's navigation at any time.
Note: This guide assumes the Secure Privacy script is already installed on your website. If not, complete the installation before proceeding.
Who Is This For?
- WordPress website owners adding a privacy policy button to their site navigation

- Compliance teams ensuring a GDPR-compliant privacy policy link is always accessible to visitors

- Website administrators embedding Secure Privacy policy buttons via WordPress menu shortcodes

How to Add a Privacy Policy Button to Your WordPress Website
- Log in to your Secure Privacy account and navigate to Privacy Policy > Use on Website > Embedding Code.

- Select the background color you prefer for your privacy policy button.

- Copy the embed shortcode shown.

- Log in to your WordPress admin panel and go to Appearance > Menus.

- Select the menu where you want the button to appear and open the Custom Links or Shortcode option.

- Paste the HTML shortcode into the appropriate field.

- Click Save Menu. Your Privacy Policy button will now appear in the selected menu on your website.

Frequently Asked Questions
Can I change the color of the privacy policy button after adding it?
Yes. Return to Privacy Policy > Use on Website > Embedding Code in your Secure Privacy account, select a new background color, copy the updated shortcode, and replace the existing shortcode in your WordPress menu.
Where will the privacy policy button appear on my website?
The button appears in whichever WordPress menu you add the shortcode to — typically the primary navigation menu, footer menu, or any custom menu displayed in your theme. Position it in the menu location most visible and accessible to your website visitors.
Can I add the privacy policy button to a widget area instead of a menu?
Yes. You can paste the embed shortcode into a Text or Custom HTML widget in any WordPress widget area — such as the sidebar or footer — using the same shortcode copied from your Secure Privacy account.
See Also
- Secure Privacy Pricing Plans Overview

- Website Visits vs Page Views vs Consent Explained

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Add a Privacy Policy Link to Your Website Using Secure Privacy – Hyperlink Embed Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-add-a-privacy-policy-link-on-a-website
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:33:36.917+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to add a privacy policy hyperlink to your website using Secure Privacy's embed code — switch to Hyperlink mode, copy the link code, and paste it into your page HTML in a few steps.

This guide explains how to add a privacy policy hyperlink to any page on your website using Secure Privacy's link embed code — giving visitors a clickable text link that opens your privacy policy directly.

Note: This guide assumes the Secure Privacy script is already installed on your website. If not, complete the installation before proceeding.

Who Is This For?

  - Website owners and administrators adding a privacy policy link to their site using Secure Privacy

  - Developers embedding a privacy policy hyperlink in page footers, forms, or content areas

  - Compliance teams ensuring a GDPR-compliant privacy policy link is accessible to visitors across the website

How to Add a Privacy Policy Hyperlink to Your Website

  - Log in to your Secure Privacy account and navigate to Privacy & Cookie Policy > Use on Website.

  - Switch the embed type to Hyperlink.

  - Copy the Link code shown.

  - Open the web page where you want the privacy policy link to appear — in your HTML editor, CMS, or page builder.

  - Paste the HTML code anywhere inside the <body> section of your page where you want the link to display — for example, in the footer or below a contact form.

  - Save your page. Your privacy policy link will now appear and be clickable for visitors.

Frequently Asked Questions

Can I customize the link text displayed to visitors?

Yes. Before copying the Link code, update the Hyperlink text field in the Secure Privacy embed settings to display the text you want visitors to see — such as "Privacy Policy" or "View our Privacy Policy."

Where is the best place to add the privacy policy link on my website?

The most common locations are the page footer — where it is visible on every page — and alongside consent forms, checkout pages, and sign-up flows where visitors are providing personal data. Adding it in these locations helps meet GDPR transparency requirements at the point of data collection.

Does the link need to be updated when my privacy policy changes?

No. The hyperlink embed code loads your policy content dynamically from Secure Privacy, so the link always points to your current, up-to-date policy. You do not need to update the embed code on your page after making changes to your policy.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Change the Cookie Banner Font Source in Secure Privacy – Google CDN vs Browser Default

URL: https://support.secureprivacy.ai/article/cmp-v1-how-do-i-change-the-font-for-the-cookie-banner
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:43:11.338+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to change the font source for your Secure Privacy cookie consent banner — switch between Google CDN and Browser Default in the Colors and Styling settings to resolve CSP issues or avoid third-party font requests.

By default, Secure Privacy's cookie consent banner uses the Raleway font loaded from Google's CDN. You can change the font source to use browser default fonts instead — useful if your Content Security Policy blocks external CDN requests or if you prefer not to load fonts from Google's servers.

Who Is This For?

  - Website administrators customizing the font source for their Secure Privacy cookie consent banner

  - Developers resolving Content Security Policy (CSP) issues caused by Google CDN font loading

  - Privacy-conscious website owners who prefer not to load third-party fonts from Google's infrastructure

How to Change the Cookie Banner Font Source

The Font Source setting offers two options:

  - Google — loads the Raleway font from Google's CDN (default)

  - Browser Default — uses the visitor's browser default font, with no external CDN request

To change the font source:

  - Log in to your Secure Privacy dashboard and navigate to your cookie banner settings.

  - Open the Colors and Styling sidebar menu.

  - Locate the Font Source option and select either Google or Browser Default.

  - Click the green Save button to apply the change.

Frequently Asked Questions

Why would I switch from Google CDN to Browser Default for the font source?

The most common reason is a Content Security Policy (CSP) that blocks external font requests from Google's CDN — which can cause the banner to display incorrectly or trigger console errors. Switching to Browser Default eliminates the external CDN dependency. It also avoids making a network request to Google's servers on page load, which can be relevant for visitors in regions with stricter privacy expectations around Google services.

Will switching to Browser Default change how my cookie banner looks?

Yes, slightly. The Raleway font used by default has a specific appearance. Switching to Browser Default means the banner will use the visitor's browser system font instead — which varies by browser and operating system. If visual consistency is important, test the banner appearance after making the change.

Do I need to rescan or make any other changes after updating the font source?

No. Changing the font source only affects how the banner's font is loaded in the visitor's browser. It does not affect your cookie scan results, blocking configuration, or compliance score. The change takes effect as soon as you click Save.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# How to Add Custom CSS to Your Cookie Consent Banner in Secure Privacy

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-change-the-css-of-your-cookie-consent-banner
Product: Consent Management
Category: Secure Privacy Legacy
Published: 2026-03-06T12:44:00+00:00
Updated: 2026-03-22T20:46:23.785+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to add or replace custom CSS for your Secure Privacy cookie consent banner — paste your styles into the CSS box, choose whether to override or replace default styles, and save in a few steps.

Secure Privacy supports full custom CSS for your cookie consent banner — allowing you to override default styles or apply a completely new stylesheet to match your website's branding. This guide explains how to add, replace, and manage custom CSS for your banner in a few steps.

Who Is This For?

  - Web developers customizing the appearance of the Secure Privacy cookie consent banner with CSS

  - Website administrators applying custom fonts or styles to the cookie banner to match their brand

  - Designers replacing the default banner CSS with a fully custom stylesheet

How to Add Custom CSS to Your Cookie Consent Banner

  - In your Secure Privacy dashboard, navigate to Banners > Cookie Banner > Add Custom CSS.

  - Paste your CSS into the CSS text box provided.

  - If you want to completely replace the default banner CSS with your own stylesheet, check the Replace Default CSS option. Leave this unchecked if you only want to override specific properties.

  - Click Save.

  - Your CSS will be applied to the cookie banner immediately.

Important Notes

  - Overriding specific properties: If you only want to change a few styles — such as colors, font size, or button radius — leave Replace Default CSS unchecked. Your custom CSS will be added on top of the existing default styles, applying only the properties you have specified.

  - Replacing all CSS: Check Replace Default CSS only when you are supplying a completely new stylesheet for the banner. This removes the default styles entirely and applies only your custom CSS.

  - Importing external stylesheets and fonts: You can use @import inside the CSS text box to load external stylesheets or web fonts — for example, importing a custom font from Google Fonts or your own CDN.

Frequently Asked Questions

What is the difference between adding custom CSS and replacing the default CSS?

Adding custom CSS without checking Replace Default CSS applies your styles on top of Secure Privacy's default banner styles — useful for changing specific properties like colors or padding. Checking Replace Default CSS removes all default styles and applies only your custom stylesheet — use this when you want complete control over the banner's appearance from scratch.

Can I use @import to load custom fonts in the cookie banner?

Yes. Add your @import statement at the top of the CSS text box to load an external font or stylesheet. For example, you can import a Google Font to use in the banner — just ensure the font URL is allowed by your website's Content Security Policy.

Will custom CSS affect the cookie banner across all pages of my website?

Yes. Custom CSS applied in the Banner Settings is loaded as part of the Secure Privacy script and applies to the cookie banner on every page where the script is active.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Secure Privacy Volume Discounts – Custom Consent Storage Pricing for Multiple Domains and High Traffic

URL: https://support.secureprivacy.ai/article/secure-privacy-volume-discounts--custom-consent-storage-pricing
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:23:11.236+00:00
Reading Time: 2 minutes
Summary: Learn how Secure Privacy volume discounts work for multiple domains and high monthly visitor counts — book a consultation call to receive a custom consent storage pricing quote.

Secure Privacy offers volume discounts for organizations managing consent storage across multiple domains or with high monthly visitor counts. Pricing is tailored based on your specific domain count and consent storage requirements — book a call to receive a personalized quote.

Who Is This For?

  - Website owners managing multiple domains who need consolidated consent storage pricing

  - Marketing managers estimating consent storage requirements based on monthly visitor traffic

  - Compliance officers planning consent storage capacity across their organization's web properties

  - Sales prospects evaluating Secure Privacy volume pricing for enterprise or agency use

How to Get a Volume Discount on Consent Storage

  - 
    Assess your needs. Determine how many domains you manage and your estimated monthly visitor count per domain — this information is used to calculate your consent storage requirements and applicable discount.

  

  - 
    Book a demo or consultation call. Schedule a personalized call directly via Calendly:

    Book a call with the Secure Privacy team

  

  - 
    Receive a custom quote. After the call, you will receive a tailored pricing quote based on your consent storage needs and volume. If you have additional questions before or after the call, contact the sales team at sales@secureprivacy.ai.

  

  - 
    Contact support for any questions. The Secure Privacy support team is available at support@secureprivacy.ai to assist with any questions before, during, or after the pricing process.

  

Frequently Asked Questions

How are volume discounts calculated?

Volume discounts are based on two factors: the number of domains you manage and your total monthly visitor traffic across those domains. Together, these determine your consent storage requirements — and the applicable discount tier. Provide these details during your consultation call for an accurate quote.

Can I speak directly with Secure Privacy leadership about pricing?

Yes. You can book a call directly via Calendly for a personal consultation on volume pricing and consent storage needs.

What if I have questions after the demo or quote?

The Secure Privacy support team is available at support@secureprivacy.ai to help with any follow-up questions about your quote, plan configuration, or consent storage requirements.

See Also

  - Secure Privacy – Google-Certified Consent Management Platform

  - Ensuring Compliance with Google's EU User Consent Policy

  - Domain Licensing Model Explained

---

# How to Add Custom CSS to Your Cookie Banner and Preference Center in Secure Privacy

URL: https://support.secureprivacy.ai/article/add-custom-css-for-branding--secureprivacy-guide
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:58:58.264+00:00
Reading Time: 3 minutes
Summary: Learn how to add custom CSS to your Secure Privacy cookie banner and preference center — step-by-step guide to accessing the Designs tab and applying brand-consistent styling.

Adding custom CSS to your Secure Privacy cookie banner and preference center lets you align the consent UI with your brand identity — going beyond the default design templates to create a cohesive, visually consistent user experience. This guide walks through how to access and apply custom CSS in the Designs section of your Secure Privacy dashboard.

We recommend involving web development professionals to ensure your CSS is conflict-free and does not interfere with banner functionality.

Who Is This For?

  - Web designers applying brand-consistent styling to the Secure Privacy cookie banner and preference center

  - Marketing teams optimizing the visual appearance of cookie consent UI for user experience

  - Developers implementing advanced custom styles beyond what default design settings provide

Why Use Custom CSS for Your Cookie Banner?

Seamless brand integration

Custom CSS allows your cookie consent banner and preference center to match your website's typography, color palette, and visual style — so the consent UI feels like a native part of your site rather than a third-party overlay.

Advanced customization beyond default templates

While Secure Privacy's default design settings cover the most common styling needs, custom CSS gives you full control over spacing, layout, hover states, animations, and any other visual property that default settings do not expose.

Professional implementation reduces risk

Involving a web developer when writing custom CSS helps prevent conflicts with existing stylesheets, ensures cross-browser compatibility, and avoids unintended changes to banner functionality.

How to Add Custom CSS to Your Cookie Banner or Preference Center

Step 1: Log in to Secure Privacy

Log in to your Secure Privacy account at cmp.secureprivacy.ai/login.

Step 2: Navigate to the Designs tab

In your control panel, click the Designs tab.

Step 3: Select the design to modify

Choose the design you want to apply custom CSS to.

Step 4: Locate the Custom CSS section

  - For Cookie Banner CSS: Go to Cookie Banner settings, select Color, then click Custom CSS.

  - For Preference Center CSS: Navigate to Preference Center, then select Custom CSS.

Step 5: Paste and save your CSS

Paste your CSS code into the Custom CSS text area and click Save to apply the changes.

Frequently Asked Questions

Can I add any CSS without breaking banner functionality?

Custom CSS gives you full styling flexibility, but poorly written or conflicting CSS can interfere with banner display or functionality. Validate your CSS before saving, test thoroughly after applying, and involve a web developer if you are making significant layout or structural changes. Avoid overriding critical class names that control banner behavior.

When will my CSS changes appear on the live site?

Changes typically take effect immediately after saving. If the updated styles are not appearing, clear your browser cache and any CDN or site cache, then reload in an incognito window to see the latest version.

Can I add custom CSS to both the Cookie Banner and the Preference Center separately?

Yes. Custom CSS is configured independently for the Cookie Banner (via Cookie Banner > Color > Custom CSS) and the Preference Center (via Preference Center > Custom CSS). You can apply different stylesheets to each without affecting the other.

See Also

  - Customizing Your Cookie Consent Banner Design

  - Upload a Custom Logo to Your Banner

  - Managing Designs in Secure Privacy

  - Best Practices for Web Accessibility and Design

---

# How to Block Cookies in GTM Triggers Using User Consent Conditions

URL: https://support.secureprivacy.ai/article/block-cookies-in-complex-gtm-triggers--consentbased-tagging
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T01:18:29.12+00:00
Reading Time: 3 minutes
Summary: Step-by-step guide to blocking cookies in Google Tag Manager triggers using a custom consent check variable. Ensure GDPR compliance by preventing tags from firing without user consent.

When implementing Google Tag Manager (GTM) consent management, ensuring that tags and triggers respect user cookie consent is essential for GDPR, ePrivacy, and other privacy-regulation compliance. This guide walks you through how to block cookies in GTM triggers by adding a consent condition — preventing any tag from firing until explicit user consent has been collected by your Consent Management Platform (CMP).
Who Is This Guide For?
- GTM administrators responsible for tag governance and consent compliance

- Web developers implementing tag management and cookie-blocking logic

- Digital marketers managing analytics, advertising, and tracking tags under consent requirements

How to Block Cookies in GTM Triggers Based on User Consent
Step 1: Create a User-Defined Variable for the Consent Check
- In GTM, go to Variables > New.

- Name the variable using the format:
Check [Plugin_name] consentNote on placeholders: Throughout this guide, [Plugin_name] (square brackets) denotes a value you replace with your actual service or plugin name. Do not use double curly braces ({{ }}) in variable names or code you author — GTM will interpret that syntax as a live variable reference and fail to resolve it.

- Set Variable Type to Custom JavaScript.

- Enter the following code, replacing [Plugin_name] with your exact service name:
function() {
  return sp.checkConsent("[Plugin_name]");
}
- The plugin name is case-sensitive — match it exactly as it appears in your CMP or cookie scan report, for example - for the service "Google Analaytics" it would look like this - 
function() {
  return sp.checkConsent("Google Analaytics");
}
- Save the variable.

Step 2: Verify the Plugin Name Matches Your CMP
- Copy the service or plugin name directly from your cookie scan or CMP dashboard to avoid typos.

- Confirm spelling and capitalisation match exactly — a mismatch will cause the consent check to always return false.

Step 3: Add the Consent Condition to Your GTM Trigger
- Navigate to Triggers in GTM.

- Open the trigger you want to gate (e.g., a custom event trigger or click trigger).

- Add a new trigger condition using the variable you created:
Check [Plugin_name] consent — equals — true
- This condition ensures the trigger — and any tag attached to it — only fires when the user has granted consent for that specific service.

Step 4: Publish Your GTM Container
Save the trigger and publish your GTM container. Tags governed by this trigger will now respect user consent: cookies are blocked and tags remain dormant until the user actively consents through your CMP.
Frequently Asked Questions
My tag still fires without consent — what could be wrong?
- Confirm the plugin name inside sp.checkConsent("[Plugin_name]") matches your CMP entry exactly, including capitalisation.

- Verify the Custom JavaScript variable returns a strict boolean true or false — not a string or undefined value.

- Check that all trigger conditions evaluate to true simultaneously; a single failing condition will prevent the trigger from firing correctly.

- Ensure you have not used {{ }} double-curly-brace notation in your variable code or name, as GTM will try to resolve this as a built-in variable reference.

How do I test whether the consent condition is working in GTM?
- Use GTM Preview Mode to inspect which triggers fire and which are blocked in real time.

- Toggle consent on and off in your CMP and confirm the tag fires only when consent is granted.

- Check the Variables pane in Preview Mode to confirm your consent variable returns the expected boolean value.

See Also
- Implementing Google Consent Mode (Advanced) using Google Tag Manager

- Basic vs. Advanced Google Consent Mode: A Deep Dive into Data Collection

- Ensuring Compliance with Google's EU User Consent Policy

---

# How to Rescan Your Website in Secure Privacy – Update Cookie Detection and Compliance Status

URL: https://support.secureprivacy.ai/article/perform-website-rescan--secureprivacy-howto
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:04:11.327+00:00
Reading Time: 2 minutes
Summary: Learn how to trigger a website rescan in Secure Privacy to update your cookie scan report, refresh blocking rules, and keep your cookie declaration accurate after site changes.

Secure Privacy's cookie and service blocking relies on your most recent scan results. Whenever you add new third-party services, update your website, or change your tracking configuration, triggering a website rescan ensures your blocking rules and cookie declaration stay accurate and current.

Who Is This For?

  - Website administrators keeping their Secure Privacy scan report and cookie declaration up to date

  - Compliance teams verifying that cookie blocking reflects the latest services deployed on their site

  - Developers monitoring cookie and tracker detection after making changes to website scripts or tag configurations

How to Rescan Your Website in Secure Privacy

  - Log in to your Secure Privacy account and select the domain you want to rescan.

  - Click the Scan Report tab in the left sidebar.

  - Click the Rescan Website button to initiate a new scan.

Once the scan completes, your scan report, compliance score, cookie declaration, and blocking configuration will be updated to reflect the latest detected cookies and services on your domain.

Frequently Asked Questions

How often should I rescan my website?

Trigger a rescan whenever you make changes that could affect cookie or service detection — such as adding or removing third-party scripts, updating your tag manager configuration, installing new plugins, or changing marketing tools. A routine rescan at least quarterly is also recommended as part of ongoing compliance management.

How long does a website rescan take?

Most rescans complete within a few minutes. The exact time depends on the size and complexity of your website — larger sites with many pages or third-party scripts may take slightly longer. You can check the Scan Report tab for the updated results once the scan is finished.

Will the rescan update my cookie declaration automatically?

Yes. Once the rescan is complete, your cookie declaration is automatically updated to reflect the newly detected cookies and services — ensuring your published declaration stays accurate without needing to make manual edits.

See Also

  - Include or Exclude Pages from Scanning

  - How to Trigger a Website Scan for a US Location

  - Authenticated Secure Privacy Website Scans

---

# How to Add a Cookie Consent Banner to Your Odoo Website with Secure Privacy

URL: https://support.secureprivacy.ai/article/-integrate-secure-privacy-with-odoo--quick-setup-guide
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-04-03T00:05:12.84+00:00
Reading Time: 9 minutes
Summary: Step-by-step guide to integrating Secure Privacy with Odoo. Add a GDPR & CCPA cookie consent banner to your Odoo website using Odoo Studio's Custom Code section.

Running an Odoo website puts powerful e-commerce, CRM, and content tools at your fingertips — but it also means you're collecting visitor data, setting cookies, and processing personal information the moment someone lands on your site. That makes GDPR, ePrivacy, and CCPA compliance not optional, but mandatory — and regulators are actively issuing fines to businesses that treat privacy as an afterthought.
Many Odoo website owners discover this the hard way. They assume the platform handles compliance automatically, or they enable Odoo's built-in cookie bar and consider the job done. The problem: Odoo's native cookie bar — while a useful starting point — does not meet the full requirements of the EU's GDPR and ePrivacy Directive. It lacks granular consent categorisation, prior-consent third-party script blocking, and documented consent records that a regulatory audit would demand.
The cleaner path is to integrate a dedicated consent management platform (CMP) directly into your Odoo website. Secure Privacy is built for exactly this: it delivers a fully compliant cookie consent banner, automatic cookie scanning, prior-consent script blocking, a verifiable consent log, and support for GDPR, CCPA/CPRA, LGPD, and ePrivacy — all injectable into any Odoo site in minutes via a single script.
In this guide you will learn how Odoo 19 handles privacy natively, where those built-in tools fall short, and how to install Secure Privacy on your Odoo website site-wide — no developer required.
Who Is This Guide For?
This guide is for:
- Odoo website owners and administrators who need to display a compliant cookie consent banner and meet privacy regulations such as GDPR, CCPA, or ePrivacy.

- Odoo e-commerce operators running shops that serve visitors from the EU, UK, or California.

- Businesses evaluating their Odoo privacy setup and wondering whether Odoo's native tools are sufficient.

- Developers or IT administrators looking for the recommended method to inject a third-party script site-wide in Odoo 19.

You will need access to Odoo Studio (available on Odoo Enterprise and Odoo Online Standard plans and above) and a Secure Privacy account with your installation script ready.
Odoo 19's Built-In Privacy Options — and Their Limitations
Odoo 19 ships with a native Cookies Bar that provides a baseline privacy layer for your website. Understanding what it does — and what it doesn't — is essential before deciding how to implement full compliance.
What Odoo 19's Native Cookie Bar Does
To enable it, go to Website → Configuration → Settings → Tracking & SEO and toggle on Cookies Bar. When active, Odoo will:
- Display a consent banner to first-time visitors.

- Block embedded third-party services (social media, video players, Google services) by default until the visitor consents.

- Create a /cookie-policy page listing default cookies and their purposes.

- Support Google Consent Mode v2, allowing GA4 and Google Ads signals to function in a consent-aware mode.

Where Odoo's Native Cookie Bar Falls Short
For many Odoo websites, the native cookie bar alone is not enough to satisfy GDPR and ePrivacy requirements. Odoo's own user community has raised several documented gaps:
- No verifiable consent log — GDPR requires you to prove that a specific visitor consented, at what time, and to what. Odoo does not store an auditable consent record per visitor.

- Limited granular categories — advanced marketing or analytics setups require fine-grained consent categories beyond Odoo's defaults.

- Third-party script blocking is partial — only services explicitly listed are blocked; custom tracking tags added via Odoo Studio or external integrations may fire without consent.

- No multi-regulation support — Odoo's banner is EU-oriented; it does not automatically adapt its logic for CCPA (US), LGPD (Brazil), or other regional frameworks.

- No cookie auto-scan — you must manually maintain the cookie policy page as your site's tech stack changes.

If your Odoo website operates in multiple markets or runs any marketing or advertising technology, a dedicated CMP is the appropriate solution.
Why a Dedicated Cookie Consent Platform Goes Further
A dedicated consent management platform (CMP) like Secure Privacy is purpose-built for regulatory compliance in a way that a general-purpose platform's built-in feature cannot match. Key advantages:
- Automatic cookie scanning — Secure Privacy continuously scans your Odoo website and auto-populates the cookie declaration, so your consent banner always reflects what your site actually sets.

- Prior-consent script blocking — marketing pixels, analytics tags, and third-party scripts are blocked from executing until the visitor grants consent, not just flagged.

- Documented consent records — every consent event is logged with a timestamp, visitor identifier, and consent version, giving you the audit trail GDPR Article 7 demands.

- Multi-regulation logic — a single implementation handles GDPR, CCPA/CPRA, ePrivacy, LGPD, and more, adapting the banner display to the visitor's detected jurisdiction.

- Google Consent Mode v2 integration — Secure Privacy signals consent state to Google's advertising and analytics stack, protecting your ad attribution while staying compliant.

Prerequisites
- An active Odoo account with Odoo Studio access (Odoo Enterprise or Odoo Online Standard plan and above).

- A Secure Privacy account with a domain configured and your cookie consent installation script ready. (Create a free account at secureprivacy.ai if you don't have one yet.)

- Administrator or website editor permissions within your Odoo instance.

How to Install Secure Privacy on Your Odoo 19 Website
The method below uses Odoo Studio's Custom Code section — the recommended no-code route for pasting a site-wide JavaScript script in Odoo 19. The script is injected across every page of your website automatically.
Step 1 — Log In to Odoo and Open Studio
Log in to your Odoo account. From the main menu, navigate to the Apps page and select Studio.
Navigate to the Apps page and open Odoo Studio.
Step 2 — Open the Website Widget Inside Odoo Studio
Inside Odoo Studio, locate and open the Website widget. This is the module that controls your Odoo website's settings and code injection.
Open the Website widget in Odoo Studio to access site-wide settings.
Step 3 — Navigate to Configuration > Websites
In the top navigation bar of the Website widget, click Configuration and select Websites from the dropdown.
Select Websites from the Configuration menu in Odoo Studio.
Step 4 — Select Your Odoo Website
You will see a list of all websites configured in your Odoo instance. Select the website where you want to install the Secure Privacy cookie consent banner.
Select the correct Odoo website from the list.
Step 5 — Paste the Secure Privacy Script into Custom Code and Save
Scroll down to the Custom Code section. Paste your Secure Privacy cookie consent installation script into the field, then click Upload to save.
Paste the Secure Privacy installation script into the Custom Code field, then click Upload.
🎉 Done! Secure Privacy is now installed on your Odoo website. The cookie consent banner will display to visitors according to your Secure Privacy account settings — across every page, site-wide.
What Happens After Installation
Once the script is live, Secure Privacy automatically:
- Scans your Odoo website for cookies and third-party trackers and populates your cookie declaration.

- Displays the consent banner to new visitors and returning visitors whose consent has expired.

- Blocks non-essential scripts from firing until the visitor grants consent for the relevant category.

- Logs each consent event with a timestamp, banner version, and visitor token — creating your GDPR audit trail.

- Signals consent to Google via Google Consent Mode v2, so your GA4 and Google Ads data remains compliant and as complete as possible.

You can verify the banner is active by opening your Odoo website in a private/incognito browser window (logged out of Odoo) — the consent prompt should appear on the first page load.
Troubleshooting — Common Issues & Fixes
Custom Code Section Is Not Visible in Odoo Studio
Make sure you have the required Odoo Studio permissions and that your Odoo plan includes Studio access. Some Odoo themes do not expose the Custom Code field by default — contact your theme provider or check your Odoo subscription level. If Studio is not available on your plan, a developer can inject the script site-wide via a custom Odoo module that inherits the website.layout QWeb template.
Cookie Consent Script Is Not Executing
Double-check that the Secure Privacy installation script is correctly pasted and saved in the Custom Code section. Clear your browser cache and reload. Always test in a private/incognito window while logged out of Odoo — Odoo suppresses some scripts for authenticated admin users.
Cookie Banner Is Not Showing on the Website
Log in to your Secure Privacy account and verify that cookie consent is enabled for your domain. Confirm the domain URL in your Secure Privacy settings exactly matches your Odoo website URL — including whether it uses www or not.
Script Installed But Banner Appears on Some Pages Only
The Custom Code section in Odoo Studio injects the script globally across your website. If the banner is missing on specific pages, check whether those pages use a different template or theme layout that may not inherit the main website.layout. Contact Secure Privacy support if the issue persists.
Frequently Asked Questions
Does Odoo 19 have a built-in cookie consent banner?
Yes. Odoo 19 includes a native Cookies Bar (found at Website → Configuration → Settings → Tracking & SEO → Cookies Bar) with Google Consent Mode v2 support. However, the native bar has documented compliance gaps — it does not maintain a verifiable per-visitor consent log, does not auto-scan for new cookies, and does not adapt its consent logic to multiple regional frameworks (CCPA, LGPD, etc.). A dedicated CMP like Secure Privacy closes those gaps.
How do I add a cookie consent script to my Odoo website site-wide?
The recommended no-code method is via Odoo Studio: go to Apps → Studio → Website widget → Configuration → Websites → select your site → scroll to the Custom Code section → paste your script → click Upload. The script is then injected across every page automatically.
Is Odoo GDPR compliant out of the box?
Odoo provides a foundation — a native cookie bar, a cookie policy page, and Google Consent Mode v2 signals — but full GDPR compliance requires a verifiable consent log, prior-consent script blocking for all trackers, and documented data processing records. These are not fully covered by Odoo out of the box, which is why many operators integrate a dedicated CMP.
Do I need Odoo Studio to add a cookie consent banner?
Odoo Studio is the recommended no-code route. It requires an Odoo Studio licence (included in Odoo Enterprise and higher Online plans). Alternatively, a developer can inject scripts via a custom Odoo module that inherits the website.layout QWeb template — but this requires development access and server-side deployment.
Does Secure Privacy support Odoo's multi-website setup?
Yes. Repeat the installation steps for each website in your Odoo instance. Each site will need its own Secure Privacy installation script configured for its specific domain in your Secure Privacy account.
Will adding the Secure Privacy script slow down my Odoo website?
No. The Secure Privacy cookie consent script is lightweight and loads asynchronously, so it does not block page rendering or negatively impact your site's performance or Core Web Vitals scores.
Which privacy regulations apply to my Odoo website?
If you serve visitors from the EU or UK, GDPR and the ePrivacy Directive apply. For California visitors, CCPA/CPRA applies. For Brazilian visitors, LGPD applies. Most Odoo e-commerce and SaaS websites serve visitors from multiple regions and therefore need to comply with several frameworks simultaneously — which is where a multi-regulation CMP like Secure Privacy is essential.
See Also
- Onboard with Secure Privacy via CMS Plugins (Shopify, WordPress)

- Customise Your Website's Cookie Banner Using Templates

- Add Custom CSS for Cookie Banner Branding

- How to Perform a Website Rescan

- How to Add a GDPR Cookie Consent Banner to Your Magento Store with Secure Privacy

- How to Install a GDPR & CCPA Cookie Consent Banner on Shopify with Secure Privacy

---

# Form W-8BEN – Who Needs to Submit It, Validity Period, and Where to Get Help via Secure Privacy

URL: https://support.secureprivacy.ai/article/what-is-the-w8ben-and-what-is-its-purpose
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:27:05.858+00:00
Reading Time: 3 minutes
Summary: Learn what Form W-8BEN is, who needs to submit it, how long it remains valid, and how to get assistance with submission through Secure Privacy support.

Form W-8BEN is a U.S. IRS tax form used to establish foreign (nonresident alien) status under Chapter 3 of the U.S. tax code. Nonresident aliens receiving income from U.S. sources are generally subject to a 30% withholding tax — and submitting Form W-8BEN to the withholding agent or payer is required to document that status. This article explains who needs to submit the form, how long it remains valid, and where to find official IRS guidance.

Note: This article provides general informational guidance only and is not tax or legal advice. Consult a qualified tax professional for advice specific to your situation.

Who Is This For?

  - Nonresident aliens receiving U.S.-sourced income subject to withholding who need to certify their foreign status

  - Account holders of Foreign Financial Institutions (FFIs) documenting themselves as nonresident aliens

  - Secure Privacy customers or partners outside the United States who have been asked to provide Form W-8BEN

Who Needs to Submit Form W-8BEN?

You must submit Form W-8BEN to the withholding agent or payer if you are:

  - A nonresident alien who is the beneficial owner of income subject to U.S. withholding tax, or

  - An account holder of a Foreign Financial Institution (FFI) documenting yourself as a nonresident alien

How Long Is Form W-8BEN Valid?

Form W-8BEN is generally valid from the date it is signed through the last day of the third succeeding calendar year — approximately three years. For example, a form signed in 2024 remains valid through 31 December 2027. The form becomes invalid earlier if any of the information on it changes due to a change in circumstances.

Official IRS Resources

For full instructions and official guidance on Form W-8BEN, visit the IRS website: IRS Instructions for Form W-8BEN

Frequently Asked Questions

When should I submit Form W-8BEN?

Submit Form W-8BEN before or at the time you receive U.S.-sourced income subject to withholding — and whenever a withholding agent or payer requests it to certify your nonresident alien status. Do not wait until after income has been received, as withholding may already have been applied.

How long is Form W-8BEN valid?

The form is valid for the calendar year in which it is signed plus three subsequent calendar years. If your circumstances change — such as a change in country of residence or tax treaty eligibility — you must submit a new form promptly to avoid incorrect withholding.

What happens if my information on the form changes?

If any information on your submitted Form W-8BEN becomes incorrect due to a change in circumstances — such as a change of address, name, or treaty eligibility — you must submit a new, updated Form W-8BEN to your withholding agent within 30 days of the change to avoid potential withholding penalties.

Need Assistance?

If you require Form W-8BEN or need help regarding its submission in connection with your Secure Privacy account, contact the support team at support@secureprivacy.ai.

See Also

  - Privacy Compliance Platform Overview

  - How to Handle Data Subject Access Requests (DSARs)

  - Google EU User Consent Policy Compliance Guide

---

# Where Is Secure Privacy Data Stored? – EU Data Residency, Infrastructure Providers, and GDPR Compliance

URL: https://support.secureprivacy.ai/article/-where-is-my-data-stored--secureprivacy-data-location
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T18:44:58.88+00:00
Reading Time: 2 minutes
Summary: Learn where Secure Privacy stores your data — exclusively within the EU using Microsoft Azure (Netherlands) and Amazon AWS (Germany) — and how storage complies with GDPR requirements.

Secure Privacy owns or controls access to all infrastructure hosting your service data. This article explains where your data is stored, which cloud providers are used, and how data storage is managed in compliance with EU data protection law — including GDPR data residency requirements.

Who Is This For?

  - Compliance officers evaluating data residency and sovereignty requirements for GDPR compliance

  - IT and security teams assessing cloud infrastructure and subprocessor arrangements

  - Customers and prospects who need to confirm that their data is stored within the European Union

Data Storage Location

All Secure Privacy service data is stored exclusively within the European Union. Production data centers are located in Germany. No service data is transferred to or stored outside the EU.

Infrastructure Providers

Secure Privacy uses the following EU-based cloud service providers for service data storage:

  
    
    
    
  
  
    
      Location

      Provider

      Type

    

    
      Netherlands

      Microsoft Azure

      Cloud Service Provider

    

    
      Germany

      Amazon AWS

      Cloud Service Provider

    

  

Compliance and Security

All data storage adheres to EU data protection laws, including GDPR. Secure Privacy strictly controls access to all infrastructure to ensure your service data remains safe, confidential, and compliant. Full details on infrastructure subprocessors and service data storage are documented in the Infrastructure Subprocessors – Service Data Storage section of Secure Privacy's Terms of Service.

Frequently Asked Questions

Is my data stored outside the European Union?

No. All Secure Privacy service data is stored solely within EU-based data centers — in the Netherlands (Microsoft Azure) and Germany (Amazon AWS). No service data is transferred to or hosted outside the EU.

Which cloud service providers does Secure Privacy use?

Secure Privacy uses Microsoft Azure (Netherlands) and Amazon AWS (Germany) as infrastructure subprocessors for service data storage. Both are used exclusively within the EU and are subject to the data protection obligations described in Secure Privacy's Terms of Service and Data Processing Addendum.

Where can I find the full list of Secure Privacy's subprocessors?

The full list of infrastructure subprocessors and service-specific subprocessors is published at secureprivacy.ai/subprocessors and referenced in the Terms of Service.

See Also

  - Managing Data Privacy with Secure Privacy

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Terms of Service

---

# GDPR Cookie Categories Explained – Essential, Analytics, Advertising, Preferences, and Social Media Cookies

URL: https://support.secureprivacy.ai/article/why-essential-cookies-are-selected-by-default
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T20:17:40.152+00:00
Reading Time: 4 minutes
Summary: Understand the five GDPR cookie categories in Secure Privacy — Essential, Preferences, Analytics, Advertising, and Social Media — including which require consent and why granular consent is required.

Under GDPR, cookie consent must be granular and specific — your website visitors need to know which categories of cookies you use, what purposes they serve, and have the ability to consent to or deny each category independently. This article explains the GDPR cookie categories used in Secure Privacy's Privacy Preference Center and Cookie Declaration, and why essential cookies are exempt from the consent requirement.

Secure Privacy automatically updates your Privacy Preference Center and Cookie Declaration based on scan results. Cookie categorization is handled automatically, but you can change the category for any cookie at any time using the Classification feature.

Who Is This For?

  - Website owners and administrators managing GDPR cookie consent categories in Secure Privacy

  - Compliance officers and legal teams understanding which cookies require granular consent

  - Marketing teams and developers configuring cookie classification and consent banner categories

Why Cookie Consent Must Be Granular Under GDPR

GDPR requires that consent for cookies be specific to the purpose for which each cookie is used. A visitor who consents to Social Media cookies — for example, Twitter sharing buttons — must give a separate, explicit consent for Media Player cookies such as YouTube embeds. Bundling all non-essential cookies into a single consent request does not satisfy GDPR's granularity requirement.

Cookie Categories in Secure Privacy

Essential Cookies

Essential cookies are strictly necessary for the basic functionality of your website and cannot be switched off in Secure Privacy. They are set as a result of actions visitors take — such as logging in, filling in forms, or navigating between pages — and are required to maintain a user session, track the current page, or identify which account a user is accessing from. Blocking essential cookies typically breaks core website functionality.

Under the Cookie Law and GDPR, essential cookies and strictly necessary cookies are treated as the same category — and do not require user consent.

Preferences Cookies

Unlike essential cookies, preferences cookies supplement and extend website functionality but are not strictly necessary for the site to operate. They may be set by first- or third-party providers added to enhance features — for example, enabling video playback or remembering display settings. Blocking cookies in this category may affect the operation of some or all of the associated services.

Analytics and Customer Interaction Cookies

Analytics cookies track and analyze user behavior — counting visits, analyzing traffic sources, measuring average time spent on pages, and identifying which sections of the website are most and least active. The data collected is aggregated and anonymous. Customer interaction cookies support survey and questionnaire functionality and do not contain personally identifiable information unless the visitor actively opts in to have it stored.

Both analytics and customer interaction cookies require explicit consent under GDPR before they can be activated.

Advertising Cookies

Advertising cookies are typically third-party cookies placed by ad networks or vendors. If you display ads on your website, those third-party ad owners may track your visitors and build user profiles through cookies to deliver personalized and relevant advertisements. Under GDPR, liability for third-party advertising cookies placed on your domain rests with you as the website owner — exercise caution when enabling advertising cookies from external vendors.

Social Media Cookies

If your website includes subscribe, like, or share buttons that connect to any social media platform, you are using social media cookies. These cookies can track a user's browser activity across other websites and build profiles of interests — influencing the content and messages they see on other sites. Disabling this category blocks all social sharing button functionality and related embedded tools.

Frequently Asked Questions

Why can't essential cookies be switched off?

Essential cookies are required for your website to function — without them, core features such as login sessions, form submissions, and page navigation break. Under GDPR and the Cookie Law, strictly necessary cookies are exempt from the consent requirement because they are essential to delivering the service the visitor has explicitly requested. Secure Privacy reflects this by making the Essential category non-optional in the preference center.

Do analytics cookies require consent under GDPR?

Yes. Although analytics data is typically aggregated and anonymous, analytics cookies still track user behavior and require explicit prior consent under GDPR before they can be set. Secure Privacy blocks analytics cookies until consent is given and records the consent event in the audit log.

Can I change the category assigned to a specific cookie?

Yes. While Secure Privacy automatically categorizes detected cookies, you can override any category assignment using the Classification tab in your dashboard. After changing a category, trigger a website rescan to apply the update to your live cookie declaration and preference center.

See Also

  - How to Classify and Edit Your Cookies and Services

  - Do I Need to Block All Cookies?

  - Ensuring Prior Consent for Non-Essential Cookies (GDPR Compliance)

---

# How to Install Secure Privacy on Weebly (Cookie Consent Setup Guide)

URL: https://support.secureprivacy.ai/article/installing-secure-privacy-on-weebly
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T22:50:34.553+00:00
Reading Time: 5 minutes
Summary: Make your Weebly site GDPR & CCPA compliant in minutes. Follow our step-by-step guide to install a Secure Privacy cookie consent banner via Weebly's header code.

If your Weebly website collects any data from visitors — through analytics, embedded forms, social sharing buttons, or ad pixels — you are legally required to display a cookie consent banner under GDPR, UK GDPR, CCPA, and a growing list of global privacy regulations. Ignoring this obligation puts you at risk of fines and, more immediately, erodes the trust of visitors who expect transparent data practices.
Weebly is an excellent website builder, but it does not ship with a built-in, fully compliant cookie consent solution. Many site owners resort to generic free banners that lack proper consent logging, geo-targeting, or automatic cookie scanning — leaving them technically non-compliant even when a banner is displayed.
Secure Privacy closes that gap. It handles consent collection, consent storage, automatic cookie categorisation, and multi-regulation support out of the box — and it connects to Weebly through a single script tag, with no coding required.
By the end of this guide, your Weebly site will display a fully customised, legally compliant cookie consent banner — live, tested, and ready to protect both your visitors and your business.
Who Is This Guide For?
- Weebly website owners who need to meet GDPR, UK GDPR, CCPA, or other privacy regulation requirements

- Business owners and marketers who have already signed up for Secure Privacy and need to connect it to their Weebly site

- Developers managing a client's Weebly site who need a fast, reliable cookie consent integration

Before You Begin
- An active Secure Privacy account with your Weebly domain added

- Admin access to your Weebly site's dashboard

- Approximately 5 minutes

Step-by-Step: Installing Secure Privacy on Weebly
- Log in to your Secure Privacy account.
Visit your Secure Privacy dashboard and sign in with your credentials.

- Copy your installation script.
Go to the Installation page for your target domain. Locate the Secure Privacy installation script and copy the entire code snippet, including the <script> opening and </script> closing tags.

- Log in to your Weebly Admin Dashboard.
Open Weebly and navigate to the dashboard for the site you want to make GDPR-compliant.

- Open Settings.
From the top navigation bar, click Settings.

- Navigate to SEO.
In the left panel, click SEO to open the site-wide code injection options.

- Paste the Secure Privacy script into the Header Code field.
Locate the Header Code text area and paste the full Secure Privacy script there. Important: do not delete or overwrite any code that is already present in this field — paste below any existing content.

- Click Save.
Click the Save button to apply your changes.

- Publish your site.
Click Publish to push the changes live. Your Secure Privacy cookie consent banner will now appear on your Weebly website.

What Happens After Installation?
Once published, Secure Privacy automatically scans your site for cookies and trackers, categorises them, and presents visitors with a consent banner that matches your configured regulations (GDPR, CCPA, and others). Consent records are stored securely in your Secure Privacy dashboard, giving you an auditable log of compliance — something a basic free banner cannot provide.
You can return to your Secure Privacy dashboard at any time to customise the banner's appearance, adjust the consent categories, update your cookie policy, or switch between regulation modes — without touching your Weebly site again.
Troubleshooting
The cookie banner is not appearing after I publish
First, clear your browser cache and reload the page in a private/incognito window — your own browser may have cached a previous version of the site. If the banner still does not appear, return to Settings → SEO → Header Code in Weebly and confirm the full script is present, including both the opening <script> and closing </script> tags.
I can see the script in Header Code but the banner doesn't show on all pages
Code added via Weebly's Header Code field is injected site-wide by default. If certain pages appear unaffected, ensure the page is published (not just saved as a draft) and that no page-level custom code is overriding the header.
I accidentally removed code that was already in the Header Code field
Check your browser history or Weebly's revision history to recover any overwritten code. Going forward, always paste the Secure Privacy script below any existing content in the Header Code area, never replacing it.
Frequently Asked Questions
Do I need a cookie consent banner on my Weebly website?
Yes — if your Weebly site has visitors from the EU, UK, California, or other regulated jurisdictions, privacy laws such as GDPR and CCPA require you to obtain informed consent before setting non-essential cookies or tracking technologies.
Does Weebly have a built-in GDPR cookie consent tool?
No. Weebly does not include a native, fully compliant cookie consent solution. A dedicated tool like Secure Privacy is needed to handle consent collection, logging, and automatic cookie discovery.
How do I add a cookie banner to Weebly?
Paste your Secure Privacy script tag into the Header Code field found under Settings → SEO in your Weebly Admin Dashboard, then save and publish. The banner will appear on your site immediately.
Will the Secure Privacy script slow down my Weebly site?
No. The Secure Privacy script is lightweight and loads asynchronously, so it does not block page rendering or negatively affect your site's performance.
Can I install Secure Privacy on Weebly without any coding knowledge?
Yes. The entire process involves copying a script from your Secure Privacy dashboard and pasting it into a text field in Weebly's settings. No coding or technical expertise is required.
Where do I find the Secure Privacy installation script?
Log in to your Secure Privacy account, select your domain, and navigate to the Installation page. Your unique script tag is displayed there, ready to copy.
Related Installation Guides
- How to Install Secure Privacy on WordPress

- How to Install Secure Privacy on Shopify

- How to Install Secure Privacy on Wix

- How to Install Secure Privacy on Squarespace

- How to Set Up Your Cookie Policy with Secure Privacy

---

# How to Comply with Google's EU User Consent Policy Using Secure Privacy – Banner Setup and GDPR Requirements

URL: https://support.secureprivacy.ai/article/installing-cookie-banner-compliant-with-googles-eu-user-consent-policy
Product: Consent Management
Category: Google Consent Mode
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T21:12:25.294+00:00
Reading Time: 4 minutes
Summary: Learn how to meet Google's EU User Consent Policy requirements using Secure Privacy — enable the Google-compliant consent banner in Templates and Domain Settings in three steps.

Google's EU User Consent Policy requires websites using Google advertising and analytics products to obtain explicit user consent for cookies, local storage, and ad personalization — in compliance with GDPR and ePrivacy regulations across the European Economic Area (EEA) and the UK. This guide explains the policy requirements and how to enable a Google EU UCP-compliant consent banner in Secure Privacy.

Who Is This For?

  - Website owners using Google AdSense, AdManager, or AdMob who must comply with Google's EU User Consent Policy

  - Compliance officers ensuring GDPR and ePrivacy consent requirements are met for Google advertising products

  - Developers and administrators configuring the Google-compliant consent banner in Secure Privacy

Google's EU User Consent Policy — Key Requirements

  - Explicit user consent: Consent is required before setting cookies, accessing local storage, or enabling ad personalization.

  - Third-party disclosure: Websites must clearly inform visitors about third parties — including Google — that access their data.

  - Transparency: Clear information must be provided about how personal data is processed and for what purposes.

Steps to Maintain Compliance with Google's EU Policy

If you use Google AdManager, AdSense, or AdMob, follow these steps to ensure compliance:

Review your consent implementation

Audit your website or app to confirm that your user consent mechanisms, consent banner wording, and data disclosures align with Google's EU User Consent Policy requirements.

Implement a robust consent mechanism

Ensure visitors can easily provide, manage, and withdraw their consent for data collection and advertising personalization — with granular options for each consent category.

Update your privacy notices

Transparently list all data recipients and processing purposes in your privacy policy — including Google services and any other third parties receiving visitor data.

Monitor and audit continuously

Regularly review your consent processes and third-party integrations to identify and close compliance gaps as your technology stack evolves.

How to Enable the Google EU UCP Compliant Banner in Secure Privacy

  - 
    Log in to your Secure Privacy account and navigate to the Templates tab at cmp.secureprivacy.ai/templates. Find the Google template and enable it.

  

  - 
    Navigate to your domain's Domain Settings and confirm the Google template is enabled for the target domain.

  

  - Click Save to apply the changes. The selected domain will now display the Google EU UCP compliant consent banner.

Banner Requirements Built into Secure Privacy

The Google EU UCP compliant banner in Secure Privacy already includes the following requirements out of the box:

  - Fully configurable through a user-friendly interface — no custom code required

  - Explains data collection for ad personalization and measurement in visitor-facing language

  - Links to Google's privacy and data processing information

  - Includes an affirmative consent option — consent signals match the visitor's choice (granted or denied) and are correctly passed to Google via Consent Mode

Enforcement

Websites not complying with Google's EU User Consent Policy may face restrictions on advertising features — including limited access to remarketing, conversion tracking, and ad personalization. To restore full functionality, implement a compliant consent notice and configure your consent mode signals accordingly.

Additional Resources

  - Google's EU User Consent Policy Help Page — comprehensive overview, FAQs, and implementation guidance from Google

  - Legal consultation: Engage with a qualified legal professional to ensure your implementation meets GDPR and ePrivacy obligations specific to your organization

Common Issues and Fixes

Visitors are not seeing the cookie consent banner

Verify that the Google template is enabled in both the Templates tab and your Domain Settings. Also confirm that the Secure Privacy script is correctly installed and loading on all pages of your website, and that the banner targeting is not restricting display to a region that excludes your test location.

Privacy notices have insufficient disclosure

Update your privacy policy and cookie declaration to fully disclose all data recipients — including Google Ads, Google Analytics, and any other third-party services — along with the purposes for which their data is processed. Secure Privacy's auto-generated cookie declaration pulls this information from scan results.

Consent is not being properly recorded or passed to Google

Check your Consent Mode configuration in the Secure Privacy dashboard to ensure consent signals are correctly mapped and being pushed to the dataLayer. Verify the integration with Google Tag Manager or your gtag.js implementation is receiving and applying the consent status before any Google tags fire.

Need Assistance?

Contact Secure Privacy support at support@secureprivacy.ai for general questions. For urgent Google Consent Mode escalations, contact Andrew Sidorkin directly — the team aims to respond within one business day.

For policy questions directed to Google, contact the Google EU User Consent Policy team at ddp-gdpr-escalations@google.com.

See Also

  - Implementing Google Consent Mode Advanced Using GTM

  - How to Add a Custom Service or Cookie

  - Should You Block All Cookies? GDPR Cookie Categories Explained

  - Ensuring Prior Consent for Non-Essential Cookies

---

# IAB Transparency and Consent Framework (TCF) Explained – GDPR Compliance Risks and Secure Privacy's Alternative Approach

URL: https://support.secureprivacy.ai/article/-iab-tcf-explained--google-consent-mode-integration--secure-privacy
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:55:07.785+00:00
Reading Time: 5 minutes
Summary: Learn what the IAB Transparency and Consent Framework (TCF) is, its GDPR compliance risks, and how Secure Privacy's Google Consent Mode Advanced offers a user-centric alternative for cookie consent management.

The IAB Transparency and Consent Framework (TCF) is the advertising industry's standardized method for managing user consent across publishers, advertisers, and Consent Management Platforms under GDPR. This guide explains how IAB TCF works, its key requirements, the compliance concerns raised by Data Protection Authorities, and how Secure Privacy's approach — using Google Consent Mode Advanced — offers a more user-centric alternative for GDPR-compliant consent management.

Who Is This For?

  - Website owners and publishers evaluating whether to implement IAB TCF or an alternative consent management approach

  - Compliance officers assessing the GDPR compliance risks associated with IAB TCF

  - Ad tech and marketing teams managing consent signals for advertising and analytics vendors

What Is the IAB Transparency and Consent Framework (TCF)?

The IAB TCF sets a standardized method for cooperation between online publishers, advertisers, and Consent Management Platforms (CMPs) to meet GDPR transparency and consent requirements. It enables consent signals to be shared between first parties, third parties, and CMPs — so that each vendor in the ad tech ecosystem receives the correct consent status for each user.

Key Players in the IAB TCF Ecosystem

  - Publishers: Website owners who display advertising and collect user data for analytics and personalization.

  - Vendors: Third parties — such as advertisers, ad networks, and analytics providers — that process user data under publisher consent.

  - CMPs: Services like Secure Privacy that help publishers collect, record, and signal user consent in compliance with the IAB TCF standard.

Note: Several Data Protection Authorities (DPAs) have raised formal concerns about whether IAB TCF fully complies with GDPR — including enforcement actions and legal proceedings against IAB Europe directly.

Key Considerations and Compliance Risks of IAB TCF

  - Limited user control: The framework's vendor-centric design may limit website owners' direct control over what user data is collected and by whom — with consent decisions delegated to a vendor-managed list.

  - Transparency and UX trade-offs: IAB TCF's strict UI requirements often result in large, text-heavy cookie banners that can overwhelm visitors and reduce consent quality.

  - Compliance uncertainties: Multiple DPAs have challenged IAB TCF's GDPR adherence:

    
      - Belgian DPA fines IAB Europe €250,000 for GDPR violations

      - Legal proceedings concerning IAB Europe and GDPR compliance — Court of Justice of the EU

    
  

IAB TCF Banner and Preference Center Requirements

IAB TCF mandates specific UI and functionality for cookie banners to ensure uniform consent collection across all publishers using the framework. Required elements include:

  - A prominent, separately displayed consent banner

  - Clear explanation of data storage and processing purposes

  - Information about all third-party vendors and their standard processing purposes

  - A link to the full IAB vendor list

These requirements make TCF-compliant banners substantially larger and more text-heavy than standard cookie consent banners. Modifications to the banner design may risk non-compliance with TCF certification requirements.

The preference center — accessible via the banner's Customize button — includes two tabs:

  - Ad Settings: Visitors can control consent for individual listed vendors and specific processing purposes.

  - Settings: Secure Privacy's standard multi-category cookie consent controls — covering Essential, Analytics, Marketing, and other categories.

Secure Privacy's User-Centric Approach to GDPR Compliance

Secure Privacy offers a GDPR-compliant consent management approach that does not depend on IAB TCF — prioritizing user clarity, website owner control, and adaptability to evolving regulations:

  - Full control for website owners: Direct management of cookie deployment and consent options — without delegating control to a vendor-managed framework.

  - Streamlined consent UX: Intuitive, concise cookie banners that maintain transparency without overwhelming visitors with vendor lists and processing purpose text.

  - Google Consent Mode Advanced integration: Future-proof GDPR compliance and conversion measurement capability — independent of IAB TCF certification.

  - Adaptable to changing regulations: Secure Privacy's framework updates as privacy laws evolve — covering GDPR, CCPA, LGPD, and 50+ other regulations.

Conclusion: IAB TCF vs. Secure Privacy's Approach

IAB TCF provides a standardized framework for the ad tech ecosystem — but its vendor-centric design, complex UI requirements, and unresolved GDPR compliance questions present real risks for publishers. Secure Privacy's approach — using Google Consent Mode Advanced rather than IAB TCF — prioritizes user privacy, website owner control, and robust GDPR compliance without the compliance uncertainties associated with the IAB framework.

Frequently Asked Questions

Why are IAB TCF cookie banners so large and text-heavy?

IAB TCF mandates that all certified CMPs display specific information about vendors, processing purposes, and user rights — and these requirements are strictly enforced. The resulting banners are necessarily more complex than standard GDPR consent banners. If the verbose banner design is affecting your user experience and conversion rates, Secure Privacy's streamlined consent approach — using Google Consent Mode instead of IAB TCF — provides a cleaner, more user-friendly alternative without sacrificing compliance.

Does IAB TCF guarantee GDPR compliance?

Not unconditionally. While IAB TCF is designed to facilitate GDPR compliance, multiple supervisory authorities — including the Belgian DPA — have found that the framework itself violates GDPR in specific respects. Organizations using IAB TCF should stay current with DPA guidance and enforcement decisions, and consider whether their specific implementation meets GDPR requirements beyond TCF certification alone.

Can I use Secure Privacy without implementing IAB TCF?

Yes. Secure Privacy supports both IAB TCF and non-TCF consent management approaches. For publishers who do not need TCF for advertising purposes, Secure Privacy's Google Consent Mode Advanced integration provides a fully compliant, simpler alternative — without the UI complexity or compliance risks associated with TCF.

See Also

  - Secure Privacy: Google-Certified Consent Management Platform

  - Basic vs. Advanced Google Consent Mode: Full Comparison

  - Global Privacy Platform (GPP) Setup in Secure Privacy

---

# What Is GDPR? A Simple Guide to GDPR Compliance

URL: https://support.secureprivacy.ai/article/what-is-gdpr
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-26T21:33:03.701+00:00
Reading Time: 2 minutes
Summary: Learn what GDPR is, who it applies to, what personal data means, and how to improve GDPR compliance for your website and business.

The General Data Protection Regulation (GDPR) is the European Union’s data privacy law that governs how organizations collect, use, store, and share the personal data of people in the EU. If your business runs a website, uses cookies, or processes customer data, understanding GDPR is essential for compliance.
This page gives you a quick overview of GDPR and links to the most important topics, including who GDPR applies to, what counts as personal data, GDPR penalties, international data transfers, data breaches, and how to make your website GDPR compliant.
What Is GDPR?
GDPR is a privacy and data protection regulation created by the European Union. It sets rules for how organizations handle personal data and gives individuals more control over their information. GDPR can apply even if your business is not based in the EU, as long as you offer goods or services to EU residents or monitor their behavior online.
Why GDPR Matters for Websites and Businesses
GDPR affects how businesses manage website tracking, cookie consent, privacy notices, user rights, and data security. It is especially important for companies that collect leads, run analytics, use advertising cookies, or process customer information through forms, accounts, or online services.
- It helps protect user privacy and personal data

- It requires transparency about data collection and use

- It can affect cookie banners, consent records, and privacy policies

- Non-compliance can lead to complaints, investigations, and fines

Key GDPR Topics
Use the resources below to explore the most common GDPR questions and compliance issues:
- Why GDPR matters

- Who GDPR applies to

- GDPR penalties and fines

- What personal data means under GDPR

- Transferring data outside the EU

- Who enforces GDPR

- Do you need a Data Protection Officer (DPO)?

- Does GDPR apply to small and medium-sized businesses?

- What to do in case of a data breach

- How to make your organization GDPR compliant

Common GDPR Questions
Who does GDPR apply to?
GDPR can apply to organizations inside and outside the EU if they process the personal data of EU residents in certain situations.
What counts as personal data?
Personal data can include names, email addresses, IP addresses, location data, cookie identifiers, and other information that can identify a person directly or indirectly.
What are the penalties for GDPR non-compliance?
Penalties vary depending on the nature and severity of the violation, but GDPR is known for significant potential fines and strict enforcement expectations.
How can I make my website GDPR compliant?
Common steps include reviewing your data collection practices, using a compliant cookie consent banner, updating your privacy policy, managing user consent correctly, and keeping records of consent where required.
Learn More About GDPR Compliance
For a more detailed explanation of GDPR requirements and practical steps for website compliance, read our full GDPR compliance guide.

---

# Secure Privacy Pricing Plans: Compare Consent Management Features and Choose the Right Plan

URL: https://support.secureprivacy.ai/article/secure-privacy-pricing-plans--consent-management-platform
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:18:36.809+00:00
Reading Time: 3 minutes
Summary: Compare Secure Privacy pricing plans, consent limits, and features to choose the right consent management plan for GDPR and privacy compliance.

Choosing the right consent management plan is important for GDPR, CCPA, and ePrivacy compliance. Secure Privacy offers flexible pricing plans for businesses of different sizes, from small websites that need a basic cookie banner to enterprise teams managing millions of monthly consents.
This guide compares the Secure Privacy pricing plans, explains what each tier includes, and helps you choose the best plan for your compliance, traffic, and customization needs.
Who Is This Secure Privacy Pricing Guide For?
This guide is useful for:
- Website administrators managing cookie consent and privacy compliance

- Developers implementing a consent management platform (CMP)

- Marketers overseeing consent tracking and data privacy workflows

- Business owners comparing GDPR-compliant privacy solutions

Secure Privacy Pricing Plans Compared
Secure Privacy offers several consent management pricing tiers so businesses can choose the features and scale they need. The plans range from essential compliance tools to enterprise-level functionality with dedicated support and advanced security options.
Free Plan
The Free Plan is designed for small or new websites that need core consent management features.
- Google Consent Mode V2 support

- Global Privacy Control (GPC)

- Up to 500 monthly consents

- Basic cookie banner setup

Small Plan
The Small Plan includes everything in the Free Plan, plus more flexibility for branding and user management.
- Branding and design customization

- Multi-language cookie banner support

- Increased monthly consent limits

- Multiple user accounts

Business Plan
The Business Plan is built for growing companies that need a broader compliance toolkit and more reporting features.
- All Small Plan features

- Cross-domain consent management

- Extensive privacy policy templates

- Privacy Policy generator and DSAR tools

- Advanced consent reporting and analytics

Advanced Plan
The Advanced Plan is intended for enterprise teams that need greater scalability, stronger access control, and dedicated support.
- All Business Plan features

- Service Level Agreement (SLA)

- Enterprise Single Sign-On (SSO)

- Behind-login page scanning

- Unlimited user accounts

- Up to 5 million consents per month

- Dedicated Account Manager

- Audit Logs

How to Choose the Right Consent Management Plan
If you are comparing Secure Privacy plans, focus on the features you need today and the scale you expect in the future.
- Assess your compliance needs: Consider which regulations apply to your business, such as GDPR, CCPA, or LGPD.

- Review your traffic volume: Your monthly consent volume can help determine which plan fits your website best.

- Compare customization options: If you need branded banners, multiple languages, or advanced workflows, a higher-tier plan may be a better fit.

- Plan for growth: Choose a plan that can support future traffic, more domains, and additional team members.

Secure Privacy Pricing and Billing Information
- Pricing is billed monthly per domain.

- Each domain requires its own license at the same subscription level.

- All paid plans include a 30-day free trial so you can test features before committing.

Need a Custom Consent Management Quote?
If your organization needs a custom pricing plan or has privacy compliance requirements beyond the listed tiers, contact the Secure Privacy sales team at sales@secureprivacy.ai to request a custom quote.
Frequently Asked Questions About Secure Privacy Pricing Plans
What happens if I exceed my monthly consent limit?
Contact Secure Privacy support to discuss a plan upgrade or options for handling higher consent volumes.
Can I switch Secure Privacy pricing plans at any time?
Yes. You can upgrade or downgrade your consent management plan at any time from your account.
Are multiple domains covered under one plan?
No. Pricing is per domain, and each domain requires its own license. All domains on an account must be on the same subscription level.
Which Secure Privacy plan is best for enterprise use?
The Advanced Plan is best suited for enterprise organizations that need features such as SSO, audit logs, SLA coverage, dedicated support, and higher monthly consent capacity.
See Also
- How to Add Custom CSS for Improved Design and Branding

- Cross-Domain Consent Feature for Enterprise Users

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

- Setup DSAR Forms in Secure Privacy

- Embed Privacy Policies Easily

- Single Sign-On (SSO) Configuration: Integration with Microsoft Entra ID

---

# How to Embed Privacy Policies on Your Website Using Secure Privacy – Dashboard and Individual Policy Embed Guide

URL: https://support.secureprivacy.ai/article/embed-privacy-policies-easily--secure-privacy
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:43:07.37+00:00
Reading Time: 3 minutes
Summary: Learn how to embed Secure Privacy privacy policies on your website — use the Policies dashboard to embed all policies at once, or embed individual policies on specific pages with a few steps.

Embedding your privacy policies directly on your website ensures visitors can access compliance information seamlessly — without leaving your site. Secure Privacy provides two straightforward embedding methods: embedding all policies at once from the Policies dashboard, or embedding individual policies on specific pages. This guide explains both options step by step.
Who Is This For?
- Website administrators integrating Secure Privacy privacy policies into their site HTML

- Compliance officers ensuring privacy and cookie policies are publicly accessible and embedded correctly

- Developers implementing policy embeds across single-language or multilingual websites

Two Ways to Embed Your Policies
Method 1: Embed All Policies from the Policies Dashboard
Use this method to embed all your policies in one place — ideal for displaying a consolidated policy page on your website.
- Log in to your Secure Privacy dashboard and navigate to the Policies section.

- Click the Embed button.

- A popup will appear displaying the embed code for all your policies.

- Select a default language for your policies if needed. Visitors will still be able to switch to their preferred language on your site.

- Copy the embed code and paste it into the HTML of your webpage where you want the policies to appear.

Method 2: Embed Individual Policies on Specific Pages
Use this method to display different policies on different pages — for example, embedding only your cookie declaration on your cookie policy page.
- From the Policies dashboard, select the specific policy you want to embed.

- Click Embed in the left sidebar of the policy's settings page.

- Copy the embed code provided.

- Paste the code into your webpage's HTML at the position where you want the policy to display.

- Select a default language if needed — particularly useful for multilingual websites.

Important Note
If your website already links directly to your policy pages hosted on Secure Privacy, embedding is optional — linked policies will automatically integrate within your Preference Center and remain accessible to visitors through the privacy widget without requiring additional embed code.
Frequently Asked Questions
My embedded policy is not displaying on the page — what should I check?
Verify that the embed code has been placed correctly within the <body> section of your webpage HTML — not in the <head>. After confirming placement, clear your browser cache and your website's server or CDN cache, then reload the page in an incognito window to check whether the policy appears.
The language settings are not applying correctly — how do I fix this?
Confirm that you have selected the correct default language in the embed popup before copying the code. Also check the visitor's browser language settings — Secure Privacy displays the policy in the visitor's browser language by default where a matching translation is available. If the wrong language is still showing, re-generate the embed code with the correct default language selected and replace the existing embed code on your page.
Can I embed the same policy on multiple pages?
Yes. Copy the individual policy embed code and paste it into the HTML of as many pages as needed. The same embed code can be reused across multiple pages without any configuration changes.
See Also
- Mastering the Policies Page for Effective Policy Management

- Mastering the Template Policies Page for Effective Policy Management

- The Policies Page: A Deep Dive into Privacy and User Data Collection

- Using Tables in the Secure Privacy Policy Editor

---

# Supported Privacy Laws & Global Compliance Coverage — Consent Management Platform

URL: https://support.secureprivacy.ai/article/template-coverage--gdpr-ccpa-pipeda-amp-50-regulations
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T17:41:16.071+00:00
Reading Time: 5 minutes
Summary: Explore 56+ supported privacy laws including GDPR, CCPA & LGPD. Full coverage across 6 regions, 27 languages, and both opt-in & opt-out consent models for global compliance.

Our privacy compliance platform provides comprehensive coverage for major data protection laws worldwide. Whether you need to manage GDPR cookie consent in Europe, comply with US state privacy laws like CCPA, or meet data protection requirements across Asia-Pacific, the Middle East, or Latin America, this guide outlines every supported regulation, geographic coverage area, and language to help you address your global compliance needs.
Who Is This For?
This guide is intended for website owners, privacy officers, legal teams, and developers who need to understand which data protection laws and consent management features are available on the platform — and how to configure them for their specific jurisdictions.
Key Highlights
- 56 active privacy law templates covering major global data protection regulations

- Geographic coverage spanning Europe, North America, Asia-Pacific, the Middle East, Africa, and Latin America

- 27 languages supported including all major world languages

- Two consent models (opt-in and opt-out) properly categorized by jurisdiction

Supported Data Privacy Laws by Region
Europe
EU GDPR (General Data Protection Regulation)
- Coverage: All 30 EU/EEA countries — Ireland, France, Germany, Spain, Italy, the Netherlands, and others

- Languages: 25 languages supported — English, French, German, Spanish, Italian, Dutch, and all official EU languages

- Consent Type: Opt-in consent required

- Data Retention: 12 months

UK DPA (Data Protection Act 2018)
- Coverage: United Kingdom

- Languages: English

- Features: Full cookie banner, preference center, and contextual consent support

Switzerland FADP (Federal Act on Data Protection)
- Coverage: Switzerland

- Languages: English, French, German, Italian

- Consent Type: Opt-in consent required

Eastern Europe
- North Macedonia ZZLP: English and Macedonian support

- Serbia ZZPL: English and Serbian support

- Belarus LPDP: English and Belarusian support

- Turkiye KVKK: English and Turkish support

- Ukraine Privacy Law: English and Ukrainian support (opt-out consent model)

North America
Canada
- PIPEDA: Covers all Canadian provinces and territories

- Quebec Law 25: Specific coverage for Quebec

- Languages: English and French for both regulations

United States — State Privacy Laws
The platform supports comprehensive cookie consent and privacy compliance coverage across all US states, with dedicated templates for states that have enacted their own data privacy laws:
States with Dedicated Privacy Laws:
- California CCPA (with Spanish support)

- Virginia CDPA

- Colorado CPA

- Connecticut DPA

- Tennessee IPA

- New Jersey CDPB

- Iowa DPA

- Utah CPA

- Indiana CDPA

- Montana CDPA

- Oregon CPA

- Delaware PDPA

- Texas DPSA

- Kentucky CDPA

- New Hampshire CDPA

- Maryland ODPA

- Vermont DPA

- Minnesota CDPA

- Nebraska DPA

All Other US States and Territories:
- A general template covering the remaining 35 US states and territories

- Bilingual support (English and Spanish)

Middle East & Africa
- UAE PDPL: English and Arabic support

- Saudi Arabia DPL: English and Arabic support

- Oman PDPL: English and Arabic support

- Israel PPL: English and Hebrew support

- Egypt DPL: English and Arabic support

- Morocco DPL: English and Arabic support

- South Africa POPIA: English and Afrikaans support

- Kenya DPA: English only

Asia-Pacific
- China PIPL: English and Chinese support

- Japan APPI: English and Japanese support

- South Korea PIPA: English and Korean support

- Thailand PDPA: English and Thai support

- Singapore PDPA: English and Malay support

- Malaysia PDPA: English and Malay support

- Hong Kong PDPO: English and Chinese support

- Philippines DPA: English and Tagalog support

- Vietnam PDPA: English and Vietnamese support

- Australia APP: English only (opt-out consent model)

- New Zealand Privacy Act 2020: English only (opt-out consent model)

- India DPDPA: English and Hindi support

Latin America
- Brazil LGPD: English and Brazilian Portuguese support

- Panama LSPDP: English and Spanish support

- Colombia DPL: English and Spanish support

- Argentina PLDP: English and Spanish support

Platform Features for Privacy Compliance
Standard Features Available Across Most Regulations
- Cookie Banner: Customizable consent banners aligned with local legal requirements

- Widget Support: Embedded privacy widgets for seamless user experience

- Preference Center: User-friendly privacy preference management

- Contextual Consent: Context-aware consent collection at the point of data capture

Consent Models: Opt-In vs. Opt-Out
Opt-in Consent — Required for most international data protection laws, including GDPR, CCPA-equivalent regulations, and most Asian, African, and Latin American privacy laws.
Opt-out Consent — Used primarily for:
- US state privacy laws (except some newer state laws)

- Australia APP

- New Zealand Privacy Act 2020

- Ukraine

Data Retention Periods
- 12 months: Standard retention period for most international privacy laws

- No retention: US state privacy laws (immediate processing / no storage requirement)

Multilingual Support — 27 Languages
The platform supports 27 languages across all supported regions to ensure legally compliant, locally relevant privacy notices:
- European Languages: English, French, German, Spanish, Italian, Dutch, Portuguese, and all official EU languages

- Asian Languages: Chinese, Japanese, Korean, Thai, Vietnamese, Hindi, Malay, Tagalog

- Middle Eastern & African Languages: Arabic, Hebrew, Afrikaans

- Other Languages: Russian, Turkish, Ukrainian, Belarusian, Serbian, Macedonian

Special Considerations
Contextual Consent Limitations
Most privacy templates support contextual consent collection. However, several newer US state privacy laws have contextual consent disabled by default, including: Tennessee, New Jersey, Iowa, Utah, Indiana, Montana, Oregon, Delaware, Texas, Kentucky, New Hampshire, Maryland, Vermont, Minnesota, and Nebraska.
Disabled Templates (Default)
- EU GDPR (with Google disclaimer): Currently disabled by default

- Global Coverage Template: A comprehensive template covering 240+ countries — currently disabled by default

Getting Started with Privacy Compliance
- Identify Your Jurisdiction: Determine which data protection laws apply to your business based on where your users are located.

- Review Language Requirements: Ensure you're providing privacy notices in the appropriate local languages.

- Configure Consent Type: Set up the correct consent model (opt-in vs. opt-out) based on the applicable laws in each region.

- Enable Required Features: Activate cookie banners, preference centers, and other required privacy compliance features.

Frequently Asked Questions
Which privacy laws does the platform support?
The platform currently supports 56 active privacy law templates, including the EU GDPR, UK DPA, CCPA (California), Brazil LGPD, China PIPL, India DPDPA, and many more across Europe, North America, Asia-Pacific, the Middle East, Africa, and Latin America.
Does the platform support both opt-in and opt-out consent?
Yes. The platform handles both consent models. Opt-in consent is used for GDPR and most international regulations; opt-out consent is configured for US state privacy laws, Australia APP, and New Zealand's Privacy Act 2020.
How many languages are supported for privacy notices?
The platform supports 27 languages, covering all major European, Asian, Middle Eastern, and African languages to ensure locally compliant privacy disclosures.
How often are privacy law templates updated?
Templates are regularly updated to reflect the latest changes in privacy legislation and are actively maintained for production use. Subscribe to the changelog for notifications on template updates.
Support & Updates
All privacy compliance templates are regularly updated to reflect changes in data protection legislation and are actively maintained for production use.
Subscribe to changelog.secureprivacy.ai for updates, including privacy law template changes.
For implementation guidance or additional questions, please contact our support team at support@secureprivacy.ai.

---

# Block Adobe Experience Cloud ID Service Cookies for GDPR Compliance

URL: https://support.secureprivacy.ai/article/block-adobe-experience-cloud-id-cookies--gdpr-compliance
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T00:41:41.325+00:00
Reading Time: 3 minutes
Summary: Stop Adobe Experience Cloud ID Service from setting cookies without consent. Follow our step-by-step guide to enable GDPR-compliant opt-in in Adobe Experience Platform Data Collection.

The Adobe Experience Cloud ID Service sets cookies automatically in user browsers — without waiting for consent. To meet GDPR cookie consent requirements, you must configure the extension to block these cookies until a user explicitly opts in. This guide walks you through exactly how to enable opt-in within Adobe Experience Platform Data Collection (formerly Adobe Launch / Adobe Tags) to ensure GDPR-compliant cookie behavior.

  Why You Need to Block Adobe Experience Cloud ID Service Cookies for GDPR

  
    - By default, the Adobe Experience Cloud ID Service places tracking cookies on every visitor's browser — regardless of consent.

    - Under GDPR, non-essential cookies must not fire before a user gives explicit, informed consent.

    - Enabling the opt-in feature prevents the ID Service from setting cookies until consent is collected by your Consent Management Platform (CMP).

  

  How to Block Adobe Experience Cloud ID Service Cookies (Step-by-Step)

  
    - Open the Adobe Experience Platform Data Collection interface (Adobe Launch / Adobe Tags).

    - Select Extensions from the left-hand menu.

    - Locate and open the Experience Cloud ID Service extension settings.

    - Scroll to the Opt In section and set Enable Opt In? to Yes.

    - Save and publish your changes. Cookies will now be blocked until the user provides GDPR-compliant consent.

  

  
    
    Setting "Enable Opt In?" to Yes in the Experience Cloud ID Service extension blocks cookies until GDPR consent is given.
  

  Best Practices for GDPR-Compliant Adobe Cookie Blocking

  
    - Confirm that Enable Opt In? is set to Yes and the extension is published to your live environment.

    - Test across multiple browsers to verify that Adobe cookies do not fire before consent is granted.

    - Integrate this setting with a certified Consent Management Platform (CMP) — such as Secure Privacy — to ensure full GDPR compliance.

    - Keep the Experience Cloud ID Service extension updated to the latest version to avoid known consent-handling bugs.

  

  
    Who Should Use This Guide?

    
      - Website compliance officers responsible for GDPR and ePrivacy readiness.

      - Privacy-focused developers configuring Adobe tags and consent flows.

      - Digital marketers managing Adobe Experience Cloud services who need to ensure cookie consent compliance.

    
  

  
    Frequently Asked Questions (FAQ)

    
      Why are Adobe Experience Cloud cookies still loading after enabling opt-in?
      First, clear your browser cache and hard-reload the page. Then confirm you have published the latest library version in Adobe Data Collection. If the issue persists, check that no other tag rules are triggering the ID Service before consent fires.

    

    
      The opt-in setting is not working on some pages — what should I check?
      Review the path exclusions inside the extension configuration. If certain pages are excluded from your tag container, the opt-in logic may not run. Ensure your consent event is firing correctly on those pages.

    

    
      Does enabling opt-in affect Adobe Analytics or Adobe Target as well?
      Yes. When opt-in is enabled at the ID Service level, it can gate downstream Adobe solutions (Analytics, Target, Audience Manager) from setting cookies until consent is received, depending on how your solution integrations are configured.

    
  

  
    See Also

    
      - Ensuring Prior Consent for Non-Essential Cookies – GDPR Compliance

      - Secure Privacy Now a Google-Certified Consent Management Platform

---

# How to Customize Your Cookie Consent Banner Design in Secure Privacy – Position, Colors, Buttons, and Custom CSS

URL: https://support.secureprivacy.ai/article/enhance-the-look-of-your-website-with-customized-cookie-banners-design
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:02:22.803+00:00
Reading Time: 3 minutes
Summary: Learn how to customize the Secure Privacy cookie consent banner — configure banner position (bar, corner, middle), adjust colors, style Accept/Decline buttons, and apply custom CSS.

The Design > Cookie Banner page in Secure Privacy gives you full control over your cookie consent banner's appearance — including position, padding style, custom CSS, colors, and button styling. This guide walks through every available design setting so you can create a banner that matches your brand and provides a clear consent experience for visitors.

Who Is This For?

  - Website administrators and designers customizing the Secure Privacy cookie banner appearance

  - Developers applying custom CSS or advanced color configuration to the consent banner

  - Compliance and UX teams ensuring the cookie banner is visible, accessible, and brand-consistent

How to Access Cookie Banner Design Settings

Log in to your Secure Privacy account and navigate to Design in the dashboard. Select the design you want to modify, then open the Cookie Banner section to access all available customization options.

Banner Position Options

Secure Privacy provides several pre-defined banner position designs — each can be customized further using the color and CSS settings below.

Bar Position

The bar position displays the cookie banner as a horizontal bar across the top or bottom of the viewport. Two bar design variants are available, balancing visibility with a clean, non-intrusive appearance.

Bar with Padding

The bar with padding option adds spacing around all sides of the banner, giving it a floating, elevated appearance that draws attention without covering page content.

Corner Position

The corner position places the banner in a corner of the viewport — unobtrusive and easily spotted. This option integrates naturally into most website layouts without interrupting the main content area.

Middle Position

The middle position places the banner as a centered overlay on the page — highly visible and ideal for designs where consent must be clearly acknowledged before the visitor continues browsing.

Advanced Customization

Custom CSS

For full design control, apply custom CSS to the cookie banner. Custom CSS lets you override or extend default styles — adjusting layout, typography, spacing, animations, or any other visual property to match your website's design system precisely.

Color Settings

Adjust banner colors to match your brand palette. Available color controls include:

  - Background color

  - Border color

  - Text color — headings, body text, links, and hover states

Accept, Decline, and Customize Button Styling

Each consent button — Accept, Decline, and Customize — can be styled independently. Available options include:

  - Fill style: Filled background or stroke (outline) only

  - Corner style: Smooth, sharp, or rounded corners

  - Colors: Background color, hover background color, text color, and hover text color — configured separately for each button

Preview

Before publishing your design, use the preview feature to see how the banner will appear on desktop, tablet, and mobile devices. Switch to full screen for the most accurate visualization. Note that the preview provides an approximate representation and may not be 100% identical to the live banner on all browsers and devices.

Frequently Asked Questions

Can I use a different position for mobile vs. desktop?

The banner position setting applies globally across all devices. To apply device-specific positioning, use custom CSS with media queries to override the default positioning for specific screen sizes.

Will custom CSS override all default banner styles?

By default, custom CSS is applied on top of the existing banner styles — only the properties you specify are overridden. To replace all default styles entirely, enable the Replace Default CSS option in the Custom CSS settings. Use this only if you are supplying a complete custom stylesheet for the banner.

Can I style the Accept and Decline buttons differently from each other?

Yes. The Accept, Decline, and Customize buttons each have their own independent styling controls — including fill style, corner style, background color, hover color, and text color. Configure each button separately to achieve the visual hierarchy you need for your consent UI.

See Also

  - How to Add Custom CSS to Your Cookie Consent Banner

  - Upload a Custom Logo to Your Banner

  - Managing Designs in Secure Privacy

---

# Secure Privacy Laws Report Updates – Improved Data Mapping, Visitor Tracking, Geolocation Detection, and UI Fixes

URL: https://support.secureprivacy.ai/article/laws-report-enhancements
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:27:29.804+00:00
Reading Time: 2 minutes
Summary: Secure Privacy's Laws Report now features region-based data mapping, expanded visitor tracking, improved geolocation detection, and UI fixes for icons and regional display consistency.

Secure Privacy has introduced a series of improvements to the Laws Report — enhancing data mapping accuracy, expanding visitor tracking coverage, improving geolocation detection, and delivering a more consistent UI across all regions and templates.

Who Is This For?

  - Compliance teams using the Laws Report to monitor consent activity and regional visitor data

  - Website administrators reviewing regional compliance coverage and report accuracy

  - Privacy officers using Secure Privacy reporting to demonstrate regulatory compliance across jurisdictions

What's New in the Laws Report

Refactored data mapping logic

Previously, the Laws Report chart was mapped using template names — which could produce inconsistent or misleading visualizations when templates were renamed or restructured. The updated implementation maps data based on predefined geographic regions, delivering cleaner, more meaningful chart visualizations that accurately reflect where visitor interactions are occurring.

Visitor tracking update

The Laws Report now tracks visitor data rather than consent data alone. This broader tracking scope is supported by improved backend logic — providing more accurate reporting and enabling region-specific insights into both visitor volume and consent behavior across jurisdictions.

Geolocation detection improvements

Region detection has been enhanced to more accurately classify visitors by geographic area. For example, visitors from India are now correctly mapped under the Asia region — ensuring regional reporting is accurate and that compliance coverage gaps are correctly identified in the report.

UI and UX Enhancements

  - Fixed icon mapping: Resolved icon mapping issues that affected newly created or recently modified templates — icons now display correctly for all active template configurations.

  - Fallback icons for unmapped regions: Added fallback icons for regions without a specific template association, ensuring UI consistency across all report views regardless of regional coverage gaps.

  - Improved region-based display handling: Enhanced how region-based data is rendered in the report interface — improving visibility and usability when reviewing multi-region compliance data.

Frequently Asked Questions

Will these changes affect my existing Laws Report data?

The refactored data mapping logic changes how data is visualized — mapping by predefined region rather than template name — but does not alter your underlying consent records. Historical data may appear differently organized in the updated chart view, but no consent records have been modified.

Why does the report now show visitor data instead of only consent data?

Tracking visitor data alongside consent data gives a more complete picture of your compliance posture — showing not just how many consent interactions were recorded, but how many visitors were present in each region and whether they were presented with the appropriate consent banner. This enables more accurate identification of coverage gaps.

What should I do if a region is still displaying incorrectly in my Laws Report?

If you notice incorrect region classification or missing icons after these updates, contact Secure Privacy support at support@secureprivacy.ai with details of the affected region and template configuration.

See Also

  - How to Increase Your Compliance Score (Overall Rating)

  - Customize Your Cookie Banner Using Templates

  - Secure Privacy Pricing Plans Overview

---

# How to Install the Secure Privacy Plugin on Joomla – Cookie Consent Setup Guide

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-joomla
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T00:17:13.467+00:00
Reading Time: 3 minutes
Summary: Step-by-step guide to installing the Secure Privacy cookie consent plugin on Joomla. Configure GDPR compliance, enable the extension, and verify your setup in minutes.

This guide walks you through installing the Secure Privacy plugin on Joomla — a flexible, open-source CMS used to power millions of websites worldwide. Whether you are new to Secure Privacy or adding a new domain to an existing account, this step-by-step tutorial will help you configure the Joomla cookie consent plugin for full GDPR, CCPA, and ePrivacy compliance.
Who Is This Guide For?
- Website administrators managing a Joomla site

- Web developers implementing cookie consent and privacy compliance

- Marketers managing user consent, cookie banners, and tracking settings

Step 1 – Get Your Secure Privacy Script Code
- After activating your Secure Privacy account, you will be prompted to choose an installation method.

- Select Joomla.

- Copy the script code displayed on screen and save it somewhere accessible.

- Keep this tab open and open a new tab to proceed with the Joomla plugin installation.

Step 2 – Install the Secure Privacy Joomla Plugin
- Download the Secure Privacy Joomla Plugin (.zip).

- Log in to your Joomla administrator panel (typically at www.yourjoomlawebsite.com/administrator) and navigate to System.

- Under Install, click Extensions. An upload area will appear.

- Click Browse for file and upload the downloaded .zip plugin file.

- On a successful upload, Joomla will display: Installation of the plugin was successful. Click Manage Extensions.

- Search for Secure Privacy and click the icon in the Status column to enable the extension. A confirmation message will appear.

- Go back to System and click Plugins under Manage.

- Use the search box to find Secure Privacy.

- Click the plugin name to open its configuration. Paste the script code you copied from Secure Privacy into the Installation Script field.
Note: If you are adding a new domain from the Secure Privacy Dashboard, copy the script from the Installation screen of that domain.

- Save your changes. Joomla will confirm with a Plugin saved. message.

Adding a new domain? If you are following this guide while adding a new domain from the Secure Privacy dashboard, return to the Secure Privacy screen after saving and click Test Installation to verify the setup for that domain.
Step 3 – Verify the Installation in Secure Privacy
- Switch back to the Secure Privacy onboarding tab.

- Click Test Installation to verify the Joomla plugin is correctly connected.

- A toast notification at the bottom-left of the screen will confirm a successful Joomla cookie consent plugin installation.

Common Issues & Fixes
Plugin does not appear after installation
Make sure the .zip file uploaded without errors and that Joomla displayed the installation success message. Try re-uploading if needed.
Unable to enable the plugin
Check your user permissions in Joomla and confirm you have full administrator access before attempting to enable extensions.
Installation script is not working
Verify that the exact script code from Secure Privacy was pasted without any modifications or extra spaces, then save the plugin configuration again.
Frequently Asked Questions
Does Joomla support GDPR cookie consent out of the box?
Joomla does not include a built-in GDPR cookie consent solution. The Secure Privacy plugin adds a fully configurable cookie banner and consent management layer to your Joomla site.
Is the Secure Privacy Joomla plugin free?
Secure Privacy offers a free trial. After the trial period, a paid subscription is required to continue using cookie consent and privacy compliance features on your Joomla site.
Can I use this plugin on multiple Joomla domains?
Yes. Each domain requires its own script code generated from the Secure Privacy dashboard. Repeat the installation steps for each additional domain.
Where do I find my Secure Privacy script code?
Your unique script code is shown on the Installation screen inside the Secure Privacy dashboard, either during initial onboarding or when adding a new domain.
See Also
- How to block cookies in complex GTM triggers (consent-based tagging)

- How to install Secure Privacy on WordPress

- Implementing Microsoft UET Consent Mode with Secure Privacy

---

# How to Allowlist the Secure Privacy Scanner IP Addresses – Bypass Bot Protection for Accurate Compliance Scanning

URL: https://support.secureprivacy.ai/article/allowlist-secureprivacyai-scanner-in-firewalls-cdns
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T22:23:29.752+00:00
Reading Time: 2 minutes
Summary: Learn how to allowlist Secure Privacy's scanner IP addresses in your firewall, CDN, or WAF — ensuring accurate cookie and consent banner scanning without bot protection blocks. Request the current list via support@secureprivacy.ai

Modern bot protection systems — including Cloudflare, AWS WAF, and similar platforms — can challenge or block automated traffic, including legitimate compliance scanners. The Secure Privacy scanner needs reliable, uninterrupted access to your website to detect consent banners, cookies, trackers, and privacy signals accurately. The recommended approach is to create an IP-based allowlist using the scanner IP addresses provided by Secure Privacy.

Who Is This For?

  - Website administrators and DevOps teams managing firewall, CDN, or WAF rules that may block automated traffic

  - Compliance teams troubleshooting failed or incomplete Secure Privacy scans caused by bot protection challenges

  - Security teams configuring allowlist rules for the Secure Privacy scanner IP addresses

How It Works

  - What you configure: An allowlist rule in your firewall, CDN, or WAF that permits the Secure Privacy scanner's IP addresses to bypass bot challenges and strict rate limits.

  - What Secure Privacy provides: A current list of scanner IP addresses — available on request by emailing support@secureprivacy.ai.

Quick Start: Allow the Secure Privacy Scanner in 3 Steps

  - 
    Request the scanner IP list. Email support@secureprivacy.ai with the subject line "Scanner IP allowlist". Include your domain(s) and environments — for example, production and staging.

  

  - 
    Create an allow rule. In your firewall, CDN, or WAF, create a rule that allows or bypasses bot protection for the provided scanner source IPs.

  

  - 
    Verify the scan. Run a scan from your Secure Privacy dashboard — or ask support to trigger one — and confirm that no challenges or blocks occur.

  

Tip: Place the allowlist rule near the top of your rule set so it takes precedence over generic bot protection and rate-limit policies.

Frequently Asked Questions

Why do I need to allowlist the Secure Privacy scanner?

Bot protection systems cannot distinguish between malicious crawlers and legitimate compliance scanners. Allowlisting the Secure Privacy scanner's IP addresses ensures accurate privacy and compliance scanning without triggering human verification challenges or false blocks that would produce incomplete scan results.

How do I get the current scanner IP addresses?

Email support@secureprivacy.ai with the subject "Scanner IP allowlist". The support team will provide the up-to-date IP list and can notify you of any future changes upon request.

Do the scanner IP addresses change?

Rarely, but yes — the scanner IPs can change. If your scans begin failing or returning incomplete results, re-request the current IP list from support and update your allowlist rule accordingly.

Will allowlisting the scanner IPs weaken my site security?

No. You are only granting access to a specific, known set of IP addresses — not opening your site to general automated traffic. Keep the allowlist rule narrowly scoped to the provided IPs and maintain all existing bot protection and security policies for all other traffic.

Need Help?

Contact the Secure Privacy support team at support@secureprivacy.ai — we are happy to assist with IP requests, rule configuration guidance, or troubleshooting failed scans.

See Also

  - Secure Privacy Setup and Installation Checklist

  - Secure Privacy Pricing Plans Overview

  - How to Increase Your Compliance Score (Overall Rating)

---

# How to Display Your Company Logo in the Secure Privacy Preference Center

URL: https://support.secureprivacy.ai/article/how-to-enable-your-custom-logo-in-the-secure-privacy-preference-center
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T22:34:04+00:00
Reading Time: 2 minutes
Summary: Show your company logo in the Secure Privacy Preference Center. Follow these simple steps to enable the Display Header Logo toggle and create a branded consent experience.

Summary: This guide walks you through how to display your company logo in the Secure Privacy Preference Center, creating a more consistent, on-brand consent experience for your website visitors. The logo shown in the Preference Center is the same one configured under your global Secure Privacy account settings.
Who Is This Guide For?
- Website owners and marketers who want a branded consent Preference Center that reflects their company identity

- Designers and developers configuring the visual appearance of Secure Privacy's CMP for a specific domain

- Compliance managers ensuring the Preference Center presents a trustworthy, professional user interface

  How to Display Your Logo in the Secure Privacy Preference Center

  
    - 
      Log In to Your Secure Privacy CMP Dashboard

      Begin by logging in to your Secure Privacy CMP dashboard.

    

    - 
      Navigate to the Designs Tab

      Once logged in, go to the Designs tab in your dashboard navigation.

      
        
        Navigate to the Designs tab in your Secure Privacy CMP dashboard.
      
    

    - 
      Select the Design You Want to Modify

      Click on the specific design you wish to update. This is typically the design associated with your domain.

    

    - 
      Open Preference Center Settings

      Within your selected design, navigate to the Preference Center settings section.

    

    - 
      Enable the "Display Header Logo" Toggle

      Locate the toggle labeled "Display Header Logo" and enable it to activate your company logo in the Preference Center header.

      
        
        Enable the "Display Header Logo" toggle in Preference Center settings to show your brand logo.
      
    

  

  
    📌 Important: Where Does the Logo Come From?

    The logo displayed in the Preference Center is the same logo configured under the Settings tab in your overall Secure Privacy account. If you have not yet uploaded a logo, or need to update it, follow the Upload Custom Logo guide before enabling this toggle.

  
Frequently Asked Questions (FAQ)
Where does the Preference Center logo come from?
The logo displayed in your Preference Center is pulled from the logo you have already uploaded under the Settings tab of your Secure Privacy account. You cannot set a separate logo for the Preference Center alone—it uses your global account logo.
What if I haven't uploaded a logo yet?
You'll need to upload your company logo first via the Upload Custom Logo guide in your Secure Privacy settings before the Display Header Logo toggle will show anything.
Can I show different logos on different domains?
Each design in Secure Privacy is associated with a specific domain. If you have separate designs per domain, the logo displayed will follow whichever logo is set at the account level. Contact support@secureprivacy.ai if you need per-domain logo customization guidance.
Will enabling the logo affect my cookie banner as well?
No. The "Display Header Logo" toggle only applies to the Preference Center. Cookie banner appearance is managed separately within the Cookie Banner section of your design settings.
See Also
- Upload a Custom Logo — Personalize the Appearance of Banners

- Secure Privacy — Google-Certified Consent Management Platform

---

# Secure Privacy Partner Program – Refer, Resell, and Earn with a GDPR Consent Management Platform

URL: https://support.secureprivacy.ai/article/partner-with-secure-privacy-and-elevate-your-business-with-data-privacy-expertise
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:23:42.301+00:00
Reading Time: 2 minutes
Summary: Join the Secure Privacy Partner Program to earn commissions or resell GDPR and CCPA compliance tools. Two programs available: Referral and Solution Provider.

The Secure Privacy Partner Program gives agencies, consultants, and technology providers a structured way to earn revenue by reselling or referring a leading GDPR and CCPA consent management platform. Whether you want to refer clients and earn commissions or fully manage privacy compliance on their behalf, there is a program built for your business model.

Why Join the Secure Privacy Partner Program?

  - Turn data privacy into a competitive advantage: Differentiate your services by offering clients a trusted, regulation-ready consent management solution.

  - Earn commissions and product discounts: Generate recurring revenue through referrals and receive attractive discounts on Secure Privacy's tools.

  - Strengthen client trust: Demonstrate your commitment to data privacy by integrating Secure Privacy into your service offering.

Choose the Right Partner Program for Your Business

Referral Program

The simplest way to earn with Secure Privacy. Share your unique affiliate link and earn commissions for every customer who signs up through your referral.

  - No sales management required

  - Commission earned per successful referral

  - Ideal for bloggers, consultants, and marketers

Solution Provider Program

A full reseller and support model for agencies and service providers who manage compliance on behalf of their clients.

  - Manage sales, support, and client invoicing directly

  - Dedicated account management and sales resources

  - Rights to use the Secure Privacy partner logo

  - Ideal for digital agencies, IT consultancies, and privacy professionals

Secure Privacy Partner Benefits

  - Revenue opportunities: Earn commissions and access discounts on Secure Privacy's consent management solutions.

  - Marketing support: Use co-branded marketing materials and resources to promote Secure Privacy to your clients and network.

  - Dedicated account management: Get expert assistance from a dedicated partner account manager and sales team.

  - Technical expertise: Access Secure Privacy's deep knowledge base on GDPR, CCPA, ePrivacy, and global privacy compliance.

  - Brand recognition: Strengthen your reputation by associating with a trusted, globally recognized data privacy platform.

Trusted by Leading Organizations Worldwide

Secure Privacy is trusted by businesses of all sizes — including Fortune 500 companies — to manage cookie consent, safeguard visitor data, and maintain compliance with global privacy regulations. As a partner, you bring that same credibility to your clients.

Frequently Asked Questions

What is the difference between the Referral Program and the Solution Provider Program?

The Referral Program is commission-based — you share a link and earn when someone signs up. The Solution Provider Program is a full reseller model where you manage the client relationship, provide support, and handle invoicing directly.

How do I become a Secure Privacy partner?

You can apply to join the partner program directly through the Secure Privacy partner page. Once approved, you will receive access to your partner portal, affiliate link, and onboarding resources.

Become a Secure Privacy Partner Today

Join a growing network of privacy-focused partners and help your clients achieve GDPR and CCPA compliance. Apply to the Secure Privacy Partner Program and start building a revenue stream around data privacy.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# Website Visits vs Page Views vs Consent Explained – Web Analytics and GDPR Compliance Glossary

URL: https://support.secureprivacy.ai/article/website-visits-vs-page-views-vs-consent-explained
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T12:58:52.78+00:00
Reading Time: 4 minutes
Summary: Learn the difference between website visits, page views, and user consent — and why GDPR and CCPA make consent the legal foundation of responsible data collection with Secure Privacy.

Understanding the difference between website visits, page views, and user consent is essential for anyone managing web analytics, marketing measurement, or privacy compliance. This guide explains each concept clearly — and why Secure Privacy treats consent as the foundation of responsible, lawful data collection under GDPR and CCPA.

Who Is This For?

  - Website owners and marketers interpreting web analytics and understanding how visits, page views, and consent relate to each other

  - Compliance officers explaining the difference between behavioral metrics and legally required consent records

  - Developers and analysts configuring consent-aware tracking and understanding what data can be collected at each consent state

What Is a Website Visit?

A website visit — also called a session — begins when a user starts interacting with your website and ends when they leave or remain inactive for approximately 30 minutes. A single visit can include multiple page views, events, and interactions across different pages.

For example: if a user finds your blog through a search engine and clicks the link, their entire time browsing your site counts as one website visit — regardless of how many pages they view during that session.

What Is a Page View?

A page view is recorded each time a user loads or reloads a specific webpage — regardless of whether it is within the same session or a new one. Navigating across multiple pages during a single visit generates multiple page views.

For example: if a visitor reads five blog posts during one session, each page load counts as a separate page view — giving a total of five page views for that one website visit.

What Is User Consent?

Consent refers to a user's explicit agreement to allow data collection, cookie usage, or personal data processing on a website. Unlike visits and page views — which are behavioral metrics — consent is a legal requirement under regulations including GDPR and CCPA.

For example: when a visitor from California accepts a cookie banner asking permission for analytics and advertising data use, they have given valid consent for those specific purposes. Without that consent, data collection must be restricted to essential cookies only.

Why User Consent Is More Important Than Visit or Page View Counts

Website visits and page views provide valuable insight into visitor behavior — but they cannot legitimize data collection on their own. Consent is what makes data collection lawful and ethical. Secure Privacy is built around this principle: ensuring that consent is collected correctly, recorded in a tamper-proof audit log, and respected across all tracking and analytics tools before any non-essential data is gathered.

Summary

Website visits measure how users engage with your site over time. Page views count individual page loads within and across sessions. Consent determines whether you are legally permitted to collect and process the data generated by those visits and page views. Together, understanding these three elements supports both effective marketing measurement and ongoing compliance with GDPR, CCPA, and other applicable privacy laws.

Frequently Asked Questions

Can a page view happen without a website visit?

No. A page view always occurs within the context of a website visit or session. Every page load is part of an active or new session — there is no mechanism by which a page view is recorded outside a session context in standard web analytics.

What happens to data collection if a user does not give consent?

Without consent, data collection must be limited to cookies and processing that is strictly necessary for the website to function — such as session management and security cookies. Non-essential cookies — including analytics, advertising, and social media trackers — must not be set until valid consent is obtained. Collecting non-essential data without consent is a violation of GDPR and CCPA and can result in significant fines. Secure Privacy enforces this automatically through its cookie blocking engine.

How does Secure Privacy record consent alongside visit and page view data?

Secure Privacy records every consent interaction — including accepts, declines, and preference changes — in a secure, timestamped audit log. This consent record is separate from behavioral analytics data and is stored in compliance with GDPR's accountability requirements, providing auditable proof of consent for each visitor interaction.

See Also

  - Navigate and Utilize Your Consent Dashboard: An In-depth Guide

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - How to Add a Custom Service or Cookie

---

# How to Set Up Contextual Consent in Secure Privacy: Templates, sp-consent Attribute & GDPR Compliance

URL: https://support.secureprivacy.ai/article/formatting-and-utilizing-a-contextual-consent-page-template
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T23:10:24.195+00:00
Reading Time: 6 minutes
Summary: Set up contextual consent in Secure Privacy to block iframes and images until users consent. Customize templates, add the sp-consent attribute, and stay GDPR compliant — step-by-step guide.

Summary: Contextual consent gives users a fair, transparent way to understand and agree to the specific use of their personal data before content such as embedded videos, maps, or iframes is loaded. This guide walks through how to set up and customize a Contextual Consent page in Secure Privacy using the Templates feature — including enabling the feature, configuring message and button text, previewing across devices, and implementing the sp-consent attribute on your page.

  
    Who Is This Guide For?

    
      - Website administrators managing GDPR and CCPA-compliant consent flows for embedded content

      - Developers implementing the sp-consent attribute on img or iframe elements

      - Marketers and compliance managers customizing contextual consent messaging and button text to reflect their brand

    
  

  
    What Is Contextual Consent?

    Contextual consent is a privacy mechanism that blocks embedded third-party content — such as YouTube videos, Google Maps, or social media iframes — from loading until the user explicitly agrees to the data sharing that content involves. Rather than relying solely on a cookie banner, contextual consent presents a targeted, in-context prompt at the point where the content would appear, giving users a clear and informed choice.

    This approach supports compliance with GDPR, CCPA, and other privacy regulations by ensuring personal data is only shared with third parties after active, specific user consent.

  

  
    How to Access the Contextual Consent Template in Secure Privacy

    To locate and configure the Contextual Consent feature:

    
      - Log in to your Secure Privacy account

      - Click Templates in the main navigation bar

      - Select the template you want to modify

      - Switch to the Contextual Consent tab

    

    
      
      Navigate to Templates, select your template, and open the Contextual Consent tab in your Secure Privacy dashboard.
    
  

  
    Contextual Consent Template Features

    
      Enable Contextual Consent

      The Enable Contextual Consent toggle activates the contextual consent functionality for your selected template. Once enabled, interactive consent buttons and overlay widgets will appear to your website users directly over any pixel or iframe service that requires consent before loading.

    

    
      Preview Your Contextual Consent Page

      Secure Privacy's three-way preview simulates how your contextual consent overlay appears across different device types — desktop, tablet, and mobile. Note that the preview is an approximate indicator; for the most accurate representation, switch to full-screen view to see the page exactly as your users will.

      Click the EDIT button at any time to switch to editing mode, where you can adjust text, button labels, and settings. This flexibility ensures your contextual consent page always accurately reflects your brand values and privacy commitment.

      
        
        Use the three-way preview to check your contextual consent overlay across device sizes, then switch to full-screen for the most accurate view.
      
    

    
      Language Settings

      All Secure Privacy templates are preconfigured and pre-translated, giving users a localized consent experience out of the box. To add or remove a supported language, navigate to Templates > Settings.

    

    
      Message Settings: Customizing Consent Text

      Under Text in the Message Settings panel, you can fully customize the copy displayed on your contextual consent overlay. Write clear, concise, and informative text that explains what data is being shared and why — reinforcing your brand's commitment to data transparency and user privacy.

    

    
      Button Text: Call-to-Action Labels

      Button text controls the labels shown on each consent action button — such as "Accept," "Decline," or "Learn More." These labels should be direct and action-oriented, clearly communicating what each choice means for the user's data. Under GDPR, consent and refusal options must be equally prominent and unambiguous.

      
        
        Customize your consent overlay message text and button labels in the Message Settings panel.
      
    
  

  
    How to Install Contextual Consent: Adding the sp-consent Attribute

    To activate contextual consent blocking on a specific embedded element, add the sp-consent attribute to any <img> or <iframe> tag on your page. This tells Secure Privacy to intercept that element and display the contextual consent overlay until the user grants permission.

    Example — blocking an iframe (e.g., a YouTube embed):

    <iframe
  src="https://www.youtube.com/embed/your-video-id"
  sp-consent
  width="560"
  height="315"
  frameborder="0"
  allowfullscreen>
</iframe>

    Example — blocking an image pixel:

    <img src="https://example.com/tracking-pixel.png" sp-consent />

    Important: The sp-consent attribute is required on every element you want contextual consent to govern. Do not skip this step — without it, the element will load without triggering the consent overlay.

    
      Update Cookie Classification for Contextual Consent Elements

      After adding the sp-consent attribute to your tags, ensure that the corresponding img or iframe elements are correctly categorized in your Domain Settings > Classification tab. Proper classification ensures the contextual consent overlay is triggered by the correct consent category (e.g., marketing, functional) as defined in your template.

      
        
        Categorize your img and iframe elements correctly under Domain Settings > Classification to ensure the right consent overlay is triggered.
      
    
  

  
    Frequently Asked Questions (FAQ)

    What is contextual consent and how is it different from a cookie banner?

    A cookie banner asks for broad consent when a user first visits your site. Contextual consent works differently — it blocks specific embedded elements (like videos or maps) from loading and displays a targeted consent prompt directly where that content would appear. This gives users granular, in-context control over individual data-sharing events, which is particularly important under GDPR for third-party embeds.

    Which HTML elements does the sp-consent attribute work on?

    The sp-consent attribute can be added to any <img> or <iframe> element on your page. Common use cases include YouTube or Vimeo video embeds, Google Maps iframes, social media widgets, and third-party tracking pixels.

    Do I need to classify my iframe and img elements in Domain Settings?

    Yes. After adding sp-consent to your tags, you must ensure the corresponding elements are correctly categorized under Domain Settings > Classification. Without proper classification, the contextual consent overlay may not trigger for the correct consent category.

    Can I customize the contextual consent overlay to match my brand?

    Yes. Within Templates > Contextual Consent, you can customize the overlay message text, button labels, and language settings. You can also apply custom CSS for further visual alignment with your brand identity.

    Is contextual consent required for GDPR compliance?

    Contextual consent is not explicitly mandated by name under GDPR, but the regulation does require that personal data is only shared with third parties after specific, informed, and active user consent. Embedding third-party content that loads tracking scripts without prior consent can constitute a GDPR violation. Contextual consent is a recognized best-practice mechanism for achieving compliance with this requirement.

  

  
    Conclusion

    Secure Privacy's Contextual Consent feature gives you a powerful, brand-customizable way to manage user consent for embedded third-party content — helping you meet GDPR and CCPA obligations while keeping the user experience transparent and friction-free. By enabling the feature in your template, adding the sp-consent attribute to the right elements, and classifying them correctly, you can deploy a fully compliant contextual consent flow with minimal development effort.

  

  
    See Also

    
      - Customize Cookie Banner Design — Secure Privacy Guide

      - How to Add Custom CSS for Improved Design and Branding

      - Basic vs. Advanced Google Consent Mode: Full Comparison Guide

      - Secure Privacy — Google-Certified Consent Management Platform

---

# Secure Privacy Partner Program – Referral and Solution Provider Options Explained

URL: https://support.secureprivacy.ai/article/establish-a-profitable-partnership-with-secure-privacy
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:26:13.514+00:00
Reading Time: 2 minutes
Summary: Join the Secure Privacy Partner Program as a Referral or Solution Provider partner. Earn commissions or invoice clients directly while promoting GDPR compliance tools.

The Secure Privacy Partner Program gives consultants, agencies, and solution providers two ways to earn by promoting a trusted GDPR and CCPA consent management platform: a commission-based Referral Program and a full Solution Provider model. This article explains both program types and how to apply.

Why Partner with Secure Privacy?

Secure Privacy is a leading data privacy platform trusted by businesses worldwide to manage cookie consent and comply with global privacy regulations. As a partner, you gain access to:

  - Enterprise-grade privacy technology to add to your product or service portfolio

  - Generous revenue share commissions or direct client invoicing

  - Partner training, co-marketing opportunities, and sales lead referrals

  - Dedicated support from Secure Privacy's partner team

Partner Program Types

Referral Partner

Best for consultants, industry experts, and marketers. Share your unique referral link and earn commissions for every customer you drive to Secure Privacy. No sales management or support responsibilities required.

Solution Provider Partner

Best for agencies and businesses with the capacity to manage sales and client support. Invoice your customers directly, manage the full relationship, and benefit from dedicated account management and Secure Privacy's sales resources.

How to Become a Secure Privacy Partner

  - Visit the Secure Privacy partner page and complete the application form.

  - Secure Privacy's team will review your application and follow up to discuss partnership opportunities.

  - Once approved, access your partner portal to get your referral link, onboarding materials, and account manager details.

You can also access the partner program directly from within your Secure Privacy account:

Ready to Join?

Apply to the Secure Privacy Partner Program and start earning by helping businesses achieve privacy compliance.

Frequently Asked Questions

What is the difference between a Referral Partner and a Solution Provider?

Referral Partners share a link and earn commissions per signup — no client management needed. Solution Providers manage the full sales and support relationship with their clients and invoice them directly.

Who can apply to become a Secure Privacy partner?

Any consultant, agency, industry expert, or business with the ability to promote or manage privacy compliance solutions is welcome to apply. Both program types are open to new applicants.

How do I access the partner program from my existing account?

Log in to your Secure Privacy account and look for the Partner Program link in your account dashboard, as shown in the screenshot above.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

  - Website Visits vs Page Views vs Consent Explained

---

# How to Change the Data Retention Period for a Legal Template in Secure Privacy

URL: https://support.secureprivacy.ai/article/modifying-data-retention-period-for-legal-templates
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T13:53:28.788+00:00
Reading Time: 4 minutes
Summary: Step-by-step guide to changing the data retention period for legal templates in Secure Privacy. Covers GDPR, CCPA, and 50+ jurisdictions with default retention values.

The data retention period setting in Secure Privacy controls how long consent data collected by a legal template is stored. This guide walks through how to navigate to a template's settings, select a retention period (12 months, 6 months, or Do not store), and apply the change to specific domains — helping you stay aligned with GDPR, CCPA, and other applicable privacy regulations.
Who Is This For?
- Privacy and compliance managers configuring data retention for GDPR, CCPA, or other legal templates

- Website administrators adjusting consent data storage settings per jurisdiction

- DPOs reviewing and enforcing data minimisation policies across multiple domains

Step 1 — Log in and open the Templates page
- Log in to your Secure Privacy account using your credentials.

- Once logged in, navigate to the Templates page via the top navigation bar.

Step 2 — Access the template's Settings tab
- On the Templates page, locate the legal template for which you want to modify the data retention period.

- Open the template and navigate to its Settings tab. The data retention period setting is listed there.

Step 3 — Choose the data retention period
Click the dropdown menu and select one of the three available data retention options:
12 months
Consent data collected by this template is retained for 12 months before being automatically deleted.
6 months
Consent data collected by this template is retained for 6 months. This is the default for EU GDPR templates, reflecting the data minimisation principle under Article 5(1)(e).
Do not store
No consent data collected by this template is retained. This is the default for all US state privacy law templates (CCPA, CDPA, CPA, and others), where storage of consent records is not required.
Compliance note: Review applicable privacy laws and regulations before changing the retention period for any template. Retention periods should reflect the principle of data minimisation — storing consent data only as long as necessary for the purpose it was collected.
Step 4 — Apply and save the changes
- If you want the updated retention period to apply to specific domains only, select the relevant domains from the dropdown list provided.

- Once you have selected the retention period and any applicable domains, save the changes to update the template settings.

Default Data Retention Periods by Legal Template
The table below shows the preconfigured default retention period for each legal template in Secure Privacy. These defaults are set based on common regulatory practice for each jurisdiction and can be changed at any time from the template's Settings tab.
A value of 0 means the template defaults to Do not store — no consent data is retained. This applies to all US state privacy law templates.
Default data retention periods for Secure Privacy legal templates (in months; 0 = Do not store)

Template
Default retention (months)

EU GDPR
6

UK DPA
12

Norway DPA
12

Switzerland FADP
12

North Macedonia ZZLP
12

Serbia ZZPL
12

Russia FLDP
12

Belarus LPDP
12

Turkiye KVKK
12

Canada PIPEDA
12

Quebec Law 25
12

India DPDPA
12

UAE PDPL
12

Dubai DIFC DPL
12

Saudi Arabia DPL
12

Oman PDPL
12

China PIPL
12

Israel PPL
12

Thailand PDPA
12

Australia APP
12

New Zealand Privacy Act 2020
12

Philippine DPA
12

South Korea PIPA
12

Malaysia PDPA
12

Hong Kong PDPO
12

South Africa POPIA
12

Singapore PDPA
12

Vietnam PDPA
12

Japan APPI
12

Kenya DPA
12

Egypt DPL
12

Morocco DPL
12

Brazil LGPD
12

Panama LSPDP
12

Colombia DPL
12

Argentina PLDP
12

EU GDPR (with Google disclaimer)
12

[US] California CCPA
0

[US] Virginia CDPA
0

[US] Colorado CPA
0

[US] Connecticut DPA
0

[US] All Other States
0

[US] Tennessee IPA
0

[US] New Jersey CDPB
0

[US] Iowa DPA
0

[US] Utah CPA
0

[US] Indiana CDPA
0

[US] Montana CDPA
0

[US] Oregon CPA
0

[US] Delaware PDPA
0

[US] Texas DPSA
0

[US] Kentucky CDPA
0

[US] New Hampshire CDPA
0

[US] Maryland ODPA
0

[US] Vermont DPA
0

[US] Minnesota CDPA
0

[US] Nebraska DPA
0

Frequently Asked Questions
Why does the EU GDPR template default to 6 months instead of 12?
The EU GDPR template defaults to 6 months to reflect the data minimisation principle under GDPR Article 5(1)(e), which requires that personal data is kept no longer than necessary. Storing consent records for 6 months is considered sufficient for most compliance audit purposes under GDPR. You can extend this to 12 months from the template's Settings tab if your organisation's data retention policy requires it.
Why do US state privacy law templates default to "Do not store"?
US state privacy laws such as CCPA, CDPA, and CPA do not require organisations to retain a record of cookie consent in the same way that GDPR does. The default of "Do not store" (shown as 0 in the table) reflects this. If your legal or compliance team requires consent records to be kept, you can change this setting to 6 or 12 months.
Can I apply a different retention period to specific domains only?
Yes. In Step 4, after selecting the retention period, use the domain dropdown to apply the change to one or more specific domains rather than all domains using that template.
Can I set a custom data retention period (e.g. 3 months or 24 months)?
Currently, Secure Privacy supports three preset options: 12 months, 6 months, and Do not store. Custom durations outside these options are not available in the template settings.
Does changing the retention period affect data already collected?
The retention period setting applies to data collected going forward. Review your organisation's data handling policies and consult with your DPO to determine how previously collected consent data should be managed when changing retention settings.

---

# How to Upload a Custom Logo to Your Secure Privacy Cookie Banner and Preference Center

URL: https://support.secureprivacy.ai/article/upload-custom-logo--personalize-the-appearance-of-banners
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:15:28.886+00:00
Reading Time: 2 minutes
Summary: Learn how to upload a custom logo to Secure Privacy in three steps — replace the default logo in your cookie banner and preference center with your own branded image.

Uploading a custom logo to your Secure Privacy design replaces the default logo in your cookie banner and preference center — ensuring consistent, branded presentation that blends with your website's visual identity. This guide walks through the upload process in three steps.

Who Is This For?

  - Website administrators and designers personalizing the Secure Privacy cookie banner with their organization's logo

  - Compliance teams ensuring the cookie consent UI matches their website's brand identity

  - Anyone setting up a white-labeled consent experience using Secure Privacy's custom logo feature

How to Upload a Custom Logo

Step 1: Access the Designs page

  - Log in to your Secure Privacy account.

  - Navigate to the Designs page from the top navigation bar.

  - Search for or select the design you want to modify with a custom logo.

Step 2: Upload your logo

  - Within the selected design, open the Settings tab and locate the Logo section.

  - Click Select new image.

  - In the file selection dialog, locate and select your logo file.

  - Ensure the file is in PNG or JPG format and approximately 100px × 100px in dimensions for best results.

  - Click Upload and wait for the upload to complete.

Step 3: Verify the logo upload

  - After the upload completes, a preview of your logo will appear in the Logo section — confirm it displays correctly.

  - Check that the logo appears as expected in the banner preview across desktop, tablet, and mobile.

Note: Due to CDN caching, you may not see the updated logo immediately on your live site. If the new logo is not appearing, try viewing the site using a VPN with a different location, or clear your browser cache and reload.

Your custom logo will now replace the default Secure Privacy logo in the cookie banner and preference center on all assigned domains.

Frequently Asked Questions

What file formats and dimensions are supported for the custom logo?

The custom logo must be in PNG or JPG format. For best results, use an image approximately 100px × 100px — this ensures the logo renders clearly across the cookie banner and preference center without distortion or excessive white space.

Why is my updated logo not showing on the live site?

CDN caching may delay the logo update from appearing immediately. To verify the upload was successful, check the preview in your Designs settings. To see the live change sooner, try accessing the site from a different location using a VPN, or clear your browser cache and hard refresh the page.

Can I use different logos for different domains?

Yes. Logos are configured at the design level — if you have separate design configurations assigned to different domains, you can upload a different custom logo to each design independently.

See Also

  - Design Settings in Secure Privacy

  - How to Add Custom CSS to Your Cookie Consent Banner

  - Customizing Your Cookie Banner Design

---

# How to Include or Exclude Pages from Secure Privacy Website Scanning – Scan Settings Guide

URL: https://support.secureprivacy.ai/article/-include-or-exclude-pages-from-scanning--secureprivacy
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:15:23.398+00:00
Reading Time: 2 minutes
Summary: Learn how to customize your Secure Privacy scan by adding or removing specific pages — configure the Include and Exclude lists in Scan Report Settings and rescan to apply changes.

Secure Privacy lets you customize which pages are included in or excluded from your website scans — helping you focus cookie detection on key areas of your site and exclude irrelevant or redundant pages from your reports. This guide explains how to configure the scan page list and apply the changes.

Who Is This For?

  - Website administrators customizing scan coverage to match their site's structure and compliance priorities

  - Compliance officers tracking cookie and service detection on specific website sections

  - Developers managing privacy scans for complex or large websites where full scanning is not practical

How to Include or Exclude Pages from Secure Privacy Scanning

  - Log in to your Secure Privacy account and select the domain you want to manage.

  - Click Scan Report in the left sidebar.

  - Switch to the Settings tab.

  - Locate the Include or Exclude Pages from Scanning section.

  - Add page URLs to the Include list to ensure those pages are always scanned, or to the Exclude list to prevent them from being scanned.

  - Click Save to apply your changes.

  - Return to the Scan Report tab and click Rescan Website to run a new scan with the updated page list.

Frequently Asked Questions

Can I include or exclude multiple pages at once?

Yes. You can paste multiple URLs into the Include or Exclude list — enter each URL on a separate line. All listed URLs will be applied when you save and trigger a rescan.

How long does a rescan take after updating the page list?

Most rescans complete within a few minutes. The exact time depends on the number of pages being scanned and the complexity of your website. Larger sites with many pages or third-party scripts may take slightly longer.

What is the difference between the Include list and the Exclude list?

The Include list specifies pages that should always be scanned — useful for ensuring key pages like your homepage, checkout, or contact pages are always checked for cookies. The Exclude list specifies pages to skip during scanning — useful for removing admin panels, login pages, or other areas where cookie detection is not relevant to your compliance reporting.

See Also

  - Scan Report Settings in Secure Privacy

  - A Guide to Scanning Your Website for Regulatory Compliance

  - How to Trigger a Website Scan for a US Location

---

# Secure Privacy Design Settings – Remove Branding, Custom Logo, Font, and Domain Configuration Guide

URL: https://support.secureprivacy.ai/article/design-settings-in-secure-privacy-customize-privacy-toolkit
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:13:27.455+00:00
Reading Time: 3 minutes
Summary: Learn how to configure Secure Privacy Design Settings — remove branding, set a custom title, choose font source and family, upload a custom logo, and assign designs to domains.

Secure Privacy's Design Settings let you customize the visual identity of your cookie banner and preference center — including removing Secure Privacy branding, setting a design title, choosing font source and family, uploading a custom logo, and assigning the design to specific domains. This guide explains each available setting.
Who Is This For?
- Website administrators customizing the Secure Privacy cookie banner and preference center to match their brand

- Designers configuring typography, logos, and visual identity settings across Secure Privacy designs

- Compliance teams managing domain-specific design assignments in Secure Privacy

How to Access Design Settings
- Log in to your Secure Privacy account.

- Click the Designs tab in the top navigation menu.

- Select the design you want to configure.

Once the design is open, you will see the following settings:
Design Settings Explained
Remove Secure Privacy Branding
Toggle this switch to remove Secure Privacy branding elements from your cookie banner and preference center — providing a seamless, fully white-labeled experience for your website visitors.
Note: Branding removal is not available during the trial period. It becomes available on paid plans or after immidiate upgrade.
Title
Enter a descriptive title for this design configuration. The title is used for internal identification in your dashboard — helping you distinguish between designs when managing multiple configurations or visual styles.
Font Source
Choose where the font for your cookie banner, preference center, and other privacy elements is loaded from:
- System (Browser Default): Uses the visitor's browser or OS default font — no external font request is made. This is the recommended option if your Content Security Policy restricts external resources.

- Google: Loads the selected font from Google Fonts CDN, providing access to a wider range of typefaces.

Font Family
Select the specific font family to use for text within your privacy elements. Available options depend on the font source selected. Choose the typeface that best matches your website's visual identity and readability standards.
Custom Logo
Upload a custom logo image to replace the default Secure Privacy logo in your cookie banner and preference center — ensuring consistent branding across your website. For detailed upload instructions, see the custom logo upload guide[?].
Domains
Assign this design configuration to one or more domains associated with your Secure Privacy account. Click the domain dropdown to select which domain(s) should use this design — allowing you to apply different visual configurations to different websites or environments from a single account.
Frequently Asked Questions
Can I apply different design settings to different domains?
Yes. The Domains setting within each design configuration lets you assign that design to specific domains. If you manage multiple domains in Secure Privacy, create separate design configurations and assign each to the appropriate domain using the domain dropdown.
Why can't I remove Secure Privacy branding during the trial?
Branding removal is a paid plan feature and is not available during the trial period. Once you upgrade to a paid plan, the Remove Secure Privacy Branding toggle becomes available and can be enabled immediately.
Will changing the font source affect my Content Security Policy?
Yes. Selecting Google as the font source loads fonts from Google's CDN — which requires that your Content Security Policy allows connections to fonts.googleapis.com and fonts.gstatic.com. If your CSP restricts external resources, use the System (Browser Default) font source to avoid CSP conflicts.
Need Assistance?
Contact the Secure Privacy support team at support@secureprivacy.ai if you have questions about design settings or need help configuring your integration.
See Also
- How to Upload a Custom Logo[?]

- How to Add Custom CSS to Your Cookie Consent Banner

- Customizing Your Cookie Banner Design

---

# How to Create a Privacy Policy in Secure Privacy – Generator Fields, Options, and GDPR Requirements Explained

URL: https://support.secureprivacy.ai/article/the-policies-page-a-deep-dive-into-privacy-and-user-data-collection
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T13:49:43.084+00:00
Reading Time: 6 minutes
Summary: Learn how to generate a GDPR-compliant privacy policy using Secure Privacy — complete guide to all 20 generator fields including legal basis, DPO, third-party processors, and security measures.

The Privacy Policy section in Secure Privacy allows you to either link an existing privacy policy or generate a new one using Secure Privacy's built-in policy generator. This guide explains both options and walks through every field in the generator — from legal basis and entity type through to third-party services, security measures, and DPO details — so you can create a comprehensive, GDPR-compliant privacy policy for your website or app.

Who Is This For?

  - Website owners and administrators creating or linking a privacy policy for their domain in Secure Privacy

  - Compliance officers and legal teams configuring privacy policy generator inputs for GDPR and CCPA compliance

  - Developers setting up the Privacy Policy tab within the Secure Privacy Preference Center

Option A: Link Your Existing Privacy Policy

If you already have a privacy policy published on your website, you can link it directly in Secure Privacy. Enter the URL where your policy is hosted — this link will be displayed to visitors in the Privacy Policy tab inside the Preference Center UI.

Option B: Generate a New Privacy Policy with Secure Privacy

If you do not have an existing privacy policy, use Secure Privacy's built-in generator to create one. Complete the questionnaire below — each field contributes to a specific section of your generated policy.

1. Cookie and Privacy Policy Generator

Select the generator option to pre-configure your Privacy and Cookie Policy using the input fields. Your responses are used to automatically populate the relevant sections of the generated policy document.

2. Language

Select the language in which the policy content should be generated and displayed to your website visitors.

3. Where Will the Policy Be Used?

Specify whether the policy is for a website, a mobile app, or both. Provide your website URL and site name — these will appear throughout the generated policy.

4. Legal Basis for Data Processing

Specify the lawful basis under which you collect and process personal data — consult your legal team before completing this field. Options typically include consent, contract, legitimate interests, legal obligation, public interest, or vital interests. This information is required under GDPR Article 13.

5. Entity Type

Specify whether your website is operated by a business or an individual. Business options include corporations, limited liability companies, non-profits, partnerships, and sole proprietorships. This determines aspects of how the policy is worded and what disclosures are required.

6. Personal Information Collected

Clearly specify what categories of personal data you collect — including names, contact information, location data, and digital identifiers such as IP addresses. Transparency about what is collected is a core GDPR requirement under the right to information.

7. Purpose of Data Collection

Describe why you collect personal data. Common purposes include service operation and maintenance, customer support, analytics, technical issue detection, and marketing communications. Each stated purpose will appear as a processing purpose in your generated policy.

8. Data Location and Storage

Specify where personal data is stored and processed — including the geographic location of your servers or data processors. This is particularly important for GDPR compliance when data is transferred outside the EU/EEA.

9. Payment Processors

If your website processes payments, disclose the payment services you use — such as Stripe, Google Pay, Apple Pay, or others. These are third-party processors that handle financial personal data on your behalf.

10. Analytics Tools

List the analytics tools you use to monitor site traffic and user activity — such as Google Analytics, HotJar, or Kissmetrics. Each tool you disclose will be included in the relevant section of your generated policy.

11. Advertising Service Providers

If you display advertising on your website, disclose the ad tools and platforms used — such as Google Ads, Heap Analytics, or Calendly. Advertising tools typically involve significant personal data processing and must be transparently disclosed in your policy.

12. Third-Party Service Providers (Data Processors)

List any third-party service providers — also known as data processors — that process personal data on your behalf. Examples include Google Analytics, Microsoft Azure, and Cloudflare. GDPR requires that data processors be identified in your privacy policy.

13. Social Plugins

Specify whether you use social media tools or plugins on your website — such as Facebook Like buttons, Twitter embeds, or LinkedIn share buttons. Social plugins typically set their own cookies and process visitor data.

14. Backup Practices

Disclose whether you maintain backups that contain personal data. Transparent disclosure of backup practices reassures users that their information is stored responsibly and securely.

15. Security Measures

Describe the technical and organizational security measures in place to protect personal data — such as IP anonymization, encryption, data masking, access controls, and regular security audits. These disclosures strengthen user trust and satisfy GDPR Article 32 requirements.

16. Contact Information

Provide clear contact options for users who have questions or concerns about your privacy policy — including an email address, contact form URL, phone number, or postal address. GDPR requires that contact details be included in your privacy notices.

17. Data Protection Officer

Specify whether your organization has a Data Protection Officer (DPO) and provide their contact details if applicable. Under GDPR Article 37, a DPO is mandatory for certain organizations — and their contact details must be publicly disclosed in your privacy policy.

18. Disclosure of Personal Information to Third Parties

Specify whether you disclose user personal information to third parties and, if so, which parties. Users have a right under GDPR to know whether their data is shared, and with whom, before providing consent.

19. Selling Personal Information

Specify whether you sell personal information to third parties — and if so, name those parties. This disclosure is particularly important for CCPA/CPRA compliance, where users have a right to opt out of the sale of their personal data.

20. Do Not Track Responses

Specify whether your website responds to browser-level "Do Not Track" (DNT) signals. Disclosing your DNT policy provides users with a clear understanding of your commitment to browser privacy preferences.

After completing all fields, scroll back to the top of the section and click Save to generate your privacy policy.

Frequently Asked Questions

Do I need to complete every field in the generator?

You should complete every field that is relevant to your website's data practices. Leaving fields blank where they are applicable may result in an incomplete policy that does not meet GDPR transparency requirements. Fields covering legal basis, contact information, and data categories are particularly important and should always be completed.

Can I edit the generated policy after it is created?

Yes. Once generated, the policy can be edited using Secure Privacy's block-based Policy Editor — allowing you to adjust any section, add custom text, or insert tables. Remember to replace all placeholder text in square brackets with your actual business information before publishing.

How often should I update my privacy policy?

Your privacy policy should be updated whenever there is a material change to your data practices — such as adding a new analytics tool, changing your data storage location, appointing or changing a DPO, or when new regulations come into effect that affect your processing activities. An annual review is also recommended as part of your compliance audit cycle.

See Also

  - How to Embed Your Policies on Your Website

  - Using Tables in the Secure Privacy Policy Editor

  - Secure Privacy Pricing Plans Overview

---

# How to Customize Your Cookie Banner Design in Secure Privacy – New Design, Banner, Widget, and Preference Center Setup

URL: https://support.secureprivacy.ai/article/a-guide-to-design-and-personalize-your-banner-cookies-and-preference-center
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:18:13.182+00:00
Reading Time: 3 minutes
Summary: Learn how to create and customize a Secure Privacy design — configure cookie banner position and colors, floating widget style, preference center tabs, and assign designs to domains.

Secure Privacy's Designs feature gives you full control over the appearance of your cookie banner, widget, and preference center — from creating a new design and assigning it to domains through to customizing banner position, colors, widget style, and preference center layout. This guide walks through each step of the design setup process.

Who Is This For?

  - Website administrators creating and configuring Secure Privacy designs for their domains

  - Designers and developers customizing cookie banner position, color, widget style, and custom CSS

  - Compliance teams assigning specific design configurations to different domains in Secure Privacy

Step 1: Create a New Design

Click the Designs link in the top navigation bar of your Secure Privacy dashboard, then select Add a New Design. In the dialog that appears, you can:

  - Give the design a descriptive name for easy identification

  - Select which domains the design should apply to

  - Choose a font — either from Google Fonts or the system fonts provided by Secure Privacy

Once the design is named and configured, select the domains from your account that this design should be applied to.

Step 2: Customize Your Cookie Banner

In your design's settings, navigate to the Cookie Banner section in the left sidebar. Two sub-sections are available:

  - Design tab: Controls where and how the cookie banner appears on your website — including banner position (bar, corner, or middle), padding style, and the option to add custom CSS for advanced styling.

  - Color tab: Allows you to set banner background color, text colors, button colors, hover states, and border colors to match your brand palette.

Step 3: Customize Your Widget

Open the Widget section in the left sidebar to configure the privacy widget that appears persistently on your website. The following widget types are available:

  - Floating: The most customizable option — configure the widget's type (icon, text, or icon + text), style, design (position, shape, logo), and color

  - Button: A simple, non-configurable button widget

  - Hyperlink: A minimal text link widget with no additional configuration

Step 4: Customize Your Preference Center

Open the Preference Center section to configure how the privacy preference center appears to visitors. Available settings include enabling or disabling the preference center, customizing tab names (Settings, Privacy Policy, Cookie Declaration, Data Request), editing cookie category names and descriptions, and updating button and UI string labels — all configurable per language.

Frequently Asked Questions

Can I apply the same design to multiple domains?

Yes. When creating or editing a design, use the domain assignment selector to apply the configuration to one or more domains associated with your Secure Privacy account. Each domain can only have one design active at a time.

Can I have different cookie banner designs for different domains?

Yes. Create separate design configurations for each domain that requires a different visual setup, and assign each design to its respective domain in the domain selection panel.

Where can I find more detailed guidance on each design section?

Each design component has its own dedicated guide — see the See Also section below for links to the cookie banner design, widget configuration, preference center settings, and custom CSS guides.

See Also

  - Customizing Your Cookie Banner Design

  - Design Settings in Secure Privacy

  - How to Add Custom CSS to Your Cookie Consent Banner

  - Upload a Custom Logo to Your Banner

---

# Global Privacy Control (GPC) in Secure Privacy – Automatic Browser Privacy Signal Detection and Cookie Restriction

URL: https://support.secureprivacy.ai/article/global-privacy-control-gpc-feature--secure-privacy
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-31T21:15:28.264+00:00
Reading Time: 13 minutes
Summary: Learn how Secure Privacy's Global Privacy Control (GPC) feature automatically detects browser privacy signals and restricts non-essential cookies — enabled by default for all users.

Privacy regulations like CCPA/CPRA now require websites to honor browser-level opt-out signals — and failing to do so exposes your business to compliance risk even when your cookie banner appears fully functional. Visitors are increasingly using tools like Global Privacy Control (GPC) and Do Not Track (DNT) to communicate their privacy preferences automatically, without clicking through every consent popup they encounter across the web.
Manual workarounds — custom scripts, server-side flag checks, or assembling disparate plugins — are brittle, difficult to audit, and rarely keep pace with evolving regulatory expectations. They also don't scale across the full range of browsers and privacy signal standards now in use.
Secure Privacy's cookie consent platform detects and honors GPC and DNT signals automatically. The moment a visitor with GPC enabled lands on your site, non-essential cookies are blocked — no additional configuration, no code changes, no ongoing maintenance. This guide explains how GPC and DNT work, how to configure browser signal support in Secure Privacy, and how to verify that signals are correctly detected and respected on your website.
Who Is This For?
- Website owners and privacy officers who need to demonstrate CCPA/CPRA opt-out compliance through browser-level signals

- Developers verifying that GPC and Do Not Track signals are correctly detected and honored by Secure Privacy's cookie banner

- Compliance teams looking to configure browser signal indicators and audit their cookie consent setup across regions

What Is Global Privacy Control?
Global Privacy Control (GPC) is an open technical standard developed in 2020 by a coalition of privacy advocates, browser vendors, and technology companies — including the Electronic Frontier Foundation, Mozilla, DuckDuckGo, and Automattic — as a practical mechanism for consumers to express privacy preferences at scale. Rather than requiring a user to opt out of data collection on each website individually, GPC transmits a Sec-GPC: 1 HTTP request header and sets the navigator.globalPrivacyControl JavaScript property to true across every site a visitor browses.
GPC is legally recognized as a valid opt-out signal under CCPA/CPRA in California. The California Attorney General and California Privacy Protection Agency (CPPA) have confirmed that businesses must honor GPC signals as equivalent to a formal "Do Not Sell or Share My Personal Information" request. Several European data protection authorities are also evaluating browser-based signals as a mechanism for expressing consent preferences under ePrivacy and GDPR frameworks.
Browsers and extensions with native or extension-based GPC support include Firefox, Brave, DuckDuckGo Privacy Browser, and the Global Privacy Control Inspector extension for Chrome.
What Is Do Not Track (DNT)?
Do Not Track (DNT) is an earlier browser privacy signal, introduced between 2009 and 2011, that requests websites and third-party services refrain from tracking a user's browsing behavior. DNT is transmitted via the DNT: 1 HTTP request header when a user enables it through their browser's privacy settings.
Unlike GPC, DNT carries no binding legal recognition — compliance has always been voluntary, and most major advertising networks chose not to honor it. As a result, DNT is now considered a legacy privacy signal: widely supported across browsers but lacking the regulatory weight that GPC carries under CCPA/CPRA. Nonetheless, respecting DNT remains a meaningful privacy-first gesture and is included in Secure Privacy's browser signal support for comprehensive coverage across all visitor privacy preferences.
How Secure Privacy Implements Browser Privacy Signals
Secure Privacy's cookie consent platform detects incoming GPC and DNT signals from visitor browsers in real time. When a GPC signal is detected, the banner restricts all cookies to essential-only — blocking non-essential tracking, analytics, and advertising cookies — without requiring any manual interaction from the visitor. DNT signals are similarly detected and can be surfaced to visitors through the configurable browser signals indicator on your consent banner.
This automated detection ensures user privacy preferences are honored immediately, consistently, and across every page of your website — with zero custom code required on your part.
Benefits of Browser Signal Support in Secure Privacy
Automatic CCPA/CPRA opt-out compliance
GPC support directly addresses the CCPA/CPRA requirement to honor browser-level opt-out signals — reducing compliance risk without manual configuration or ongoing legal interpretation on your part.
Immediate privacy protection for GPC-enabled visitors
Visitors with GPC active receive automatic privacy protection the moment they arrive — non-essential tracking is restricted before a single cookie loads, with no banner interaction required on their end.
Fully automated signal detection — no custom code
GPC and DNT detection is built into Secure Privacy's cookie consent script. There are no third-party integrations to maintain, no server-side logic to write, and no risk of detection breaking during future browser updates.
Visible privacy signal indicators on your banner
Secure Privacy's browser signals indicator displays detected GPC and DNT status directly on your cookie consent banner, giving privacy-conscious visitors transparent confirmation that their browser-level preferences are being respected.
Demonstrated commitment to user privacy
Automatically honoring GPC and DNT signals demonstrates to visitors and regulators that your website takes privacy rights seriously — reducing friction for privacy-conscious users and building long-term trust in your brand.
How to Configure Browser Signals in Secure Privacy
Browser signal support — covering both Global Privacy Control (GPC) and Do Not Track (DNT) — is managed from the Browser Signals settings panel in your Secure Privacy account. Both signals are enabled by default; the panel gives you full control over each signal and lets you configure how detected signals are displayed to visitors on your consent banner.
The Browser Signals settings panel in Secure Privacy — toggle GPC and DNT support independently and configure how the privacy signal indicator appears on your cookie banner.
Browser Signals Settings
The Browser Signals Settings section controls which privacy signals your cookie banner detects and honors:
Global Privacy Control (GPC)
When enabled, the Secure Privacy cookie banner automatically detects the Sec-GPC: 1 header sent by GPC-enabled browsers and restricts all cookies to essential-only. This setting fulfills the CCPA/CPRA obligation to honor browser-level opt-out signals and is enabled by default for all Secure Privacy accounts. No additional configuration is required after the Secure Privacy script is installed on your website.
Do Not Track (DNT)
When enabled, Secure Privacy detects the DNT: 1 header sent by visitors who have enabled Do Not Track in their browser. DNT is treated as a legacy privacy signal — its detected status is surfaced through the browser signals indicator on your banner. Enabling DNT support demonstrates a privacy-first approach for visitors using older privacy tools and browsers that do not yet support GPC natively.
Browser Signals Indicator
The Browser Signals Indicator displays the detected status of GPC and DNT in a visible location on your cookie consent banner, giving visitors immediate, transparent confirmation that their browser-level privacy preferences have been detected. You can configure the display location:
- Banner — The indicator appears as a small overlay directly on the consent banner, showing real-time GPC and DNT status for the current visitor.

- Hidden — The indicator is not shown to visitors, but GPC and DNT signal detection and enforcement remain fully active in the background.

The browser signals indicator on a Secure Privacy cookie banner — showing detected GPC (Disabled) and Do Not Track (Disabled) status for the current visitor session when signals are not active.
How to Verify GPC Is Working on Your Website
After enabling browser signal support in Secure Privacy, use the Global Privacy Control Inspector browser extension to confirm that GPC signals are active in your browser, being detected by your server, and correctly supported by your cookie consent banner. This is the recommended testing method for verifying GPC compliance on any website.
The Global Privacy Control Inspector extension confirms three-layer GPC status: enabled in the browser, detected by the server, and supported by the website's cookie consent solution.
Step 1 — Install the Global Privacy Control Inspector Extension
Search for Global Privacy Control Inspector in the Chrome Web Store or your browser's extension marketplace and install it. The extension is available for Chrome and Chromium-based browsers. Once installed, the GPC Inspector icon will appear in your browser toolbar.
Step 2 — Enable GPC in Your Browser
To simulate a visitor with GPC active, ensure GPC is enabled in your browser. Browsers with native GPC support include Brave and Firefox (via privacy settings) and the DuckDuckGo Privacy Browser, which activates GPC by default. For Chrome, the DuckDuckGo Privacy Essentials extension will enable GPC. The GPC Inspector will confirm whether GPC is currently active in your session.
Step 3 — Navigate to Your Website
With the extension installed and GPC enabled, open a new tab and navigate to your website. Load a page where the Secure Privacy cookie banner script is active — typically your homepage or any page included in your standard page template.
Step 4 — Open the GPC Inspector Panel
Click the Global Privacy Control Inspector icon in your browser toolbar. The extension panel will open and display three key status indicators for the current page: whether GPC is enabled in your browser, whether the server detects the GPC signal in the request, and whether the website supports GPC in its consent implementation.
Step 5 — Verify All Three Indicators Are Active
A correctly configured site will show all three GPC Inspector indicators as active — GPC enabled in the browser, detected by the server, and supported by the website. The first two indicators depend on the visitor's browser. The third — site support — is entirely on the website owner's side, and requires two things: the Secure Privacy script correctly installed and the GPC toggle enabled, and a machine-readable declaration file hosted at a specific location on your domain.
The GPC Well-Known File
The GPC specification requires websites that support GPC to publish a publicly accessible JSON file at the following fixed path on their domain:
https://yourdomain.com/.well-known/gpc.jsonThis file tells browsers, extensions like the GPC Inspector, and automated compliance scanners that your website formally declares it will honor GPC signals. Without it, the third indicator ("supported by website") will remain inactive — even if Secure Privacy is correctly installed and GPC detection is fully functional.
File Template
Create a plain text file named gpc.json with the following content:
{
  "gpc": true,
  "lastUpdate": "YYYY-MM-DD"
}- "gpc": true — declares that this site supports and honors the Global Privacy Control signal.

- "lastUpdate" — the ISO 8601 date (YYYY-MM-DD) on which this declaration was last reviewed or updated. Replace with today's date and update it whenever your GPC policy changes.

Where to Place the File
The file must be reachable at exactly /.well-known/gpc.json from your domain root — for example, https://www.yourdomain.com/.well-known/gpc.json. How you deploy it depends on your hosting setup:
- Static sites / file hosting — Create a .well-known/ folder at the root of your web server's public directory and place gpc.json inside it. Ensure the folder and file are publicly readable.

- WordPress — Upload the file via FTP/SFTP to /public_html/.well-known/gpc.json, or use a plugin that manages /.well-known/ routes.

- Shopify / hosted platforms — Use a URL redirect or a custom app to serve the file at the required path, as some hosted platforms restrict direct file system access.

- Nginx — Add a location block to serve the .well-known directory: location /.well-known/ { root /var/www/html; }

- Apache — Place the file in your document root under .well-known/. If .htaccess blocks dotfiles, add an exception: Files ~ "^\.well-known"> Allow from all </Files>

Required Serving Conditions
- The file must return HTTP status 200 — not a redirect, not a 404.

- It must be served with Content-Type: application/json.

- It must be accessible without authentication — the GPC Inspector and compliance crawlers fetch it as an unauthenticated GET request.

- If your site runs on multiple subdomains, each subdomain that processes personal data should host its own /.well-known/gpc.json file.

Once the file is live, reload your website in the browser with the GPC Inspector open. The third indicator should update to show your site as actively declaring GPC support. If it remains inactive, paste your file URL directly into a browser tab to confirm it returns valid JSON with a 200 status.
Step 6 — Check the Consent Banner Indicator (Optional)
If you have configured the Browser Signals Indicator to display on your cookie banner, verify that the banner shows the correct GPC and DNT signal status for this visit. With GPC enabled in your browser, the banner indicator should reflect that GPC is active and your site is honoring the preference. If the indicator is set to Hidden, signal detection is still active — it simply will not be displayed to visitors.
Tip: For aggregate data on how frequently visitors to your site send GPC signals, review your consent records in the Secure Privacy consent dashboard. Consent interactions triggered by GPC signals are logged alongside standard cookie banner interactions, giving you a full picture of opt-out signal volume across your audience.
Frequently Asked Questions
Is GPC legally required under GDPR?
GPC is not explicitly mandated by GDPR, but it is legally recognized as a valid opt-out signal under CCPA/CPRA in California. Several EU data protection authorities are evaluating browser-based privacy signals as a mechanism for expressing consent preferences under ePrivacy and GDPR frameworks. Automatically respecting GPC is a privacy-first best practice regardless of your specific regulatory obligations.
Does GPC replace the cookie consent banner for all visitors?
No. GPC is an additional layer of privacy protection, not a replacement for the cookie consent banner. It restricts cookies automatically for visitors who have sent a GPC signal, but the standard Secure Privacy consent banner remains active for all visitors who have not. Both mechanisms work together to provide full consent management coverage across your entire audience.
What is the difference between Global Privacy Control and Do Not Track?
Global Privacy Control (GPC) is a newer, legally recognized opt-out standard with binding regulatory status under CCPA/CPRA in California — businesses are legally required to honor it. Do Not Track (DNT) is a legacy browser signal introduced around 2009 that requests websites refrain from tracking browsing behavior, but compliance has always been voluntary and DNT carries no binding legal recognition. Both signals are detected and surfaced by Secure Privacy, but GPC carries significantly stronger compliance weight.
Which browsers support Global Privacy Control natively?
Browsers with native GPC support include Brave, Firefox (via privacy settings), and DuckDuckGo Privacy Browser. Chrome and other Chromium-based browsers can support GPC through the Global Privacy Control Inspector extension or the DuckDuckGo Privacy Essentials extension. GPC browser adoption continues to grow as regulatory recognition expands globally.
Do I need to configure anything to enable GPC in Secure Privacy?
No additional setup is required. GPC detection is enabled by default for all Secure Privacy accounts. Your cookie banner will automatically detect and respond to GPC signals from visitor browsers as soon as the Secure Privacy script is installed on your website. You can review and manage browser signal settings — including GPC, DNT, and the banner indicator — from the Browser Signals panel in your account settings.
How do I know if visitors are sending GPC signals to my website?
Use the Global Privacy Control Inspector browser extension to test GPC detection from your own browser session. For aggregate data on GPC signal frequency across all your site visitors, review your consent records in the Secure Privacy consent dashboard — consent interactions triggered by GPC signals are logged alongside standard cookie banner interactions.
Need Help?
Contact Secure Privacy support at support@secureprivacy.ai for questions about GPC, Do Not Track, browser signal configuration, or any other Secure Privacy feature.
See Also
- Global Privacy Platform (GPP) Setup

- Basic vs. Advanced Google Consent Mode

- Implementing Meta Consent Mode with Secure Privacy

- Single Sign-On (SSO) Configuration: Integration with Microsoft Entra ID

---

# How to Trigger a Website Scan for a US Location in Secure Privacy – Regional Scan Settings Guide

URL: https://support.secureprivacy.ai/article/trigger-website-scan-for-us-location--secure-privacy
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:17:49.813+00:00
Reading Time: 1 minutes
Summary: Learn how to set the scan location to United States in Secure Privacy and trigger a rescan — ensuring your cookie declaration reflects cookies and services seen by US-based visitors.

Secure Privacy allows you to trigger website scans from two geographic locations — the EU and the United States. Scanning from a US location detects cookies and services that are specifically served to US-based visitors, ensuring your cookie declaration and privacy policy accurately reflect the tracking technologies seen by that audience.

Who Is This For?

  - Website administrators managing regional cookie compliance for US and EU audiences

  - Developers and digital marketers verifying cookie detection differs between US and EU visitor locations

  - Compliance officers needing region-specific scan results for accurate cookie declarations

How to Trigger a Website Scan for a US Location

  - Log in to your Secure Privacy account and select the domain you want to work with.

  - Navigate to the Scan Report section in the left sidebar.

  - Click the Settings tab.

  - From the Scan Location dropdown, select United States.

  - Click Save to apply the location setting.

  - Return to the Scan Report tab and click Rescan Website to start a new scan from the US location.

Note: Secure Privacy currently supports two scan locations: European Union and United States. Select the location that matches the audience you want to verify cookie detection for.

Common Issues and Fixes

Scan location does not update after saving

Confirm you clicked Save after selecting the new scan location from the dropdown. The location setting is not applied until saved — selecting it from the dropdown alone does not change the active scan location.

Rescan does not start after changing location

After saving the new location setting, you must manually navigate back to the Scan Report tab and click Rescan Website to trigger the scan. The rescan does not start automatically when the location is changed.

See Also

  - How to Perform a Website Rescan

  - Where Is My Data Stored?

  - Scan Report Settings in Secure Privacy

---

# How to Design and Customize Your Secure Privacy Preference Center: Colors, Buttons & Custom CSS

URL: https://support.secureprivacy.ai/article/tailoring-your-preference-center-for-an-engaging-user-experience
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T23:23:14.553+00:00
Reading Time: 6 minutes
Summary: Customize your Secure Privacy Preference Center with background colors, text, button styles, and custom CSS. Step-by-step design guide with WCAG contrast tips and GDPR compliance best practices.

Summary: A well-designed Preference Center reinforces your brand identity and gives users a clear, trustworthy way to manage their consent choices. This guide walks through all of Secure Privacy's Preference Center design and customization options — including color configuration, button styling, preview modes, and custom CSS — so you can create a consent experience that is visually consistent with your website and compliant with GDPR requirements.

  
    Who Is This Guide For?

    
      - Website administrators and designers customizing the visual appearance of their Secure Privacy Preference Center

      - Developers applying custom CSS to align the Preference Center with their brand's design system

      - Marketers and compliance managers ensuring a consistent, professional consent experience across their site

    
  

  
    How to Access the Preference Center Design Editor

    To begin customizing your Preference Center design in Secure Privacy:

    
      - Log in to your Secure Privacy account

      - Navigate to the Design section in the top toolbar of your dashboard

      - Select the design template you want to preview or modify

      - Proceed to the Preference Center subsection

    

    
      
      Navigate to Design in your Secure Privacy dashboard, select your template, and open the Preference Center subsection.
    
  

  
    Preference Center Design Configuration

    Within the Preference Center section, the Design tab is your primary control panel for visual customization. It currently includes a preview mode and custom CSS capability, with additional configuration options planned for future releases.

    
      
      The Preference Center Design tab — your starting point for customizing the visual appearance of your consent Preference Center.
    

    
      Preview Across Desktop, Tablet, and Mobile

      The Preview feature lets you see how your Preference Center will appear across different device screen sizes — desktop, tablet, and mobile — before publishing any changes. Note that the preview is approximate; switch to full-screen view for the most accurate representation of how your users will experience the page.

    

    
      Custom CSS for the Preference Center

      The Custom CSS option gives developers complete control over Preference Center styling beyond the visual editor. Use it to apply brand-specific color schemes, typography, spacing, margins, and layout adjustments — ensuring your Preference Center is visually consistent with the rest of your website.

      Key benefits of using Custom CSS for your Preference Center include:

      
        - Full control over design elements not exposed in the visual editor

        - Design consistency across your consent UI, cookie banner, and site-wide brand system

        - Ability to import and apply custom web fonts (e.g., via Google Fonts)

      
      For guidance on writing Custom CSS for Secure Privacy components, see How to Add Custom CSS for Improved Design and Branding.

    
  

  
    Preference Center Color and Button Settings

    Click Next Step on the Design tab to open the Color tab, where you can configure every color element of your Preference Center. Each sub-section controls a distinct visual layer of the page.

    
      
      The Color tab in the Preference Center design editor — configure background, text, and button colors to match your brand.
    

    
      Background Color

      Choose a background color and dropdown background color that aligns with your brand's color scheme. Consistent background colors create a seamless visual connection between the Preference Center and your main website design.

    

    
      Text Colors: Heading, Body, and Links

      The Text section controls three color elements:

      
        - Heading color — the color for section titles and headings within the Preference Center

        - General text color — body copy and descriptions

        - Link color — clickable links such as your Privacy Policy

      
      Choose colors that complement your brand palette while maintaining strong readability. WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 between text and its background. Verify your choices using the WebAIM Contrast Checker.

    

    
      Primary Button & Secondary Button Styling

      Both the Primary and Secondary consent buttons can be styled independently. Available options for each include:

      
        - Fill style: Filled (solid background) or Stroke (outline only)

        - Corner style: Smooth (rounded), Sharp (square), or Round (pill-shaped)

        - Background color: The button's default resting color

        - Hover background color: The color shown when a user mouses over the button

        - Text color: The button label color at rest

        - Hover text color: The label color during hover

      
      GDPR reminder: Save and Accept buttons must be equally prominent in size, weight, and visual treatment. Avoid styling patterns that make accepting consent significantly more visually dominant than other options.

    

    
      Reset to Default Settings

      If you are not satisfied with your customizations, click Reset to revert all color settings back to Secure Privacy's defaults. This provides a safe fallback if design changes produce unexpected results.

    
  

  
    Best Practices for Designing a Branded, Accessible Preference Center

    
      - Use your brand color palette: Apply your site's primary and secondary colors consistently across backgrounds, text, and buttons for a cohesive experience.

      - Verify contrast ratios: All text must meet WCAG 2.1 AA's 4.5:1 contrast ratio. Test every color combination before publishing.

      - Keep button labels clear: Use plain, action-oriented language on consent buttons (e.g., "Save Preferences," "Accept All," "Reject All") — avoid ambiguous labels.

      - Test on real devices: The built-in preview is a guide, not a guarantee. Test the live Preference Center on actual mobile devices to verify usability.

      - Audit after custom CSS changes: Run an accessibility check with Axe Tools or WAVE by WebAIM after applying any custom CSS to catch unintended accessibility regressions.

    
  

  
    Frequently Asked Questions (FAQ)

    Where do I find the Preference Center design settings in Secure Privacy?

    Go to Design in your Secure Privacy dashboard toolbar, select your template, and navigate to the Preference Center subsection. The Design tab and Color tab contain all visual customization options.

    Can I apply custom CSS to the Preference Center?

    Yes. The Custom CSS option within the Preference Center Design tab allows you to write CSS targeting Secure Privacy's Preference Center components. This is useful for typography, spacing, layout adjustments, and any styling beyond what the visual editor exposes.

    What contrast ratio should my Preference Center text meet?

    WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 for normal text. Use the WebAIM Contrast Checker to validate your heading, body text, and link color selections against their backgrounds.

    Can I reset my Preference Center design to defaults?

    Yes. The Reset button on the Color tab reverts all color configurations back to Secure Privacy's default settings — useful if your customizations have produced unexpected visual results.

    Do Primary and Secondary buttons need to look different from each other?

    They can be visually differentiated, but neither should be so prominent that it unfairly steers users toward one consent option. Under GDPR, all consent choices must be presented with equal clarity and accessibility. Use fill vs. stroke styling to distinguish them while keeping visual weight balanced.

  

  
    Conclusion

    Secure Privacy's Preference Center design editor gives you precise control over every visual element of your consent UI — from background and text colors to button styles and custom CSS. A well-designed Preference Center builds user trust, strengthens brand identity, and ensures your consent experience is both accessible and GDPR-compliant.

  

  
    See Also

    
      - How to Add Custom CSS for Improved Design and Branding

      - Customize Cookie Banner Design — Secure Privacy Guide

      - Customizing Secure Privacy Cookie Banners with CSS

      - Upload a Custom Logo — Personalize the Appearance of Banners

      - Banner Customization Overview

---

# Secure Privacy Product Terms Of Service

URL: https://support.secureprivacy.ai/article/secure-privacy-product-terms-of-service
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:30:51.275+00:00
Reading Time: 42 minutes
Summary: Secure your privacy with our comprehensive Terms of Service. Discover how we protect your personal information and how you can manage your data preferences.

This page contains the Secure Privacy Terms of Service, including the Data Processing Addendum (DPA), subprocessor list, and data deletion policy. These terms govern your use of Secure Privacy's consent management platform and apply to all subscribers, whether on a free trial or paid plan.
Last updated: August 23, 2023
Who Is This For?
- Website owners and administrators subscribing to Secure Privacy

- Legal and compliance teams reviewing GDPR data processing agreements

- Developers and agencies deploying Secure Privacy on behalf of clients

- Enterprise customers evaluating data processor obligations and subprocessors

Table of Contents
- Terms of Service for Products

- 1.1 Definitions

- 1.2 General Conditions; Access to and Use of the Services

- 1.3 Confidentiality, Security and Privacy

- 1.4 Intellectual Property Rights

- 1.5 Third-Party Services

- 1.6 Billing, Plan Modifications and Payments

- 1.7 Cancellation and Termination

- 1.8 Representations, Warranties and Disclaimers

- 1.9 Limitation of Liability and Indemnification

- 1.10 Governing Law and Dispute Resolution

- 2.0 Subprocessors

- Data Deletion Policy

- Data Processing Addendum

These Terms of Service apply to the use of Secure Privacy Products (as herein defined). For the purposes of these Terms of Service, the term “Products”, shall collectively refer to the products and services that are ordered by You online through a link or via an Order Form referencing this Agreement, whether on a trial or paid basis, and made available online by Us, via the applicable subscriber login link and other web pages designated by Us, including, individually and collectively, the applicable Software, updates, API, Documentation, and all applicable Associated Services that You have purchased or deployed.
Terms of Service for Products
These Terms of Service constitute a binding contract on you and govern your use of and access to the products by you, employees and end-users in connection with a paid or free trial subscription to the services.
By accepting this Agreement, either by signing up to the Service or End-User to access or use the service, You agree to be bound by this Agreement. If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to Secure Privacy that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Subscriber,” “You,” “Your” or a related capitalized term herein shall refer to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not accept this Agreement and may not use any of the Services.
1.1. Definitions
The following terms have the following meanings:
Account means any accounts or instances created by or on behalf of Subscriber or affiliate within the Services.
Affiliate means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, whereby “control” (including, with correlative meaning, the terms “controlled by” and “under common control”) means the possession, directly or indirectly, of the power to direct, or cause the direction of the management and policies of such person, whether through the ownership of voting securities, by contract, or otherwise.
Agreement means the Terms of Service for products together with any and all Supplemental Terms, any Data Processing Agreement and Order Forms along with the Secure Privacy Policy available on Our Site.
Applicable Data Protection Law means EU General Data Protection Regulation (or a successor thereto).
API means the application programming interfaces developed and enabled by Secure Privacy that permit Subscribers to scan, access and use certain functionality provided by the Services, including, without limitation, the REST API that enables the interaction with the Services automatically through HTTP requests and the application development API that enables the integration of the Services with other web applications.
Associated Services means products, services, features and functionality designed to be used in conjunction with the Services but not included in the Service Plan to which You subscribe, including, without limitation, integrations and applications created or developed by Secure Privacy or its Affiliates. For the avoidance of doubt, none of the Services or any other product, service, feature or functionality that is expressly stated to be governed by any alternative license, agreement or terms shall be deemed an Associated Service.
Beta Services means a product, service or functionality provided by Secure Privacy that may be made available to You to try at Your option at no additional charge which is clearly designated as beta, pilot, limited release, non-production, early access, evaluation or by a similar description.
Confidential Information means all information disclosed by Secure Privacy to You, or by You to Secure Privacy, which is in tangible form and labelled “confidential” (or with a similar label) or which a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure, including, but not limited to, information relating to Secure Privacy’s security policies and procedures. For the purposes of this Agreement, all Service Data shall be deemed Confidential Information. Notwithstanding the foregoing, Confidential Information shall not include information that (a) was already known to the receiving Party at the time of disclosure by the disclosing Party; (b) was or is obtained by the receiving Party from a third party not under an obligation of confidentiality with respect to such information; (c) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the Parties; or (d) was or is independently developed by the receiving Party without the use of the disclosing Party’s Confidential Information.
Consulting Services means consulting and professional services (including any training, development or implementation services) provided by Secure Privacy or its authorized subcontractors as indicated on an Order Form or other written documents such as a statement of work “SOW”, as defined below.
Documentation means the user guides, online help, release notes, training materials, and other documentation produced by Secure Privacy or the Subscriber regarding the use or operation of the SAAS Services.
End-User means any person or entity other than Subscriber who is using a Service.
Order Form means any of Secure Privacy’s standard forms of sales order or any valid quote for Services and/or services issued by Secure Privacy and that sets forth the SAAS Services and/or services to be purchased or licensed, the price of each, and any mutually agreed additional terms and conditions.
Personal Data means any information relating to an identified or identifiable natural person (“data subject”).
Personnel means employees and/or non-employee service providers and contractors of Secure Privacy engaged by the Secure Privacy in connection with performance hereunder.
Service(s) means the products and services that are ordered by You online through a link or via an Order Form referencing this Agreement, whether on a trial or paid basis, and made available online by Us, via the applicable subscriber login link and other web pages designated by Us, including, individually and collectively, the applicable Software, updates, API, Documentation, and all applicable Associated Services that You have purchased.
Service Data means the data Secure Privacy processes on Your behalf in accordance with the Data Processing Agreement.
Service Plan means varied plans offered by us which you can subscribe to. Each plan entitles you to use certain specified features of the Services. Currently, we offer the following Service Plans: Basic, Plus, Business and Enterprise.
Site means secureprivacy.ai and all the websites on its subdomains.
Subscription Term means the period for which You have agreed to subscribe to and use a Service with respect to any website.
Third Party Services means third party products, applications, services, software, networks, plugins, systems, directories, websites, databases and information obtained separately by You and which a Service links to, or which You may connect to or enable in conjunction with a Service, including, without limitation, Third Party Services which may be integrated directly into Your Account by You or at Your direction.
1.2. General Conditions; Access to and Use of the Services
1.2.1 During the Subscription Term and subject to compliance by You and End-Users with this Agreement, You have the limited right to access and use a Service consistent with the Service Plan(s) that You subscribe to, together with all applicable Deployed Associated Services, for Your internal business purposes. We will (a) make the Services and Service Data available to You pursuant to this Agreement and the applicable Order Forms; (b) provide applicable standard customer support for the Services to You at no additional charge as detailed on the applicable Site and Documentation and/or upgraded support if purchased; (c) use commercially reasonable efforts to make the Services available 24 hours a day, 7 days a week, except (i) during planned downtime for upgrades and maintenance of the Services (of which We will use commercially reasonable efforts to notify You in advance both through Our Site and a notice to Your Account owner and Agents) (“Planned Downtime”); and (ii) for any unavailability caused by circumstances beyond Our reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, act of terror, strike or other labor problem (other than one involving Our employees), Internet service provider failure or delay, Third Party Services, or acts undertaken by third parties, including without limitation, denial of service attack (“Force Majeure Event”). Secure Privacy reserves the right to monitor and periodically audit Your use of the Secure Privacy Services to ensure that Your use complies with the Agreement and the Service Plan restrictions on Our Site. Should Secure Privacy discover that You are not in compliance with the Agreement or the Service Plan restrictions on Our Site, Secure Privacy reserves the right to charge You, and You hereby agree to pay for, said usage in addition to other remedies available to Us.
1.2.2 You may not use the Services to provide customer service, support or other outsourced business process services on behalf of more than one third party (other than Affiliates) through a single Account. Without limiting the foregoing, Your right to access and use the API is also subject to the restrictions and policies implemented by Secure Privacy from time to time with respect to the API as set forth in the Documentation or otherwise communicated to You in writing.
1.2.3 A high speed Internet connection is required for proper transmission of the Services. You are responsible for procuring and maintaining the network connections that connect Your network to the Services, including, but not limited to, “browser” software that supports protocols used by Secure Privacy, including the Transport Layer Security (TLS) protocol or other protocols accepted by Secure Privacy, and to follow procedures for accessing services that support such protocols. We are not responsible for notifying You or End-Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including Service Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Secure Privacy. We assume no responsibility for the reliability or performance of any connections as described in this section.
1.2.4 In addition to complying with the other terms, conditions and restrictions set forth below in this Agreement, You agree not to (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Services available to any third party except in furtherance of Your internal business purposes as expressly permitted by this Agreement; (b) use the Services to Process data on behalf of any third party other than Agents or End-Users; (c) modify, adapt, reverse engineer or hack the Services or otherwise attempt to gain unauthorized access to the Services or related systems or networks; (d) falsely imply any sponsorship or association with Secure Privacy, (e) use the Services in any unlawful manner, including, but not limited to, violation of any person’s privacy rights; (f) use the Services to send unsolicited or unauthorized bulk mail, junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages; (g) use the Services to store or transmit files, materials, data, text, audio, video, images or other content that infringes third party’s intellectual property rights; (h) use the Services in any manner that interferes with or disrupts the integrity or performance of the Services and its components; (i) attempt to decipher, decompile, reverse engineer or otherwise discover the source code of any Software making up the Services; (j) use the Services to knowingly post, transmit, upload, link to, send or store any content that is unlawful, racist, hateful, abusive, libellous, obscene, or discriminatory; (k) use the Services to knowingly post transmit, upload, link to, send or store any viruses, malware, trojan horses, time bombs, or any other similar harmful software (“Malicious Software”); (l) use or launch any automated system that accesses a Service (e.g. bot) in a manner that sends more request messages to a Service server in a given period of time than a human can reasonably produce in the same period by using a conventional on-line web browser; or (m) attempt to use, or use the Services in violation of this Agreement.
1.2.5 In addition to Our rights as set forth herein, We reserve the right, in Our reasonable discretion, to temporarily suspend Your access to and use of a Service if We suspect or detect any Malicious Software connected to Your Account or to the use of a Service by You or End-Users.
1.2.6 You acknowledge that Secure Privacy may modify the features and functionality of the Services during the Subscription Term at any time and at its sole discretion.
1.2.7 You may not access the Services if You are a direct competitor of the Secure Privacy, except with Secure Privacy’s prior written consent. You may not access the Services for the purposes of monitoring performance, availability, functionality, or for any benchmarking or competitive purposes.
1.2.8 If You register for a free trial for any of the Services, We will make such Services available to You on a trial basis free of charge until the earliest of (a) the end of the free trial period for which You registered to use the applicable Service(s); (b) the start date of any subscription to such Service purchased by You for such Service(s); or (c) termination of the trial by Us at our sole discretion. Additional trial terms and conditions may appear on the trial registration web page. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding.
Any service data you enter into a service, and any configurations or customizations made to a service by or for you, during your free trial will be permanently lost unless you purchase a subscription to the same service as covered by the trial or otherwise purchase the applicable service before the end of the free trial period.
1.2.9 From time to time, We may make Beta Services available to You at no charge. You may choose to try such Beta Services at Your sole discretion. Beta Services are intended for evaluation purposes only and not for production use, are not subject to regular customer support, and may be subject to additional terms that will be presented to You. Beta Services are not considered “Services” under this Agreement; however, all restrictions, Our reservation of rights and Your obligations concerning the Services, and the use of any Third Party Services shall apply equally to Your use of Beta Services. Unless otherwise stated, any Beta Services trial period will expire upon the earliest of one year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation. We may discontinue Beta Services at any time at Our sole discretion and may make them never generally available. We assume no liability for any harm or damage arising out of or in connection with a Beta Service.
1.2.10. The consent provided by your visitors is stored in your account as part of your subscription with us. You should be aware that we store the consent given by your visitors for a limited period of time. We remove the consent stored in your account after 12 months from the date of storing such consent. You acknowledge that you may need to renew the consent given by you visitors after the storage period for consent ends.
1.2.11. You shall acknowledge that the number of consents stored in your account shall be determined based on the Service Plan you subscribe to. Accordingly, for Basic, Plus, and Business Plans you shall be able to store 100.000 consents per account per month, whereas for Enterprise Plan you shall be entitled to store 1.000.000 consents per account per month.
1.3. Confidentiality, Security and Privacy
1.3.1 Subject to the express permissions set forth in this Agreement, each Party will protect each other’s Confidential Information from unauthorized use, access or disclosure in the same manner as it protects its own Confidential Information, but no less than with reasonable care. Except as otherwise expressly permitted pursuant to this Agreement, each of us may use each other’s Confidential Information solely to exercise our respective rights and perform our respective obligations under this Agreement and shall disclose such Confidential Information (a) solely to the Personnel who have a need to know such Confidential Information for such purposes and who are bound to maintain the confidentiality of, and not misuse, such Confidential Information; (b) as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction; or (c) as reasonably necessary to comply with any applicable law or regulation. The provisions of this Section shall supersede any non-disclosure agreement by and between the Parties that would purport to address the confidentiality and security of the Service Data and such an agreement shall have no further force or effect with respect to the Service Data.
1.3.2 Secure Privacy will maintain reasonable administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Service Data. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of the Service Data by the Personnel except (a) to provide the Services and prevent or address service, support or technical problems; (b) for compliance with this Agreement or applicable law; or (c) as You expressly permit in writing.
1.3.3 To the extent Service Data constitutes Personal Data, You and the Secure Privacy hereby agree that You shall be deemed to be the data controller and the relevant entity in Secure Privacy shall be deemed to be the data processor as those terms are understood under the Applicable Data Protection Law. Unless otherwise specifically agreed to by Secure Privacy, Service Data may be hosted by Secure Privacy or their respective authorized third-party service providers in the EU, the US or other locations around the world. Under no circumstances will any entity in Secure Privacy be deemed a data controller with respect to Service Data under the Applicable Data Protection Law or any relevant law or regulation of any Member State as defined in the Applicable Data Protection Law. Personal Data is processed in accordance with our Privacy Policy.
1.3.4 You agree that Secure Privacy and the subprocessors that are utilized by Secure Privacy to assist in providing the Services to You shall have the right to access Your Account and to use, modify, reproduce, distribute, display and disclose Service Data to the extent necessary to provide the Services, including, without limitation, in response to Your support requests. Any subprocessors utilized by the Secure Privacy will only be given access to Your Account and Service Data as is reasonably necessary to provide the Services and will be subject to confidentiality obligations which are commercially reasonable and substantially consistent with the standards described.
1.3.5 You acknowledge that Secure Privacy uses essential cookies for the application to function. We reserve the right to make changes in these Terms of Service or our Privacy Policy regarding cookies at any time. Currently, Secure Privacy uses the following types of cookies:
- _lr_hb_ - essential cookie used by Logrocket in our application for support and debugging purposes. Used to store basic information about the user’s session(s).

1.3.6 You acknowledge that Secure Privacy uses local storage for the service to function on a website. We reserve the right to make changes in these Terms of Service or our Privacy Policy regarding cookies at any time. Currently, Secure Privacy uses the following types of local storage:1. s_e_c_u_r_e_k_e_y – to record the preferences selected when the consent or declines the use of services and cookies.
1.3.7. Secure Privacy will process your personal data for the purpose of execution of these Terms of Service and the Data Processing Addendum and for providing customer support. The categories of personal data to be processed include your email address and your personal name.
1.4. Intellectual Property Rights
Each Party shall retain all rights, title and interest in and to all its respective patents, inventions, copyrights, trademarks, domain names, trade secrets, know-how and any other intellectual property and/or proprietary rights (collectively, “Intellectual Property Rights”). The rights granted to You, Agents and End-Users to use the Service(s) under this Agreement do not convey any additional rights in the Service(s) or in any Intellectual Property Rights associated therewith. Subject only to limited rights to access and use the Service(s) as expressly stated herein, all rights, title and interest in and to the Services and all hardware, Software and other components of or used to provide the Services, including all related Intellectual Property Rights, will remain with Secure Privacy and belong exclusively to Secure Privacy. Secure Privacy shall have a free, worldwide, transferable, sub-licensable (through multiple layers), assignable, irrevocable and perpetual license to implement, use, modify, commercially exploit, and/or incorporate into the Services or otherwise use any suggestions, enhancement requests, recommendations or other feedback We receive from You, Agents, End-Users, or other third parties acting on Your behalf.
You agree that Secure Privacy may use your name and logo, regardless of whether registered as a trademark, on Secure Privacy’s Websites and as a part of a general list of Secure Privacy's customers for use and reference in corporate, promotional and marketing materials. You hereby expressly acknowledge and agree that our use of your name and logo does not constitute an infringement of your rights, including intellectual property rights.
When you cease to use our Services, we may, at our sole discretion, remove your name and logo from Secure Privacy’s Websites and from our general list of customers for use and reference in corporate, promotional and marketing materials. Notwithstanding the foregoing, we may, at our sole discretion, continue using your name and logo, provided that we expressly refer to you as our past customer, on Secure Privacy’s Websites and as a part of a general list of customers for use and reference in corporate, promotional and marketing materials.
1.5. Third-Party Services
Secure Privacy may use Third Party Services as part of the Service. Your access and use of Third Party services are governed solely by the terms and conditions of such Third Party Services, and We do not endorse, are not responsible or liable for, and make no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle, protect, manage or Process data (including Service Data) or any interaction between You and the provider of such Third Party Services. We cannot guarantee the continued availability of such Third Party Service features, and may cease enabling access to them without entitling You to any refund, credit, or Third Party compensation, if, for example and without limitation, the provider of a Third Party Service ceases to make the Third Party Service available for interoperation with the corresponding Service in a manner acceptable to Us. You irrevocably waive any claim against Secure Privacy with respect to such Third Party Services. We are not liable for any damage or loss caused or alleged to be caused by or in connection with Your enablement, access or use of any such Third Party Services, or Your reliance on the privacy practices, data security processes or other policies of such Third Party Services. You may be required to register for or log into such Third Party Services on their respective websites. By enabling any Third Party Services, You are expressly permitting Secure Privacy to disclose Your Login, as well as Service Data as necessary to facilitate the use or enablement of such Third Party Services.
1.6. Billing Plan Modifications and Payments
1.6.1 Unless otherwise indicated on an Order Form referencing this Agreement, all charges associated with Your access to and use of a Service are due in full upon commencement of Your Subscription Term, with respect to the time the Service is purchased, subscribed to or otherwise deployed for. If You fail to pay Your Subscription Charges or other charges indicated on any Order Form within five (5) business days of Our notice to You that the payment is due or delinquent, or if You do not update your payment information upon Our request, in addition to Our other remedies, We may suspend or terminate your access to and use of such a Service by You, your Agents and End-Users.
1.6.2 We will automatically upgrade your account to the next plan when your account has hit the maximum number of documented website visitors.
1.6.3 If your account is upgraded to a more expensive plan, any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Your then current Subscription Term, charged to Your Account and due and payable upon the implementation of such a Subscription Upgrade. In any future Subscription Term, Your Subscription Charges will reflect any such Subscription Upgrades.
1.6.4 No refunds or credits for Subscription Charges or other fees or payments will be provided to You if You elect to downgrade Your Service Plan. Downgrading Your Service Plan may cause loss of content, features, or capacity of the Service as available to You under Your Account, and Secure Privacy does not accept any liability for such loss or disruption.
1.6.5 Unless otherwise stated, Our charges do not include any taxes, levies, duties or similar governmental assessments, including value-added or sales taxes (collectively “Taxes”).
1.6.6 If You pay by credit card or certain other payment instruments, the Services provide an interface to the Account owner to change credit card information (e.g. upon card renewal). The Account owner will receive a receipt upon each receipt of payment, or they may obtain a receipt from within the Services to track subscription status. You hereby authorize the payment provider to bill Your credit card or other payment instrument in advance on a periodic basis in accordance with the terms of the Service Plan for the Services and for the periodic Subscription Charges applicable to the Deployed Associated Services to which You subscribe until Your subscription to the Services terminates, and You agree to pay any Subscription Charges so incurred.
1.7. Cancellation and Termination
1.7.1 Either Party may elect to terminate Your Account and subscription to a Service as of the end of Your then current Subscription Term by providing notice, in accordance with this Agreement, thirty (30) calendar days preceding the end of such a Subscription Term. Unless Your Account and subscription to a Service are so terminated, Your subscription to a Service (including any and all Deployed Associated Services) will renew for a Subscription Term equivalent in length to the then expiring Subscription Term.
1.7.2 No refunds or credits for Subscription Charges or other fees or payments will be provided to You if You elect to terminate Your subscription to the Service or cancel Your Account prior to the end of Your then effective Subscription Term.
1.7.3 We reserve the right to modify, suspend or terminate the Services (or any part thereof), Your Account or Your and/or Agents’ or End-Users’ rights to access and use the Services, and remove, disable and discard any Service Data at any time if We believe that You or End-Users have violated this Agreement.
1.7.4 A Party may terminate this Agreement for cause (a) upon thirty (30) calendar days’ written notice to the other Party of a material breach if such a breach remains uncured at the expiration of that notice period; or (b) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding related to insolvency, receivership, liquidation or assignment for the benefit of creditors.
1.7.5 Upon request by You made within thirty (30) calendar days after the effective date of the termination or expiration of this Agreement, We will make Service Data available to You for export or download as provided in the Documentation. After such a 30-day period, We will have no obligation to maintain or provide any Service Data, and, as set forth in the Documentation, we will have the right to delete or destroy all copies of Service Data in Our systems or otherwise in Our possession or control, unless doing so is prohibited by law.
1.7.6 Secure Privacy can terminate Your Account with immediate effect due to a breach of these Terms of Service or the Website Terms of Service.
1.8. Representations, Warranties and Disclaimers
1.8.1 Each Party represents that it has voluntarily and validly entered into this Agreement and has the legal power to do so.
1.8.2 Except as specifically set forth herein, the sites and the services, including all server and network components are provided on an “as is” and “as available” basis, without any warranties of any kind, express or implied, to the fullest extent permitted by law, and we expressly disclaim any and all warranties, whether express or implied, including, but not limited to, any implied warranties of merchantability, title, fitness for a particular purpose, and non-infringement. You acknowledge that we do not warrant that the services will be uninterrupted, timely, secure, error-free or free from viruses or other malicious software, and no information or advice obtained by you from us or through the services shall create any warranty not expressly stated in this agreement.
1.8.3 You hereby acknowledge and agree that configuring the cookie banner which is provided to you as part of the Services, including the cookie & tracking blocking functionality is at Your sole responsibility and that we do not bear any liability for incorrectly configured, or any malfunctioning of the cookie banner and/or cookie & tracking blocking functionality.
1.8.4 You expressly acknowledge and agree that the use of our services is your sole responsibility and is at your discretion. You acknowledge and understand that the purpose of the services is to make your compliance process more efficient. Secure Privacy will never apply the law to your facts and/or act in the capacity of being a legal advisor. We are not a law firm or legal consulting firm and do not perform services performed by an attorney or other personnel that have acquired legal accreditation. Our services are not specific, direct, and do not propose a course of action. As a result, you acknowledge and accept that our services can under no circumstances be construed as legal advice.
1.9. Limitation of Liability and Indemnification
1.9.1 Under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) shall we, or our affiliates, officers, directors, employees, agents, service providers, suppliers or licensors be liable to you or any third party for any lost profits, lost sales or business, lost data, business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, or any other loss or damages incurred by you or any third party in connection with this agreement, the services or consulting services, regardless of whether we have been advised of the possibility of or could have foreseen such damages.
1.9.2 Notwithstanding anything to the contrary in this agreement, Secure Privacy’s aggregate liability to you or any third party arising out of this agreement or otherwise in connection with any subscription to, or use or employment of the services, shall in no event exceed the subscription charges for such services paid by you during the twelve (12) months prior to the first event or occurrence giving rise to such liability.
1.9.3 Secure Privacy provides a tool for collecting and managing user consent on websites. This tool is provided ‘as is’ and without warranty of any kind, express or implied. You understand that compliance with applicable data protection law is a multifaceted matter, which is reflected in all processes and areas of operation of your business, not only on your website. Moreover, a user consent management mechanism on a website alone does not guarantee full compliance of the website with applicable data protection law or any other state, national or international law. Therefore, Secure Privacy does not guarantee and is not liable for the compliance of your website and/or your business and data processing activities, for which user consent is collected, with applicable data protection law, and it is your sole responsibility to ensure such compliance.
1.9.4 It is at our discretion to decide when to delete user consents from our storage. Users may also decide to delete the consents at any time. We expressly disclaim any liability for the deletion of consents from our storage carried out either by us or the user.
1.9.5 Any claims or damages that You may have against Secure Privacy shall only be enforceable against Secure Privacy and not any other entity or its officers, directors, representatives or partners.
1.9.6 You agree to defend, indemnify and hold harmless Secure Privacy, its affiliates and their respective directors, officers, employees and partners from and against all claims and expenses, including attorneys’ fees, arising out of the use of the Websites by you. Secure Privacy reserves the right to take over the exclusive defense of any claim for which we are entitled to indemnification under this section. In such event, you shall provide Secure Privacy with such cooperation as is reasonably requested by Secure Privacy.
1.10. Governing Law and Dispute Resolution
These Terms of Use are governed by and construed in accordance with the laws of Denmark. Any disputes arising out of these Terms of Use shall be settled by the courts of Copenhagen, Denmark.
2.0. Subprocessors
Secure Privacy uses certain subprocessors and content delivery networks to assist in providing the Services.
What is a Subprocessor:
A subprocessor is a third party data processor engaged by Secure Privacy who has or potentially will have access to or process Service Data (which may contain Personal Data). Secure Privacy engages different types of subprocessors to perform various functions as explained in the tables below.
Due Diligence:
Secure Privacy undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
Infrastructure Subprocessors – Service Data Storage
Secure Privacy owns or controls access to the infrastructure that Secure Privacy uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Secure Privacy production systems for the Services are located in the EU (Netherlands).
Entity Country
Entity Type
Entity Name

Netherlands
Cloud Service Provider
Microsoft Azure

Service-Specific Subprocessors
Secure Privacy works with certain third parties to provide specific functionality within the Services. The list of subprocessors is available at https://secureprivacy.ai/subprocessors. In order to provide the relevant functionality these subprocessors access Service Data. Their use is limited to the indicated Services and purposes.
Content Delivery Networks
As explained above, Secure Privacy’s Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes the use of CDNs by Secure Privacy’s Services.
Description of CDN Services
CDN Location
Services Using CDN
CDN Provider

Cloudflare’s services include a content distribution network, a domain name system network, web content optimization, web application firewall, internet protocol reputation filtering, and distributed denial of service attack prevention.
Global
All Services
Cloudflare

Data Deletion Policy
Secure Privacy’s Data Deletion Policy (which is set out under the clause “Account Cancellation or Termination”) describes how our Subscribers’ Service Data is deleted in connection with the cancellation, termination or migration of an Account within the Secure Privacy’s Services detailed herein.
Service Data Deletion due to Account Cancellation or Termination
Two (2) years after your Account for one of the Services provided by us is cancelled or terminated; or, one (1) year after your trial has ended for one of the Services (assuming that you have not purchased a subscription to that Service), an automated process will begin that permanently deletes your Service Data for the cancelled Service.
Data Processing Addendum
This Data Processing Agreement (DPA) is an addendum to the Terms of Use between Secure Privacy and the Subscriber (Agreement). The provision of the Secure Privacy services (the “Services”) involves the Processing of Personal Data by Secure Privacy on behalf of the Subscriber. The provisions of this DPA govern the Processing of Personal Data by Secure Privacy for all services provided under this Agreement.
The Parties agree that for any Personal Data Processed as a result of or pursuant to the Agreement, Secure Privacy shall be the Data Processor and shall Process Personal Data on behalf of the Subscriber and shall not do anything which may put the Subscriber in breach of applicable Data Protection Legislation.
Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Data Processor” means a natural or legal person, public authority, agency, or another body that processes personal data on behalf of the controller;
“Data Protection Legislation” means all applicable laws and regulations relating to the Processing of Personal Data and privacy, including the EU’s General Data Protection Regulation (2016/679/EC), and all laws and regulations implementing or made under them and any amendment or re-enactment of them;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Subprocessor” means any Data Processor engaged by Secure Privacy in the Processing of Personal Data.
Instructions
The Subscriber hereby instructs Secure Privacy to Process Personal Data for the purpose of provision of SAAS Service. The SAAS Service is a service whereby Subscriber asks Secure Privacy to host a cookie/plugin consent management solution on Subscriber’s websites. Secure Privacy's Processing of Personal Data primarily concerns the following: Secure Privacy makes its cookie consent solution available to Subscriber and the Subscriber gets access, configure the solution and install it on their website to make it operational. Secure Privacy must process Personal Data on behalf of the Subscriber in accordance with the purpose stated in the Data Processing Agreement. Secure Privacy may not use Personal Data for any other purpose. The Personal Data may be Processed only on instructions from the Subscriber. The following types of Personal Data are being Processed: Email address, IP address, Name of contact person.
Subprocessors
Secure Privacy works with Subprocessors to provide specific functionalities within the SAAS Services. The Subprocessors are available at https://secureprivacy.ai/subprocessors. In order to provide the relevant functionality, these Subprocessors may access Personal Data. Their use is limited to the indicated Services and purposes. By accepting this Data Processing Agreement, Subscriber authorises the use of the above Subprocessors for the processing. Secure Privacy shall inform Subscriber of any intended changes concerning the addition or replacement of other Subprocessers at least 30 days in advance, thereby giving Subscriber sufficient time to be able to object to such changes prior to the engagement of the concerned Subprocessor. Secure Privacy shall provide Subscriber with the information necessary to enable Subscriber to exercise the right to object. If Subscriber notifies Secure Privacy of such objection, the parties will discuss the concerns in good faith with a view to achieving a commercially reasonable resolution. If Subscriber’s objection cannot be reasonably accomodated, Secure Privacy will either not appoint the new Subprocessor, or permit Subscriber to suspend or terminate the affected Service without liability to either party.
Secure Privacy may not – without the Subscriber’s specific and written authorisation – use the individual Subprocessors for any “other” Processing than agreed or have the described Processing be carried out by another Subprocessor. Secure Privacy uses Microsoft as it Datacenter operator with data located in the Netherlands. The security measures implemented by Microsoft Azure and used by Secure Privacy data centre include, but are not limited to data encryption, malware protection, background checks, penetration testing, intrusion detection, and audits. The rest of the measures are listed in the Microsoft Azure Security Documentation available on https://docs.microsoft.com/en-us/azure/security/.
Where Secure Privacy engages a Subprocessor, it shall do so by way of a contract which imposes on the Subprocessor the same data protection obligations as the ones imposed on Secure Privacy under this DPA. Secure Privacy shall remain fully responsible for each Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of such Subprocessor that cause Secure Privacy to breach any of its obligations under this DPA.
Subscriber Responsibilities
Compliance with laws. The Subscriber shall comply with the Data Protection Legislation with respect to Processing of Personal Data and the instructions for Processing of Personal Data given to Secure Privacy. The Subscriber acknowledges and agrees that it is solely responsible for: (i) ensuring that its instructions for Processing of Personal Data given to Secure Privacy comply with the Data Protection Legislation; (ii) the legality, quality, and accuracy of collected Personal Data; (iii) complying with all the applicable transparency and lawfulness requirements under Data Protection Legislation with respect to the collection and use of Personal Data; (iv) ensuring that the transfer of Personal Data to Secure Privacy for the purpose of processing is lawful.
Proper installation of the cookie solution. The Subscriber acknowledges and agrees that it shall be solely responsible for the proper installation and use of the cookie consent solution. Secure Privacy shall not be responsible for Subscriber’s non-compliance with Data Protection Legislation arising as a result of improperly installed or used cookie consent solution.
Secure Privacy Obligations
Compliance with Subscriber’s instructions. Secure Privacy shall only process personal data exclusively for the performance of the Services and in accordance with the written instructions of Subscriber in accordance with this DPA.
Conflict of laws. If Secure Privacy becomes aware that any law to which Secure Privacy is subject prevents Secure Privacy from complying with such instructions or requires the Processing of Personal Data other than as instructed by Subscriber, Secure Privacy shall inform Subscriber of the legal requirements before Processing, unless that law prohibits such information on important grounds of public interest. Secure Privacy shall immediately inform Subscriber if, in its opinion, an instruction infringes Data Protection Legislation. Secure Privacy must ensure that any natural person acting under the authority of Secure Privacy who has access to Personal Data does not act outside the instructions.
Personnel. Secure Privacy shall ensure that access to Personal Data is limited to those members of its personnel and Subprocessors who need access to Personal Data to meet Secure Privacy’s obligations under this DPA and in the case of any access by any personnel, such part or parts of the Personal Data as is strictly necessary for the performance of the duties of the personnel. Secure Privacy shall ensure that all personnel: (i) are informed of the confidential nature of Personal Data; (ii) have undertaken training relating to the handling of Personal Data; and (ii) are aware of both the Secure Privacy duties and their personal duties and obligations under Data Protection Legislation and the Agreement and the DPA. In addition, Secure Privacy shall take reasonable steps to ensure the reliability of any members of personnel that have access to the Personal Data.
Subprocessors Compliance. Secure Privacy must ensure that each Subprocessor is compliant with the data processing requirements as set by the Data Protection Legislation. If the subprocessor is located in a third country, Secure Privacy must ensure that such country is safe according to the Data Protection Legislation. If a Subprocessor is not located in such a country, Secure Privacy must ensure that the Subprocessor provides appropriate safeguards according to Article 46 of the GDPR, particularly in the form of standard contract clauses, or in the form of binding corporate rules according to Article 47 of the GDPR.
Security measures. Secure Privacy shall ensure that any Personal Data is subject to appropriate technical and organizational measures against unauthorized or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with any applicable Data Protection Legislation. Secure Privacy shall take all measures required under Article 32 of the GDPR to ensure a level of security appropriate to the risks of varying likelihood and severity to the rights and freedoms of natural persons.
Assistance. Secure Privacy shall provide reasonable assistance to Subscriber, in accordance with and as set forth in applicable Data Protection Legislation, in respect of Subscriber’s compliance with (i) the security of the Processing; (ii) the notification of a Personal Data Breach to the competent supervisory authority; (iii) the communication of the Personal Data Breach to the Data Subject; (iv) the carrying out of an assessment of the impact of the envisaged processing operations on the protection of Personal Data; and (v) prior consultations to the competent supervisory authority, taking into account the nature of the Processing undertaken by Secure Privacy and the information available to Secure Privacy. Furthermore, Secure Privacy must assist Subscriber in complying with any obligations resting upon Subscriber under applicable law in force from time to time where Secure Privacy’s assistance is implied or where Secure Privacy’s assistance is necessary for the Subscriber’s compliance with their obligations, including responding to data subject requests. Should Secure Privacy receive such requests, they must immediately provide the Subscriber with access to the requests and associated data.
Personal data breaches. If Secure Privacy has become aware of a potential or actual Personal Data Breach, Secure Privacy must immediately notify Subscriber in writing. This notification must as a minimum include information about the nature of the Personal Data Breach identified and, if possible, the categories of persons (data subjects) affected as well as the number of data subjects affected, the categories of Personal Data concerned and the number of Personal Data records concerned as well as the mitigating measures taken or suggested by Secure Privacy in respect of the Personal Data Breach identified.
Data Transfers. Secure Privacy shall not transfer any Personal Data to locations outside the European Economic Area or to a third country, a territory or one or more specified sectors within a third country, or an international organization against the provisions of the Data Protection Legislation without the consent of the Subscriber. Any transfer or Personal Data to a third country or an international organization by Secure Privacy must take place in compliance with the requirements of the Data Protection Legislation, including Chapter V of the GDPR.
Maintenance of records. Secure Privacy shall maintain complete and accurate records and information related to Processing of Personal Data on behalf of the Subscriber to demonstrate its compliance with this DPA and make available to Subscriber information reasonably necessary to demonstrate compliance with Secure Privacy’s Personal Data Processing obligations under the Terms of Use and this DPA and in accordance with the SAAS Services purchased by the Subscriber.
Audits. Secure Privacy shall allow for audits by the Subscriber or a third-party auditor designated by them to check out the compliance of Secure Privacy with this Agreement. The right to audit shall not extend to the facilities of Subprocessors or other third parties that Secure Privacy engages with for the purpose of providing its Services. The Subscriber or the designated third-party auditor will not be given access to the Personal Data of other Secure Privacy customers. The Subscriber shall announce the date and time of the audit and the name of the third-part auditor, if any, at least 90 days before the proposed time and date. Secure Privacy may object to the proposed date and time and the proposed third-party auditor. In the case of an objection of the date and time, Secure Privacy shall propose multiple dates and time no later than 120 days after the initial notification. If Secure Privacy objects to the third-party auditor, the Subscriber may propose another one. Secure Privacy and the Subscriber shall sign a written agreement on the engagement of a third-party auditor to conduct the audit on behalf of the Subscriber. The mutually agreed-upon third-party auditor shall be subject to an executed written confidentiality agreement between the third-party auditor and Secure Privacy. Secure Privacy shall ensure that the Subscriber is able to verify Secure Privacy’s compliance with the Data Protection Legislation. Subscriber may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports shall constitute confidential information of the parties under the Terms of Use. This right to audit may be exercised but not more than once a year. Subscriber may, once per the calendar year, demand documentation of Secure Privacy’s continuous assessment of its authorized Subprocessors.
Deletion or return of personal data. Secure Privacy shall erase all Personal Data being Processed on behalf of Subscriber as well as any copies thereof 30 days after the termination of the account. At the choice of Subscriber, Secure Privacy shall delete or return all Personal Data to Subscriber after the end of the provision of the Services relating to processing unless Secure Privacy is required to retain the Personal Data by any applicable law.

---

# 3D Secure (3DS) Payment Failed? How to Activate 3D Secure and Complete Your Secure Privacy Payment

URL: https://support.secureprivacy.ai/article/activate-3d-secure-authentication--secure-online-payments
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:03:14.135+00:00
Reading Time: 6 minutes
Summary: Learn what 3D Secure (3DS) is, how to activate it with your bank, and how to fix failed Secure Privacy card payments and 3DS authentication issues.

If your Secure Privacy payment is failing or asking for extra verification, 3D Secure (3DS) is usually the reason. This guide explains what 3D Secure authentication is, who can activate it, how to enable it with your bank, and how to fix common 3DS payment issues on your Secure Privacy account.
Quick answer: Secure Privacy and Stripe cannot enable 3D Secure on your card. Only your bank or card issuer can manage 3DS settings, send OTPs, or approve authentication requests.
What Is 3D Secure Authentication?
3D Secure (3DS) is an online card payment authentication standard that adds an extra verification step before a payment is approved. After you enter your card details, your bank may ask you to confirm the transaction with a one-time password (OTP), a banking app approval, a biometric check, or a passcode.
You may also see 3D Secure listed as Visa Secure, Mastercard Identity Check, American Express SafeKey, or J/Secure, depending on your card network.
This extra step helps reduce fraud and unauthorized card use by confirming that the real cardholder is approving the payment.
Who Controls 3D Secure: Your Bank or Secure Privacy?
Your bank or card issuer controls 3D Secure. Secure Privacy and Stripe cannot turn 3D Secure on, change your authentication method, or resend a bank verification request.
If your payment requires 3D Secure and your card is not enrolled, you will need to activate it through your bank’s mobile app, online banking portal, or support team.
How to Activate 3D Secure on Your Card
The exact steps depend on your country, bank, and card type, but the process is usually similar:
- Log in to your bank’s mobile app or online banking portal.

- Open card settings, card services, or payment security settings.

- Look for 3D Secure, online card authentication, Visa Secure, or Mastercard Identity Check.

- Complete enrollment using your phone number, email, banking app, passcode, or another approval method.

- Contact your bank if you cannot find the setting or are not sure whether 3D Secure is enabled on your card.

Before you start: Make sure your bank has your current mobile number and email address. Many failed 3D Secure payments happen because the OTP or approval request is sent to old contact details.
India
For cards issued in India, 3D Secure is commonly used for online payments. In many cases, the bank enables it when the card is issued, but you may still need to confirm your details or approve payments in your bank app or portal.
- Log in to your bank’s mobile app or net banking portal.

- Open Card Services or Online Payment Settings.

- Look for 3D Secure, Verified by Visa, or Mastercard SecureCode.

- If you do not see the setting, contact your bank for help.

United States
In the United States, 3D Secure may work differently depending on the issuer. Some banks enable it automatically for eligible payments, while others use risk-based authentication without a visible enrollment flow.
- Check whether your bank supports Visa Secure or Mastercard Identity Check.

- Review your app or online banking portal for card security settings.

- If you are unsure, contact your issuer and ask whether your card is enrolled for 3D Secure online authentication.

If you use American Express or Discover, contact the issuer directly to confirm how authentication works for your card.
South Africa
For South African cards, 3D Secure is commonly used for online payment verification. Your bank may require an app approval, OTP, or another security step.
- Check your bank’s online card security settings.

- Make sure your registered mobile number is correct.

- Contact your issuer if you cannot complete enrollment or authentication.

For more background information:
- PASA FAQ – Payments Association of South Africa

- 3D Secure Consumer FAQ (PDF)

Europe
Across Europe, Strong Customer Authentication (SCA) rules usually mean that online card payments require bank verification. In practice, most European cards already support 3D Secure, but you still need a working approval method such as app confirmation, SMS code, or biometric login.
- Log in to your banking app or online portal.

- Open Card Settings, Security, or Online Payments.

- Check that app approvals, SMS codes, or biometric login are active.

- Contact your bank if authentication is failing or not appearing.

If your country is not listed here, your bank is still the best source for 3D Secure activation steps.
How to Complete a 3D Secure Payment on Your Secure Privacy Account
If your Secure Privacy invoice requires 3D Secure authentication, follow these steps:
- Check your email. Look for a Stripe email with a link to complete payment authentication.

- Sign in to your Secure Privacy account. If you do not see the email, go to Billing > Invoices.

- Open your latest invoice and click Pay online.

- Complete the bank verification step. This may be an OTP, push notification, passcode, or biometric approval.

- Wait for confirmation. Do not close the browser until the payment page confirms that the transaction is complete.

If the authentication window closes too early or the page freezes, retry the payment in a new browser session.
3D Secure Payment Failed? Common Problems and Fixes
Didn’t receive the OTP or approval request?
- Confirm that your bank has your current phone number and email address.

- Make sure your phone can receive SMS messages or banking app notifications.

- Open your banking app to check for a pending approval request.

- Ask your bank whether the authentication message was delayed or blocked.

3D Secure is not activated on your card
- Contact your bank or card issuer and ask whether 3D Secure is enabled on your card.

- Confirm that your card is allowed for online payments or international e-commerce payments if relevant.

Payment page stuck or freezing during 3D Secure authentication
- Refresh the page once and try again.

- Try a different browser or device.

- Disable your VPN or browser extensions that may block redirects or pop-ups.

- Allow pop-ups for the payment page domain.

- If the issue continues, contact Secure Privacy support and your bank.

Card works on some websites but not others
Different merchants and banks use different fraud checks. A payment may trigger 3D Secure on one website but not another based on the merchant setup and your card issuer’s rules.
When to Contact Your Bank vs. Secure Privacy Support
Contact your bank if:
- you need to activate 3D Secure on your card

- you did not receive an OTP or authentication request

- your banking app is not approving the transaction

- your card is declined during the authentication step

Contact Secure Privacy if:
- you cannot find the invoice or payment link in your account

- the Stripe payment page does not load

- the payment shows as completed but your account has not been updated

For support, email support@secureprivacy.ai.
Frequently Asked Questions About 3D Secure
Is 3D Secure the same as an OTP?
No. 3D Secure is the authentication framework. An OTP is just one method your bank may use to verify that you are the cardholder.
Can Secure Privacy activate 3D Secure for me?
No. Only your bank or card issuer can enable or manage 3D Secure on your card. Secure Privacy and Stripe do not control your card’s authentication settings.
Why does my Secure Privacy payment need extra verification?
Your bank may require 3D Secure for online card payments to reduce fraud and confirm that you approved the transaction.
What should I do if my 3D Secure payment keeps failing?
First, confirm with your bank that 3D Secure is active and that your contact details are current. Then retry the payment in a fresh browser session with pop-ups enabled and your VPN disabled. If the issue continues, contact support@secureprivacy.ai and include your invoice details.
See Also
- Secure Privacy Pricing Plans

- Secure Privacy Volume Discounts | Custom Consent Storage Pricing

- Website Visits vs Page Views vs Consent Explained

---

# Google EU User Consent Policy: How to Comply with GDPR Requirements for EEA & UK Users

URL: https://support.secureprivacy.ai/article/google-eu-user-consent-policy-compliance-guide--secure-privacy
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T13:01:23.629+00:00
Reading Time: 6 minutes
Summary: Meet Google's EU User Consent Policy requirements with Secure Privacy. Learn the key steps for GDPR-compliant consent collection, Google Consent Mode setup, and full third-party disclosure for EEA and UK users.

Summary: Google's EU User Consent Policy requires website and app owners operating in the European Economic Area (EEA) and the UK to obtain explicit user consent for data collection, advertising personalization, and third-party data sharing — including with Google. This guide explains the policy's requirements and the steps you need to take to maintain compliance, including how Secure Privacy supports Google EU User Consent Policy adherence.

  
    Who Is This Guide For?

    
      - Website and app owners using Google AdSense, AdManager, or AdMob who serve users in the EEA or UK

      - Marketers and analytics managers relying on Google Ads or Google Analytics for campaign measurement

      - Compliance and privacy officers responsible for GDPR and EU User Consent Policy adherence

      - Developers implementing or auditing consent mechanisms and CMP integrations

    
  

  
    Overview of Google's EU User Consent Policy

    Google's EU User Consent Policy requires that website and app owners take direct responsibility for obtaining lawful user consent and providing full transparency about how personal data is collected and used. The policy applies to all publishers and advertisers using Google products to serve users in the EEA and UK.

    Key requirements include:

    
      - Obtaining explicit user consent: Affirmative permission must be collected before using cookies, local storage, data collection, data sharing, or ad personalization for each user.

      - Disclosing all third-party data access: You must clearly disclose all parties — including Google — that collect, receive, or use personal data from your users.

      - Providing transparency: End users must have easy access to clear information about how their personal data is used by your website and all involved third parties.

    

    
      ⚠️ What happens if you don't comply? Failure to comply with Google's EU User Consent Policy can result in suspension of ad serving for your Google Ads, AdSense, or AdMob accounts. Non-compliance may also expose your organization to GDPR enforcement actions from EU data protection authorities, including significant fines.

    
  

  
    How to Comply with Google's EU User Consent Policy: Step-by-Step

    If you are using Google AdManager, AdSense, or AdMob, follow these steps to ensure full compliance with Google's EU User Consent Policy:

    
      - Review your website or app's consent implementation: Audit your existing consent mechanisms and disclosures to confirm they meet Google's policy requirements — explicit consent, full disclosure, and user-friendly controls.

      - Implement a robust consent management platform (CMP): Deploy a Google-certified CMP such as Secure Privacy to ensure users can easily provide, manage, and withdraw consent for data collection and advertising personalization.

      - Enable Google Consent Mode: Connect your CMP to Google Consent Mode so that consent signals are passed automatically to Google Analytics, Google Ads, and other Google tags — ensuring tag behavior adapts correctly to each user's consent decision.

      - Update your privacy notices: Your Privacy Policy and cookie notice must transparently list all data recipients and describe how data is used — including Google services and any other third-party vendors.

      - Monitor and audit continuously: Regularly review your consent flows, third-party integrations, and privacy notices as regulations and Google's policy requirements evolve.

    
  

  
    How Secure Privacy Helps You Meet Google's EU User Consent Policy

    Secure Privacy is a Google-certified Consent Management Platform built to meet Google's EU User Consent Policy requirements out of the box. Key capabilities include:

    
      - Google Consent Mode integration: Secure Privacy automatically passes consent signals to Google tags via the Consent Mode API — ensuring analytics and advertising tags behave according to each user's explicit consent decision.

      - Google Tag Manager support: Deploy and manage consent via the Secure Privacy GTM Community Template, with no custom code required.

      - Full disclosure support: Secure Privacy's cookie scanner and service classification tools help you identify and disclose all third-party data collectors active on your site, including Google services.

      - Ongoing compliance updates: Secure Privacy is continuously updated to reflect evolving GDPR guidance, Google policy changes, and new EU privacy regulations.

    
  

  
    Additional Compliance Resources

    
      - Google's EU User Consent Policy Help Page — Official overview, FAQs, and implementation guidance from Google.

      - Legal consultation: Engage qualified legal counsel with GDPR expertise to review your specific consent implementation and ensure full regulatory compliance for your jurisdiction.

      - Google EU User Consent Policy Team: For policy-specific questions, contact Google directly at ddp-gdpr-escalations@google.com.

    
  

  
    Common Google EU User Consent Policy Issues & Fixes

    
      - 
        Users not seeing the cookie consent banner:

        Verify that your CMP script is correctly installed on all pages of your site and that the banner is enabled for EEA and UK users in your Secure Privacy configuration. Check that no script-blocking tools or caching layers are preventing the banner from loading.

      

      - 
        Insufficient disclosure in privacy notices:

        Review your Privacy Policy and cookie notice to confirm they fully disclose all third-party data collection activities — including Google AdSense, Google Analytics, and any other Google services active on your site. Update them to name each data recipient explicitly.

      

      - 
        Consent not being recorded or syncing with Google tags:

        Check your Secure Privacy and Google Tag Manager integration settings. Confirm that Google Consent Mode is enabled and that the correct trigger (Consent Initialization – All Pages) is configured in GTM. Use the Google Consent Mode verification guide to test that consent signals are passing correctly.

      

    
  

  
    Frequently Asked Questions (FAQ)

    What is Google's EU User Consent Policy?

    Google's EU User Consent Policy requires website and app owners using Google advertising products (AdSense, AdManager, AdMob, Google Ads) to obtain explicit consent from users in the EEA and UK before collecting data, setting cookies, or personalizing ads. It also requires full transparency about which third parties — including Google — access user data.

    Who does Google's EU User Consent Policy apply to?

    The policy applies to all publishers and advertisers using Google's ad products to serve users in the European Economic Area (EEA) and the United Kingdom. This includes websites, apps, and any digital property that displays Google-served ads or uses Google Analytics with advertising features enabled.

    Do I need a Google-certified CMP to comply?

    Google strongly recommends using a Google-certified Consent Management Platform to meet its EU User Consent Policy requirements. A certified CMP ensures that consent signals are correctly passed to Google's systems via the Consent Mode API. Secure Privacy is a Google-certified CMP that handles this integration automatically.

    What is Google Consent Mode and how does it relate to this policy?

    Google Consent Mode is the technical mechanism through which a CMP communicates user consent decisions to Google tags. When a user grants or denies consent, Google Consent Mode ensures that Google Analytics, Google Ads, and other Google tags respond appropriately — restricting data collection when consent is denied. Implementing Consent Mode is a key part of meeting Google's EU User Consent Policy requirements.

    What should I do if my Google ad account is flagged for non-compliance?

    Review your consent banner configuration, privacy disclosures, and CMP integration immediately. Ensure your banner is shown to all EEA and UK users, that all third-party data recipients are disclosed, and that Google Consent Mode is correctly implemented. If the issue persists, contact the Google EU User Consent Policy Team at ddp-gdpr-escalations@google.com.

  

  
    See Also

    
      - Implementing Google Consent Mode in Advanced Mode using Google Tag Manager

      - How to Add a Custom Service / Cookie

      - Should You Block All Cookies? GDPR Cookie Categories Explained

      - Ensuring Prior Consent for Non-Essential Cookies — GDPR Compliance

      - Secure Privacy — Google-Certified Consent Management Platform

---

# How to Install a GDPR & CCPA Cookie Consent Banner on Shopify with Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-shopify
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T22:59:25.021+00:00
Reading Time: 6 minutes
Summary: Add a GDPR & CCPA-compliant cookie consent banner to your Shopify store. Step-by-step guide to installing Secure Privacy via theme.liquid - no coding experience needed.

If you run a Shopify store and sell to customers in the EU, UK, California, or anywhere else with modern privacy laws, you are legally required to display a cookie consent banner before dropping tracking cookies. Ignore it and you risk fines under GDPR, the UK GDPR, CCPA, and the ePrivacy Directive — not to mention eroded customer trust.
Most cookie consent solutions for Shopify fall into one of two frustrating camps: too basic (a static bar that doesn't actually block scripts and won't satisfy a regulator) or too complex (enterprise platforms that require developer time and a legal team to configure). Neither is a good fit for a growing Shopify merchant who needs real, auditable compliance without the overhead.
Secure Privacy gives you a fully compliant, auto-blocking cookie consent banner that works natively with Shopify's theme system — no App Store subscription required, no ongoing per-pageview fees, and no custom development. One script tag in your theme.liquid file is all it takes. Secure Privacy then handles everything else: geo-targeted consent rules, automatic script blocking, and a timestamped audit log you can show to regulators.
By the end of this guide your Shopify storefront will display a GDPR- and CCPA-compliant cookie consent banner, and Secure Privacy will be recording consent events automatically.
Who Is This Guide For?
- Shopify store owners who need to comply with GDPR, UK GDPR, CCPA, or ePrivacy regulations

- Merchants already using Secure Privacy who need to connect it to their Shopify storefront

- Developers managing a client's Shopify theme who want a clean, code-based installation

Important — Shopify checkout restriction: Shopify does not allow external scripts in the native checkout flow. Secure Privacy can be applied to your Storefront and the Order Confirmation page, but not to the checkout pages themselves.
Prerequisites
- An active Secure Privacy account — sign up free if you don't have one yet

- Your Secure Privacy installation script copied from the Installation page inside your dashboard

- Admin access to your Shopify store

- Access to your active theme's code (no coding experience required — just copy and paste)

How to Install Secure Privacy on Shopify — Step-by-Step
Step 1 — Log in to your Shopify admin
Go to your Shopify admin panel and sign in with your store credentials.
Step 2 — Open Online Store
In the left-hand sidebar, click Online Store.
Step 3 — Go to Themes
Select Themes from the Online Store submenu. You will see your currently active theme at the top of the page.
Step 4 — Open the theme code editor
Click the Actions button (top-right of your active theme card) and choose Edit code [HTML/CSS] from the dropdown.
Shopify theme Actions menu — select "Edit code [HTML/CSS]"
Step 5 — Open theme.liquid
In the code editor's file tree, locate the Layout folder and click theme.liquid to open it.
Step 6 — Find the closing </head> tag
Use your browser's find function (Ctrl+F / Cmd+F) to search for </head>. Scroll to it in the file.
Tip: Depending on your theme, this tag may appear as {/head}, [/header], or a similar variation. All of these work the same way — paste the script just before whichever closing head tag your theme uses.
Step 7 — Paste your Secure Privacy script
Copy your Secure Privacy installation code (the <script> tag from the Installation page in your Secure Privacy dashboard) and paste it immediately before the closing </head> tag.
Paste your Secure Privacy <script> tag just before </head> in theme.liquid
Step 8 — Save the file
Click the Save button in the top-right corner of the code editor. Your Secure Privacy cookie consent script is now live on your Shopify store.
What Happens After Installation?
Once the script is saved, visit your storefront in a private/incognito browser window. You should see your Secure Privacy cookie consent banner appear within a few seconds. From this point Secure Privacy will:
- Display your consent banner to new visitors based on your configured geo-rules

- Block non-essential cookies until explicit consent is given

- Log every consent event with a timestamped audit trail

- Respect returning visitors' saved preferences on subsequent visits

If you don't see the banner immediately, allow up to two minutes for Shopify's CDN cache to refresh, then hard-reload the page (Ctrl+Shift+R / Cmd+Shift+R).
Troubleshooting Common Shopify Cookie Banner Issues
The cookie consent banner is not showing on my storefront
Double-check that the script was pasted in theme.liquid (not checkout.liquid or another layout file) and that you clicked Save after pasting. Also confirm the script tag from your Secure Privacy dashboard is assigned to the correct domain.
I can't find a </head> tag in my Shopify theme
Some Shopify themes use Liquid-syntax alternatives such as {/head} or [/header]. Search for head in the editor's find bar and look for the closing variant. If your theme still has no identifiable head closing tag, contact Secure Privacy support for theme-specific guidance.
The banner appears but does not block cookies
Script auto-blocking is configured inside your Secure Privacy dashboard under Cookie Scanner > Auto-blocking. Ensure auto-blocking is enabled for your domain and that a full cookie scan has been completed at least once.
Changes aren't visible after saving
Shopify caches theme assets aggressively. Wait 1–2 minutes, then open your storefront in a new private/incognito window to bypass your local browser cache.
Frequently Asked Questions
Do I legally need a cookie consent banner on my Shopify store?
Yes, if you have visitors from the EU, UK, or California (among other regions). GDPR and the ePrivacy Directive require explicit, informed consent before placing non-essential cookies on a user's device. CCPA requires a clear opt-out mechanism for the sale of personal data. Failure to comply can result in significant fines and reputational damage.
What is the best cookie consent solution for Shopify?
The best option depends on your compliance needs. Secure Privacy is a strong choice for merchants who need genuine script auto-blocking, geo-targeted consent rules, and a regulator-ready audit log — without paying per-pageview fees or needing a developer. It installs via a single script tag in theme.liquid and covers GDPR, UK GDPR, CCPA, and ePrivacy in one platform.
Can Secure Privacy be used on Shopify's checkout pages?
No. Shopify does not permit third-party scripts in its native checkout flow. Secure Privacy works on your storefront and the Order Confirmation page, but not within the checkout itself. This is a Shopify platform restriction, not a Secure Privacy limitation.
Will adding a cookie consent banner slow down my Shopify store?
Secure Privacy's script is lightweight and loads asynchronously, meaning it does not block your page from rendering. The impact on Core Web Vitals and overall page speed is negligible for most stores.
Will Secure Privacy work with all Shopify themes?
Yes. Any Shopify theme that uses a theme.liquid layout file — which includes all official Shopify themes and the vast majority of third-party themes — supports this installation method.
Do I need to reinstall Secure Privacy when I update or change my Shopify theme?
Yes. If you switch to a new theme or duplicate your theme for a major redesign, you will need to add the Secure Privacy script to the new theme's theme.liquid file, as theme code is not carried over between themes automatically.
Related Articles
- How to Install Secure Privacy on WordPress

- Secure Privacy WooCommerce Integration Guide[?]

- Running Your First Cookie Scan with Secure Privacy[?]

- Setting Up Geo-Targeted Consent Rules (GDPR vs CCPA)[?]

- How to Access and Export Your Consent Audit Log

---

# How to Install Secure Privacy on Squarespace (Cookie Consent Setup Guide)

URL: https://support.secureprivacy.ai/article/installing-secure-privacy-on-squarespace
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T22:54:08.904+00:00
Reading Time: 5 minutes
Summary: Add a GDPR & CCPA-compliant cookie consent banner to your Squarespace site in minutes. Step-by-step guide to install Secure Privacy via Code Injection — no coding required.

If you run a Squarespace website and collect any data from visitors — through analytics, contact forms, or embedded third-party tools — you are almost certainly required by GDPR, CCPA, or ePrivacy regulations to display a compliant cookie consent banner. Without one, your site may be exposing you to regulatory fines and eroding visitor trust before they even read your content.
Many Squarespace site owners try the built-in cookie banner first, only to find it lacks granular consent categories, geo-targeting, and the audit logs that regulators actually ask for. Others paste together free scripts that break on the next theme update. Neither approach gives you a defensible compliance record.
Secure Privacy is a dedicated cookie consent management platform built for exactly this problem. It auto-scans your cookies, generates a fully branded consent banner, records every visitor's consent decision, and keeps your policy documents current — all without touching your Squarespace theme files.
By the end of this guide you will have a live, fully compliant Squarespace cookie consent banner powered by Secure Privacy, installed in under five minutes via a single script tag.
Who Is This Guide For?
- Squarespace site owners who need GDPR or CCPA cookie compliance

- Designers and developers managing a client's Squarespace site

- Anyone who has already created a Secure Privacy account and is ready to deploy the banner

Prerequisites
- An active Secure Privacy account with your domain configured

- A Squarespace site on the Business or Commerce plan (Code Injection is not available on Personal plans — see Troubleshooting below)

- Admin access to your Squarespace account

How to Add the Secure Privacy Cookie Banner Script to Squarespace
Step 1 — Copy your Secure Privacy installation script
Log in to your Secure Privacy dashboard and navigate to the Installation page for the domain you want to activate. Copy the unique installation script shown there — this snippet is what connects your Squarespace site to your Secure Privacy consent configuration.
Step 2 — Open Squarespace Settings
Log in to your Squarespace account. In the left-hand sidebar, click the Settings icon (the cog/gear symbol) to open your site settings panel.
Step 3 — Navigate to Code Injection
Within Settings, scroll down to the Advanced section and click Code Injection.
Important: Code Injection is a premium feature available only on Squarespace's Business and Commerce plans. If you are on a Personal plan, you will not see this option. See the Troubleshooting section below for your options.
Step 4 — Paste the script into the Header section and save
In the Code Injection panel, paste your Secure Privacy installation script into the Header text area. Click Save to apply the changes. Placing the script in the header ensures it loads before any tracking or analytics scripts fire, which is required for a legally valid consent-before-load workflow.
Step 5 — Verify the cookie banner is live
Open your Squarespace site in a new private/incognito browser window. You should see your Secure Privacy cookie consent banner appear on first load. If it does not appear, clear your browser cache or check the Troubleshooting section.
What Happens After Installation?
Once the script is live, Secure Privacy will automatically:
- Scan your Squarespace site for cookies and trackers and categorise them

- Display your consent banner to visitors based on their location and the applicable regulation (GDPR, CCPA, LGPD, etc.)

- Record each visitor's consent decision in a tamper-proof audit log

- Block non-essential scripts from loading until consent is granted

You can customise banner appearance, languages, consent categories, and blocking rules at any time from your Secure Privacy dashboard — no changes to your Squarespace site are needed.
Troubleshooting
I can't find Code Injection in my Squarespace settings
Code Injection is only available on Squarespace Business and Commerce plans. If you are on a Personal plan, you will need to upgrade your Squarespace subscription to access this feature. Alternatively, contact Secure Privacy support to discuss other deployment options.
The cookie banner is not appearing after installation
- Make sure you clicked Save after pasting the script in Code Injection.

- Test in a private/incognito window to rule out cached consent decisions.

- Confirm the script in the Header field matches the one shown in your Secure Privacy Installation page exactly — no extra spaces or characters.

- Check that your domain in the Secure Privacy dashboard matches your live Squarespace URL (including or excluding www).

The banner appears but consent choices are not being saved
This can happen if a third-party browser extension is blocking the Secure Privacy script. Test in a clean browser profile without extensions enabled to confirm the issue.
Frequently Asked Questions
Does my Squarespace website need a cookie consent banner?
If your Squarespace site uses any cookies or tracking technologies — including Google Analytics, Meta Pixel, or Squarespace's own analytics — and you have visitors from the EU, UK, California, or other regulated regions, then yes: you are legally required to obtain cookie consent before setting non-essential cookies. GDPR (EU/UK), CCPA (California), and similar laws all mandate this.
Is Squarespace GDPR compliant by default?
Squarespace includes a basic cookie notice, but it does not provide the granular consent categories, prior-blocking of non-essential scripts, or consent audit logs required for full GDPR compliance. A dedicated consent management platform like Secure Privacy is needed to meet those requirements.
Can I add a GDPR cookie banner to Squarespace without coding?
Yes. With Secure Privacy, all you need to do is paste a single script tag into Squarespace's Code Injection header field — no theme editing or developer skills required. The entire banner configuration is handled inside the Secure Privacy dashboard.
Which Squarespace plan do I need to install a cookie consent script?
You need at minimum the Squarespace Business plan to access the Code Injection feature used in this installation method. Code Injection is not available on the Personal plan.
Will the Secure Privacy cookie banner slow down my Squarespace site?
The Secure Privacy script is lightweight and loads asynchronously, so it has minimal impact on your Squarespace page speed. Because it also blocks non-essential third-party scripts until consent is given, it can actually improve initial load performance for visitors who decline non-essential cookies.
Related Articles
- How to Install Secure Privacy on WordPress

- How to Install Secure Privacy on Wix

- How to Install Secure Privacy on Shopify

- How Secure Privacy Scans and Categorises Cookies[?]

- GDPR Compliance Checklist for Website Owners

---

# Secure Privacy Growth Plan Update – What Growth (Legacy) Subscribers Need to Know

URL: https://support.secureprivacy.ai/article/growth-plan-deprecation--migration-to-new-secure-privacy-pricing-tiers
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:20:36.596+00:00
Reading Time: 2 minutes
Summary: Secure Privacy's Growth plan is being renamed Growth (Legacy). Your features stay the same — learn what changed, why, and how to migrate to a new pricing tier.

Secure Privacy's Growth plan is being renamed to Growth (Legacy) as part of an updated pricing structure. Your existing features and service remain unchanged — this article explains what the change means, what stays the same, and how to migrate to a new plan when you are ready.

Who Is This For?

  - Existing customers currently subscribed to the Secure Privacy Growth plan

  - Business decision-makers evaluating subscription and upgrade options

  - Administrators planning migration to updated consent management pricing tiers

What the Growth Plan Change Means for Your Subscription

  - No immediate changes to your service. You can continue using your Growth (Legacy) plan without any disruption. Support and access to your current features remain consistent.

  - Your plan will be renamed Growth (Legacy). All existing features are preserved. Migration to a new pricing tier is recommended but not required right now.

Why Secure Privacy Is Updating Its Pricing Structure

The updated pricing tiers are designed to simplify plan selection, offer greater flexibility, and provide better scalability as your business grows. The new structure aligns more closely with how customers actually use the platform and delivers clearer value at each tier.

Benefits of Migrating from the Growth Legacy Plan

  - Access to the latest features: Unlock new consent management capabilities unavailable on the Growth (Legacy) plan.

  - Higher limits and flexibility: Choose a plan with usage allowances tailored to your current traffic and consent volumes.

  - Improved support options: Benefit from expanded support resources and account management available on newer tiers.

Next Steps: How to Migrate to a New Pricing Tier

We recommend reviewing the Secure Privacy pricing plans overview to compare available tiers with your existing Growth (Legacy) subscription and identify the best fit for your needs.

Our support team is ready to help with any questions or assist you through the migration process. Contact us at support@secureprivacy.ai.

Frequently Asked Questions

Will my Growth (Legacy) plan features change?

No. Your existing features and service will remain unchanged for the time being. The rename to Growth (Legacy) does not affect your current functionality.

Can I continue using the Growth (Legacy) plan indefinitely?

Yes, the plan is currently still supported. However, migrating to a newer pricing tier is recommended to access improved features, higher limits, and better long-term support.

How do I migrate to a new Secure Privacy pricing tier?

Review the available plans on the Secure Privacy pricing plans page to find the right tier, then contact our support team to start your migration.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Volume Discounts

  - Website Visits vs Page Views vs Consent Explained

---

# How to Add a GDPR Cookie Consent Banner to Your Magento Store with Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-magento
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T22:49:57.938+00:00
Reading Time: 5 minutes
Summary: Add a GDPR-compliant cookie consent banner to your Magento 2 store in minutes. No extension needed — install Secure Privacy with a single script. Step-by-step guide inside.

If you run a Magento 2 store and sell to customers in the EU, UK, California, or beyond, displaying a cookie consent banner isn't optional — it's a legal requirement under GDPR, ePrivacy, and CCPA. Without one, your store may be setting tracking and analytics cookies before visitors have given consent, exposing your business to regulatory fines and compliance risk.
Many Magento store owners start by searching for a Magento cookie consent extension or a Magento 2 GDPR plugin — only to find solutions that are complex to configure, require a developer, or don't keep up with evolving privacy laws. Secure Privacy solves this differently: it's a fully managed cookie consent management platform (CMP) that installs on Magento in minutes via a single JavaScript snippet — no Magento module, no FTP, no theme editing required.
With Secure Privacy on your Magento store you get:
- An automatic cookie scanner that detects all cookies and trackers on your storefront

- A customizable cookie consent popup that matches your Magento theme

- Granular consent categories (Analytics, Marketing, Functional) with opt-in/opt-out controls

- A consent log and audit trail to prove compliance to regulators

- Automatic updates as GDPR, CCPA, and ePrivacy regulations evolve — without touching your Magento code

This guide shows you exactly how to set up a Magento cookie consent banner using Secure Privacy — from copying your script to verifying the cookie notice is live on your storefront. The whole process takes under five minutes.
Who Is This For?
This article is for Magento store owners and administrators who need to add a GDPR-compliant cookie banner to their Magento 2 website without hiring a developer or installing a heavy Magento extension. It applies to both Magento Open Source and Adobe Commerce (Magento Commerce).
Before You Begin
- You have an active Secure Privacy account. (Sign up free[?] if you don't have one yet.)

- You have Magento Admin access with permissions to edit System Configuration.

- Your Magento store is running Magento 2.x (Open Source or Commerce).

- You know which Secure Privacy cookie consent plan is assigned to your domain.

Step-by-Step: Installing Secure Privacy Cookie Consent on Magento 2
Follow the steps below to add the Secure Privacy cookie consent script to your Magento store's <head> — no Magento extension or module installation needed.
Paste the Secure Privacy cookie consent script into System > Configuration > Design > HTML Head > Miscellaneous Scripts in your Magento Admin panel.
- Copy your Secure Privacy script. Log in to your Secure Privacy dashboard, navigate to the Installation page for your domain, and copy the unique JavaScript snippet provided. This is the script that powers your Magento cookie consent banner.

- Open Magento Admin. In your Magento backend, go to the Admin menu and select System > Configuration.

- Navigate to Design settings. In the left-hand configuration panel, click Design under the General section.

- Expand the HTML Head section. Click the arrow next to the HTML Head accordion to expand it and reveal the head-injection options.

- Paste the Secure Privacy script. Locate the Miscellaneous Scripts text field and paste your Secure Privacy cookie consent script directly into it. This field injects the script into the <head> of every page on your Magento storefront — ensuring your cookie notice loads on all pages, including checkout.
💡 Tip: Make sure you paste the full script tag, including the opening <script> and closing </script> tags. Pasting only the inner content will prevent the cookie banner from loading.

- Save your configuration. Click the Save Config button in the top-right corner of the page.

- Verify the cookie banner is live. Open your Magento storefront in a fresh browser window or incognito tab. The Secure Privacy GDPR cookie consent popup should appear automatically. Your Magento store is now cookie-law compliant.

What Happens After Your Magento Cookie Banner Is Live?
Once the Secure Privacy script is active on your Magento store, the platform works continuously in the background to keep your store compliant:
- Automatic cookie scanning — Secure Privacy scans your Magento storefront and categorizes all cookies and third-party trackers (Google Analytics, Facebook Pixel, etc.).

- Consent-based script blocking — tracking scripts are blocked until a visitor actively consents, keeping you compliant with GDPR's "prior consent" requirement.

- Consent records and audit logs — every consent decision is logged in your dashboard so you can demonstrate compliance to data protection authorities if required.

- No-code banner customization — adjust banner text, colors, button labels, and consent categories from your Secure Privacy dashboard without touching Magento.

Troubleshooting: Magento Cookie Consent Banner Not Showing
- Banner not appearing after installation? Clear your Magento full-page cache: go to System > Cache Management and click Flush Magento Cache. The cookie banner should appear on the next page load.

- Script saved but cookie popup still not loading? Confirm your Magento admin role has permission to edit Design configuration. If the Miscellaneous Scripts field is greyed out, contact your Magento administrator.

- Cookie notice appears on some pages but not others? A full-page cache layer (e.g., Varnish) or a third-party performance plugin may be stripping custom head scripts. Whitelist the Secure Privacy script domain in your caching configuration.

- Running multiple Magento store views? Switch the configuration scope (top-left dropdown in System > Configuration) to each store view and repeat step 5 for each, or set scope to Default Config to apply the cookie banner globally.

Frequently Asked Questions — Magento Cookie Consent & GDPR
Do I need a cookie consent banner on my Magento store?
Yes — if your Magento store uses cookies for analytics, advertising, or personalization and serves visitors in the EU, UK, or California, you are legally required to display a cookie consent banner under GDPR, ePrivacy, and CCPA. Operating without one can result in regulatory fines of up to €20 million or 4% of global annual turnover under GDPR.
Do I need a Magento extension or module to install a cookie banner?
No. Secure Privacy installs on Magento 2 as a lightweight JavaScript snippet — no Magento extension, module, or Composer package is required.

---

# Secure Privacy Browser Compatibility – Supported Browsers, Minimum Versions, and Recommended Versions

URL: https://support.secureprivacy.ai/article/-supported-browsers-for-secureprivacy-solution
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:10:51.102+00:00
Reading Time: 2 minutes
Summary: Check which browsers are supported by Secure Privacy — including minimum versions for Chrome, Firefox, Safari, Edge, Opera, Android, and iOS — and why staying updated matters for consent management.

Secure Privacy's installation script, cookie consent banner, and preference center are designed to work with modern web browsers. This article lists the supported browsers and minimum versions required for full functionality — and explains why keeping browsers up to date improves compatibility and performance.

Who Is This For?

  - Website administrators and IT teams verifying browser compatibility before deploying Secure Privacy

  - Privacy compliance teams ensuring the cookie banner and preference center function correctly for all visitors

  - Developers troubleshooting browser-specific issues with the Secure Privacy script or consent UI

Supported Browsers and Minimum Versions

Secure Privacy supports the following browsers at the minimum versions listed below. For the best experience, we recommend using the latest two major versions of each browser.

  
    
    
  
  
    
      Browser / Platform

      Minimum Version

    

    
      Chrome

      52+ (recommended: 110 or later)

    

    
      Firefox

      32+ (recommended: 110 or later)

    

    
      Edge

      15+ (recommended: 110 or later)

    

    
      Safari

      10+ (recommended: 16 or later)

    

    
      Opera

      23+ (recommended: 95 or later)

    

    
      Android

      5.0+ (recommended: Android 12 or later)

    

    
      iOS Safari

      iOS 10+ (recommended: iOS 16 or later)

    

  

Why Keeping Browsers Updated Matters

Using current browser versions ensures the best possible experience with Secure Privacy's consent management features:

  - Improved security and privacy controls: Modern browsers implement the latest privacy APIs and security standards that Secure Privacy's blocking and consent features rely on.

  - Better compatibility with consent management technologies: Newer browser versions support the latest JavaScript APIs and cookie handling behaviors required for accurate blocking and preference management.

  - Enhanced performance and web standards compliance: Up-to-date browsers render the cookie banner and preference center faster and more reliably across all screen sizes and devices.

Frequently Asked Questions

Will the cookie banner work on older browser versions?

The cookie banner will function on browsers at or above the minimum supported versions listed above — but older versions may have limited functionality, reduced performance, or display inconsistencies. If visitors on older browsers report issues with the banner or preference center, updating their browser is the recommended first step.

What should I do if the cookie banner or blocking features are not working correctly?

First, check that the visitor's browser meets the minimum version requirements. Then clear the browser cache and reload the page. If the issue persists on a supported browser version, contact Secure Privacy support at support@secureprivacy.ai wit

---

# How to Design Your Contextual Consent Page in Secure Privacy: Colors, Buttons & Custom CSS

URL: https://support.secureprivacy.ai/article/contextual-consent-design-how-to-personalize-your-page-user-experience
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T23:14:17.969+00:00
Reading Time: 6 minutes
Summary: Customize your Secure Privacy contextual consent overlay with brand colors, button styles, and custom CSS. Step-by-step design guide covering WCAG contrast, GDPR compliance, and mobile preview.

Summary: A well-designed contextual consent page builds user trust, reinforces your brand identity, and improves consent interaction rates. This guide explains how to use Secure Privacy's Contextual Consent design editor to customize background colors, text, button styles, and custom CSS — ensuring your consent overlay is both visually consistent with your site and compliant with WCAG accessibility standards.

  
    Who Is This Guide For?

    
      - Website administrators and designers customizing the visual appearance of Secure Privacy's contextual consent overlay

      - Developers applying custom CSS to fine-tune consent page styling beyond the visual editor

      - Marketers and compliance managers ensuring the contextual consent page reflects brand identity while meeting GDPR design requirements

    
  

  
    How to Access the Contextual Consent Design Editor

    To begin customizing your contextual consent page design in Secure Privacy:

    
      - Log in to your Secure Privacy account

      - Click Design in the dashboard navigation

      - Select the design template you want to preview or modify

      - Navigate to the Contextual Consent section within that template

    

    
      
      Navigate to Design > select your template > Contextual Consent to access the design configuration options.
    
  

  
    Contextual Consent Design Configuration Options

    
      Reset to Default Settings

      The Reset option reverts all design changes back to the Secure Privacy default settings. Use this if you want to start fresh or undo customizations that aren't working as intended — without needing to manually undo each individual change.

    

    
      Background Color

      The background color sets the visual foundation of your contextual consent overlay. Choose a color that complements your overall website theme while ensuring strong readability for the text layered above it. If your site uses a light theme, a light banner background with dark text typically performs best for both aesthetics and accessibility.

    

    
      Text Color

      Select a text color that provides strong contrast against your chosen background. WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 for normal body text — meeting this threshold ensures your consent message is readable for users with visual impairments as well as in bright ambient light conditions. Use the WebAIM Contrast Checker to verify your color combination before publishing.

    

    
      Button Design and Color Settings

      Each consent action button can be fully customized. The following options are available:

      
        - Fill style: Choose between a Filled button (solid background color) or a Stroke button (outline only) to match your site's design language.

        - Corner style: Select Smooth (rounded), Sharp (square), or Round (pill-shaped) corners to align with your brand's visual identity.

        - Background color: The button's resting state color — choose a color that clearly signals its function (e.g., green or blue for acceptance, neutral for decline).

        - Hover background color: The color shown when a user mouses over the button — should provide enough visual change to signal interactivity.

        - Text color: The label color on the button at rest — ensure strong contrast against the button background for readability.

        - Hover text color: The label color during hover — maintain contrast with the hover background color.

      
      GDPR reminder: Under GDPR, the "Accept" and "Decline" buttons must be equally prominent. Avoid styling that makes one option visually dominant over the other.

      
        
        Configure button fill style, corner style, background, hover, and text colors in the Contextual Consent design editor.
      
    

    
      Custom CSS for Contextual Consent Pages

      The Custom CSS panel gives developers complete control over the contextual consent overlay's appearance. You can override default styles to match your brand's specific color palette, typography, spacing, margins, and more — beyond what the visual editor exposes.

      Common use cases for custom CSS include importing a custom web font, adjusting overlay padding, modifying border radius, or applying animation effects. For guidance on using the Custom CSS panel, see How to Add Custom CSS for Improved Design and Branding.

    

    
      Preview Across Desktop, Tablet, and Mobile

      Once you have applied your design settings, use the Preview feature to see how your contextual consent overlay renders across desktop, tablet, and mobile screen sizes. Note that the built-in preview is approximate — for the most accurate visualization, switch to full-screen view before finalizing your design.

      After any significant design change, also verify that all consent buttons still function correctly by testing the overlay in a live or staging browser environment.

    
  

  
    Best Practices for Designing a GDPR-Compliant Contextual Consent Page

    
      - Meet WCAG contrast requirements: All text must achieve a minimum 4.5:1 contrast ratio against its background (WCAG 2.1 AA). Verify using WebAIM's Contrast Checker.

      - Use equal-prominence buttons: Style Accept and Decline buttons consistently — same size, weight, and visual prominence — to avoid dark patterns prohibited under GDPR.

      - Keep message text concise: Users are more likely to engage with short, plain-language consent text than with lengthy legal copy. State what data is being shared and why in as few words as possible.

      - Test on real devices: Supplement the built-in preview with testing on actual mobile devices to confirm touch target sizes, readability, and button responsiveness.

      - Review after every CSS change: Run an accessibility check using Axe Tools or WAVE by WebAIM after applying custom CSS to ensure no accessibility regressions have been introduced.

    
  

  
    Frequently Asked Questions (FAQ)

    Where do I find the Contextual Consent design settings in Secure Privacy?

    Go to Design in your Secure Privacy dashboard, select your template, and navigate to the Contextual Consent section. All background, text, button, and custom CSS options are available there.

    Can I reset my contextual consent design to defaults if I make a mistake?

    Yes. The Reset option in the Contextual Consent design editor reverts all settings back to Secure Privacy's defaults. This is useful if custom changes have produced unexpected results and you want to start from a clean slate.

    What contrast ratio should I use for my contextual consent overlay text?

    WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 for normal text against its background. Use the WebAIM Contrast Checker to test your color choices before publishing.

    Can I apply custom fonts to the contextual consent overlay?

    Yes. Use the Custom CSS panel to import a web font (e.g., from Google Fonts) and apply it to the consent overlay using the appropriate CSS selector. See the guide: Customize Cookie Banner Design — Secure Privacy Guide.

    Does my contextual consent overlay design need to be GDPR compliant?

    Yes. The design of your contextual consent overlay must not use dark patterns. This means the Accept and Decline options must be equally prominent — the same size, weight, and visual treatment. Styling that makes accepting significantly easier to see or click than declining can constitute a GDPR violation.

  

  
    Conclusion

    Secure Privacy's Contextual Consent design editor gives you full control over how your consent overlay looks and feels — from background and text colors to button styles and custom CSS. By investing in a clear, branded, and accessible contextual consent design, you improve user trust, encourage transparent consent interactions, and maintain compliance with GDPR and WCAG requirements.

  

  
    See Also

    
      - How to Add Custom CSS for Improved Design and Branding

      - Customize Cookie Banner Design — Secure Privacy Guide

      - Customizing Secure Privacy Cookie Banners with CSS

      - Banner Customization Overview

---

# How to Add a Custom Cookie or Service in Secure Privacy – Classification Tab Guide

URL: https://support.secureprivacy.ai/article/add-custom-cookies--services--secureprivacy-guide
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:09:13.646+00:00
Reading Time: 2 minutes
Summary: Learn how to manually add a custom cookie or service in Secure Privacy's Classification tab — including required fields, how to save, and when to rescan to apply changes.

If a cookie or third-party service is not automatically detected by Secure Privacy's scanner, you can add it manually via the Classification tab. This ensures all active cookies and services appear in your scan report, are correctly categorized, and are included in blocking rules and the preference center.

Who Is This For?

  - Website administrators managing cookie inventories and ensuring all active cookies are documented

  - Compliance teams adding known services that were not automatically detected during scanning

  - Developers integrating new third-party services that need to be classified and blocked before they appear in scan results

How to Add a Custom Service or Cookie in Secure Privacy

  - Log in to your Secure Privacy account and select the domain you want to work with.

  - Open the Classification tab in the left sidebar.

  - Click the Add Cookie button.

  - Complete the required fields for the cookie or service:

    
      - Cookie name — the exact name of the cookie

      - Host — the domain that sets the cookie

      - Service name — the third-party service associated with the cookie

      - Category — the consent category (e.g., Essential, Analytics, Marketing, Functional)

      - Expiry — how long the cookie persists

      - Description — a brief explanation of the cookie's purpose

    
  

  - Click Save to add the cookie to your classification list.

  - Navigate to Scan Report > Rescan Website to trigger a rescan and apply your changes — ensuring the new cookie appears in your scan report, blocking configuration, and preference center.

Frequently Asked Questions

Will the new cookie appear in the Preference Center after I add it?

Yes — but only after you trigger a website rescan. Once the rescan is complete, the manually added cookie will be included in the preference center under the category you assigned, giving visitors control over that cookie through the consent interface.

Can I edit or delete a custom cookie after adding it?

Yes. Return to the Classification tab at any time to update the cookie's details — such as its category, description, or expiry — or delete it entirely. After making changes, trigger a rescan to apply the updates to your live scan report and preference center.

Why would I need to add a cookie manually if Secure Privacy has automatic detection?

The automatic scanner detects cookies based on its known service database and live page crawl. Newly deployed services, custom-built tracking solutions, or cookies set through non-standard implementations may not be detected automatically. Adding them manually ensures they are correctly classified, blocked, and declared in your cookie policy.

See Also

  - How to Perform a Website Rescan

  - How to Change a Consent Category for a Service or Cookie

  - Why Essential Cookies Are Selected by Default

---

# How to Add a Custom Font to Your Secure Privacy Cookie Banner Using Google Fonts

URL: https://support.secureprivacy.ai/article/how-to-add-custom-fonts-using-css-in-secure-privacy-banner
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T22:48:17.374+00:00
Reading Time: 4 minutes
Summary: Use any Google Font or web font in your Secure Privacy cookie banner. This step-by-step CSS guide covers @import setup, selector targeting, and font loading best practices.

Summary: Want to use a specific font in your Secure Privacy cookie banner that isn't included in the default options? You can easily add a custom font to your Secure Privacy banner by importing any typeface from popular libraries like Google Fonts using a simple @import rule in the Custom CSS panel. This guide walks through every step.

  
    Who Is This Guide For?

    
      - Website administrators and marketers customizing the visual appearance of Secure Privacy consent banners to match their brand typography

      - Developers implementing design adjustments to the banner using custom CSS

    
  

  
    Step 1: Choose Your Custom Banner Font

    
      - Select a font: Browse and choose a typeface from a popular web font library such as Google Fonts. Look for fonts that complement your brand identity and are available in the weights you need.

    
  

  
    Step 2: Import the Font Using @import

    
      - 
        Use the @import rule: Add the following line at the very beginning of your Custom CSS to import your chosen font:

        @import url('https://fonts.googleapis.com/css2?family=Your+Font+Name&display=swap');
      

      - Replace Your+Font+Name with the actual font name from the library. For example, for Roboto:

        @import url('https://fonts.googleapis.com/css2?family=Roboto&display=swap');
      

      - Important: Always place @import statements at the very start of your CSS. Placing them after other rules will prevent the font from loading correctly.

    

    
      
      Place your @import rule at the very top of the Custom CSS field in Secure Privacy's design editor.
    
  

  
    Step 3: Apply the Custom Font to Your Secure Privacy Banner

    
      - Use CSS selectors to target specific elements in the banner—such as headings or buttons—and apply your chosen font using the font-family property.

    

    The following example imports Roboto from Google Fonts and applies it to the banner heading:

    @import url('https://fonts.googleapis.com/css2?family=Roboto&display=swap');

.sp-banner-heading {
  font-family: 'Roboto', sans-serif;
}

    
      
      Apply your imported font to specific banner elements using the appropriate Secure Privacy CSS selector.
    

    This targets the .sp-banner-heading class specifically. You can apply the same pattern to other banner elements such as body text, buttons, or links using their respective selectors.

  

  
    Best Practices for Custom Fonts in Cookie Banners

    
      - Test thoroughly after every change: Always verify that your custom CSS works correctly and does not interfere with banner functionality or consent button behavior.

      - Check the font library's documentation: Review the import instructions and usage guidelines provided by your chosen font source for any platform-specific requirements.

      - Load only what you need: Import only the font weights and styles you actually use. Loading unnecessary font variants increases page weight and can negatively impact Core Web Vitals scores.

    
  

  
    Common Issues & Fixes: Custom Fonts Not Loading

    
      - 
        Font not loading at all? Ensure the @import statement is placed at the very top of your CSS, before any other rules. Any CSS written above the @import line will cause it to fail silently.

      

      - 
        Custom font not applying to the banner? Double-check that your CSS selector correctly targets a Secure Privacy banner element. Use your browser's DevTools (Inspect Element) to confirm the exact class name being used by the element you want to style.

      

      - 
        Performance concerns? Use only the font weights you need (e.g., 400 and 700) and add display=swap to your Google Fonts URL to prevent render-blocking.

      

    
  

  
    Frequently Asked Questions (FAQ)

    Can I use any font library, or only Google Fonts?

    You can use any web font library that provides a CSS @import or <link> URL—including Google Fonts, Adobe Fonts (Typekit), Bunny Fonts, and others. The same @import approach applies regardless of the source.

    Where do I add the custom CSS in Secure Privacy?

    In your Secure Privacy dashboard, go to Design > Cookie Banner > Custom CSS. Paste your @import rule and font-family declarations there. See the full guide: How to Add Custom CSS for Improved Design and Branding.

    Which CSS class should I target for the banner heading?

    Use .sp-banner-heading to target the main heading of the Secure Privacy banner. For other elements, use your browser's Inspect tool to identify the correct Secure Privacy class names applied to each component.

    Will adding a custom font slow down my website?

    It can, if you load too many font weights or styles. To minimize impact, import only the weights you need and include display=swap in your Google Fonts URL to prevent the font from blocking page rendering.

  

  
    See Also

    
      - How to Add Custom CSS for Improved Design and Branding

      - Understanding Banner Customization Options

      - Customizing Secure Privacy Cookie Banners with CSS

---

# How to Customize Trust Widget Visibility by Page in Secure Privacy

URL: https://support.secureprivacy.ai/article/customize-trust-widget-placement--secure-privacy
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T22:57:37.628+00:00
Reading Time: 5 minutes
Summary: Control which pages display the Secure Privacy Trust Widget. Show the privacy icon on key pages like checkout and forms, hide it elsewhere — step-by-step setup guide included.

Summary: Secure Privacy gives you full, page-level control over where the Trust Widget (privacy icon) appears on your website. By customizing widget visibility, you can improve transparency on pages that handle sensitive data, reduce visual clutter on pages where it isn't needed, and maintain a clean, consistent site design — all from your Secure Privacy domain settings.

  
    Who Is This Guide For?

    
      - Website administrators managing privacy compliance and consent settings across their domain

      - Developers configuring page-level widget display behavior

      - Marketers optimizing Trust Widget placement for user experience, conversions, and brand consistency

    
  

  
    Why Customize Trust Widget Placement on Your Website?

    
      - Enhanced User Experience: Display the privacy icon only on pages where it adds value, avoiding unnecessary visual clutter across your site.

      - Improved Transparency: Place the Trust Widget on pages that handle sensitive data—like forms, checkout, or policy pages—to signal your commitment to user privacy.

      - Branding Control: Keep your site design consistent by precisely choosing which pages show the widget and where it appears.

    
  

  
    How to Customize Trust Widget Visibility in Secure Privacy

    
      - 
        Access Domain Settings:

        Log in to your Secure Privacy dashboard and navigate to the Domains section from the main navigation.

      

      - 
        Select Your Domain:

        Click on the domain you want to configure Trust Widget visibility for.

      

      - 
        Scroll to Widget View Settings:

        On the domain settings page, scroll down to find the Widget View Settings section near the bottom.

      

      - 
        Choose Your Visibility Option:

        Select one of the following display modes:

        
          - Show on all pages — The Trust Widget appears across your entire site

          - Show on specific pages only — Select individual pages from your existing pages list where the widget should appear

          - Hide on specific pages — Show the widget everywhere except the pages you select

        
      

    

    
      
      The Widget View Settings panel in Secure Privacy — choose to show the Trust Widget on all pages, specific pages only, or hide it on selected pages.
    
  

  
    Best Pages to Display the Trust Widget: Example Use Cases

    
      - Privacy and Cookie Policy Pages: Reinforce your transparency commitments right where users are reading about your data practices.

      - Contact or Data Collection Forms: Build confidence on pages where users are asked to submit personal information.

      - Checkout Pages: Display the Trust Widget during transactions to reduce purchase anxiety and increase conversion confidence.

      - Campaign Landing Pages: Place the privacy icon on data collection landing pages to increase trust and improve opt-in rates.

    
  

  
    Best Practices for Trust Widget Placement

    
      - Balance Visibility and UX: Ensure the widget is noticeable on relevant pages without adding visual noise to pages where it isn't needed.

      - Review Placement Regularly: Update widget visibility settings as your site structure, content, and user navigation patterns evolve.

      - Test Across Devices and Browsers: After changing settings, verify the widget displays and functions correctly on desktop, tablet, and mobile across multiple browsers.

    
  

  
    Common Trust Widget Issues & Fixes

    
      - Widget not displaying on a page: Confirm that visibility is enabled for that specific page in Widget View Settings, then clear your browser cache and reload.

      - Widget overlapping page content: Adjust your page layout or review the widget position settings in your Secure Privacy design configuration.

      - Changes not applying after saving: Log out and back into your dashboard, or hard-refresh the domain settings page. If the issue persists, contact support@secureprivacy.ai.

    
  

  
    Frequently Asked Questions (FAQ)

    What is the Secure Privacy Trust Widget?

    The Trust Widget (also called the privacy icon or cookie widget) is a small, persistent button that Secure Privacy displays on your website. It allows users to access your Preference Center at any time to review or change their consent choices. It also signals to visitors that your site is privacy-compliant and transparent about data use.

    Can I show the Trust Widget on some pages but not others?

    Yes. Secure Privacy's Widget View Settings let you choose to show the widget on all pages, only on specific pages you select, or everywhere except specific pages you exclude. This page-level control is available per domain in your dashboard.

    Where do I find Widget View Settings in Secure Privacy?

    Go to your Secure Privacy dashboard, navigate to the Domains section, select your domain, and scroll to the bottom of the domain settings page to find the Widget View Settings panel.

    Will hiding the Trust Widget on certain pages affect my GDPR or CCPA compliance?

    Hiding the widget on low-risk pages (such as blog posts or informational pages) is generally acceptable, provided users still have easy access to your Preference Center on key pages. It is best practice to display the widget on pages that collect personal data, such as contact forms, checkout pages, and account registration pages.

    Can I change the appearance of the Trust Widget as well as its placement?

    Yes. Widget appearance — including size, color, position, and label text — is managed separately under Design > Widget in your Secure Privacy dashboard. See the related articles below for full customization options.

  

  
    Conclusion

    Secure Privacy's Trust Widget visibility controls give you the flexibility to deliver a tailored privacy experience across your site. By strategically placing the privacy icon on the pages that matter most, you build user trust, stay aligned with GDPR and CCPA best practices, and keep your site design clean and intentional.

  

  
    See Also

    
      - How to Change Widget Text to "Do Not Sell" in CCPA Templates

      - Add Custom CSS for Branding

      - Design → Widget Page: Tailoring the Aesthetics of Your Trust Widget

      - Enhance User Trust with the Cookie Widget / Trust Badge

---

# Secure Privacy Domain Licensing Model – When Domains, Subdomains, and Subpages Need Separate Licenses

URL: https://support.secureprivacy.ai/article/domain-licensing-model-explained--secureprivacy-support
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T19:12:53.672+00:00
Reading Time: 3 minutes
Summary: Learn how Secure Privacy's domain licensing model works — when separate licenses are needed for domains, subdomains, and language subpages, and how to discover all your subdomains.

Secure Privacy requires a license for each domain and subdomain that places cookies or trackers on visitors' devices. Understanding how the domain licensing model works ensures you have the right coverage in place — and avoids compliance gaps across your web properties. This guide explains when a license is needed, what is covered by a single license, and how to handle special cases such as language subpages and staging environments.

Who Is This For?

  - Website administrators managing multiple domains or subdomains in Secure Privacy

  - Developers responsible for cookie compliance across complex web architectures

  - Marketers handling multilingual websites, brand subdomains, or regional domains

How the Domain Licensing Model Works

Each domain and subdomain that independently places cookies or trackers requires its own Secure Privacy license. A single license covers the domain or subdomain and all of its subpages — but separate domains and subdomains each need their own license.

  
    
    
    
  
  
    
      Type

      Example

      License Required?

    

    
      Root domain

      example.com

      Yes

    

    
      Subdomain

      subdomain.example.com

      Yes — separate license required

    

    
      Subpage

      example.com/subpage

      No — covered by the domain license

    

  

Domains vs. Subdomains vs. Subpages

Why domains and subdomains need separate licenses

Domains and subdomains are treated as separate entities because both can independently place cookies and trackers on a visitor's device — regardless of whether they share the same root domain. Each therefore requires its own Secure Privacy license.

Subpages are covered by the parent license

All subpages beneath a domain or subdomain fall under that entity's license and do not require separate licensing. For example:

  - example.com/contact and example.com/about are both covered by the example.com license

  - blog.example.com is a subdomain and requires a separate license from example.com

Special Case: Language-Based Subpages

Some websites structure language versions as subpages — for example, example.com/en or example.com/fr. While these are technically subpages and would normally be covered by the root domain license, if you require separate consent management, cookie blocking configurations, or customized banner text for each language version, a separate license is needed for each.

Licensing for Development and Staging Environments

Licenses are not mandatory for test or staging environments where Secure Privacy is not actively used. However, you may want to license specific non-production environments to ensure consistent consent management during testing, particularly for:

  - Staging or user acceptance testing (UAT) domains

  - Customer-specific subdomains used for demos or previews

  - Country-specific or brand subdomains ahead of launch

How to Discover All Your Subdomains

To identify all subdomains that may need licensing, use a public DNS subdomain discovery tool:

  - C99 Subdomain Finder

  - NMMapper Subdomain Finder

  - Spyse Domain Intelligence

These tools surface subdomains associated with your root domain — helping you ensure no active subdomain that places cookies is missing a license.

Frequently Asked Questions

Do I need a license for every subpage?

No. Subpages beneath a licensed domain or subdomain are automatically covered by that license. The only exception is if you need separate consent management, custom blocking rules, or different banner text for a specific subpage — in which case a separate license is required for that subpage.

How do I know if I need multiple licenses?

You need separate licenses if your website uses multiple root domains, subdomains that independently place cookies, or language-based subpages that require different consent configurations. Use a subdomain discovery tool to audit all active subdomains across your web properties.

Can I license my test and staging sites?

Yes. Licenses for staging and development environments are optional in most cases, but recommended if those environments actively place cookies or if you need to verify your Secure Privacy configuration before going live. Contact support@secureprivacy.ai if you are unsure whether a specific environment requires a license.

See Also

  - Managing Your Secure Privacy Account Settings

  - Do I Need to Pay for Subdomains?

---

# How to Add Custom CSS to Your Secure Privacy Cookie Banner: Inner Banner & Outer Wrapper Styling Guide

URL: https://support.secureprivacy.ai/article/customizing-secure-privacy-cookie-banners-with-css
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T22:53:00.931+00:00
Reading Time: 4 minutes
Summary: Style your Secure Privacy cookie banner with custom CSS. Learn how to target inner banner elements and the outer wrapper container using the SP-OUTER-START syntax — with examples and fixes.

Summary: This guide explains how to apply custom CSS to your Secure Privacy cookie banner—both inside the banner iframe and to its outer wrapper container. Whether you want to adjust padding, button styles, text colors, positioning, or shadows, this walkthrough covers the correct approach for each scope, including the /SP-OUTER-START/ and /SP-OUTER-END/ syntax for outer container styling.

  
    Who Is This Guide For?

    
      - Website administrators and designers customizing the visual appearance of their Secure Privacy cookie banner

      - Developers applying CSS to fine-tune banner styles beyond the visual editor's options

      - Marketers and compliance managers maintaining brand consistency across their consent UI

    
  

  
    How to Apply Custom CSS to Your Secure Privacy Cookie Banner

    
      1. Styling Elements Inside the Banner (iframe CSS)

      
        - 
          In your Secure Privacy dashboard, navigate to Design > Cookie Banner. You will find a Custom CSS input field located directly below the banner preview on the design page.

        

      

      
        
        The Custom CSS field in Secure Privacy's design editor — located below the banner preview panel.
      

      
        - 
          CSS entered here is applied within the banner's iframe. This means it can target and style inner banner elements such as padding, text colors, typography, and button styles — but it is scoped to the banner only and will not affect the rest of your website.

        

      

      
        
        Inner banner CSS is scoped to the iframe — safely targeting banner elements without affecting the rest of your page.
      
    

    
      2. Styling the Banner Outer Wrapper Container

      
        - 
          To style the banner's outer container—such as its position, box shadow, margin, or z-index—wrap your CSS rules between the following special comment tags in the same Custom CSS field:

        

      

      /*SP-OUTER-START*/

/* Your CSS code for the outer wrapper goes here */

/*SP-OUTER-END*/

      
        
        Wrap outer container CSS between /*SP-OUTER-START*/ and /*SP-OUTER-END*/ in the Custom CSS field.
      

      
        - 
          CSS placed between these tags is injected directly into your website's HTML, outside the iframe, and targets the banner's outer container element. This makes it suitable for layout-level properties like positioning and shadows.

        

      
    
  

  
    Important: Risks of Outer Wrapper CSS

    
      ⚠️ Use with caution: Because CSS placed between /*SP-OUTER-START*/ and /*SP-OUTER-END*/ is injected directly into your site's HTML, overly broad selectors can unintentionally affect other elements on your page. Always use highly specific selectors and test all changes on a staging environment before publishing to production.

    

    
      
      Outer wrapper CSS is injected into the page HTML — use specific selectors and test carefully to avoid unintended styling conflicts.
    
  

  
    Common Issues & Fixes: Custom CSS on Cookie Banners

    
      - 
        CSS changes inside the banner aren't affecting the outer wrapper?

        Inner banner CSS applies only within the iframe and cannot reach the outer container. To style the outer wrapper, use the /*SP-OUTER-START*/ ... /*SP-OUTER-END*/ syntax as described above.

      

      - 
        Outer wrapper styles are affecting other parts of your website?

        Your CSS selectors are likely too broad. Scope them as specifically as possible to the banner's outer container class. Always test on a staging site before pushing to production to catch unintended side effects.

      

      - 
        Concerned about the risks of injecting CSS into page HTML?

        Yes — outer wrapper CSS is injected directly into your site's HTML, so careless or generic styles can override other page elements. Use highly specific selectors, avoid global resets, and review changes in DevTools before publishing.

      

    
  

  
    Frequently Asked Questions (FAQ)

    What is the difference between inner banner CSS and outer wrapper CSS in Secure Privacy?

    Inner banner CSS is scoped inside the banner's iframe and can only affect elements within the banner itself—such as buttons, text, and padding. Outer wrapper CSS, placed between /*SP-OUTER-START*/ and /*SP-OUTER-END*/, is injected into the page HTML and controls the outer container's layout properties like position, margin, and shadow.

    Can inner banner CSS affect my website's other elements?

    No. Because inner banner CSS is applied inside an iframe, it is fully isolated from the rest of your page. Only CSS placed between the /*SP-OUTER-START*/ and /*SP-OUTER-END*/ tags can affect elements outside the banner.

    Where exactly do I add custom CSS in Secure Privacy?

    Go to Design > Cookie Banner in your Secure Privacy dashboard. The Custom CSS input field is located below the banner preview. Both inner and outer wrapper CSS rules are entered in this same field — the /*SP-OUTER-START*/ tags differentiate which scope applies.

    What kinds of styles should I apply to the outer wrapper vs the inner banner?

    Use inner banner CSS for typography, colors, padding, and button styles. Use outer wrapper CSS for positioning, margins, box shadows, z-index, and other layout-level properties that control how the banner sits on the page.

  

  
    Need More Help with Banner CSS Customization?

    If you have questions or need assistance with custom CSS for your Secure Privacy cookie banner, contact our support team at support@secureprivacy.ai.

  

  
    See Also

    
      - How to Add Custom CSS for Improved Design and Branding

      - Banner Customization Overview

      - Customize Cookie Banner Design — Secure Privacy Guide

---

# WCAG & ADA Compliance for Websites: How Secure Privacy Keeps Your Cookie Banner Accessible

URL: https://support.secureprivacy.ai/article/accessibility-and-ada-compliance-with-secure-privacy-banners
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T23:03:34.812+00:00
Reading Time: 8 minutes
Summary: Secure Privacy is built to WCAG 2.1 AA standards — screen reader support, keyboard navigation, and ARIA labels included. Learn ADA compliance requirements and how to verify your banner with Axe and WAVE.

Summary: The Web Content Accessibility Guidelines (WCAG) set the standard for making web content accessible to people with disabilities, as required under the Americans with Disabilities Act (ADA). This guide explains what ADA and WCAG compliance mean for your website, who needs to comply, and how Secure Privacy's cookie consent banners are built to meet WCAG 2.1 AA accessibility standards — including screen reader support, keyboard navigation, and proper ARIA labeling.

  
    Who Is This Guide For?

    
      - Website owners and administrators seeking to understand ADA and WCAG compliance obligations

      - Developers and designers building or auditing accessible web experiences

      - Compliance and legal teams evaluating whether their cookie consent solution meets accessibility requirements

      - Privacy managers using Secure Privacy who want to confirm their banners are ADA compliant

    
  

  
    What Is Web Accessibility?

    Accessibility is the practice of making websites usable by as many people as possible. While this is traditionally associated with users who have disabilities, accessible design also benefits people using mobile devices, those with slow network connections, and older users navigating less familiar interfaces.

    At its core, web accessibility means treating every user equally — giving everyone the same opportunity to access information and services, regardless of their ability or circumstances.

  

  
    What Is the Americans with Disabilities Act (ADA)?

    The Americans with Disabilities Act (ADA) was signed into law in 1990 with the goal of eliminating discrimination based on disability. Modeled on the Civil Rights Act of 1964, it has had a sweeping impact on public life — leading to wheelchair access ramps, accessible restroom facilities, and a wide range of equal-access accommodations across public spaces.

    Under Title III of the ADA, discrimination based on disability in places of public accommodation is prohibited. State and local governments, businesses, and non-profit organizations are all required to provide equal access to goods, services, and programs for people with disabilities.

  

  
    What Is ADA Website Compliance?

    The ADA's application to websites has evolved over time. While the original 1990 law did not include specific provisions for the internet, the US Department of Justice released ADA Standards for Accessible Design in 2010, establishing that all electronic and information technology must be made accessible to people with disabilities.

    The DOJ has further clarified that websites fall under Title III coverage. In a widely cited statement related to a Netflix case, the DOJ confirmed: the fact that specific web regulations are still being developed "in no way indicates that web services are not already covered by Title III."

    In practice, WCAG 2.1 Level AA is recognized as the current benchmark for ADA website compliance.

  

  
    Who Needs to Comply with ADA Website Accessibility Requirements?

    Any business or public entity that provides a "place of public accommodation" — which courts and the DOJ have extended to include websites — is required to meet ADA compliance standards. This includes:

    
      - Private businesses open to the public

      - State and local government websites

      - Non-profit organizations

      - E-commerce and SaaS platforms

    
    The number of ADA-related website lawsuits has grown significantly year over year, making proactive compliance both a legal necessity and a business best practice.

  

  
    What Defines Website ADA Compliance? WCAG's Three Pillars

    The Web Accessibility Initiative (W3C) and its Web Content Accessibility Guidelines (WCAG) are considered the definitive benchmark for ADA website compliance. Compliance is evaluated across three core disciplines:

    
      1. Developing for Accessibility

      WCAG defines the technical standard for building accessible web content. Key development requirements include:

      
        - Providing a label for every form control element (critical for screen reader users)

        - Using semantic HTML that identifies page language and supports assistive technologies

        - Ensuring reading order matches code order for logical screen reader navigation

        - Making pages responsive to the user's technology, including keyboard-only navigation and touch devices

      
    

    
      2. Designing for Accessibility

      Accessibility design requirements focus primarily on color, contrast, and visual clarity:

      
        - A minimum luminance contrast ratio of 4.5:1 for body text against background colors (WCAG AA standard)

        - Contrast requirements apply to text on images, background gradients, buttons, and interactive components

        - Color must not be the only means of conveying information — additional visual cues must be provided for users with color perception challenges

        - Clear standards for headings, spacing, navigation, links, and media

      
    

    
      3. Writing Accessible Content

      Accessible content writing ensures that information is clear and navigable for all users:

      
        - State the page subject before your brand name in the page title — helping users determine relevance quickly

        - For multi-step processes, indicate the current step in the page title

        - Use proper heading structure, descriptive anchor text, and meaningful alt text for all images

        - Provide transcripts for video content and captions for audio

      
    
  

  
    Why Is ADA Compliance Important for Your Website?

    
      - Legal risk reduction: ADA-related website lawsuits have increased significantly in recent years. Non-compliant sites face litigation, regulatory scrutiny, and reputational damage.

      - Broader audience reach: Approximately 1 in 4 adults in the US lives with some form of disability. Accessible websites serve a larger, more inclusive audience.

      - SEO benefits: Many WCAG best practices — semantic HTML, alt text, clear headings, fast load times — also directly improve search engine rankings.

      - Corporate responsibility: Accessibility reflects a commitment to equal access and inclusivity, strengthening brand trust and user loyalty.

    
  

  
    How to Comply with ADA Website Accessibility Requirements

    While the ADA encourages self-regulation as final regulations are developed, businesses are strongly advised to use WCAG 2.1 Level AA as their compliance baseline. Steps to get started:

    
      - Conduct an accessibility audit of your website using tools like Axe Tools by Deque or WAVE (Web Accessibility Evaluation Tool) by WebAIM

      - Remediate identified issues across your development, design, and content layers

      - Ensure your third-party components — including cookie consent banners — are also WCAG-compliant

      - Establish an ongoing accessibility review process as your site evolves

    
  

  
    Is Secure Privacy ADA Compliant? Yes — Here's How

    Secure Privacy is built to be ADA compliant. Our cookie consent banners and Preference Center are developed in accordance with the Web Content Accessibility Guidelines (WCAG 2.1 AA), ensuring that all users — including those using assistive technologies — can interact with your consent UI fully and independently.

    Secure Privacy Accessibility Features

    
      - Screen reader support: Both the cookie banner and Preference Center are fully accessible via screen readers, ensuring users with visual impairments receive complete information about consent choices.

      - Full keyboard navigation: Every component of the banner and Preference Center can be accessed and operated using a keyboard alone — no mouse or trackpad required.

      - ARIA labels: All buttons and interactive elements include proper aria attributes, ensuring screen readers can accurately announce their purpose and state.

      - Default focus management: The cookie banner receives default focus when displayed, allowing keyboard and screen reader users to immediately interact with it without additional navigation.

      - Enter / Space bar activation: All buttons and links within the banner can be activated using the Enter key or Space bar, meeting standard keyboard interaction expectations.

    

    
      ✅ Verify Secure Privacy's accessibility on your site: Use Axe Tools by Deque or WAVE by WebAIM to run a free accessibility audit on any page where your Secure Privacy banner is live. Both tools will flag WCAG violations and confirm that the banner's interactive elements pass accessibility checks.

    
  

  
    How to Ensure Your Cookie Consent Banner Meets WCAG Accessibility Standards

    While Secure Privacy's banner components are built to be WCAG-compliant out of the box, there are a few settings that web administrators should review to maintain full compliance:

    
      - Check your color contrast ratio: If you customize banner colors, ensure all text meets the WCAG 2.1 AA minimum contrast ratio of 4.5:1 against its background. Use dark, high-contrast colors for body text and buttons. Free contrast checkers are available at WebAIM's Contrast Checker.

      - Do not rely on color alone: If you customize button styles, ensure the Accept and Reject options are distinguishable by more than just color — use sufficient contrast differences or additional visual indicators.

      - Test after customization: Any time you apply custom CSS or modify the banner design, re-run an accessibility audit using Axe Tools or WAVE by WebAIM to confirm that your changes haven't introduced any WCAG violations.

      - Maintain button prominence parity: Under both WCAG and GDPR, Accept and Reject buttons must be equally prominent. Avoid styling choices that make one option significantly harder to see or interact with.

    
  

  
    Frequently Asked Questions (FAQ): ADA Compliance & Cookie Banners

    Is Secure Privacy's cookie banner WCAG compliant?

    Yes. Secure Privacy's cookie consent banner and Preference Center are developed to comply with WCAG 2.1 Level AA standards. This includes screen reader support, full keyboard navigation, ARIA labeling, focus management, and Enter/Space bar activation of all interactive elements.

    How can I verify that the Secure Privacy banner passes accessibility checks?

    You can audit any page where your banner is active using Axe Tools by Deque (available as a browser extension) or WAVE (Web Accessibility Evaluation Tool) by WebAIM. Both tools provide detailed WCAG violation reports and confirmation of passing elements — free of charge.

    What WCAG contrast ratio should my banner colors meet?

    WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 for normal text against its background. If you customize your banner colors in Secure Privacy, use the WebAIM Contrast Checker to verify your color choices meet this threshold before publishing.

    Does ADA compliance apply to my website's cookie banner?

    Yes. Your cookie consent banner is a user-facing interactive element that must meet the same accessibility standards as the rest of your site. Users with disabilities must be able to read, navigate, and interact with your consent options using assistive technologies.

    What is the difference between WCAG 2.0 and WCAG 2.1?

    WCAG 2.1 builds on WCAG 2.0 with additional success criteria addressing mobile accessibility, low vision, and cognitive disabilities. WCAG 2.1 Level AA is the current recommended standard for ADA compliance and is what Secure Privacy is built against.

  

  
    See Also

    
      - Customize Cookie Banner Design — Secure Privacy Guide

      - How to Add Custom CSS for Improved Design and Branding

      - Secure Privacy — Google-Certified Consent Management Platform

      - WAVE Web Accessibility Evaluation Tool by WebAIM

      - Axe Accessibility Testing Tools by Deque

---

# Secure Privacy Widget Design Settings – Floating, Button, and Hyperlink Widget Configuration Guide

URL: https://support.secureprivacy.ai/article/design-gtwidget-page-tailoring-the-aesthetics-of-your-widget
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T23:57:12.362+00:00
Reading Time: 3 minutes
Summary: Learn how to configure the Secure Privacy privacy widget — choose between Floating, Button, and Hyperlink types, set widget style, shape, position, logo, colors, and custom CSS.

The Design > Widget page in Secure Privacy lets you configure how the privacy widget appears on your website — including widget type, floating widget style, shape, position, logo, colors, and custom CSS. This guide walks through every available setting so you can align the widget's appearance with your brand and website design.
Who Is This For?
- Website administrators customizing the Secure Privacy privacy widget appearance

- Designers and developers configuring widget style, shape, position, and colors to match brand guidelines

- Compliance teams ensuring the privacy widget is visible and accessible across desktop, tablet, and mobile

How to Access Widget Settings
Log in to your Secure Privacy account and navigate to the Design section in the top toolbar. Select the design you want to configure, then open the Widget subsection.
Widget Types
Floating Widget
The floating widget offers the most customization options — including style, design, shape, position, logo, colors, and custom CSS. It is not constrained to a fixed location and can be positioned in any corner of the viewport, making it the most flexible option for most website designs.
Button Widget
The button widget is a simple, unobtrusive option with no configurable design settings. It displays as a straightforward button and is suited for interface designs where minimal visual impact is preferred.
Hyperlink Widget
The hyperlink widget displays as a text link with no additional configuration options. Like the button type, it suits minimalist interface designs where a low-profile privacy entry point is preferred.
Reset and Preview
Reset
Use the Reset option to revert all widget settings to their default state — useful if you want to start customization from scratch or undo changes that are not producing the desired result.
Preview
The preview feature lets you view the widget's approximate appearance across desktop, tablet, and mobile viewports. Switch to full screen for a larger view. Note that the preview provides an approximate rendering and may not be 100% identical to the live widget on all browsers and devices.
Floating Widget Configuration
Style
Choose how the floating widget content is displayed — options include icon only, text only, or a combination of text and icon. Test different combinations to find what works best for your audience and page layout.
Design
Configure the floating widget's visual design and position:
- Location: Choose which corner of the page the widget appears in — top-left, top-right, bottom-left, or bottom-right

- Shape: Select from smooth, sharp, or round widget shapes

- Logo: Use the default Secure Privacy logo, a cookie icon, a fingerprint icon, or upload a fully custom logo

For advanced customization, upload a custom logo or apply Custom CSS to fine-tune every design detail — ensuring the widget is fully aligned with your website's visual style.
Color
Adjust the widget's text color and background color independently to match your brand palette. These settings apply to the floating widget and update the live preview immediately when changed.
Frequently Asked Questions
Which widget type should I choose?
Use the Floating widget if you want full visual control and want the privacy entry point to be persistently visible across your site. Use the Button or Hyperlink types if you prefer a minimal, low-profile entry point and do not need design customization beyond the default appearance.
Can I use my own logo in the floating widget?
Yes. In the Design settings for the floating widget, select the custom logo option and upload your own image. This replaces the default Secure Privacy logo, cookie, or fingerprint icon with your brand's visual identity.
Will custom CSS override the default widget styles entirely?
Custom CSS is applied on top of the widget's default styles unless you also enable the Replace Default CSS option. To override everything and apply a completely custom stylesheet, enable Replace Default CSS — otherwise, your custom rules will be applied additively over the existing defaults.
See Also
- How to Add Custom CSS to Your Cookie Consent Banner

- Upload a Custom Logo to Your Banner

- Managing Designs in Secure Privacy

---

# How to Configure the Preference Center in Secure Privacy Templates – Tab Names, Categories, Languages, and Button Strings

URL: https://support.secureprivacy.ai/article/optimizing-user-engagement-with-the-preference-center-page-on-your-templates
Product: Consent Management
Category: Customization
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:05:58.369+00:00
Reading Time: 3 minutes
Summary: Learn how to configure the Secure Privacy Preference Center — enable it, customize tab names, edit cookie category descriptions, update UI strings, and manage multiple languages.

The Preference Center in Secure Privacy's Template settings lets you configure how the privacy preference center appears to your website visitors — including enabling or disabling it, editing tab names and descriptions, customizing cookie category labels, and updating button and UI strings across multiple languages. This guide walks through every available configuration option.

Who Is This For?

  - Website administrators enabling and configuring the Preference Center for their Secure Privacy template

  - Compliance teams customizing tab names, category descriptions, and privacy policy labels to match organizational requirements

  - Developers and designers localizing Preference Center content across multiple languages

How to Access Preference Center Settings

  - Log in to your Secure Privacy account.

  - Click Templates in the navigation.

  - Select the template you want to customize and click to preview or edit it.

  - Open the Preference Center section within the template.

Preference Center Configuration Options

Enable Preference Center

Each pre-existing template comes with the Preference Center pre-enabled. Use the Enable Preference Center toggle to activate or deactivate it for your visitors. When enabled, visitors can access the preference center to manage their individual cookie consent choices by category.

Preview

The template provides previews for desktop, tablet, and mobile viewport sizes. Use the preview to review the appearance of the Preference Center before publishing. Switch to full screen for a more accurate view — note that the preview is approximate and may not be 100% identical to the live experience on all browsers and devices.

Click the Edit button to switch into editor mode and begin making changes to the template content.

Language

Every template is pre-configured and pre-translated for a wide range of languages, ensuring accessibility across diverse audiences. Use the language selector in the editor to switch between languages and edit content for each one. Additional languages can be added or removed under Template > Settings.

Settings Tab — Tab Name, Heading, and Description

In the Settings sub-section, configure the Tab name, Tab heading, and Tab description that appear on your Preference Center page. These fields let you add organization-specific identifiers and wording to the settings tab for each assigned language.

Privacy Policy, Cookie Declaration, and Data Request Tabs

Customize the tab names for the Privacy Policy, Cookie Declaration, and Data Request sections to match your organization's terminology and policies. These labels can be set independently for each language assigned to the template.

Advanced Categories

The Advanced Categories section allows you to customize the name and description for each cookie consent category displayed in the Preference Center — including Advertising, Analytics, Customer Interaction, and others. Clear, accurate category descriptions help visitors make informed consent decisions.

All category text is pre-translated for the template's assigned languages, but each text field can be edited to better reflect your organization's terminology and communication style.

Buttons and Other UI Strings

Additional strings throughout the Preference Center can also be customized — including button labels such as Save and Cancel, and table column headers such as Block/Enable, Description, Expiry, Service, Name, Host, and Type. Editing these strings lets you align the interface language with your organization's tone and terminology.

Frequently Asked Questions

Can I customize the Preference Center differently for each language?

Yes. All text fields in the Preference Center editor — including tab names, category descriptions, and button labels — are editable per language. Use the language selector in the editor to switch between assigned languages and customize each one independently.

Can I disable the Preference Center for specific templates?

Yes. Each template has its own Enable Preference Center toggle. You can disable the Preference Center for templates where it is not required without affecting other templates or domains.

Where do I add or remove languages from the Preference Center?

Language options are managed at the template level under Template > Settings. Adding a language there makes it available throughout the Preference Center editor for that template — including all tab names, category descriptions, and UI strings.

See Also

  - Templates: Settings Explained

  - Customize Your Cookie Banner Using Templates

  - How to Add Custom CSS to Your Cookie Consent Banner

---

# Secure Privacy Domain Licensing – Why Domains and Subdomains Require Separate Licenses

URL: https://support.secureprivacy.ai/article/do-subdomains-require-separate-licenses--secureprivacy
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:29:54.25+00:00
Reading Time: 2 minutes
Summary: Learn why domains and subdomains each require a separate Secure Privacy license — and why subpages under a licensed domain are already covered without an additional license.

Understanding Secure Privacy's domain licensing model is essential for accurate compliance setup and billing. This article explains why domains and subdomains each require their own license, what counts as a subpage (covered by the parent domain license), and how to identify what needs to be licensed on your website.

Who Is This For?

  - Compliance teams managing cookie consent across multiple domains and subdomains

  - Website administrators handling domain and subdomain configurations in Secure Privacy

  - Marketers and operations teams coordinating cross-domain or cross-subdomain campaigns

Why Domains and Subdomains Each Require a Separate License

Domains and subdomains are technically separate entities in how browsers and tracking technologies work. Both can independently place cookies and trackers on a visitor's device — which means each requires its own Secure Privacy license under both privacy compliance requirements and billing policies.

What Requires a License vs. What Is Already Covered

Subpages under a licensed domain or subdomain are covered by that domain's license — they do not require a separate license. The table below summarizes what does and does not require its own license:

  
    
    
    
  
  
    
      Type

      Example

      License Required?

    

    
      Root domain

      example.com

      Yes

    

    
      Subpage

      example.com/subpage

      No — covered by the domain license

    

    
      Subdomain

      subdomain.example.com

      Yes — requires its own separate license

    

  

Frequently Asked Questions

Do all subdomains always require a separate license?

Yes, in most cases. Because subdomains function as technically separate entities and can independently place cookies and trackers — even if they are part of the same overall website — each subdomain requires its own Secure Privacy license to ensure full compliance coverage.

Are test or staging subdomains licensed differently?

Licensing for test, staging, or development subdomains depends on whether they place cookies or trackers — even in a non-production environment. If tracking is active, a license is required. Contact Secure Privacy support at support@secureprivacy.ai if you are unsure whether your specific subdomain configuration requires a license.

If I have a licensed domain, do I need to add subpages separately?

No. Subpages — such as example.com/about or example.com/contact — are automatically covered by the root domain's license. Only separate domains and subdomains require individual licenses.

See Also

  - Understanding the Secure Privacy Domain Licensing Model

  - Ensuring Prior Consent for Non-Essential Cookies (GDPR Compliance)

  - Secure Privacy Pricing Plans Overview

---

# How to Implement Google Consent Mode Basic in Secure Privacy – Setup Guide for GDPR-Compliant Google Tag Blocking

URL: https://support.secureprivacy.ai/article/google-consent-mode-basic-setup--secureprivacy-guide
Product: Consent Management
Category: Google Consent Mode
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T21:14:02.478+00:00
Reading Time: 2 minutes
Summary: Learn how to enable Google Consent Mode Basic in Secure Privacy — block Google Ads and Analytics from loading before visitor consent with simple domain framework configuration.

This guide explains how to implement Google Consent Mode Basic using Secure Privacy — preventing Google Ads and Analytics tags from loading or collecting data from visitors who have not given consent. If you want to compare Basic and Advanced modes before proceeding, see the Basic vs. Advanced Google Consent Mode comparison guide.
Who Is This For?
- Website administrators implementing Google Consent Mode via Secure Privacy

- Developers configuring consent-based Google tag behavior for GDPR or CCPA compliance

- Compliance officers ensuring Google Ads and Analytics do not collect data before visitor consent is obtained

What Google Consent Mode Basic Does
Google Consent Mode Basic is the simpler of two available approaches. When enabled in Secure Privacy, it:
- Blocks Google Ads and Analytics plugins from loading entirely until the visitor gives consent

- Prevents Google tags from collecting any data from visitors who have not consented — fulfilling the core Google Consent Mode requirement

- Uses Secure Privacy's standard cookie blocking method — no aggregated or modeled data is sent to Google before consent in this mode

How to Enable Google Consent Mode Basic in Secure Privacy
- Log in to your Secure Privacy dashboard and navigate to your domain settings.

- Locate the Framework or Consent Mode settings for your domain.

- Select the Google Consent Mode (Basic) framework category from the available options.

Default consent status and dataLayer configuration
Once Basic mode is enabled, the default consent status you have configured in your domain settings is applied automatically. This status — along with your developer ID and other required configuration details — is pushed to the dataLayer window object on each page load, ensuring Google tags receive the correct consent signal from the first interaction.
Frequently Asked Questions
How do I choose between Basic and Advanced Google Consent Mode?
Basic mode completely blocks Google tags until consent is given — no data is collected or modeled. Advanced mode allows Google tags to fire without cookies before consent, sending anonymized, aggregated signals to enable conversion modeling. Review the Basic vs. Advanced Google Consent Mode comparison guide to determine which is appropriate for your compliance requirements and marketing measurement needs.
Does Basic mode block all Google data collection automatically?
Yes. When Google Consent Mode Basic is enabled in Secure Privacy, Google Ads and Analytics plugins are blocked from loading entirely until the visitor grants consent. No data — including aggregated or anonymized signals — is sent to Google before consent in Basic mode.
Need Further Assistance?
Contact the Secure Privacy support team at support@secureprivacy.ai for general questions. For urgent or systemic Google Consent Mode issues, contact Andrew Sidorkin directly. The team aims to respond to escalations within one business day.
For policy questions directed to Google, contact the Google EU User Consent Policy team at ddp-gdpr-escalations@google.com.
See Also
- Basic vs. Advanced Google Consent Mode – Full Comparison Guide

- How to Check Your Google Consent Mode Implementation

- Google: Consent Status Defaults for Advanced Mode

---

# How to Insert and Customize Tables in the Secure Privacy Policy Editor

URL: https://support.secureprivacy.ai/article/using-tables-in-the-secure-privacy-policy-editor
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:29:09.164+00:00
Reading Time: 2 minutes
Summary: Learn how to add and customize tables in the Secure Privacy Policy Editor — select table size, edit cell content, and use right-click options to manage rows, columns, and table properties.

The Secure Privacy Policy Editor now supports inserting and customizing tables directly within your privacy and cookie policies. Tables provide a structured, easy-to-scan format for presenting cookie categories, data handling practices, retention periods, and other policy details that benefit from tabular organization.

Who Is This For?

  - Privacy officers and compliance teams adding structured data tables to privacy or cookie policies in Secure Privacy

  - Website administrators using the Policy Editor to improve the readability and clarity of their published policies

  - Legal teams formatting cookie category information, data recipient lists, or retention schedules in a structured table format

Why Use Tables in Your Privacy Policy?

Tables are particularly useful for presenting compliance-related information that would otherwise require long, dense paragraphs. Common uses include:

  - Organizing cookie categories with their purpose, duration, and provider details

  - Presenting data handling or processing activities in a structured format

  - Listing data recipients, retention periods, or lawful bases for processing

  - Improving the overall readability and scannability of your published policy documentation

How to Insert a Table in the Policy Editor

Navigate to the Policy Editor for the policy you want to edit in your Secure Privacy account.

In the editor toolbar, click the table icon to open the table size selector.

Hover over the grid to select the number of rows and columns for your table, then click to confirm the size and insert the table.

Editing and Customizing Tables

Once the table is inserted:

  - Add content: Click inside any cell to start typing your content.

  - Edit table structure: Right-click on any cell to access options for inserting or deleting rows and columns, merging cells, or adjusting table properties.

Frequently Asked Questions

Can I add tables to both privacy policies and cookie declarations?

Yes. The table insertion feature is available in the Policy Editor for any policy type in Secure Privacy — including privacy policies, cookie declarations, and any other custom policy documents you manage through the editor.

Can I resize or merge table cells after inserting the table?

Yes. Right-click on any cell after the table is inserted to access table editing options — including inserting and deleting rows or columns, merging cells, and adjusting table properties such as width and alignment.

Will tables in my policy update automatically when I rescan my website?

No. Manually inserted tables in the Policy Editor are custom content that you control directly. They are not affected by or overwritten by website rescans. System-generated sections — such as auto-populated cookie lists — are separate from manually added table content.

See Also

  - How to Set Up a Privacy Policy on Your Website

  - How to Set Up a Cookie Declaration on Your Website

  - Secure Privacy Pricing Plans Overview

---

# GDPR Cookie Categories Explained – Essential, Analytics, Advertising, and Social Media Cookies

URL: https://support.secureprivacy.ai/article/should-you-block-all-cookies-gdpr-cookie-categories-explained
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-23T00:33:36.147+00:00
Reading Time: 3 minutes
Summary: Learn the five GDPR cookie categories — Essential, Preferences, Analytics, Advertising, and Social Media — which require consent, and how Secure Privacy manages granular cookie consent.

Under GDPR, cookies are categorized by their purpose — and each category has different consent requirements. This guide explains the five GDPR cookie categories recognized by Secure Privacy, which require user consent and which do not, and why granular consent management is essential for compliance.

Who Is This For?

  - Website owners and administrators ensuring GDPR-compliant cookie management

  - Marketing teams managing cookie consent categories and preference center settings

  - Privacy officers and legal professionals advising on cookie consent obligations

  - Developers implementing cookie classification and consent management solutions

GDPR Cookie Categories Explained

1. Essential Cookies

Essential cookies are strictly necessary for basic website functionality — such as maintaining login sessions, processing form submissions, and tracking current page location. These cookies cannot be switched off in Secure Privacy because disabling them would break core website features.

Consent required under GDPR: No. Essential cookies are exempt from the GDPR consent requirement because they are necessary for the service explicitly requested by the user.

2. Preferences Cookies

Preferences cookies enhance site functionality beyond what is strictly necessary — for example, remembering language settings, video playback preferences, or other user-selected options. These are typically set by first- or third-party providers. Blocking them may reduce available functionality or degrade the quality of certain features.

Consent required under GDPR: Yes.

3. Analytics and Customer Interaction Cookies

Analytics cookies track user behavior and site usage — such as page visits, traffic sources, and popular content — to help website owners understand how their site is used. Data collected is typically aggregated and anonymized. Customer interaction cookies support surveys, questionnaires, and live chat tools.

Consent required under GDPR: Yes. Both analytics and customer interaction cookies require explicit consent before they are activated.

4. Advertising Cookies

Advertising cookies — typically third-party — are used to track users across websites and deliver personalized advertisements. They build detailed user profiles based on browsing behavior. Website owners are responsible for ensuring compliance with third-party advertising cookies placed on their site, as GDPR holds them accountable for all cookies activated from their domain.

Consent required under GDPR: Yes. Advertising cookies require explicit opt-in consent before activation.

5. Social Media Cookies

Social media cookies are placed by social platforms — such as Facebook, Twitter, or LinkedIn — to enable sharing buttons and other embedded features. They track user browsing activity across multiple sites to build profiles and personalize content. Disabling social media cookies will block social sharing buttons and related embedded tools.

Consent required under GDPR: Yes.

Why Granular Consent Matters Under GDPR

GDPR Article 7 and Recital 32 require that cookie consent be freely given, specific, informed, and unambiguous. In practice, this means:

  - Consent must be specific about the purpose of each cookie category — blanket "accept all" without granular options does not satisfy the requirement.

  - Consent must be granular — visitors must be able to accept or decline each cookie category independently, not just accept or reject all cookies as a single choice.

  - Visitors must be fully informed and able to manage or withdraw their cookie preferences at any time.

Secure Privacy's Privacy Preference Center is designed to deliver compliant granular consent — presenting each category separately and recording consent choices with a full audit trail.

Frequently Asked Questions

Are essential cookies ever blocked by Secure Privacy?

No. Essential cookies are necessary for the website to function correctly and are exempt from GDPR consent requirements. Secure Privacy never blocks essential cookies — they are always permitted regardless of a visitor's consent choices for other categories.

Can visitors decline advertising cookies?

Yes. Advertising cookies require explicit prior consent under GDPR. Visitors can decline this category through the cookie banner or preference center, and Secure Privacy will block advertising cookies from firing until consent is given.

What happens if essential cookies are blocked?

Blocking essential cookies can break core website functionality — including user login, session management, and form submissions. This is why essential cookies are excluded from the consent requirement under GDPR and cannot be disabled through Secure Privacy's preference center.

See Also

  - Ensuring Compliance with Google's EU User Consent Policy

  - Add Custom Cookies & Services in Secure Privacy

  - Ensuring Prior Consent for Non-Essential Cookies (GDPR Compliance)

---

# Secure Privacy Laws Page Explained – Visitor Statistics by Privacy Regulation (GDPR, LGPD, PIPEDA, THPDPA)

URL: https://support.secureprivacy.ai/article/navigating-the-laws-page-on-your-domain-understanding-compliance-and-visitor-statistics
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T13:05:42.467+00:00
Reading Time: 4 minutes
Summary: Learn how to use the Secure Privacy Laws page — view visitor statistics broken down by GDPR, LGPD, PIPEDA, THPDPA, and Other regions to identify compliance module priorities.

The Laws page in Secure Privacy provides a breakdown of your website visitors by geographic region — mapped to the applicable privacy regulations for each area. This snapshot helps you understand which localized compliance modules to enable, how many visitors fall under GDPR, LGPD, PIPEDA, THPDPA, and other frameworks, and where your compliance coverage may have gaps.

Who Is This For?

  - Website administrators monitoring visitor traffic by region to determine which privacy regulations apply to their audience

  - Compliance officers reviewing geographic compliance coverage and identifying which modules need to be activated

  - Privacy teams and marketers understanding which international data protection laws govern their website's visitor base

How to Access the Laws Page

Log in to your Secure Privacy account. From the dashboard, select Domains and click the domain you want to review. Navigate to the Laws section to view the visitor breakdown by regulation.

Laws Page Metrics Explained

GDPR — European Union Visitors

This figure represents the number of visitors from EU member states and the European Economic Area. The General Data Protection Regulation (GDPR) governs data protection and privacy for these visitors — making it the most widely applicable regulation for websites with international audiences. If this number is significant, ensure your GDPR compliance module is active and your cookie banner targets EU visitors.

LGPD — Brazilian Visitors

This figure represents visitors from Brazil. The Lei Geral de Proteção de Dados (LGPD) — Brazil's data protection law — governs how personal data from Brazilian users is collected, processed, and stored. Businesses serving Brazilian visitors should ensure the LGPD compliance module is enabled in Secure Privacy.

THPDPA — Thai Visitors

This figure represents visitors from Thailand. Thailand's Personal Data Protection Act (THPDPA) establishes the privacy rights of Thai internet users and imposes obligations on organizations that process their personal data. Monitor this metric to determine whether enabling a Thailand-specific compliance module is appropriate for your audience.

PIPEDA — Canadian Visitors

This figure represents visitors from Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how private-sector organizations collect, use, and disclose personal information during commercial activities. Monitoring Canadian visitor counts helps you assess whether PIPEDA compliance is a priority for your website.

Other — All Remaining Regions

The Other category captures visitors from regions not specifically covered by GDPR, LGPD, THPDPA, or PIPEDA in the Laws page breakdown. This may include visitors from countries with their own data protection frameworks — such as California (CCPA/CPRA), the UK (UK GDPR), or other jurisdictions. Review your Secure Privacy template configuration to ensure appropriate compliance coverage for your full visitor geography.

Summary

The Laws page gives you a data-driven view of your website's international compliance obligations — mapping visitor traffic to the regulations that govern each region. Use this information to prioritize which Secure Privacy compliance modules to activate, identify coverage gaps, and ensure your cookie consent banner is correctly targeting all visitor segments subject to privacy law requirements.

Frequently Asked Questions

What should I do if I see a large number of visitors under a region I haven't configured a compliance module for?

Navigate to your Secure Privacy Templates section and enable the appropriate compliance template for that region. For example, if you have significant Brazilian traffic, enable the LGPD template and configure its targeting settings. Without an active compliance module for a region, those visitors may not be shown a cookie banner — creating a compliance gap.

Why are some visitors counted under "Other" rather than a named regulation?

The named regulation categories — GDPR, LGPD, THPDPA, and PIPEDA — cover specific geographic regions. Visitors from countries not mapped to these frameworks are grouped under Other. This includes visitors from the US (CCPA), UK, Australia, and many other jurisdictions. Review the Other count alongside your active compliance modules to determine whether additional regional templates should be enabled.

How frequently is the Laws page data updated?

The Laws page reflects data based on your most recent scan and consent tracking records. Visitor counts update as new consent interactions are recorded across your domains. For the most current view, ensure your Secure Privacy script is correctly installed and active on all pages.

See Also

  - How to Increase Your Compliance Score (Overall Rating)

  - Customize Your Cookie Banner Using Templates

  - Secure Privacy Pricing Plans Overview

---

# Secure Privacy Templates: Cookie Consent, GDPR Compliance & Privacy Management Features Explained

URL: https://support.secureprivacy.ai/article/simplify-privacy-management-with-templates-settings-explained
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T17:55:27.426+00:00
Reading Time: 7 minutes
Summary: Learn how Secure Privacy templates simplify cookie consent and GDPR compliance. Explore geo-targeting, opt-in/opt-out consent types, IAB TCF v2.0, data retention, and all included privacy components.

Secure Privacy provides comprehensive privacy compliance templates that simplify cookie consent management and data privacy on your website or application. These templates come with predefined settings for key privacy components — including cookie banners, consent frameworks, and data retention rules — so you can implement a GDPR-compliant privacy setup with minimal effort.

  
    Who Is This For?

    This guide is for website owners, developers, and privacy managers who want to quickly deploy a compliant cookie consent solution using Secure Privacy's ready-made templates. Whether you need to meet GDPR, CCPA, PIPEDA, or other regional privacy regulations, these templates provide a structured starting point.

  

  
    In This Article

    
      - Geo-Targeting & Regional Coverage

      - Multi-Language Support

      - Data Retention Period

      - Cookie Consent Types

      - Privacy Compliance Framework

      - Privacy Components

      - FAQ

    
  

  To get started, click the "Templates" tab in the top navigation menu of your Secure Privacy dashboard:

  

  
    Geo-Targeting & Regional Coverage

    Secure Privacy templates let you define the geographical scope of your privacy compliance efforts. Select the specific countries, US states, or Canadian provinces where your template applies, ensuring your cookie consent solution meets the regulations in each jurisdiction.

    

    Countries

    Secure Privacy supports a wide range of countries worldwide, enabling compliance with region-specific data privacy regulations. Coverage includes major markets such as the United States, Canada, United Kingdom, Germany, France, Australia, and many more.

    US States

    Beyond country-level settings, you can target individual US states to address state-specific privacy laws — including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). This granular control ensures your cookie consent templates remain compliant as US state privacy law continues to evolve.

    Canadian Provinces

    For websites operating in Canada, Secure Privacy allows you to configure privacy settings at the provincial level. This supports compliance with PIPEDA and provincial laws such as Alberta's PIPA and Quebec's Act Respecting the Protection of Personal Information in the Private Sector.

    This level of geo-targeting ensures that your privacy management templates align with the legal requirements of every region where your website operates.

  

  
    Multi-Language Cookie Consent Support

    Secure Privacy offers support for over 70 languages, allowing you to display cookie banners and privacy widgets in the preferred language of each visitor. Once languages are configured, banners and widgets are automatically shown in the correct language based on the visitor's browser settings — providing a seamless, localized cookie consent experience.

    

    Localized privacy notices improve user trust and help meet regulatory requirements in multilingual markets such as the EU, where communicating in the user's language is considered a best practice under GDPR.

  

  
    Data Retention Period Settings

    Data retention refers to how long personal data collected by your website or application is stored. Secure Privacy templates give you three options for defining your data retention policy, helping you stay aligned with GDPR data minimization principles and internal data governance requirements.

    

    12 Months

    Retain personal data for up to 12 months. This is suitable when data is needed to fulfil legal obligations, run analytics, or deliver personalized services. Data is automatically deleted after 12 months.

    6 Months

    A shorter 6-month retention period is ideal for organizations with stricter internal data policies or those that do not require long-term user data storage. Data is automatically purged after 6 months.

    Do Not Store

    The "Do Not Store" option prevents any personal data from being retained. This privacy-first configuration is ideal for websites that want to minimize data collection risk entirely and demonstrate a strong commitment to user privacy.

  

  
    Cookie Consent Types: Opt-In vs. Opt-Out

    Secure Privacy templates support two consent models for managing how users agree to cookie and tracker use on your website. Choosing the right consent type is critical for GDPR compliance and meeting regional privacy standards.

    

    Explicit Consent (Opt-In)

    Explicit (opt-in) consent requires users to actively confirm their agreement before any personal data is processed. Users must take a deliberate action — such as clicking "Accept" — to give consent. This model is required under GDPR for most types of data processing and is the recommended approach for privacy-first websites operating in the EU.

    Implicit Consent (Opt-Out)

    Implicit (opt-out) consent assumes agreement unless the user takes action to decline. This model is typically used where data processing is necessary for contract performance or falls under legitimate interests. Always verify that this approach meets the legal requirements applicable to your specific data processing activities and target regions.

  

  
    Privacy Compliance Framework: Standard & IAB TCF v2.0

    Secure Privacy templates support multiple privacy compliance frameworks, including GDPR, CCPA, LGPD, and others. Select the framework that matches your legal obligations to ensure your cookie consent banner and data practices are fully aligned.

    

    Standard Framework

    The standard framework covers the core requirements of global privacy regulations. It simplifies the configuration of GDPR-compliant cookie banners and consent settings based on predefined legal templates, making it ideal for most websites without specialized advertising needs.

    IAB Framework (TCF v2.0)

    Secure Privacy supports the IAB Transparency and Consent Framework (TCF v2.0), the industry standard for managing user consent in digital advertising. By implementing TCF v2.0, publishers and ad-supported websites can manage consent for personalized advertising in compliance with IAB Europe's guidelines. Secure Privacy provides the tools and integrations needed to incorporate TCF v2.0 into your cookie consent setup.

  

  
    Privacy Components Included in Templates

    Each Secure Privacy template bundles a full suite of privacy management components. Below is an overview — refer to the corresponding articles for detailed configuration guidance.

    Cookie Banner

    Pre-built, customizable GDPR cookie banners that notify users about cookie usage and capture consent. Match the banner's appearance to your website's branding with flexible styling options.

    Privacy Widget

    An always-accessible widget that lets users revisit and update their cookie consent preferences, adjust settings, and exercise data privacy rights at any time.

    Preference Center

    A dedicated consent preference center where users can granularly manage which categories of cookies or data processing they accept. Increases transparency and gives users meaningful control.

    Privacy Policy

    Pre-configured privacy policy templates covering data collection, usage, sharing, and user rights. Customize these to reflect your organization's specific privacy practices.

    Cookie Declaration

    Auto-generated cookie declaration pages that list every cookie and tracker active on your site, along with their purpose and retention period — a requirement under GDPR's transparency obligations.

    Data Request Form

    Built-in data subject request (DSR) forms that enable users to submit requests for data access, correction, deletion, and portability — streamlining your GDPR rights-fulfillment workflow.

    Contextual Consent

    Support for contextual consent allows you to collect granular consent for specific purposes or data categories, giving you flexibility while maintaining compliance with privacy regulations.

  

  
    Frequently Asked Questions

    What are Secure Privacy templates?

    Secure Privacy templates are pre-configured privacy compliance setups that include cookie banners, consent settings, data retention rules, and privacy policies. They allow you to deploy a fully compliant cookie consent management solution quickly, without building settings from scratch.

    Which privacy regulations do the templates support?

    Templates support major global privacy frameworks including GDPR (EU), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and more. You can select the applicable framework during template configuration.

    Can I use one template for multiple countries?

    Yes. Secure Privacy's geo-targeting feature lets you apply different privacy rules per country, US state, or Canadian province within a single setup, so your site stays compliant across jurisdictions automatically.

    What is the difference between opt-in and opt-out consent?

    Opt-in (explicit) consent requires users to actively agree before data processing begins — required under GDPR. Opt-out (implicit) consent assumes agreement unless the user declines, and is used in specific legal contexts such as legitimate interests.

    Does Secure Privacy support the IAB TCF v2.0?

    Yes. Secure Privacy fully supports the IAB Transparency and Consent Framework v2.0, making it suitable for publishers and ad-supported websites that require standardized consent signals for programmatic advertising.

  

  Secure Privacy templates simplify privacy compliance management by bundling all essential components — cookie banners, consent preferences, privacy policies, and data request forms — into a single, configurable solution. Customize any template to match your brand and legal requirements, and streamline your path to GDPR, CCPA, and global privacy compliance.

---

# What Is the Global Privacy Platform (GPP)? How to Enable IAB GPP in Secure Privacy for Multi-Jurisdiction Consent

URL: https://support.secureprivacy.ai/article/global-privacy-platform-gpp-setup--secureprivacy-guide
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:38:34.563+00:00
Reading Time: 3 minutes
Summary: Learn what the IAB Global Privacy Platform (GPP) is and how to enable it in Secure Privacy — consolidating GDPR TCF and US state privacy consent signals into a single GPP String.

The Global Privacy Platform (GPP) is a standardized framework developed by the IAB to unify user consent signals across multiple privacy regulations and jurisdictions into a single, interoperable consent string. This guide explains what GPP is, which frameworks it supports, and how to enable it in Secure Privacy to simplify consent management across the EU, US states, and beyond.

Who Is This For?

  - Compliance officers managing consent requirements across multiple jurisdictions simultaneously

  - Developers implementing standardized privacy protocols for advertising and vendor consent

  - Marketing teams operating in global markets who need consolidated consent signal management

What Is the Global Privacy Platform (GPP)?

GPP is a protocol that consolidates consent signals from different regional privacy frameworks into a single standardized output known as the GPP String. Supported frameworks include:

  - IAB Europe's Transparency and Consent Framework (TCF v2.2)

  - IAB Canada TCF

  - MSPA US National privacy string

  - US state privacy laws — California (CCPA/CPRA), Virginia (VCDPA), Utah (UCPA), Colorado (CPA), and Connecticut (CTDPA)

How the GPP String Works

The GPP framework reads and merges consent signals from each enabled regional framework into a single GPP String. That string contains two components:

  - Header: Describes which jurisdictional frameworks are included in the string

  - Sections: Holds the jurisdiction-specific privacy and consent details for each included framework

This structure allows publishers, advertisers, and vendors to read a single consent signal rather than parsing multiple framework-specific strings separately.

Benefits of Implementing GPP

  - Simplifies global privacy compliance by consolidating multiple consent frameworks into one signal

  - Improves communication efficiency between websites, advertisers, and ad tech vendors

  - Built to adapt to evolving privacy regulations — new frameworks can be added without rebuilding your consent infrastructure

  - Reduces compliance costs for organizations operating across multiple jurisdictions

GPP and Privacy Law Coverage

GPP supports compliance with both EU and US privacy regulations:

  - EU GDPR: Supported via IAB's TCF v2.2 framework

  - US state privacy laws: California (CCPA/CPRA), Virginia (VCDPA), Utah (UCPA), Colorado (CPA), and Connecticut (CTDPA)

Secure Privacy supports the following US privacy strings within the GPP framework:

  - usca — California

  - usva — Virginia

  - usco — Colorado

  - usut — Utah

  - usct — Connecticut

How to Enable GPP in Secure Privacy

  - Log in to your Secure Privacy account.

  - Navigate to your domain's settings.

  - Locate the Framework dropdown and select IAB GPP.

  - Select the TCF Vendors you want to support — these are the ad tech vendors whose consent signals will be included in your GPP String.

  - Choose the relevant notices and opt-out categories to comply with US Privacy Strings and provide visitors with appropriate control over their data.

Note: US Privacy notices are not provided by Secure Privacy. You are responsible for creating and maintaining the required notices on your own domains in accordance with applicable state privacy laws.

Frequently Asked Questions

Which TCF vendors should I include in my GPP configuration?

The vendors you include should reflect the third-party advertising and analytics services active on your website. Review the IAB TCF vendor list and cross-reference it with the services detected in your Secure Privacy Scan Report. Only include vendors whose consent is relevant to your website's data processing activities — including unnecessary vendors increases complexity without compliance benefit.

Why are my US Privacy notices not applying correctly?

Confirm that the correct notice and opt-out categories have been selected in your Secure Privacy GPP settings. Also verify that the US Privacy strings relevant to your audience — such as usca for California visitors — are enabled. Remember that the content of US Privacy notices must be created and hosted by you, not Secure Privacy — check that your notice URLs are correctly configured and accessible.

Does enabling GPP replace my existing GDPR TCF configuration?

No. Enabling GPP adds an additional consent signaling layer — consolidating TCF v2.2 and US state framework signals into a single GPP String. Your existing TCF configuration is carried through the GPP framework under the TCF section of the string. Review your vendor selections after enabling GPP to ensure they still reflect your intended configuration.

See Also

  - IAB TCF: Navigating Cookie Consent Complexities

  - Implementing Google Consent Mode Advanced Using GTM Template

  - Secure Privacy Pricing Plans Overview

---

# Secure Privacy: Google-Certified Consent Management Platform (CMP) – Google Consent Mode Integration Guide

URL: https://support.secureprivacy.ai/article/secure-privacygooglecertified-consent-management-platform
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T12:56:43.925+00:00
Reading Time: 4 minutes
Summary: Secure Privacy is a Google-certified CMP — learn what CMP certification means, how Secure Privacy integrates with Google Consent Mode and GTM, and the key benefits for GDPR compliance.

Secure Privacy is a Google-certified Consent Management Platform (CMP) — meeting Google's strict standards for privacy compliance and full integration with Google Consent Mode. This guide explains what a CMP is, why Google certification matters, how Secure Privacy integrates with Google Tag Manager and Consent Mode, and what this means for your analytics accuracy and GDPR compliance.
Who Is This For?
- Website owners and administrators responsible for cookie consent and data privacy compliance

- Marketers and analytics teams balancing user privacy with accurate campaign measurement

- Compliance managers verifying that their CMP meets Google's certification standards

- Developers integrating Secure Privacy with Google Tag Manager and Consent Mode

What Is a Consent Management Platform (CMP)?
A Consent Management Platform is software that helps websites collect, record, and manage user consent for data collection and processing. A CMP presents the consent banner to visitors, records their choices, blocks non-essential cookies until consent is given, and signals those choices to third-party tools — ensuring compliance with GDPR, CCPA, and other applicable privacy regulations.
Why Google Certification for a CMP Matters
Google's CMP certification program verifies that a consent management platform meets strict technical and compliance standards for privacy and consent signal accuracy. Being Google-certified means:
- The CMP meets Google's requirements for consent signal transmission via the Consent Mode API

- Full compatibility with Google Analytics, Google Ads, and Google Tag Manager is verified

- Users and business partners can trust that consent signals are accurate, correctly passed, and auditable

Key Benefits of Using a Google-Certified CMP
Trust and credibility
Google's certification signals to users, partners, and regulators that your consent management meets the highest privacy and compliance standards — reducing reputational risk and demonstrating accountability.
Google Tag Manager integration
Secure Privacy works directly with Google Tag Manager — allowing you to manage ad and analytics tags while maintaining full consent-based control over when and how they fire.
Google Consent Mode support
Secure Privacy passes consent signals to Google tags via the Consent Mode API — ensuring user choices are respected while preserving the aggregated, modeled data needed for accurate campaign measurement.
Why Choose Secure Privacy as Your Google-Certified CMP
Powerful, user-friendly consent management
Granular consent controls for all data categories — Essential, Analytics, Marketing, Preferences, and Social Media — presented in a clear, accessible banner and preference center.
Seamless Google integrations
Works automatically with Google Tag Manager and Google Consent Mode — no custom code required for standard integrations.
Top-tier data security
Enterprise-grade security including multi-factor authentication, AES-256 encryption, and regular compliance audits to protect consent records and user data.
Commitment to transparency and compliance
Continuously updated to meet evolving regulations across GDPR, CCPA, LGPD, and 50+ other privacy laws — with regular security and transparency reviews.
How Secure Privacy Integrates with Google Consent Mode
- When a visitor lands on your website, Secure Privacy's CMP presents the consent banner.
- If consent is given, analytics and advertising tags activate and operate as normal.

- If consent is declined or not yet given, tags operate in restricted mode — no advertising cookies are set, and only anonymized, aggregated signals are sent.

- The visitor's consent choices are transmitted to Google via the Consent Mode API — ensuring all Google tags respect the user's intent in real time.

- Your marketing measurement data remains as accurate as possible while visitor privacy is fully respected and documented.

Frequently Asked Questions
Visitors are not seeing the consent banner — what should I check?
Verify that the Secure Privacy installation script is correctly placed at the top of the <head> section on all pages of your website. Check your compliance module's targeting settings to ensure the banner is enabled and set to display to the correct audience. If the script is installed but the banner is not appearing, check for Content Security Policy conflicts that may be blocking the script from loading.
Consent is not syncing correctly with Google tags — how do I fix this?
Confirm that Secure Privacy is correctly connected to Google Tag Manager and that Google Consent Mode is enabled in your Secure Privacy dashboard settings. Verify that your GTM tags are configured to respect consent signals — using Consent Initialization triggers where required. See the Google Consent Mode Advanced GTM guide for detailed setup steps.
My analytics data is dropping after consent changes — what should I review?
A drop in analytics data after enabling consent management is expected — it reflects visitors who have declined analytics cookies. Review your Google Tag Manager tag configuration to ensure tags are using the correct consent-aware triggers. If the drop seems larger than expected, audit your consent banner's accept/decline rates and check whether your Google Consent Mode Basic or Advanced configuration is passing signals correctly to Google Analytics.
See Also
- Implementing Google Consent Mode in Basic Mode

- Implementing Google Consent Mode Advanced Using GTM Community Template

- Basic vs. Advanced Google Consent Mode: Data Collection and Modeling Comparison

- Ensuring Compliance with Google's EU User Consent Policy

---

# How to Manage Privacy and Cookie Policies in Secure Privacy – Generate, Edit, Translate, and Publish Your Policy

URL: https://support.secureprivacy.ai/article/mastering-policies-page-for-effective-policy-management
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:52:34.184+00:00
Reading Time: 3 minutes
Summary: Learn how to generate, edit, and manage privacy and cookie policies in Secure Privacy — use the four-step wizard, replace placeholders, assign to domains, and manage multilingual translations.

The Policies section in Secure Privacy is your central control panel for creating, managing, and publishing the privacy and cookie policies that govern your website. This guide explains how to navigate the Policies dashboard, generate a legally compliant privacy policy using the guided wizard, edit policy content, assign policies to domains, and manage multilingual translations.
If you have already created your policy and are ready to display it on your website, see the dedicated guide to embedding policies.
Who Is This For?
- Website administrators setting up and managing privacy and cookie policies in Secure Privacy

- Compliance officers generating GDPR-compliant policy documents and keeping them current

- Developers assigning policies to specific domains and configuring multilingual policy content

Navigating the Policies Section
Log in to your Secure Privacy account and open the Policies section from the dashboard. Two default policies are pre-created for you on account setup: a Privacy Policy and a Cookie Policy — both pre-populated with your business name to maintain transparency and compliance from day one.
How to Find and Edit Your Policy Settings
The Policies section allows you to:
- Enable or disable policies: Use the toggle switches to activate or deactivate each policy for your website.

- Edit policy details: Click the policy name or the menu icon next to it and select Edit to modify settings — including the title, domain assignment, and policy source.

In Edit mode, you can:
- Edit the policy title

- Assign the policy to specific domains in your account

- Generate a new policy using the wizard or link to an existing policy URL hosted elsewhere

How to Generate a New Privacy Policy
Secure Privacy's policy generator walks you through a guided four-step wizard to create a legally compliant privacy policy. You will be asked to provide:
- The privacy laws and regulations the policy should adhere to (e.g., GDPR, CCPA, LGPD)

- Your entity type — business or individual

- Data Protection Officer (DPO) details, if applicable

- Contact information for users exercising their data rights

- Third-party service provider details — including payment processors, analytics tools, and advertising services

- Security measures and data collection practices

How to Edit Your Generated Policy
After generating your policy, use the block-based editor to fine-tune the content — formatting sections, updating text, and inserting tables where needed.
Important: Replace all placeholder text — including items in square brackets such as [sp-...] — with your actual business details, including your website URL, DPO name, and contact email. Incomplete placeholders will result in an inaccurate or non-compliant published policy.
Managing Multilingual Policies
If your website serves visitors in multiple languages, Secure Privacy allows you to translate your policies by selecting the target language from the dropdown in the top-right corner of the editor. The policy text adjusts automatically to the selected language. Make sure to save your changes after editing each language version.
Frequently Asked Questions
Placeholders are still visible in my published policy — what should I do?
Review your policy in the editor and search for any remaining text in square brackets — such as [your website URL] or [DPO email] — and replace each with your actual business information. Save the policy after making replacements and check the live version to confirm all placeholders have been resolved.
My policy is not displaying on my website — how do I fix this?
First, confirm that the policy is enabled using the toggle switch in the Policies dashboard. Then verify it is correctly embedded or linked on your website using the embed code from the Policies section. If you are using a linked URL, check that the URL is accessible and returns the correct policy content. See the policy embedding guide for detailed instructions.
The translated policy text is not updating after I select a new language — what should I check?
Clear your browser cache and hard refresh the policy editing page. Ensure you have saved your changes after switching languages — unsaved edits will revert when you navigate away. If the correct translation is still not appearing, try selecting the language again from the dropdown and saving once more.
See Also
- How to Embed Your Policies on Your Website

- Policy Generator Guide

- Using Tables in the Secure Privacy Policy Editor

---

# Ongoing Compliance Checkups – How to Maintain a High Secure Privacy Score with Regular Website Reviews

URL: https://support.secureprivacy.ai/article/cmp-v1-ongoing-checkups--best-practices--secure-privacy
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T22:54:54.892+00:00
Reading Time: 4 minutes
Summary: [CMP v1] Learn how to perform regular Secure Privacy compliance checkups — covering scan reports, cookie classification, Google Consent Mode, banner language, DSAR settings, and policy updates.

As your website evolves — adding new services, marketing tools, and tracking scripts — your Secure Privacy configuration needs periodic review to stay accurate and maintain a high compliance score. This guide outlines the key areas to check during regular ongoing compliance checkups, ensuring correct cookie detection, classification, consent mode settings, and policy documentation remain current.

Who Is This For?

  - Website administrators and compliance teams performing routine GDPR compliance reviews

  - Privacy officers maintaining accurate cookie classifications and DSAR notification settings

  - Marketing and legal teams verifying cookie banner language, Google Consent Mode configuration, and privacy policy currency

Ongoing Compliance Checkup — To-Do List

  - Website scan report review

  - Classification tab review

  - Google Consent Mode settings review

  - Cookie banner and preference center language review

  - DSAR email notification settings check

  - Privacy and cookie policy update

Key Areas to Check

1. Website Scan Report — Compliance Score and Recommended Actions

The Scan Report page is your primary starting point for every compliance review. Check your overall rating, review the recommended actions flagged with red X indicators, and work through any gaps with your team or Secure Privacy support.

Useful guides:

  - How to Increase Your Compliance Score (Overall Rating)

  - How to Block a Cookie in the Scan Report

Review the list of detected services —

— and check for any gaps in the detected cookies list —

The services and cookies detected should correspond as closely as possible to the services known to be deployed on your website. Any significant gaps may indicate that new scripts have been added since the last scan or that manual classification is needed.

2. Classification Tab — Categories and Cookie-to-Service Mapping

Review the Classification tab and identify:

  - Incorrect or missing categories — look for cookies marked as "Unclassified" and assign the correct category (Essential, Analytics, Marketing, Functional).

  - Services not mapped to cookies — ensure every detected cookie is correctly associated with the right service.

Full classification guide: How to Classify and Edit Your Cookies and Services

If services or cookies are missing from the scan results, add them manually via the Custom Cookies tab: How to Add a Custom Service or Cookie

3. Google Consent Mode (GCM) Settings

If your website uses Google Tag Manager, Google Analytics, or Google Ads, review your Google Consent Mode configuration to ensure it is correctly set up and aligned with your consent banner behavior.

Important: Consult your Marketing and Legal teams before enabling GCM Advanced mode. See: Ensuring Compliance with Google's EU User Consent Policy

Official Google documentation:

  - About Consent Mode — Google Ads Help

  - Comply with EU User Consent Policy — Google AdSense Help

4. Cookie Banner and Preference Center Language

Review the text displayed in your cookie consent banner and privacy preference center to ensure it aligns with your Legal team's current standards. Update translations and wording from the banner Edit Text interface as needed.

5. DSAR Email Notification Settings

Your Data Protection Officer or privacy team should be receiving email notifications whenever a visitor submits a data rights request via the DSAR form. Confirm that the correct email address is configured in the DSAR form settings under the Send data request emails to field.

6. Privacy and Cookie Policy Updates

Collaborate with your Legal team to ensure your privacy policy and cookie declaration remain current as regulations change and new services are added to your website. Update both documents whenever there are material changes to your data processing activities.

Frequently Asked Questions

How often should I perform these compliance checkups?

At minimum, a full compliance review should be conducted quarterly. Additionally, trigger a rescan and review classification whenever you add or remove third-party services, update your tag manager configuration, or make significant changes to your website's marketing or analytics stack.

What should I do if new cookies appear in the scan that I don't recognize?

Consult your development or marketing team to identify the source script or service responsible for the new cookie. Once identified, classify it correctly in the Classification tab — or use the Custom Cookies tab to add it if it wasn't automatically detected. If the cookie is non-essential and should require consent, verify it is being blocked correctly before user approval.

Who should be involved in these checkups?

A complete compliance review typically involves input from three teams: Legal (for policy language and regulatory requirements), Marketing (for Google Consent Mode and tracking tool changes), and IT/Development (for script identification, classification gaps, and blocking verification). The Privacy or DPO team should coordinate the overall review.

See Also

  - How to Increase Your Compliance Score (Overall Rating)

  - How to Block a Cookie in the Scan Report

  - How to Classify and Edit Your Cookies and Services

  - How to Add a Custom Service or Cookie

Need Help?

Contact Secure Privacy support at support@secureprivacy.ai if you have questions or need assistance with any aspect of your compliance review.

---

# Secure Privacy Consent Dashboard Guide – View, Filter, and Export Consent Records for GDPR Compliance

URL: https://support.secureprivacy.ai/article/navigate-and-utilize-your-consent-dashboard-an-indepth-guide
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T13:28:20.679+00:00
Reading Time: 4 minutes
Summary: Learn how to use the Secure Privacy Consent Dashboard — filter consent records, view per-category details, analyze location and device data, and export consent records to CSV for compliance audits.

The Consent Dashboard in Secure Privacy gives you a centralized view of all visitor consent records for your domain — including accepted, declined, and partial consents, per-category consent details, location and device data, and the ability to export consent records to CSV. This guide explains every feature on the dashboard and how to use it for GDPR accountability and consent analysis.

Who Is This For?

  - Compliance officers reviewing consent records and maintaining GDPR accountability documentation

  - Website administrators monitoring consent acceptance rates and analyzing visitor consent trends

  - Legal and privacy teams exporting consent data for audits or regulatory submissions

How to Access the Consent Dashboard

Log in to your Secure Privacy account, click Domains, and select the domain you want to review.

From the domain's home screen, click the Consent tab to open the Consent Dashboard.

Consent Dashboard Features

1. Filter by Text

Use the text filter to search for specific consent records. Enter keywords to instantly filter results — searchable fields include country and a partial anonymized IP address of the visitor. This is useful for quickly locating records from a specific region or verifying an individual consent interaction.

2. Date Range Filter

The date range filter defaults to the last 30 days. Available preset options include Today, Last 7 days, Last 30 days, This Year, and a Custom Range. Use date filtering to narrow down consent records to specific periods — for example, to analyze consent rates following a banner update or during a specific marketing campaign.

3. Total Consents Overview

The Total Consents row provides a high-level summary of visitor consent activity — showing the total number of Accepted, Declined, and Partial consent interactions for the selected date range. This snapshot gives you an immediate read on how visitors are responding to your cookie banner and data privacy policies.

4. Individual Consent Record Details

Click on any consent record in the list to view full details for that interaction. Individual consent records include:

  - IP Address (anonymized)

  - Country of the visitor

  - Consent status (Accepted, Declined, or Partial)

  - Date and time of consent

  - Device type used during the consent interaction

5. Per-Category Consent Details

Each individual consent record shows which cookie categories the visitor accepted or declined — including Advertising, Analytics, Audio/Video Player, Customer Interaction, and others. Per-category data gives you a granular view of user preferences and helps identify which categories are most frequently declined — supporting more informed banner and policy decisions.

6. Location and Device Details

Within each consent record, Location Details shows the visitor's City, State, and Country. Device Details shows the Operating System version, system architecture, and device type. This data is useful for understanding regional consent patterns and optimizing your website or application for the devices and operating systems most commonly used by your audience.

7. Export Consent Records to CSV

Click the Export button to export the full detailed consent dataset for the selected domain and date range to a CSV file. You will receive an email notification when the export is complete and ready to download. CSV exports are useful for compliance audits, regulatory submissions, internal reporting, and long-term record-keeping.

Frequently Asked Questions

How long are consent records stored in the Consent Dashboard?

Consent record retention depends on your Secure Privacy plan and data retention settings. Under GDPR, you are required to retain consent records for as long as the associated processing continues — and potentially longer for accountability purposes. Review your plan's data retention policy and configure retention periods under your domain settings. Contact support@secureprivacy.ai if you need guidance on your specific configuration.

What does "Partial" consent mean in the Total Consents count?

A partial consent indicates that the visitor accepted some cookie categories but declined others — for example, accepting Essential and Analytics cookies while declining Advertising and Social Media cookies. Partial consents are recorded with the full per-category breakdown visible in the individual consent record detail view.

Can I use exported consent records as proof of compliance for a regulatory audit?

Yes. The exported CSV contains timestamped, per-visitor consent records including consent status, category-level choices, IP address, country, and device data — providing auditable documentation that consent was obtained in accordance with GDPR's accountability requirements. For regulatory submissions, consult your legal team to confirm the export format meets the specific requirements of the relevant supervisory authority.

See Also

  - Website Visits vs Page Views vs Consent Explained

  - How to Increase Your Compliance Score (Overall Rating)

  - Secure Privacy Pricing Plans Overview

---

# How to Set the "Do Not Sell" Widget Label in Secure Privacy – CCPA/CPRA Opt-Out Configuration Guide

URL: https://support.secureprivacy.ai/article/ccpacpra-do-not-sell-compliance-secure-privacy
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:37:17.819+00:00
Reading Time: 4 minutes
Summary: Learn how to configure the Secure Privacy CCPA widget to display "Do Not Sell" or "Do Not Sell or Share My Personal Information" — step-by-step opt-out label setup for CCPA/CPRA compliance.

If your organization is subject to CCPA/CPRA and your data practices qualify as a "sale" or "share" of personal information, you are generally required to provide California consumers with a clear, accessible opt-out entry point. This guide explains how to configure the Secure Privacy CCPA widget to display the "Do Not Sell" or "Do Not Sell or Share My Personal Information" label — aligning your website with CCPA/CPRA expectations.

Note: This article provides product configuration guidance and is not legal advice. Consult your legal team to confirm whether your data practices qualify as a sale or share under CCPA/CPRA.

Who Is This For?

  - Businesses subject to CCPA/CPRA that may "sell" or "share" personal information — for example, through cross-context behavioral advertising.

  - Privacy and compliance owners who need a visible opt-out link or label on their website for California consumers.

  - Web teams implementing the opt-out UX — site administrators, marketing ops, or developers managing Secure Privacy Templates and site caching or CDN configuration.

CCPA/CPRA "Do Not Sell or Share" Requirement

Organizations subject to CCPA/CPRA that sell or share personal information must provide a visible, accessible opt-out entry point for California consumers. Many websites present this as a persistent label in the footer or via a widget displaying "Do Not Sell" or "Do Not Sell or Share My Personal Information."

Updating your Secure Privacy widget text helps:

  - Make the opt-out entry point clearly visible and recognizable to California consumers

  - Align your site UI with common CCPA/CPRA consumer expectations

  - Reduce friction for privacy requests and improve visitor trust

How to Set the Widget Text to "Do Not Sell" in Secure Privacy

Step 1: Sign in and open the CCPA template

  - Sign in to your Secure Privacy dashboard.

  - In the main navigation, click Templates.

  - Select CCPA from the template categories.

Step 2: Open the Widget settings

  - In the CCPA template options, locate the Widget section.

  - Click to expand the widget configuration panel.

Step 3: Update the widget label

  - Locate the Widget Display Text field.

  - Clear the existing text and enter: Do Not Sell

  - Click Save.

Optional: If you prefer full CPRA wording, use "Do Not Sell or Share My Personal Information" — provided it fits your site's design constraints.

Verify Your "Do Not Sell" Opt-Out Experience

  - Open your website in an incognito or private browser window.

  - Confirm the widget now displays "Do Not Sell" (or your chosen label).

  - Click the widget and verify that the opt-out flow loads and functions correctly.

  - If your site uses caching or a CDN, clear the cache and retest to confirm the updated label is live.

Best Practices for CCPA Opt-Out Widget Configuration

Use wording consumers recognize

"Do Not Sell" and "Do Not Sell or Share My Personal Information" are the standard phrases California consumers are familiar with — and what many will actively search for. Using recognized wording reduces confusion and increases opt-out discoverability.

Make the opt-out easy to find

Keep the widget or opt-out link persistently accessible — commonly in the website footer and/or via a floating widget visible on all pages. CCPA/CPRA requires the opt-out to be easy to locate, not buried in a privacy policy.

Ensure the opt-out actually functions

The label is only effective if the underlying configuration correctly limits the sale or sharing of personal information when a consumer opts out. Verify the full opt-out flow — not just the label — is working as intended.

Frequently Asked Questions

Why is my widget text not updating on the live site?

Confirm you clicked Save in the CCPA template settings. Then clear your site cache, CDN cache, and browser cache, and retest in an incognito window. If you manage multiple templates or environments, confirm you edited the correct template.

Can I customize widget text for other templates, such as GDPR?

Yes. Open the relevant template — for example, GDPR or another regional template — and locate the equivalent Widget settings section to update the display text for that template's widget.

Does changing the widget text alone make me CCPA/CPRA compliant?

No. The label helps consumers find the opt-out, but CCPA/CPRA compliance also requires the underlying opt-out functionality to work correctly, and your overall data practices, disclosures, and privacy policy must align with the regulation's requirements. Consult your legal team for compliance guidance.

See Also

  - Templates: Settings Explained

  - Customized Cookie Banner Design

  - Secure Privacy Pricing Plans Overview

Need More Help?

If the label updates in the dashboard but is not appearing on your live site — or you are unsure whether your setup qualifies as a "sale" or "share" under CCPA/CPRA — contact Secure Privacy support at support@secureprivacy.ai.

---

# Global Data Privacy Laws & Data Protection Regulations: Complete Guide by Country and Region

URL: https://support.secureprivacy.ai/article/global-data-privacy-compliance-solutions--secure-privacy
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T17:50:04.849+00:00
Reading Time: 3 minutes
Summary: Explore all major global data privacy laws and data protection regulations by country and region — GDPR, CCPA, LGPD, and 55+ more. Find compliance resources and tools.

The global digital landscape is governed by a growing patchwork of data privacy laws and data protection regulations that vary significantly by region and country. This reference guide provides an organized starting point to explore major privacy regulations worldwide, and links to our detailed blog posts for deeper reading. Whether you need to understand the EU GDPR, US state privacy laws, or emerging frameworks in Asia and Africa, this pillar guide covers it all.
Who Is This Guide For?
This guide is designed for compliance officers, legal teams, website owners, and data protection professionals who need a reliable overview of international data privacy regulations. It is especially useful for businesses operating across multiple jurisdictions who need to quickly identify applicable laws and plan their privacy compliance strategy.
Data Privacy Laws by Region
- Europe: EU GDPR, UK DPA, Switzerland FADP, Norway DPA

- North America – US State Privacy Laws: Colorado CPA, California CCPA/CPRA, Connecticut DPA, Virginia CDPA, Utah CPA

- North America – Canada: Canada PIPEDA, Quebec Law 25

- South America: Argentina PLDP, Colombia DPL, Panama LSPDP, Brazil LGPD

- Asia – East Asia: Japan APPI, South Korea PIPA, China PIPL

- Asia – Southeast Asia: Vietnam PDPA, Singapore PDPA, Malaysia PDPA, Philippine DPA

- Asia – West Asia & South Asia: Israel PPL, Saudi Arabia DPL, Dubai DIFC DPL, UAE PDPL, India DPDPA

- Africa & Middle East: Morocco DPL, Egypt DPL, Kenya DPA, South Africa POPIA, Oman PDPL

- Oceania: New Zealand Privacy Act 2020, Australia APP, Thailand PDPA

Data Privacy Laws by Country (A–Z)
- Argentina PLDP

- Australia APP

- Belarus LPDP

- Brazil LGPD

- California CCPA/CPRA (US)

- Canada PIPEDA

- China PIPL

- Colombia DPL

- Colorado CPA (US)

- Connecticut DPA (US)

- Delaware PDPA (US)

- Dubai DIFC DPL (UAE)

- Egypt DPL

- EU GDPR

- India DPDPA

- Indiana CDPA (US)

- Iowa DPA (US)

- Israel PPL

- Japan APPI

- Kenya DPA

- Kentucky CDPA (US)

- Malaysia PDPA

- Maryland ODPA (US)

- Minnesota CDPA (US)

- Montana CDPA (US)

- Morocco DPL

- Nebraska DPA (US)

- New Hampshire CDPA (US)

- New Jersey CDPB (US)

- New Zealand Privacy Act 2020

- North Macedonia ZZLP

- Norway DPA

- Oman PDPL

- Oregon CPA (US)

- Panama LSPDP

- Philippine DPA

- Quebec Law 25 (Canada)

- Russia FLDP

- Saudi Arabia DPL

- Serbia ZZPL

- Singapore PDPA

- South Africa POPIA

- South Korea PIPA

- Switzerland FADP

- Tennessee IPA (US)

- Texas DPSA (US)

- Thailand PDPA

- Turkey KVKK

- UAE PDPL

- UK DPA

- Utah CPA (US)

- Vermont DPA (US)

- Vietnam PDPA

- Virginia CDPA (US)

Global Data Privacy Compliance Made Easy
Managing compliance with the growing number of global data protection regulations can be challenging for any organization. Secure Privacy offers a comprehensive privacy compliance platform that simplifies adherence to over 55 international data privacy laws. Key features include:
- Easy Cookie Consent Management: User-friendly tools that clarify cookie usage and empower user control across jurisdictions.

- Certified Google Consent Management Platform (CMP): Google-certified CMP ensuring standardized, transparent consent collection for optimal ad performance and regulatory compliance.

- Customizable Privacy Policies: Automatically generated, legally compliant privacy policies tailored to your specific jurisdiction and business needs.

- Automated Website Scanning: Proactively identify potential privacy compliance issues across your website.

- Expert Compliance Support: A dedicated team ready to assist with your data privacy compliance needs at any stage.

Ensure your business complies with privacy laws worldwide, builds customer trust, and confidently enters global markets with Secure Privacy. Get started today at secureprivacy.ai.
Frequently Asked Questions About Global Data Privacy Laws
How can I ensure compliance with multiple data privacy laws simultaneously?
Use Secure Privacy's unified compliance platform, which supports over 55 international data privacy regulations with continuous updates as laws evolve. A single account can cover multiple jurisdictions at once.
Can Secure Privacy handle data protection regulations for different regions at the same time?
Yes. Secure Privacy is built for multi-jurisdictional compliance, allowing you to manage requirements from the EU GDPR, US state privacy laws, and other regional frameworks within a single account.
Does Secure Privacy provide legal support for privacy policy creation?
Secure Privacy automatically generates customizable, legally vetted privacy policies. For complex or high-risk compliance scenarios, consulting a qualified legal professional is also recommended.
Which US states have data privacy laws?
Numerous US states have enacted or are enacting comprehensive data privacy legislation, including California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (DPA), Utah (CPA), Texas (DPSA), and many others. This guide lists all currently known state-level laws above.
See Also
- Basic vs. Advanced Google Consent Mode: Full Comparison Guide

- Modifying Data Retention Period for Legal Templates

- Simplify Privacy Management with Templates: Settings Explained

---

# How to Set Up & Customize Your Cookie Consent Banner in Secure Privacy

URL: https://support.secureprivacy.ai/article/customize-your-websites-cookie-banner-using-templates
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T18:00:00.801+00:00
Reading Time: 4 minutes
Summary: Step-by-step guide to configuring your cookie consent banner in Secure Privacy. Customize text, buttons, languages, and cookie categories to stay GDPR & CCPA compliant.

A cookie consent banner is one of the most visible elements of your website's privacy compliance strategy. Whether you need to meet GDPR, CCPA, or ePrivacy requirements, configuring the right cookie banner template helps you collect valid user consent, build trust, and avoid regulatory risk. This guide walks you through every setting on the Secure Privacy Cookie Banner page — from enabling your banner to customizing text, buttons, and advanced consent categories.

  

  
    Who Is This For?

    This article is for website owners, developers, and privacy managers using Secure Privacy who want to set up, customize, or troubleshoot their cookie consent banner. No prior technical knowledge is required.

  

  
    Quick Feature Index

    
      - 1. Enable or Disable Cookie Banner

      - 2. Preview Cookie Banner on All Devices

      - 3. Switch to Edit Mode

      - 4. Edit Mode: Language Settings

      - 5. Edit Mode: Banner Text & Links

      - 6. Edit Mode: Consent Buttons

      - 7. Edit Mode: Advanced Cookie Categories

      - 8. Edit Mode: Interactive Preview

    
  

  
    How to Access Cookie Banner Settings in Secure Privacy

    To reach the Cookie Banner configuration page, log in to your Secure Privacy account, click Templates in the navigation bar, select the template you want to modify, then open the Cookie Banner tab.

    
  

  
    1. How to Enable or Disable Your Cookie Consent Banner

    The Enable Cookie Banner toggle is pre-configured for every template. Use it to instantly show or hide the cookie consent banner on your website — no code changes required. This is useful when running A/B tests, performing maintenance, or managing seasonal compliance needs.

  

  
    2. Preview the Cookie Banner Across Devices

    Before publishing, use the built-in preview to see how your cookie banner will appear on desktop, tablet, and mobile devices. Switch to full-screen mode for the most accurate visual representation. Note that the preview is an approximation — always verify on a live staging environment for final checks.

  

  
    3. How to Switch to Cookie Banner Edit Mode

    To modify any cookie banner setting, click the Edit button. This unlocks the full editor, divided into five sections: Language, Text, Buttons, Advanced Categories, and Preview.

    
  

  
    4. Edit Mode: Cookie Banner Language Settings

    Each template comes pre-loaded with languages relevant to its target region — for example, EU-focused templates include the major EU languages by default. To add or remove languages, navigate to Template → Settings. Supporting multiple languages ensures your cookie consent notice is compliant and accessible to all visitors.

  

  
    5. Edit Mode: Customize Cookie Banner Text & Links

    The Text section lets you edit every written element of your cookie banner — including the heading, body copy, and embedded hyperlinks. You can link directly to key privacy resources such as your preference center, privacy policy, cookie policy, and data request form.

    All text is pre-written to be legally compliant, but can be tailored to match your brand's tone and voice for a seamless user experience.

    
  

  
    6. Edit Mode: Configure Cookie Consent Buttons

    Customize the label and visibility of your consent action buttons — Accept, Decline, and Personalize — for each supported language. The Decline and Personalize buttons can be independently enabled or disabled to match your legal requirements and UX preferences. Default states are pre-configured per template.

  

  
    7. Edit Mode: Advanced Cookie Consent Categories

    Advanced categories allow granular control over cookie consent — for example, separating analytics cookies from marketing cookies. You can enable or disable each category here. To edit category names and descriptions, go to the Preference Center tab. Changes are reflected instantly in the preview below.

  

  
    8. Edit Mode: Interactive Cookie Banner Preview

    The interactive preview updates in real time as you make edits, so you can see exactly how your cookie banner will look before going live. Preview across desktop, tablet, and mobile to confirm the design is consistent with the rest of your website.

    
  

  
    Summary: Building a Compliant, Customized Cookie Banner

    The Templates → Cookie Banner page in Secure Privacy gives you complete control over your cookie consent experience. With pre-configured templates, multi-language support, customizable text and buttons, and an interactive preview, you can create a GDPR-compliant cookie banner that fits your brand and satisfies your legal obligations — without writing a single line of code.

  

  
    Frequently Asked Questions

    Can I disable the cookie banner for specific pages?

    The Enable/Disable toggle applies at the template level. For page-level control, configure targeting rules within your Secure Privacy account settings.

    Will the cookie banner work on mobile devices?

    Yes. The cookie banner is responsive by design. Use the built-in device preview in Edit Mode to verify how it appears on mobile and tablet before publishing.

    How do I add a new language to my cookie banner?

    Navigate to Template → Settings and add your desired language. It will then become available in the Language section of the Cookie Banner editor.

    What is the Preference Center in cookie banners?

    The Preference Center is a dedicated UI where users can manage their individual cookie consent choices by category (e.g., analytics, marketing). You can link to it directly from your banner text.

---

# How to Block Cookies in Google Tag Manager Using Secure Privacy Consent Event Triggers

URL: https://support.secureprivacy.ai/article/howto-manually-block-cookies-using-google-tag-manager
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-27T22:06:31.741+00:00
Reading Time: 3 minutes
Summary: Learn how to block cookies in Google Tag Manager using Secure Privacy's sp-consent custom event triggers — step-by-step guide for creating triggers and attaching them to GTM tags.

This guide explains how to block cookies and trackers in Google Tag Manager (GTM) using Secure Privacy's custom consent event triggers — using Google Analytics as a working example. By attaching sp-consent custom event triggers to your GTM tags, you can ensure third-party scripts only fire after a visitor has given the appropriate consent.
Prerequisites: This guide assumes you have already created a GTM account, set up a website container, and added the GTM container snippet to your website. See Google's GTM setup guide for help. It also assumes Secure Privacy is already installed on your website. If not, see how to implement Secure Privacy with GTM before proceeding.
Who Is This For?
- Developers and tag managers implementing Secure Privacy cookie blocking via Google Tag Manager

- Compliance teams ensuring third-party scripts only fire after visitor consent is obtained

- Website administrators using GTM to manage analytics, advertising, and tracking tags with consent controls

How to Block Cookies Using a GTM Custom Event Trigger
The following steps use Google Analytics as the example plugin. Repeat the same process for each additional plugin or service you need to block.
Step 1: Create a custom event trigger in GTM
- In your GTM container, navigate to Triggers and click New.

- Select Custom Event as the trigger type.

- In the Event Name field, enter the consent event for the plugin you want to block — using the format: sp-consent="PLUGIN NAME"
The exact plugin name must match the service name shown in your Secure Privacy account under Classification in the Scan Report. For example, to block Google Analytics, enter: sp-consent="Google Analytics"

- Name the trigger clearly — for example, SP-Consent-Google-Analytics — so it is easy to identify in your tag configuration.

- Click Save to create the trigger.

Repeat this process for each plugin or service you need to block — creating one custom event trigger per service.
Step 2: Attach the trigger to the relevant GTM tag
- In your GTM container, navigate to Tags and click New — or open your existing Google Analytics tag to edit it.

- If creating a new tag, select Universal Analytics under Choose tag type.

- Under Google Analytics Settings, select New Variable and enter your GA Tracking ID in the Tracking ID field.

- Under Triggering, select the trigger you created in Step 1 — for example, SP-Consent-Google-Analytics.

- Click Save to create or update the tag.

Step 3: Publish your GTM container
Click Submit then Publish to push your updated tag configuration live to your website.
Note: If any of your GTM tags use multiple triggers, additional configuration is needed to ensure correct consent-based blocking. See the guide on blocking cookies with multiple GTM triggers for full instructions.
Frequently Asked Questions
Where do I find the correct plugin name to use in the sp-consent event?
The plugin name must exactly match the service name shown in your Secure Privacy account under Classification in the Scan Report. Navigate to your Secure Privacy dashboard, open the Classification tab for your domain, and copy the service name exactly as it appears — including capitalization and spacing.
Do I need to create a separate trigger for every plugin I want to block?
Yes. Each plugin or service requires its own sp-consent custom event trigger in GTM — one trigger per service. Once the trigger is created, attach it to the corresponding tag in your GTM container.
What happens if I use the wrong plugin name in the event trigger?
If the plugin name in your GTM custom event trigger does not exactly match the service name in your Secure Privacy Classification tab, the consent event will not fire correctly and the tag may load without consent — creating a compliance gap. Always copy the service name directly from the Classification tab rather than typing it manually.
See Also
- How to Block Cookies with Multiple GTM Triggers

- How to Implement Secure Privacy with Google Tag Manager

- Implementing Google Consent Mode Using GTM Template

---

# How to Enable IAB TCF 2.0 in Secure Privacy – Consent Banner and Preference Center Setup

URL: https://support.secureprivacy.ai/article/cmp-v1-how-to-enable-iab-20
Product: Consent Management
Category: Compliance & Regulations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T00:33:09.075+00:00
Reading Time: 3 minutes
Summary: Learn how to enable IAB TCF 2.0 in Secure Privacy, what changes to expect in your consent banner and preference center, and how to decode IAB consent strings.

IAB Transparency and Consent Framework 2.0 (TCF 2.0) is the latest version of the IAB Europe standard for managing user consent in programmatic advertising. It significantly expands publishers' options for collecting and signaling consent in the bidstream — requiring companies to disclose specific data uses and their role in ad campaigns. This guide explains how to enable IAB TCF 2.0 in your Secure Privacy account and what changes to expect in your consent banner and preference center.

Who Is This For?

  - Publishers and website owners running programmatic advertising

  - Ad operations and marketing teams managing consent for ad partners

  - Developers configuring IAB-compliant cookie consent banners

  - Compliance teams ensuring TCF 2.0 alignment across their CMP setup

How to Enable IAB TCF 2.0 in Secure Privacy

  - 
    Navigate to your banner settings. Log in to your Secure Privacy account and open the cookie banner configuration for your domain.

  

  - 
    Enable the IAB toggle. Locate the Enable IAB switch and turn it on to activate IAB TCF 2.0 for your account.

  

Changes to the Preference Center After Enabling IAB TCF 2.0

Once IAB TCF 2.0 is enabled, your preference center is automatically updated to reflect the new framework. You will see additional tabs, including a "Partners" tab listing IAB-registered vendors.

Note: All tabs in the preference center can be renamed by clicking on them. Make sure to select the correct language first before editing tab labels.

Editing IAB Messages in the Preference Center

You can customize the IAB-specific text shown in your preference center under the "Edit IAB message" tab:

Changes to the Cookie Consent Banner After Enabling IAB TCF 2.0

Enabling IAB TCF 2.0 also updates your cookie consent banner. The banner text is automatically aligned with IAB-approved messaging. While the text can be edited using the WYSIWYG editor, changes are not recommended — the default copy is pre-approved by IAB and editing it may affect your TCF compliance status.

Below is an example of a standard IAB TCF 2.0 cookie consent banner. The design can be customized and restyled to match your corporate branding:

IAB TCF 2.0 Consent String

When a visitor clicks Accept or Reject on your cookie banner, an IAB TCF 2.0 consent string is generated and stored. This encoded string records the user's consent choices for all registered vendors and purposes.

You can view the consent string in your browser's developer console. To decode and inspect a consent string, use the official decode tool:

Decode IAB TCF 2.0 Consent String – Secure Privacy CMP Tool

An example of how the IAB TCF 2.0 consent string appears in the browser console:

Frequently Asked Questions

What is IAB TCF 2.0 and why does it matter?

IAB TCF 2.0 (Transparency and Consent Framework) is the industry standard for managing and signaling user consent in programmatic advertising. It requires publishers to disclose data uses and vendor roles, and gives users finer control over how their data is used — going beyond simple on/off consent toggles.

Will enabling IAB TCF 2.0 change my existing cookie banner?

Yes. Enabling IAB TCF 2.0 updates both your cookie consent banner text and your preference center. The banner text is replaced with IAB-pre-approved copy, and your preference center gains additional tabs such as "Partners." Your branding and styling remain customizable.

Can I edit the IAB-approved banner text?

Technically yes, using the WYSIWYG editor — but it is not recommended. The default text is pre-approved by IAB, and modifying it may affect your TCF 2.0 compliance status.

Where can I decode an IAB TCF 2.0 consent string?

Use the Secure Privacy IAB consent string decode tool to inspect and verify the consent data being recorded for your visitors.

See Also

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained

  - Secure Privacy Volume Discounts | Custom Consent Storage Pricing

---

# Secure Privacy Affiliate Program: How to Join and Earn 30% Recurring Commission

URL: https://support.secureprivacy.ai/article/secure-privacy-partner-program--earn-commissions-by-referring-customers
Product: Consent Management
Category: Subscriptions & Partnerships
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-21T23:34:01.179+00:00
Reading Time: 3 minutes
Summary: Learn how the Secure Privacy Affiliate Program works, get your referral link in Partnero, and earn 30% recurring commission from customer signups today!

The Secure Privacy Affiliate Program lets affiliates, agencies, website owners, and marketers earn a 30% recurring commission for every customer they refer to the Secure Privacy consent management platform. Managed through Partnero, the program makes it easy to join, get your unique affiliate link, track referrals, and monitor commissions from one dashboard.
What Is the Secure Privacy Affiliate Program?
The Secure Privacy Affiliate Program is a partner program designed for people and businesses that want to monetize their audience while promoting website privacy compliance. When someone signs up through your unique referral link, you earn recurring commission and can track performance inside your Partner Portal.
Who Is the Secure Privacy Affiliate Program For?
This program is a good fit for:
- Affiliates and marketers looking for commission-based partnership opportunities

- Website owners and digital agencies promoting privacy compliance solutions

- Individuals or businesses recommending GDPR and cookie consent platforms

How Much Commission Do Secure Privacy Partners Earn?
Secure Privacy partners earn a 30% recurring commission for each customer who signs up through their affiliate link.
How to Join the Secure Privacy Partner Program
- Sign up: Register on the Secure Privacy Partner Program page.

- Access your Partner Portal: After registration, you can log in to the Partner Portal powered by Partnero to manage referrals and track commissions.

How to Find Your Secure Privacy Affiliate Link
Your affiliate link is what connects referrals to your account and commissions. To find it:
- Log in to your Partner Portal.

- Locate the area that displays your unique affiliate code.

- Click Copy URL to copy your referral link instantly.

Example of where to find and copy your Secure Privacy affiliate link in the Partner Portal.
Your affiliate link will look similar to https://secureprivacy.ai?aff=yourAffiliateCode123.
How Affiliate Commission Tracking Works
Secure Privacy tracks referrals through your unique affiliate link so commissions can be assigned to your partner account.
- A visitor clicks your affiliate link and is redirected to the Secure Privacy website.

- A partner tracking cookie is placed on the visitor’s device to connect the referral to your affiliate code.

- When the visitor signs up, the referral and commission details appear in your Partner Portal dashboard in real time.

Frequently Asked Questions About the Secure Privacy Affiliate Program
How do I find my affiliate link?
After you create your Partner Portal account, your unique affiliate code and referral link are displayed in the dashboard. Use the Copy URL button to copy the link.
How is my commission tracked?
Each referral places a tracking cookie that links the new customer to your affiliate code. Your dashboard updates automatically with new signups and commission totals.
Who can join the Secure Privacy Partner Program?
The program is built for affiliates, marketers, website owners, digital agencies, and businesses that recommend privacy compliance, GDPR, or cookie consent solutions.
Who can I contact for partner support?
If you need help with the partner program, contact the Secure Privacy support team at support@secureprivacy.ai.
Start Earning with the Secure Privacy Affiliate Program
If you want to promote a consent management platform and earn recurring revenue, join the Secure Privacy Partner Program today and start referring customers.
Related articles
- Secure Privacy Pricing Plans

- Secure Privacy Volume Discounts and Custom Consent Storage Pricing

- Website Visits vs Page Views vs Consent Explained

---

# How to Install Secure Privacy on a Vue.js Application (Cookie Consent Setup)

URL: https://support.secureprivacy.ai/article/install-secure-privacy-on-vue-js--quick-setup-guide
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-25T01:12:35.104+00:00
Reading Time: 2 minutes
Summary: Step-by-step guide to installing Secure Privacy on your Vue.js app. Set up a GDPR-compliant cookie consent banner quickly, and troubleshoot common script issues.

Follow these steps to install Secure Privacy on your Vue.js application and enable cookie consent and compliance management seamlessly. Once installed, your site will display a fully customizable cookie banner to help meet GDPR, CCPA, and ePrivacy requirements.
Who is this for: Vue.js developers and site owners who need to add a cookie consent banner and comply with data privacy regulations such as GDPR and CCPA.
Installing the Secure Privacy Script in Vue.js
- Log in to your Secure Privacy account.

- Go to the Installation page and copy your unique Secure Privacy script.

- Open the index.html file in the root of your Vue.js project.

- Paste the Secure Privacy script at the top of the <head> section, before any other scripts.

- Click Save to apply your changes.

- Rebuild and publish your Vue.js site to make the changes live.

- Your Secure Privacy cookie consent script is now successfully installed! 🎉

Common Issues & Fixes
Script Not Loading on Website
Confirm the script was pasted inside the <head> tag of your index.html file and that the site was rebuilt and republished after saving.
Cookie Banner Not Displaying
Check that your domain is configured correctly in your Secure Privacy dashboard and that cookie consent is enabled in your account settings.
Changes Not Reflecting After Save
Clear your browser cache and do a hard refresh to see the updated cookie consent script take effect. If the issue persists, try accessing the site via a VPN to rule out regional caching.
Frequently Asked Questions
Does Secure Privacy work with Vue.js single-page applications (SPAs)?
Yes. Because the Secure Privacy script is added to the index.html entry file, it loads on every route in a Vue.js SPA and manages cookie consent across the entire application.
Where exactly should I paste the Secure Privacy script in Vue.js?
Paste the script at the very top of the <head> section in your index.html file. Placing it early ensures the cookie consent banner loads before any analytics or tracking scripts fire.
Will installing Secure Privacy affect my Vue.js app's performance?
The Secure Privacy script is lightweight and asynchronous, so it has minimal impact on page load times. It is designed to initialize cookie consent management without blocking other resources.
See Also
- Onboard with Secure Privacy via CMS Plugins (Shopify, WordPress)

- Customize Your Website's Cookie Consent Banner

- Add Custom CSS for Cookie Banner Branding

---

# How to Handle a DSAR Under GDPR Article 15 – Data Subject Access Request Compliance Process

URL: https://support.secureprivacy.ai/article/gdpr-article-15-dsar-compliance-process
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-24T00:33:21.076+00:00
Reading Time: 5 minutes
Summary: Step-by-step GDPR Article 15 DSAR compliance guide — covering identity verification, data mapping, response preparation, deadlines, secure delivery, and accountability documentation.

When your organization receives a Data Subject Access Request (DSAR) under GDPR Article 15, you must follow a defined compliance process to meet your legal obligations and avoid enforcement action. This guide covers every stage of DSAR handling — from initial acknowledgement and identity verification through to response preparation, secure delivery, and record-keeping. Secure Privacy's DSAR management tools can help automate key steps in this process, including request intake, deadline tracking, and secure document exchange.

Who Is This For?

  - Data Protection Officers (DPOs) managing GDPR Article 15 access requests

  - Privacy and compliance teams handling DSAR workflows and documentation

  - Legal professionals advising on or responding to data subject requests

  - IT and security teams supporting data retrieval, mapping, and secure response delivery

Step 1: Initial Response and Identity Verification

Acknowledge receipt promptly. Inform the data subject of their rights and confirm the request has been received. While GDPR does not specify an exact acknowledgement timeframe, responding within 72 hours demonstrates good faith and commitment to compliance.

Verify the requester's identity before disclosing any personal data — to prevent unauthorized disclosure to third parties. Verification requests must be proportionate and reasonable; requesting extensive documentation is only justified where genuine doubt exists about the requester's identity.

Clarify the scope of the request if it is unclear or overly broad. You may ask for clarification, but this does not pause your one-month response deadline unless the request is manifestly unfounded or excessive.

Step 2: Processing the DSAR Under GDPR Article 15

Conduct comprehensive data mapping across all processing activities — including systems recorded in your Article 30 ROPA, third-party processors, and any international data transfers involving the data subject's personal data.

Involve your Data Protection Officer (DPO) and coordinate with relevant departments — including IT, HR, legal, marketing, and customer service — to ensure all personal data held across the organization is identified and reviewed.

Document your search methodology at every stage to satisfy GDPR's accountability principle under Article 5(2). A clear audit trail of how and where you searched for personal data is essential for supervisory authority reviews.

Step 3: Preparing a GDPR-Compliant DSAR Response

Compile all relevant personal data as required by GDPR Article 15(1), including:

  - The purposes for which the data is being processed

  - The categories of personal data held

  - Recipients or categories of recipients to whom the data has been disclosed

  - Retention periods or the criteria used to determine them

  - Information about any automated decision-making, including profiling

Inform the data subject of their remaining rights — including the right to rectification, erasure, restriction of processing, data portability, and the right to object.

Include source details if personal data was not collected directly from the data subject.

Remove third-party personal data from the response unless disclosure is legally required or the third party has provided consent.

Step 4: GDPR Deadlines and Legal Compliance

Respond within one calendar month from the date of receipt. For complex or high-volume requests, this can be extended by a further two months — but you must notify the data subject of the extension and reason within the first month.

Provide the information free of charge in all standard cases. A reasonable fee may only be charged for requests that are manifestly unfounded, excessive, or repetitive — and this must be documented and justifiable.

Consider applicable GDPR exemptions under national law — such as legal professional privilege or third-party rights — but always document the legal grounds for any partial or full refusal.

Step 5: Secure Delivery and Record-Keeping

Deliver the response securely — using encryption for electronic responses or registered post for physical delivery — to ensure the personal data reaches only the verified requester.

Provide data in a structured, commonly used, machine-readable format where applicable, to support the data subject's right to data portability under GDPR Article 20.

Maintain complete records of the DSAR handling process — including correspondence, search methodology, risk assessments, and decisions made — for accountability and supervisory authority review.

Monitor for follow-up requests such as rectification, erasure, or restriction of processing that commonly follow a completed access request.

GDPR Enforcement and Penalties

Failure to comply with DSAR obligations under GDPR Article 15 can result in fines of up to €20 million or 4% of global annual turnover under Article 83 — whichever is higher. Supervisory authorities take into account your compliance history, the nature of the infringement, and your demonstrated cooperation when determining penalties.

Establishing documented DSAR procedures, staff training programs, and clear escalation paths is essential for demonstrating proactive compliance and mitigating enforcement risk.

Frequently Asked Questions

What if identity verification delays the DSAR response?

Verification must be proportionate — requesting excessive documentation to confirm identity can itself constitute a GDPR violation. Maintain a clear audit trail of your verification process and communicate transparently with the requester. If verification is genuinely necessary and proportionate, document the reason for any resulting delay. The one-month response clock typically starts from the point of receipt, not the completion of verification, unless your national implementation specifies otherwise.

How should I handle an overly broad or unclear DSAR?

Request clarification promptly — but continue working on any unambiguous parts of the request in parallel to ensure you meet the deadline. Asking for clarification does not pause the response deadline unless the request is manifestly unfounded or excessive. Document all clarification requests and responses as part of your audit trail.

What documentation is required for GDPR accountability under Article 5(2)?

You must securely retain records of your search methodology (which systems were searched and how), all correspondence with the data subject, any risk assessments conducted, decisions made regarding exemptions or partial refusals, and the final response delivered. These records must be available for supervisory authority review and should be retained for a reasonable period after the request is closed.

See Also

  - Setup DSAR Forms in Secure Privacy – Step-by-Step Guide

  - Using DSAR Custom Controls in Secure Privacy

  - Modifying Data Retention Periods for Legal Templates

  - Where Is My Data Stored?

---

# How to Change a Cookie Consent Category in Secure Privacy – Classification Tab Guide

URL: https://support.secureprivacy.ai/article/how-do-i-change-a-consent-category-service-cookie
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:05:56.633+00:00
Reading Time: 2 minutes
Summary: Learn how to update a cookie consent category in Secure Privacy — locate the service in the Classification tab, edit its category, and rescan to apply changes to your preference center.

If a cookie or service has been miscategorized — or if a business decision requires changing its consent category — you can update it directly in your Secure Privacy account under the Classification tab. This guide explains how to locate the service, apply the category change, and rescan to propagate updates across your cookie declaration and preference center.

Who Is This For?

  - Compliance officers managing and correcting cookie classifications in Secure Privacy

  - Website administrators updating consent categories for detected services

  - Marketing and legal teams ensuring cookies are correctly classified as Essential, Analytics, Marketing, or Functional

How to Change a Cookie Consent Category

  - Log in to your Secure Privacy account and select the domain you want to work with.

  - Navigate to the Classification tab.

  - Under the Cookies tab, locate the cookie you want to update and confirm which Service it belongs to.

  - Since consent categories are assigned to services — not individual cookies — switch to the Services tab.

  - Find the relevant service, click the three-dot menu next to it, and select Edit.

  - In the edit window, select the required category from the dropdown and click Save.

  - Navigate to Scan Report > Rescan Website to propagate your changes across the scan report, preference center, and cookie/privacy policies.

Frequently Asked Questions

Can I change the consent category for a specific cookie directly?

No. Consent categories are assigned at the service level — not to individual cookies. To change the category for a cookie, locate the service it belongs to using the Cookies tab, then edit the service's category in the Services tab. All cookies associated with that service will inherit the updated category after a rescan.

Why don't my changes appear immediately in the preference center?

After editing a service category, you must trigger a website rescan from Scan Report > Rescan Website. The rescan updates your scan report, preference center, and cookie/privacy policies to reflect the new classification.

How do I find which service a specific cookie belongs to?

Navigate to the Classification tab and open the Cookies tab. Each cookie entry shows its associated service name — use this to identify which service you need to edit before switching to the Services tab to make the category change.

See Also

  - How to Manage Cookie Classifications

  - How to Perform a Website Rescan

  - Add Custom Cookies & Services

---

# Secure Privacy Website Performance – Script Loading Speed, Blocking Modes, and SEO Protection Explained

URL: https://support.secureprivacy.ai/article/secure-privacy-banner-performance-optimization--seo-best-practices
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:18:24.736+00:00
Reading Time: 3 minutes
Summary: Learn how Secure Privacy minimizes its impact on website performance — covering 100ms script loading, automatic vs manual blocking modes, noindex for banner text, and V2 platform improvements.

Secure Privacy is designed to keep your website fast while maintaining full cookie consent compliance. This article explains how the Secure Privacy script is optimized for performance — including script loading modes, SEO protection for banner text, and the performance improvements introduced in the V2 platform.

Who Is This For?

  - Website administrators focused on minimizing the performance impact of the cookie consent banner

  - SEO professionals verifying that cookie banner content does not affect search engine indexing

  - Developers evaluating script loading modes and choosing the right configuration for their website

Noindex for Cookie Banner Text

All Secure Privacy banner texts include a noindex tag to prevent search engine crawlers from indexing cookie consent content. This ensures your website's primary content remains the focus for SEO — protecting your rankings from interference by consent banner copy.

Script Loading Speed

Secure Privacy targets an average script loading time of 100ms — in line with industry standards. This ensures the consent script causes minimal delay and keeps your website responsive for all visitors.

Script Loading Modes

Automatic Blocking Mode (default)

Enabled by default, Automatic Blocking Mode loads the Secure Privacy script synchronously — meaning it runs before any other scripts on the page. This guarantees that visitor consent preferences are applied before any third-party tags or cookies can fire. Despite being synchronous, the script's fast loading time (~100ms) minimizes the impact on page performance.

Manual Mode

Manual Mode allows the Secure Privacy script to load asynchronously — the rest of your website does not wait for the script to complete before rendering. This can further improve page speed, but requires manual configuration of blocking rules for scripts, pixels, and iframes.

Performance Improvements in Secure Privacy V2

Smaller script bundle size

V2 uses improved code splitting techniques, resulting in a smaller script bundle that consumes fewer browser resources — contributing to faster page load times across all devices.

Enhanced global geolocation distribution

V2's advanced geolocation infrastructure ensures the script is served from servers optimized for each visitor's location — providing consistently low load times regardless of where your audience is based.

Frequently Asked Questions

Will the cookie banner text affect my SEO rankings?

No. The noindex tag applied to all Secure Privacy banner texts prevents them from being indexed by search engines — ensuring cookie consent copy does not appear in search results or interfere with your site's SEO.

What is the impact of synchronous script loading on my website?

Synchronous loading temporarily pauses other scripts from executing until the Secure Privacy script has finished loading. However, with an average load time of approximately 100ms, this pause is minimal and unlikely to be noticeable to visitors or affect Core Web Vitals significantly.

Can I switch between Automatic Blocking Mode and Manual Mode?

Yes. Automatic Blocking Mode is the default and recommended setting for organizations that want strict, guaranteed pre-consent blocking. Manual Mode is available for teams that prefer asynchronous loading and are comfortable managing blocking configuration manually. You can switch between modes in your Secure Privacy dashboard settings.

See Also

  - Templates: Settings Explained

  - Domain Licensing Model Explained

  - Basic vs. Advanced Google Consent Mode

---

# Secure Privacy SDK FAQ – Supported Platforms, GDPR Compliance, UI Customization, and Developer Support

URL: https://support.secureprivacy.ai/article/mobile-sdk--integrate-seamless-crossplatform-consent-management
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:42:46.908+00:00
Reading Time: 3 minutes
Summary: Answers to common questions about the Secure Privacy SDK — including supported platforms (iOS, Android, React Native, Flutter), GDPR/CCPA compliance, UI customization, and cross-platform consent sync.

This FAQ covers the most common questions about the Secure Privacy SDK — including supported platforms, compliance coverage, UI customization, cross-platform consent synchronization, and developer support options.

Who Is This For?

  - Mobile and web developers integrating privacy consent management into iOS, Android, or cross-platform applications

  - Product managers evaluating SDK capabilities for GDPR, CCPA, and multi-regulation compliance

  - Technical teams responsible for data privacy, user consent, and compliance audit logging

What Platforms and Frameworks Does the Secure Privacy SDK Support?

The Secure Privacy SDK supports a wide range of development environments:

  - Native iOS: Swift and Objective-C

  - Native Android: Kotlin and Java

  - Cross-platform: React Native and Flutter

The SDKs are designed to be flexible and straightforward to integrate regardless of your development stack.

Can the SDK Manage Consent Across Multiple Platforms?

Yes. The SDK supports seamless cross-platform consent management. When a user grants or updates consent on one device, their preferences are synchronized across web, mobile, and other connected platforms — ensuring a consistent consent state across your entire product ecosystem.

Is the SDK Compliant with GDPR, CCPA, and Other Privacy Regulations?

Yes. The Secure Privacy SDK is designed to support compliance with global data privacy regulations, including:

  - GDPR — General Data Protection Regulation (EU)

  - CCPA/CPRA — California Consumer Privacy Act / California Privacy Rights Act

  - LGPD — Lei Geral de Proteção de Dados (Brazil)

  - 50+ additional privacy laws globally

The SDK provides tools for managing consent requests, handling opt-ins and opt-outs, and generating audit logs for regulatory compliance documentation.

Can I Customize the Consent UI?

Yes. The SDK offers a fully customizable consent UI — allowing you to tailor the design, language, and behavior of consent pop-ups and banners to match your brand guidelines and meet the expectations of your audience across different regions.

Does the SDK Support Multiple Languages?

Yes. The SDK supports multilingual environments, allowing consent requests to be displayed in the user's preferred language — supporting compliance with GDPR transparency requirements across different markets.

How Does the SDK Handle Updates to User Consent Preferences?

The SDK supports real-time updates to user consent preferences. Changes made by users are immediately synchronized and can be fetched dynamically by your backend — ensuring accurate, up-to-date consent records are always available for processing decisions.

Is the SDK Lightweight? Will It Affect App Performance?

The SDK is performance-optimized to minimize its footprint on your application. It is lightweight, fast-loading, and designed to operate efficiently even on low-bandwidth networks — with minimal impact on app startup time or runtime performance.

Does the SDK Include Analytics and Compliance Reporting?

Yes. The SDK includes built-in analytics that track user consent actions — including opt-ins and opt-outs. You can generate detailed compliance reports for regulatory audits and internal governance reviews directly from the Secure Privacy dashboard.

What Developer Support Is Available for SDK Integration?

Secure Privacy provides:

  - Comprehensive documentation including step-by-step integration guides for each supported platform

  - Code samples covering common frameworks and integration scenarios

  - Dedicated developer support for technical questions and integration challenges

Common Issues and Fixes

How do I ensure user consent stays synchronized across devices?

Use the SDK's built-in cross-platform synchronization feature, which automatically keeps user consent preferences consistent across web and mobile. Ensure all platforms are using the same Secure Privacy account and domain configuration.

My app performance slowed after adding the SDK. What can I do?

Verify you are using the latest SDK version — each release includes performance optimizations. Avoid loading SDK features or modules you are not actively using, and check whether any custom UI components are adding unnecessary rendering overhead.

How do I customize the consent UI to match my brand guidelines?

Refer to the SDK's customization documentation, which includes design examples, available styling parameters, and guidance on applying custom themes, colors, and typography to consent banners and pop-ups.

See Also

  - Secure Privacy Pricing Plans Overview

  - Secure Privacy Setup and Installation Checklist

  - Basic vs. Advanced Google Consent Mode

---

# How to Fix the "Legal Template Not Found" Error in Secure Privacy – Regional Template Coverage Guide

URL: https://support.secureprivacy.ai/article/understanding-quotlegal-template-not-foundquot-message
Product: Consent Management
Category: FAQs
Published: 2026-03-06T12:43:00+00:00
Updated: 2026-03-22T23:56:40.209+00:00
Reading Time: 3 minutes
Summary: Learn what the Secure Privacy "Legal Template Not Found" error means, why it appears, and how to fix it by auditing regional template coverage and configuring a fallback template.

The "Legal Template Not Found" error appears in the developer console when a website visitor accesses your site from a region that has no matching legal template configured in Secure Privacy. This means no cookie consent banner or preference center is displayed to that visitor — creating a compliance gap that should be addressed promptly.

Who Is This For?

  - Website administrators and compliance teams managing Secure Privacy template coverage across regions

  - Developers troubleshooting the "Legal Template Not Found" console error

  - Privacy officers ensuring cookie consent banners are displayed to visitors from all relevant jurisdictions

Why Does "Legal Template Not Found" Appear?

Secure Privacy displays legal templates — including cookie consent banners and preference centers — based on each visitor's geographic location. When a visitor arrives from a region that is not covered by any configured template, the system cannot find a matching legal template and logs this error. The result is that no consent banner or legal disclosure is shown to that visitor.

Common causes include:

  - Templates have only been configured for specific regions (e.g., GDPR for the EU, CCPA for California) but your website receives traffic from uncovered regions

  - No global fallback template has been configured to catch visitors from regions without a specific template

  - Geolocation detection is not correctly identifying or segmenting visitor locations

Compliance Impact

When this error occurs, visitors from unsupported regions do not see your cookie consent banner or required legal disclosures. This can compromise visitor transparency, undermine your compliance posture under international data protection regulations, and expose your organization to legal risk in jurisdictions where consent is mandatory.

How to Fix "Legal Template Not Found"

  - 
    Audit your geographical template coverage. Review your existing templates against the regions your website receives traffic from. Identify any regions without a configured template and add or enable the appropriate legal template for each gap.

  

  - 
    Configure a global fallback template. Enable a default fallback template to cover visitors from regions that do not have a specific template assigned. This ensures some level of consent management is in place for all visitors while you complete more targeted regional coverage.

  

  - 
    Verify geolocation detection accuracy. Test visitor location scenarios across different regions to confirm that the correct template is being assigned based on detected location. Use reliable geolocation tools and review any edge cases where detection may be failing.

  

  - 
    Consult privacy and legal experts. For organizations serving visitors across multiple jurisdictions, work with data protection professionals to ensure your template coverage and consent practices align with the specific legal requirements in each region.

  

Frequently Asked Questions

A template is missing for a specific region — how do I fix it?

Navigate to your Secure Privacy Templates settings and review which regions are currently covered. Add a new template for the missing region by selecting the applicable regulation — for example, GDPR for EU countries or PIPEDA for Canada — and configure it appropriately. Once saved, visitors from that region will see the correct banner.

My fallback template is configured but not displaying — why?

Check that the fallback template is enabled (not just created) in your dashboard settings, and that it is set as the default for regions without a specific template assignment. Clear any site or CDN cache and test in an incognito window from an uncovered region to confirm it is now appearing.

How do I test whether the correct template is being shown to visitors in different regions?

Use a VPN or browser geolocation testing tool to simulate visits from different countries and verify which template is triggered for each location. This helps identify any geolocation detection gaps before they become live compliance issues.

See Also

  - Template Coverage – GDPR, CCPA, PIPEDA & 50+ Regulations

  - Templates: Settings Explained

  - Customize Your Cookie Banner Using Templates

---

# How to Set Up Microsoft Clarity Consent Mode with Secure Privacy (GDPR Guide)

URL: https://support.secureprivacy.ai/article/microsoft-clarity-consent-mode-integration-guide
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T22:48:47.36+00:00
Reading Time: 3 minutes
Summary: Learn how to enable Microsoft Clarity Consent Mode with Secure Privacy for GDPR-compliant cookie management and behavioral analytics. Step-by-step setup guide.

Who is this for? This guide is intended for website owners, developers, and digital marketers who use Microsoft Clarity for behavioral analytics and need to ensure their implementation complies with GDPR and other data privacy regulations through Secure Privacy.

  

  
    Microsoft Clarity Consent Mode: Overview

    Microsoft Clarity enables businesses to prioritize user privacy while collecting valuable behavioral analytics for website optimization. Its built-in Consent Mode is designed to comply with data protection regulations such as GDPR, ensuring responsible, regulation-ready data handling at all times.

    Key Features of Microsoft Clarity Consent Mode

    
      - Tailoring data collection: Adjust how Clarity tracks user interactions based on each visitor's consent preferences.

      - Controlling cookie access: Manage cookie usage to ensure compliance with user permissions using straightforward consent controls.

      - Collecting limited anonymized data: When full consent is not provided, Clarity can still gather anonymized, cookieless data to provide behavioral insights without compromising visitor privacy.

    
  

  

  
    Technical Implementation of Microsoft Clarity Consent Mode

    How Clarity Consent Mode Works

    Consent Mode in Microsoft Clarity is managed through direct JavaScript commands that enable or disable tracking and cookie usage. The two primary commands are:

    
      
        
          Command
          Description
        

      
      
        
          window.clarity("consent")
          Enables Clarity to read and write first- and third-party cookies for analytics purposes. This is the default behavior if no consent setting is specified.
        

        
          window.clarity("stop")
          Disables Clarity from reading or writing first-party cookies. Third-party cookies are not written and are read-only for fraud detection purposes only — not analytics.
        

      
    

    Clarity uses a JavaScript function called clarity on the window object. Unlike Microsoft UET consent mode, it does not rely on a property like ad_storage — instead, it uses the consent and stop keywords to control tracking behavior directly.

    A default consent state should be set on each page load before capturing user consent:

    
      - GDPR-regulated regions (e.g., EU/EEA): Use stop as the default to block cookies until consent is granted.

      - Non-GDPR regions (e.g., most U.S. states): Use consent as the default to allow analytics tracking.

    

    

    Cookie Blocking in Microsoft Clarity Consent Mode

    Clarity manages cookies by enabling or restricting them based on the active consent state. When the Clarity framework is enabled but consent is denied, Microsoft cookies are not blocked outright — they are restricted. The affected cookies include:

    
      - _clck

      - _clsk

      - CLID

      - MR

    
  

  

  
    How to Enable Microsoft Clarity Consent Mode via Secure Privacy

    To start using Microsoft Clarity with Secure Privacy's cookie consent management, follow these steps:

    
      - 
        Navigate to Domain Settings:
        Log in to your Secure Privacy dashboard and go to Domain Settings.

      

      - 
        Access the Advanced Tab:
        Within Domain Settings, click on the Advanced tab.

      

      - 
        Enable the Microsoft Clarity Toggle:
        Inside the Advanced tab, locate the toggle for Microsoft Clarity Consent Mode and enable it.

      

    

    

    Test Your Microsoft Clarity Consent Mode Implementation

    After enabling the toggle, verify your setup using browser developer tools or Secure Privacy's built-in debug mode. Confirm that:

    
      - The Clarity script loads only when appropriate consent has been granted.

      - Consent-based commands (stop or consent) are correctly executed in response to user choices.

    

    Secure Privacy automatically handles consent storage and synchronization. Once a user grants or denies consent, Microsoft Clarity will behave accordingly — with no additional manual coding required on your part.

  

  

  
    Frequently Asked Questions: Microsoft Clarity Consent Mode

    
      Does Microsoft Clarity collect any data when consent is denied?
      When window.clarity("stop") is active, Clarity does not read or write first-party analytics cookies. However, it may still collect limited, anonymized and cookieless behavioral data to support basic insights without identifying individual users.

      Is Microsoft Clarity Consent Mode compatible with GDPR?
      Yes. Clarity's Consent Mode is designed with GDPR compliance in mind. By defaulting to stop for EU/EEA visitors and only activating full tracking upon explicit user consent, it aligns with GDPR's requirements for lawful data processing.

      Do I need to write custom code to integrate Clarity with Secure Privacy?
      No. Secure Privacy's native Microsoft Clarity integration handles all consent signaling automatically. Simply enable the toggle in your Domain Settings — no additional JavaScript coding is needed.

---

# How to Enable Microsoft UET Consent Mode with Secure Privacy (GDPR Compliant)

URL: https://support.secureprivacy.ai/article/implementing-microsoft-consent-mode-with-secure-privacy
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T22:59:23.687+00:00
Reading Time: 3 minutes
Summary: Enable Microsoft UET Consent Mode with Secure Privacy to meet GDPR requirements. Control ad_storage, manage cookie consent, and stay compliant with Microsoft Advertising.

Microsoft is updating its Microsoft Advertising Platform (MAP) to align with evolving data protection laws, including GDPR. Websites using MAP must now obtain explicit consent from users before using first- and third-party cookies for advertising and tracking. Personal data is only collected through MAP if the website visitor has specifically agreed to it. If you use MAP on your website, these updates are essential for maintaining compliance.
Microsoft Consent Mode, working together with Universal Event Tracking (UET), helps businesses respect user privacy while still gathering valuable data for their advertising campaigns. It is designed to comply with data protection regulations such as GDPR and similar laws worldwide — and is compatible with Microsoft Consent Mode v2 requirements.
Key Features of Microsoft UET Consent Mode
- Tailoring data collection: Adjust how UET tracks website visitors based on whether they have given their consent.

- Controlling cookie access: The ad_storage setting lets you manage how cookies are used, ensuring they are only activated when the user has permitted it.

- Collecting limited anonymous data: Even when a user does not fully consent, you can still gather anonymized information to better understand your ad performance without violating privacy rules.

Who Is This For?
This guide is for website owners, developers, and digital marketers who use the Microsoft Advertising Platform (MAP) with Universal Event Tracking (UET) and want to ensure their implementation is compliant with GDPR and other data privacy regulations. It is particularly relevant if you use a Consent Management Platform (CMP) like Secure Privacy.
How Microsoft UET Consent Mode Works (Technical Implementation)
Consent Mode is configured via a property in UET called ad_storage. Unlike Google Consent Mode — which uses a JavaScript array called dataLayer on the window object — Microsoft UET Consent Mode uses a JavaScript array called uetq on the window object. The possible values for ad_storage are:
Value for ad_storage
Description

granted
First-party and third-party cookies may be read and written for UET. If no default is set, UET uses granted by default.

denied
First-party cookies are not read or written for UET. Third-party cookies are not written. Third-party cookies are read-only for fraud and spam prevention — not for advertising purposes.

Secure Privacy sets a default value for ad_storage on each page load, before consent is captured. For the EU and countries with stricter data privacy laws such as GDPR, Secure Privacy sets ad_storage to denied by default. For countries with less strict regulations, such as most US states, Secure Privacy sets ad_storage to granted by default.
How to Enable Microsoft UET Consent Mode with Secure Privacy
To activate Microsoft UET Consent Mode through your Secure Privacy dashboard, follow these steps:
- Navigate to Domain Settings: Log in to your Secure Privacy dashboard and go to Domain Settings.

- Access the Advanced Tab: Inside Domain Settings, click on the Advanced tab.

- Enable the Microsoft Consent Mode Toggle: Within the Advanced tab, find the toggle for Microsoft Consent Mode and switch it on. You're all set!

Frequently Asked Questions (FAQ)
What is Microsoft UET Consent Mode?
Microsoft UET Consent Mode is a feature of Universal Event Tracking (UET) that allows website owners to control whether cookies are set based on a visitor's consent status. It helps businesses stay compliant with GDPR and other data privacy regulations while continuing to use Microsoft Advertising.
Is Microsoft Consent Mode the same as Google Consent Mode?
They work similarly, but Microsoft Consent Mode uses a JavaScript array called uetq on the window object, whereas Google Consent Mode uses dataLayer. Both are designed to respect user consent before setting advertising cookies.
What happens if a user denies consent?
If a user denies consent, ad_storage is set to denied. First-party cookies will not be read or written, and third-party cookies will only be used in a limited read-only capacity for fraud and spam prevention — not for advertising.
Does Secure Privacy support Microsoft Consent Mode v2?
Yes. Secure Privacy's integration with Microsoft UET Consent Mode is designed to support current Microsoft Advertising compliance requirements, including the expectations of Microsoft Consent Mode v2.

---

# How to Set Up Okta SSO with Secure Privacy (OIDC Integration Guide)

URL: https://support.secureprivacy.ai/article/single-signon-sso-configuration-integration-with-okta
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T23:40:57.599+00:00
Reading Time: 3 minutes
Summary: Set up Okta Single Sign-On (SSO) with Secure Privacy using OIDC. This step-by-step guide covers authorization servers, app configuration, scopes, and common SSO troubleshooting tips.

This guide provides a clear, step-by-step walkthrough for setting up Single Sign-On (SSO) with Okta in Secure Privacy. The Okta SSO integration lets administrators manage user access to multiple applications through a single, secure login — streamlining authentication while maintaining tight control over who can access your Secure Privacy account.

    Important: Only Okta members who are already added to your Secure Privacy account (visible on the Users page) will be permitted to log in via Okta SSO. Okta members not found in Secure Privacy will be blocked from access.

  

  
    Who Is This For?

    This guide is intended for IT administrators and account owners who want to configure Okta as an identity provider (IdP) for Secure Privacy using OpenID Connect (OIDC). You should have admin access to both your Okta organization and your Secure Privacy account before proceeding.

  

  
    Step 1: Locate Your Okta Organization Domain

    Find your Okta domain in the header dropdown menu within your Okta admin account. Copy it and paste it into the Organization domain field in Secure Privacy's SSO settings.

    
    Paste the domain into the corresponding field in Secure Privacy, as shown below:

    
  

  
    Step 2: Create an Authorization Server in Okta

    In your Okta admin console, navigate to Security → API → Authorization Servers and create a new Authorization Server.

    Note: This step is optional if you prefer to use your organization's default authentication server. However, creating a custom authorization server is the recommended approach for better scope and claims control.

     API">
  

  
    Step 3: Create and Configure an OIDC Web Application in Okta

    Under Applications in Okta, create a new app integration for Secure Privacy:

    
      - Select OIDC – OpenID Connect as the sign-on method and Web Application as the application type.

      - Optionally enable Client Credentials grant type if required by your organization.

    
    
    
      - Set the Sign-in redirect URI to exactly: https://cmp.secureprivacy.ai/callback (no trailing slash).

    
    Confirm the sign-on method is set to OpenID Connect:

    
    Ensure all required OAuth 2.0 Scopes are enabled. These are pre-selected by default unless you have previously reconfigured them:

    
    
    Finally, copy the Client ID and Client Secret from your Okta app and paste them into the corresponding fields in Secure Privacy's SSO settings:

    
  

  
    Step 4: Complete the Okta SSO Setup

    Once all fields are saved, your Okta users can log in to Secure Privacy using their existing Okta credentials. No separate Secure Privacy password is required for SSO-enabled users.

  

  
    Common Okta SSO Issues & Fixes

    
      Authorization Server Configuration Errors
      Double-check your Okta Authorization Server settings, including all configured scopes and claims. Ensure the correct server is selected and that the issuer URI matches what is entered in Secure Privacy.

      Invalid Redirect URI Error
      Ensure the redirect URI in Okta matches exactly https://cmp.secureprivacy.ai/callback — with no trailing slash and no variation in casing.

      Users Unable to Log In via SSO
      Confirm that the affected users have been added to your Secure Privacy account on the Users page and have been assigned the appropriate application in Okta. Both conditions must be met.
    
  

  
    Frequently Asked Questions

    
      Can I use Okta SSO without creating a custom authorization server?
      Yes. Creating a custom authorization server is recommended for granular control, but you can use your organization's default Okta authorization server if preferred.

    

    
      What happens if an Okta user is not in Secure Privacy?
      Okta members who are not already added to your Secure Privacy account will be denied login, even if they are valid Okta users. You must first add them on the Secure Privacy Users page.

    

    
      Which sign-on method does Secure Privacy use with Okta?
      Secure Privacy uses OpenID Connect (OIDC) for Okta SSO integration. Make sure the OIDC sign-on method is selected when creating the Okta app integration.

    

    
      Is Okta SSO available on all Secure Privacy plans?
      SSO availability depends on your Secure Privacy subscription plan. Contact Secure Privacy support if you are unsure whether SSO is included in your current plan.

    
  

  
    See Also

    
      - How to Onboard with Secure Privacy via CMS Plugins (Shopify & WordPress)

      - Scanning Your Website for Regulatory Compliance

      - Should You Block All Cookies? GDPR Cookie Categories Explained

      - Google Consent Mode Basic Setup – Secure Privacy Guide

---

# How to Set Up Secure Privacy via CMS Plugin Onboarding (WordPress & Shopify)

URL: https://support.secureprivacy.ai/article/onboard-with-secure-privacy-via-cms-plugins--shopify--wordpress
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T23:46:24.638+00:00
Reading Time: 2 minutes
Summary: Set up Secure Privacy's cookie consent banner directly in your WordPress or Shopify plugin. Create your account, add your domain, and achieve GDPR compliance in minutes.

Getting started with Secure Privacy is simple thanks to seamless onboarding built directly into your CMS plugin. Without ever leaving your WordPress or Shopify dashboard, you can sign up, configure your cookie consent banner, and activate your Consent Management Platform (CMP) — achieving GDPR, CCPA, and global privacy law compliance in minutes.

  
    Note: Seamless in-plugin onboarding is currently supported for the Shopify and WordPress plugins.

  

  
    Who Is This For?

    This guide is for website owners and developers installing the Secure Privacy plugin on WordPress or Shopify for the first time. It walks you through account creation, domain registration, and activating your cookie consent banner — no technical experience required.

  

  

  
    New User Account Setup in the CMS Plugin

    Once the Secure Privacy plugin is successfully installed on your CMS, you will be presented with the sign-in screen:

    

    New to Secure Privacy? Click Sign Up Now to create your account. The account creation form will appear:

    

    Signing up automatically enrolls you in a 30-day free trial — no credit card required. After completing onboarding, log in to the Secure Privacy CMP Console to access all features and manage your privacy compliance settings.

  

  
    Adding Your Domain to Display the Cookie Consent Banner

    After creating your account, add the domain where your CMP is installed to begin displaying your cookie consent banner to visitors:

    

    Once the domain is successfully added, you will see the following confirmation screen:

    

    Click Change Settings to open the Secure Privacy CMP Console. Use the same email and password from your plugin sign-up to access and configure your settings.

  

  
    Managing Your Cookie Banner Settings for an Existing Account

    If you are already logged in via the plugin, a domain selection screen will appear automatically:

    

    Select the domain where you want the cookie consent banner to appear. You can manage multiple domains from a single Secure Privacy account.

  

  
    Frequently Asked Questions

    Which CMS platforms support Secure Privacy in-plugin onboarding?

    Seamless onboarding is currently available for the WordPress and Shopify plugins. Additional CMS integrations may be supported in the future.

    Do I need a paid plan to get started?

    No. Signing up through the plugin automatically activates a 30-day free trial, giving you full access to Secure Privacy's cookie consent and GDPR compliance features.

    Can I manage multiple domains from one Secure Privacy account?

    Yes. After onboarding, you can add and manage multiple domains from the Secure Privacy CMP Console using a single account.

    Where do I access the full CMP settings after onboarding?

    After completing the in-plugin setup, click Change Settings to open the Secure Privacy CMP Console, or log in directly at app.secureprivacy.ai using your registered email and password.

  

  
    See Also

    
      - How to Install Secure Privacy on WordPress

      - Integrations with Secure Privacy: How to Install on Your CMS

      - How to Add a Custom Service/Cookie

---

# How to Install the Secure Privacy Drupal Module for Cookie Consent & GDPR Compliance

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-drupal
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T23:34:22.6+00:00
Reading Time: 3 minutes
Summary: Learn how to install and configure the Secure Privacy Drupal module for GDPR-compliant cookie consent management. Full setup guide for Drupal 8, 9, and 10.

Drupal
    is a powerful, open-source content management system (CMS) known for its flexibility and modular architecture.
    Since 2001, it has evolved into a favored platform for complex, scalable websites used by governments,
    enterprises, educational institutions, and communities. Its modular structure allows extensive customization
    through contributed modules and themes — making it an ideal CMS for integrating a
    consent management platform (CMP) like Secure Privacy for GDPR and cookie consent compliance.
  

  
    This guide walks you through installing and configuring the Secure Privacy Drupal module
    to enable cookie consent management on your Drupal site.
  

  
    - New to Secure Privacy? Please follow the entire guide.

    - Already onboarded? You can skip directly to the "Downloading the Drupal Module" section.

  

  

  
    Who Is This For?

    
      - Drupal developers and administrators integrating Secure Privacy

      - Website owners seeking compliance with GDPR, CCPA, and other privacy regulations

      - Technical teams setting up a cookie consent management system (CMP) on Drupal

    
  

  
    Getting Started with Secure Privacy

    
      - Activate your email address and log in to your Secure Privacy account.

      - 
        After login, you will see an onboarding screen similar to this:

        
      

      - Select Drupal.

      - Copy the displayed Secure Privacy script code and save it for later.

      - Keep this tab open and open a new tab to continue with the Drupal module installation.

    
  

  
    Downloading the Secure Privacy Drupal Module

    
      - 
        Download the
        Secure Privacy Drupal Module
        and save it locally.
        
          - Extract the downloaded archive on your local machine.

        
      

      - 
        Upload the extracted secure_privacy folder to your Drupal site's modules directory using FTP or your server's file manager.
        
          - For Drupal 8, 9, and 10, use the recommended paths: /modules/contrib/ or /modules/custom/

        
      

      - Set correct file permissions (755 for folders and 644 for files).

    
  

  
    Installing the Secure Privacy Module in Drupal

    
      - While logged in as Administrator, go to the Configuration tab.

      - 
        Scroll to the System section and click on Secure Privacy.
        

        
      

      - Enable the Secure Privacy module by selecting it and clicking Install.

    
  

  
    Configuring the Secure Privacy Drupal Module

    
      - While logged in as Administrator, go to the Configuration tab.

      - 
        Scroll to the System section and click on Secure Privacy.

        
      

      - 
        On the configuration screen, paste the Secure Privacy installation script you copied earlier into the Secure Privacy Script text box.

        
      

      - Check Enable Secure Privacy and click Save configuration.

    
  

  
    Complete the Secure Privacy Setup

    
      - Return to the Secure Privacy onboarding tab.

      - Click Test Installation.

      - 
        A toast notification confirming successful installation will appear at the bottom left of the screen.

        
      

    
  

  
    Common Issues & Fixes

    
      The Secure Privacy module is not showing up in the Extend list. What should I do?

      
        
          Verify the secure_privacy folder is correctly uploaded to the
          modules/contrib/ or modules/custom/ directory and that file
          permissions are set correctly (755 for folders, 644 for files).
        

      

    

    
      I cannot see the configuration screen for the Secure Privacy module.

      
        
          Ensure the module is enabled in the Extend menu and that you are logged
          in with administrator privileges.
        

      

    

    
      The Secure Privacy cookie consent script does not load on my website.

      
        
          Double-check that the correct installation script has been pasted into the
          Secure Privacy Script field and that the configuration has been saved with
          Enable Secure Privacy checked.
        

      

    

  

  
    See Also

    
      - Using Secure Privacy with Drupal (CMP v1)

      - Customizing Secure Privacy Cookie Banners with CSS

      - Adjust Trust Widget Placement in Secure Privacy

---

# Meta Consent Mode: How It Works & How to Enable It with Secure Privacy

URL: https://support.secureprivacy.ai/article/implementing-meta-consent-mode-with-secure-privacy
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T22:38:44.025+00:00
Reading Time: 4 minutes
Summary: Understand how Meta Consent Mode controls Meta Pixel and Conversions API tracking based on cookie consent. Enable GDPR-compliant advertising with Secure Privacy in minutes.

Meta (formerly Facebook) is updating its advertising platform—including the Meta Pixel and Conversions API—to align with evolving data‑protection regulations. Meta Consent Mode is the mechanism that lets your website respect a user's privacy choices while maintaining aggregated advertising insights. In the European Union and other jurisdictions, websites must secure a user's explicit consent before first‑ or third‑party cookies are used for advertising or analytics. If you use the Meta Pixel or Conversions API, these updates are essential for compliance with privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Meta Consent Mode works alongside your Consent Management Platform (CMP) to honor each visitor's privacy preferences. When consent is granted, Meta's tracking tools operate normally; when consent is denied, the system switches to privacy‑preserving measurement techniques so you retain high‑level campaign insights without unauthorized data collection.
Who Is This For?
This guide is for website owners, marketing teams, and developers who use the Meta Pixel or Meta Conversions API and need to comply with GDPR, CCPA, or similar cookie‑consent regulations. It applies specifically to users of the Secure Privacy CMP who want to enable Meta Consent Mode from their dashboard.
Key Features of Meta Consent Mode
Meta Consent Mode, as implemented through Secure Privacy, provides the following capabilities:
- Tailored data collection: Adjust how the Meta Pixel and Conversions API track visitors based on whether they have granted or denied cookie consent.

- Controlled cookie access: Determine precisely when Meta cookies and tracking scripts are loaded, ensuring cookies are only set when the user has given permission.

- Limited data collection on denial: Even when a visitor declines advertising cookies, the Pixel can still gather anonymized or aggregated information to preserve a basic understanding of campaign performance.

- Real‑time consent updates: When a user changes their consent preferences, Secure Privacy immediately sends a grant or revoke signal to Meta, enabling or disabling tracking without delay.

How Meta Consent Mode Works (Technical Implementation)
Meta Consent Mode is controlled through the Meta Pixel's fbq('consent', …) command. Secure Privacy sets a default consent value on every page load—before the user interacts with the cookie banner. In the EU and other regions with stricter privacy regulations, the default is revoked; in jurisdictions with more permissive rules, the default may be granted.
Meta Pixel consent values and their effects

Consent Value
Description

grant
The Meta Pixel is fully activated. First‑ and third‑party cookies may be read and written, and conversion and tracking events are sent normally.

revoke
Cookies are not written, and only limited technical information is read. The Pixel switches to privacy‑preserving measurement; aggregated data may be sent for basic reporting only.

Default Consent Behavior by Region
Secure Privacy automatically sets the consent value on page load based on the user's detected location. EU visitors will typically have consent set to revoke by default. Once a visitor interacts with the CMP banner and grants marketing consent, the system calls fbq('consent', 'grant') to activate the Meta Pixel and Conversions API.
Granting or Revoking Consent in Real Time
When a user updates their cookie preference via the CMP banner, Secure Privacy sends the corresponding consent signal to Meta immediately:
- Grant: fbq('consent', 'grant') — activates the Meta Pixel. Requests to Facebook are allowed and first‑ and third‑party cookies are written.

- Revoke: fbq('consent', 'revoke') — disables advertising tracking. No new cookies are set, and only aggregated, non‑advertising data may be processed.

This feature is built into Secure Privacy and can be enabled or disabled via a single toggle in your dashboard.
How to Enable Meta Consent Mode in Secure Privacy
Activating Meta Consent Mode in your Secure Privacy dashboard takes only a few steps:
- Enable Meta Consent Mode: Turn the toggle on in your Secure Privacy dashboard. Once enabled, Secure Privacy will automatically send grant or revoke signals to Meta based on each user's consent preferences.

- Update your Meta Pixel & Conversions API: Ensure your implementations use the fbq('consent', …) calls so they respond correctly to consent signals.

- Test your setup: Visit your site without accepting the cookie banner—no Meta requests should fire. Then grant consent and confirm that tracking requests are triggered and cookies are placed correctly.

Frequently Asked Questions
Does Meta Consent Mode affect all website visitors?
Meta Consent Mode applies to all visitors, but its default behavior varies by region. In the EU, consent is revoked by default and only activated when the user explicitly accepts advertising cookies. In regions with less strict regulations, tracking may be granted by default.
What happens to campaign data when consent is revoked?
When a user revokes consent, the Meta Pixel switches to privacy‑preserving measurement mode. Advertising cookies are not set, but anonymized, aggregated data may still be sent to Meta to provide basic campaign performance insights without identifying individual users.
Is Meta Consent Mode required for GDPR compliance?
If you use the Meta Pixel or Conversions API and have visitors from the EU, implementing Meta Consent Mode is an important step toward GDPR compliance. It ensures that user tracking is only activated after explicit consent is granted, in line with the regulation's requirements.
Can I disable Meta Consent Mode after enabling it?
Yes. Meta Consent Mode can be toggled on or off at any time from your Secure Privacy dashboard. Disabling it will stop Secure Privacy from sending consent signals to Meta.

---

# How to Install the Secure Privacy Plugin on WordPress (GDPR Cookie Consent Setup)

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-wordpress
Product: Consent Management
Category: Integrations
Published: 2026-03-06T12:42:00+00:00
Updated: 2026-03-24T23:51:00.27+00:00
Reading Time: 3 minutes
Summary: Step-by-step guide to installing the Secure Privacy WordPress plugin for GDPR and CCPA cookie consent. Covers onboarding setup, manual install, and common troubleshooting tips.

WordPress powers over 35% of websites worldwide — from business portals and e-commerce stores to blogs and portfolios. This step-by-step guide shows you how to install the Secure Privacy plugin on WordPress to enable GDPR- and CCPA-compliant cookie consent management on your site. Whether you are a first-time Secure Privacy user going through onboarding or an existing user performing a manual install, the instructions below cover both scenarios.

Who Is This Guide For?

  - WordPress site administrators and webmasters

  - Website owners implementing GDPR or CCPA privacy compliance

  - Developers integrating the Secure Privacy WordPress plugin

  - Marketing and compliance teams managing cookies and user consent

How to Install the Secure Privacy Plugin on WordPress

What You'll Need Before You Start

  - WordPress administrator access

  - An active Secure Privacy account

  - Your confirmed Secure Privacy email address (for new users)

Scenario 1: Install During the Onboarding Process (New Users)

  - After confirming your Secure Privacy email address, select your preferred installation method.

  - Choose WordPress as your installation platform.

  - Follow the steps in the Instructions for Adding the Secure Privacy Plugin in WordPress section below.

    
  

  - Click Test Installation to verify the plugin is connected correctly.

    
  

  - Look for a toast notification at the bottom-left of the screen confirming a successful installation.

Scenario 2: Manual Installation for Existing Users

  - Log in to your WordPress admin panel.

  - Navigate to Settings in the left sidebar (administrator access is required).

  - Download the Secure Privacy WordPress plugin using the Secure Privacy plugin ZIP file.

  - Follow WordPress's official guide for installing a plugin from a ZIP file.

  - After installation, activate the plugin and confirm the activation success message appears.

    
  

  - Access Secure Privacy under Settings in the WordPress sidebar to begin configuring your cookie consent banner.

    
  

Troubleshoot Common Secure Privacy WordPress Plugin Issues

  - The Secure Privacy option doesn't appear in WordPress Settings: Ensure your WordPress user role has full administrator privileges and that the plugin has been activated — not just installed.

  - Test Installation fails: Verify that the plugin ZIP was uploaded correctly and that your WordPress installation meets minimum system requirements. Try deactivating and reactivating the plugin, then re-run the test.

Frequently Asked Questions

Is the Secure Privacy plugin free to install on WordPress?

The Secure Privacy WordPress plugin itself is free to install. Cookie consent management features are available based on your Secure Privacy subscription plan.

Does the Secure Privacy WordPress plugin support GDPR and CCPA compliance?

Yes. The plugin enables a customizable cookie consent banner that helps your WordPress site comply with GDPR, CCPA, and other global privacy regulations.

Can I install Secure Privacy on multiple WordPress sites?

Yes. You can install the plugin on multiple WordPress websites. Each site will need to be configured separately within your Secure Privacy account.

What if my site uses Elementor Cloud (WordPress pre-installed)?

See the dedicated guide linked in the See Also section below for Elementor Cloud-specific installation instructions.

Additional Resources

For detailed walkthroughs and further troubleshooting, visit the Secure Privacy support article for WordPress and Shopify.

See Also

  - How to Onboard with Secure Privacy Directly from Your CMS (WordPress/Shopify) Plugins

  - How to Install Secure Privacy on Elementor Cloud (WordPress Pre-Installed)

  - Integrations with Secure Privacy: How to Install on 10+ Different CMS Platforms

  - Secure Privacy: Google-Certified Consent Management Platform

---

# What Is a Cookie Banner? GDPR Requirements, Consent Management, and How Secure Privacy CMP Automates Compliance

URL: https://support.secureprivacy.ai/article/why-do-you-need-a-cookie-banner-on-your-website
Product: Consent Management
Category: Policies & User Consent
Published: 2026-03-06T07:43:00+00:00
Updated: 2026-03-24T00:23:31.853+00:00
Reading Time: 5 minutes
Summary: Learn what a cookie banner is, when you need one under GDPR, what the consent requirements are, and how Secure Privacy's CMP automates cookie blocking, consent recording, and compliance.

A cookie banner is a consent notice that appears when a visitor lands on a website — informing them that the site uses cookies and requesting permission to collect and process their personal data. Under GDPR and the ePrivacy Directive, cookie banners are legally required for websites that receive visitors from the European Union. This guide explains how cookie banners work, when you need one, what GDPR requires, and how Secure Privacy's Consent Management Platform (CMP) automates compliant cookie consent management.

Who Is This For?

  - Website owners and administrators determining whether they need a cookie banner and what GDPR requires

  - Compliance officers and legal teams understanding cookie consent obligations under GDPR and ePrivacy

  - Marketing and development teams implementing a compliant cookie consent solution using Secure Privacy

How Does a Cookie Banner Work?

When a visitor lands on a website, a pop-up appears on screen — this is the cookie banner. It informs the visitor that the site uses cookies, explains why and how their data is used, and requests their consent before any non-essential data collection begins.

Many websites set non-essential cookies before obtaining consent — collecting user data without permission. This approach risks significant GDPR fines and reputational damage. A compliant cookie banner, powered by a CMP like Secure Privacy, ensures cookies are blocked until consent is given, and that consent records are automatically stored and auditable.

Do I Need a Cookie Banner?

You need a cookie banner if your website receives visitors from the European Union and uses any cookies or tracking technologies beyond those strictly necessary for the site to function. This includes commonly used tools such as Google Analytics, Facebook Pixel, HubSpot, social media buttons, and advertising plugins.

Cookie consent requirements originate from two EU laws:

  - ePrivacy Directive (2002): First required website owners to obtain visitor consent for cookies — prompting cookie banners to appear across the internet.

  - GDPR (May 2018): Significantly raised the standard for valid consent — requiring it to be freely given, specific, informed, and unambiguous — and introduced substantial fines for non-compliance.

You can scan your website for GDPR and ePrivacy compliance using Secure Privacy's automated scanner after creating an account.

What Are the GDPR Requirements for Cookie Banners?

Under GDPR, passive or implied consent — such as "By using this website, you accept cookies" — is no longer sufficient. GDPR requires active, informed opt-in consent. Specifically, GDPR requires you to:

  - Display a cookie banner that clearly informs EU visitors that you use cookies, the purpose of each cookie category, and how and where their data is used — in plain, easy-to-understand language

  - Give visitors the ability to opt in and opt out of each cookie category individually (granular consent)

  - Obtain consent before collecting any non-essential data or injecting non-essential cookies

  - Maintain auditable records of all collected consents

  - Allow visitors to withdraw consent as easily as they gave it

  - Delete visitor data upon request

The obligation to obtain consent applies specifically when visitors from EU member states access your website.

Can Cookie Banners Be Shown Only to EU Visitors?

Yes. Secure Privacy's CMP includes geographic targeting — allowing you to display cookie consent banners only to visitors from the EU (or other specified regions such as California for CCPA). This ensures visitors outside the scope of GDPR are not unnecessarily interrupted, while full compliance is maintained for EU traffic. You can configure this in your compliance module targeting settings.

Will the Cookie Banner Block Cookies Before Consent Is Given?

Yes — when correctly configured. Secure Privacy's Prior Consent blocking feature prevents non-essential cookies and tracking technologies from loading until the visitor has given valid consent. This is a core GDPR requirement and a key differentiator of a properly implemented CMP. Secure Privacy's automatic blocking engine handles this without requiring custom code.

Can I Customize the Cookie Banner Design?

Yes. Secure Privacy gives you full control over the visual appearance of your cookie banner. Pre-built design templates are available for quick setup, and you can customize position, colors, button styling, typography, and layout using CSS. Custom logos can also be uploaded to ensure the banner aligns with your brand identity.

How Does Cookie Consent Management Work?

Cookie consent management is the process of documenting, storing, and managing visitor consent records — both accepts and declines — for every consent interaction on your website. GDPR sets strict standards for this process:

  - You must obtain a positive opt-in for each data collection purpose — pre-ticked boxes and visitor inactivity do not constitute valid consent

  - Every consent record must be stored and attributable to a specific interaction

  - If a visitor withdraws consent, their record must be updated and data processing must cease — withdrawal must be as easy as giving consent

How Does Secure Privacy Record and Store Cookie Consents?

With Secure Privacy's CMP, consent management is fully automated. Every time a visitor interacts with the cookie banner — accepting, declining, or customizing their preferences — the consent is instantly recorded and stored in a secure, auditable log. Withdrawals are processed automatically and reflected in the consent records without any manual action required from you.

This automation ensures you maintain continuous GDPR compliance without building or managing custom consent infrastructure.

Frequently Asked Questions

Does my website need a cookie banner if I'm based outside the EU?

Yes — if your website receives visitors from EU member states and you use cookies or tracking technologies, GDPR applies regardless of where your business is located. The regulation is based on where your visitors are, not where your company is headquartered. If you have EU visitors and use analytics, advertising, or social media tracking, you need a compliant cookie banner.

What is the difference between a cookie banner and a Consent Management Platform?

A cookie banner is the visible interface visitors interact with — the pop-up that requests consent. A Consent Management Platform (CMP) like Secure Privacy is the full system behind the banner — handling cookie blocking, consent storage, audit logging, preference management, policy generation, and regulatory reporting. The banner is the front end; the CMP is the compliance infrastructure.

How do I get started with Secure Privacy?

Select the plan that best matches your needs on the Secure Privacy pricing page. After creating an account, you can scan your website, configure your consent banner, and begin collecting compliant consents immediately. Contact the Secure Privacy team at support@secureprivacy.ai if you have questions before getting started.

See Also

  - Secure Privacy Setup and Installation Checklist

  - GDPR Cookie Categories Explained

  - Automatic Cookie Blocking Explained

  - Secure Privacy Pricing Plans Overview

---

# Cross-Domain Consent: Sync Cookie Consent Across All Your Websites

URL: https://support.secureprivacy.ai/article/crossdomain-consent-setup--secure-privacy-enterprise
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:14:00+00:00
Updated: 2026-03-26T01:18:26.789+00:00
Reading Time: 3 minutes
Summary: Stop showing cookie banners on every domain. Secure Privacy's cross-domain consent syncs user consent across all your websites automatically. Business plan and above.

If your organization runs multiple websites or subdomains, you already know the problem: every domain shows its own cookie banner, users are interrupted with repeated consent prompts as they move between your sites, and your team is left managing separate configurations for each one. It's a frustrating experience for visitors — and a compliance headache for your team.
Most cookie consent solutions treat each domain in isolation. That means a user who accepts cookies on shop.example.com is asked again on help.example.com, and again on www.example.com. Patching this with manual cookie-sharing scripts is fragile, hard to audit, and unlikely to hold up under GDPR or CCPA scrutiny.
Cross-domain consent in Secure Privacy solves this at the platform level. It collects consent once and synchronizes it across all your linked domains automatically — no custom code, no repeated prompts, no compliance gaps.
By the end of this article you'll understand exactly how cross-domain consent works, who it's for, which plan includes it, and where to find the step-by-step setup guide.
What Is Cross-Domain Consent?
Cross-domain consent is a cookie consent management feature that lets you collect and synchronize user consent across multiple domains or subdomains using a single, unified cookie banner. Instead of displaying a separate consent prompt on every website, Secure Privacy shares the user's consent decision across all your linked domains in real time — reducing friction and ensuring a seamless, GDPR-compliant experience as users navigate between your sites.
Cross-domain consent is available exclusively on the Secure Privacy Business plan and above. To enable the feature and configure it for your domains, follow the step-by-step setup guide: How to Enable Cross-Domain Consent in Secure Privacy.
Who Is This Feature For?
Cross-domain consent is designed for organizations that:
- Operate multiple websites or subdomains under one brand (e.g. a main site, a shop, a support portal, and a blog)

- Run multi-step user flows that span several domains — such as checkout or onboarding funnels

- Need to centralize cookie consent management and reduce repeated prompts for returning users

- Are required to demonstrate unified consent records for GDPR, CCPA, or ePrivacy compliance audits

If you manage only a single domain, standard Secure Privacy cookie consent covers your needs. Cross-domain consent is for multi-domain and multi-site setups where synchronization matters.
Common Questions and Troubleshooting
Can I enable cross-domain consent on plans below Business?
No. Cross-domain consent is exclusive to the Secure Privacy Business plan and above. If you are on a lower-tier plan and need this feature, you will need to upgrade your subscription to gain access. View available plans and upgrade options.
How does cross-domain consent improve the user experience across multiple websites?
By synchronizing consent across all your linked domains, users only need to provide cookie consent once. This eliminates repeated consent prompts as users move between your websites, resulting in a smoother, less disruptive browsing experience — particularly important for multi-step business processes that span several domains or subdomains.
Does cross-domain consent work for subdomains as well as separate domains?
Yes. Cross-domain consent in Secure Privacy can be configured to synchronize consent across both separate top-level domains and subdomains within the same organization. Full configuration details are covered in the setup guide linked below.
Are there technical requirements to enable cross-domain consent?
Yes. Proper configuration of your domains and cookie banners within the Secure Privacy platform is required to enable seamless consent sharing. Refer to the official setup guide for full configuration instructions: Enable Cross-Domain Consent in Secure Privacy.
See Also
- Onboard with Secure Privacy via CMS Plugins (Shopify, WordPress, and more)

- Step-by-step: Enable Cross-Domain Consent in Secure Privacy

- A Guide to Scanning Your Website for Regulatory Compliance

---

# Ow to Reset or Delete Your Secure Privacy Account — Danger Zone Guide

URL: https://support.secureprivacy.ai/article/navigating-the-danger-zone-in-secure-privacy-account-reset-and-deletion
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T00:14:31.051+00:00
Reading Time: 5 minutes
Summary: Learn how to reset Secure Privacy templates & designs or permanently delete your account. Step-by-step guide with key warnings before you take action.

Sometimes you need a clean slate. Maybe your cookie consent banners have accumulated months of design tweaks that no longer reflect your brand, your templates are out of sync across domains, or you simply want to restore your Secure Privacy account to its original defaults before reconfiguring from scratch. Other times, your needs have changed entirely and you're ready to close your account for good.
Either way, both actions live in the same place: the Danger Zone tab inside your Secure Privacy account settings. These aren't everyday features — they're designed for significant, account-wide changes that can't always be undone. Knowing exactly what each option does, what it affects, and what you can't reverse is the difference between a smooth reset and an unwanted surprise.
By the end of this guide, you'll know how to reset your cookie consent templates and designs back to their defaults, or permanently delete your Secure Privacy account — step by step, with nothing missed.
⚠️ Before proceeding: Carefully review your settings and data before using any Danger Zone feature. These actions can significantly impact your account and some cannot be undone. Ensure the action you are taking aligns with your requirements.
The Danger Zone tab in Secure Privacy Account Settings, showing Reset Account and Delete Account options.
Before You Reset or Delete Your Secure Privacy Account
Both actions in the Danger Zone affect your entire account — not a single domain or banner. Before proceeding, consider the following:
- Do you have a backup or record of your current template and design configurations?

- Are there active domains relying on your current consent banner setup?

- Have you explored support options if a specific issue — such as a bug, a billing concern, or a configuration problem — prompted this decision?

If you have questions before acting, the Secure Privacy support team is available at hello@secureprivacy.ai or you can book a 45-minute support call to discuss your situation.
How to Reset Your Secure Privacy Account Templates and Designs
Resetting your account reverts selected settings — your cookie consent templates, banner designs, or both — back to their factory defaults. This is useful when you want to start fresh with your consent management configuration without creating a new account. Note that this action cannot be selectively undone, so review your options carefully before confirming.
Step 1 — Log in to your Secure Privacy account
Go to the Secure Privacy dashboard and sign in with your credentials.
Step 2 — Navigate to the Account page
Click "Account" in the top navigation bar to open your account settings.
Step 3 — Open the Danger Zone tab
Select the "Danger Zone" tab within Account Settings.
Step 4 — Choose a reset option
Under the "Reset Account" section, select one of the following options based on what you need to restore:
- Reset all templates — Removes all customizations made to your account templates and restores them to their default state.

- Reset all designs — Reverts all cookie consent banner designs in your account to their default settings.

- Reset all templates and designs — Resets both templates and designs simultaneously.

Important Notes Before Resetting
- Resetting will overwrite the selected scope of settings across your entire Secure Privacy account — not just a single domain.

- Domains already assigned to a template will remain assigned to the newly reset (default) version of that template.

- Consider the impact on all active domains and live cookie consent banners before selecting a reset option.

How to Permanently Delete Your Secure Privacy Account
⚠️ Account deletion is permanent and cannot be reversed. Once your Secure Privacy account is deleted, all data, settings, consent logs, and configurations associated with your account will be permanently removed. There is no recovery option after confirmation.
If you have questions or concerns before deleting your account — including questions about pricing, technical issues, or alternative plans — reach out first:
- Email the Secure Privacy team at hello@secureprivacy.ai

- Book a 45-minute demo or support call via Calendly

Step 1 — Log in to your Secure Privacy account
Go to the Secure Privacy dashboard and sign in with your credentials.
Step 2 — Navigate to the Account page
Click "Account" in the top navigation bar to open your account settings.
Step 3 — Open the Danger Zone tab
Select the "Danger Zone" tab within Account Settings.
Step 4 — Click "Delete Account"
Click the "Delete Account" button to begin the deletion process.
Step 5 — Select a reason for leaving
When prompted, choose a reason for deleting your account. The available options are:
- I encountered bugs and problems.

- I do not know how to use the product.

- The product is too expensive.

- Other (please specify).

Your feedback helps Secure Privacy improve its product and address issues for future users.
Step 6 — Confirm the deletion
Confirm the deletion to permanently close your account. This action is irreversible.
Need Help Before You Act?
If you're unsure whether a reset or deletion is the right move, the Secure Privacy support team is happy to help you explore your options — whether that's troubleshooting a technical issue, discussing your plan configuration, or walking through what a reset would mean for your active domains.
- Email: hello@secureprivacy.ai

- Book a 45-minute support call

Frequently Asked Questions
Can I undo a Secure Privacy account reset?
No. Once you confirm a reset, the selected templates or designs are immediately overwritten with their defaults. There is no built-in undo or restore option, so export or note down any configurations you want to keep before proceeding.
Will resetting my templates affect my live cookie consent banners?
Yes. Resetting templates affects your entire account. Any domain currently assigned to a template will continue to use that template — but the template itself will now reflect the default settings, not your previous customizations. Review all active domains before confirming a reset.
Is Secure Privacy account deletion permanent?
Yes, account deletion is permanent and irreversible. All data, consent records, domain configurations, templates, and designs associated with your account are permanently removed upon confirmation. If you think you may want to return, consider reaching out to the support team first to explore alternatives.
What happens to my GDPR consent records when I delete my account?
All data associated with your account — including consent logs and records — is permanently deleted when you close your account. If you need to retain consent records for compliance purposes, download or export them before initiating deletion. Contact hello@secureprivacy.ai for guidance on data export options.
What should I do if Secure Privacy is too expensive for my needs?
Before deleting your account due to pricing concerns, consider reaching out to the Secure Privacy team. You can email hello@secureprivacy.ai or book a call to discuss plan options that may better suit your budget or website scale.
Related Articles
- Managing Your Secure Privacy Account Settings

- How to Customize Cookie Consent Banner Templates

- Adding and Managing Domains in Secure Privacy[?]

- Setting Up GDPR Compliance with Secure Privacy

---

# How to Manage Account Settings in Secure Privacy: Personal Info, Password & Two-Factor Authentication (2FA)

URL: https://support.secureprivacy.ai/article/managing-personal-information-your-password-and-twofactor-authentication-in-secure-privacy
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T00:03:44.829+00:00
Reading Time: 6 minutes
Summary: Learn how to update personal info, change your password, and enable two-factor authentication (2FA) in Secure Privacy. Secure your GDPR compliance account in minutes.

Your Secure Privacy account is the control centre for cookie consent banners, GDPR compliance settings, and privacy policies across every website you manage. A compromised account doesn't just mean lost access — it can mean altered consent records, broken compliance, and regulatory exposure. Yet most account security problems come down to the same two gaps: a password that hasn't been changed in months, and no second layer of verification stopping an attacker who already has it.
Many teams rely on a single strong password or a shared login, assuming that's enough. It isn't — especially for a platform that touches your organisation's legal compliance posture. The good news is that Secure Privacy makes it straightforward to close both gaps: you can update your personal information, rotate your password, and enable two-factor authentication (2FA) via SMS in a few minutes, all from one place.
By the end of this guide you will have fully secured your Secure Privacy account — with verified contact details, a fresh password, and 2FA activated so every future login requires both your password and a one-time code sent to your phone.
Who Is This Guide For?
This article is for anyone who owns or administers a Secure Privacy account, including:
- Website owners and webmasters managing GDPR or CCPA cookie consent banners

- Privacy or compliance officers who need audit-ready account security

- Developers and agencies managing Secure Privacy on behalf of clients

- Any user who has recently changed their email address or phone number and needs to update their account details

Prerequisites
- An active Secure Privacy account with login credentials

- Access to your current password (required to change it)

- A mobile phone number capable of receiving SMS, if you plan to enable 2FA

Accessing Your Account Settings
All personal information, password, and two-factor authentication settings are managed from the same account menu. To get there:
Step 1 — Log in to Secure Privacy
Visit the Secure Privacy website and sign in using your credentials.
Step 2 — Open the account settings menu
In the top-left corner of the dashboard, click your name. This opens the account settings menu where all profile, security, and authentication options are found.
Click your name in the top-left corner to access account settings, password, and two-factor authentication options.
How to Update Your Personal Information
Your personal information — name and email address — is used for account identification, login, and platform communications. Keeping it current ensures you receive important compliance notifications and can always recover account access.
Navigate to the Personal Information page within account settings and update the following fields:
First name
Enter your first name as you want it to appear in the platform.
Last name
Enter your last name.
Email
Provide your current, active email address. This is also your login identifier, so keep it up to date if your address changes.
Click Save to apply your changes.
How to Change Your Secure Privacy Account Password
Regularly rotating your password is one of the simplest ways to maintain account security — particularly important for a platform that controls your website's compliance configuration. To update your password, fill in these fields in account settings:
Old password
Enter your current password to verify your identity before making changes.
New password
Choose a new password that meets Secure Privacy's password requirements. Use a mix of letters, numbers, and symbols for the strongest protection.
Repeat new password
Re-enter your new password exactly to confirm there are no typos.
Click Save to apply your new password. You will use it on your next login.
How to Enable Two-Factor Authentication (2FA) in Secure Privacy
Two-factor authentication adds a critical second layer of security to your account. Even if your password is ever exposed in a breach, an attacker cannot sign in without also having access to your mobile phone. For any account managing GDPR cookie consent and privacy settings across live websites, enabling 2FA is strongly recommended.
The Two-Factor Authentication section in Secure Privacy account security settings, with the SMS verification method available.
Step 1 — Enable the 2FA toggle
In your account settings, locate the Two-Factor Authentication section and toggle the switch to the enabled position.
Step 2 — Choose your authentication method
A confirmation popup will appear showing the available Two-Factor Authentication Methods. Select your preferred method. Currently available:
- Authentication by SMS — a one-time verification code is sent to your registered mobile number each time you sign in.

Step 3 — Enter your mobile number
If you selected SMS authentication, provide your mobile number in international format. This is the number that will receive your verification codes at every login.
Step 4 — Confirm and activate
Confirm your selection to activate two-factor authentication. From this point on, every Secure Privacy login will require both your password and a one-time SMS code.
What Happens After You Enable 2FA
Once two-factor authentication is active on your Secure Privacy account:
- Every login attempt will prompt you for a one-time SMS code after your password is accepted.

- Even if someone obtains your password, they cannot access your account without physical access to your registered phone.

- You can disable 2FA at any time by returning to the security settings and toggling it off — though this is not recommended for accounts managing live compliance configurations.

Troubleshooting Common Account Settings Issues
I'm not receiving my SMS verification code
Check that the mobile number saved in your account settings is correct and entered in full international format (e.g. +44 for UK numbers). If the number is correct, check that your phone has signal and is not in airplane mode, then request a new code. If the issue persists, contact Secure Privacy support.
My old password isn't being accepted when I try to change it
Passwords are case-sensitive. Check that Caps Lock is off and that you are entering the password exactly as set. If you cannot remember your current password, use the password reset option[?] on the login page before returning to this process.
Changes to my personal information aren't saving
Ensure all required fields (first name, last name, email) are filled in before clicking Save. If the email field contains an address already in use by another account, the save will be blocked — use a unique email address.
Frequently Asked Questions
Does Secure Privacy support two-factor authentication?
Yes. Secure Privacy supports two-factor authentication via SMS. Once enabled in your account security settings, you will receive a one-time verification code on your registered mobile number each time you sign in.
How do I change my password in Secure Privacy?
Open account settings by clicking your name in the top-left corner of the dashboard. Enter your current password, then your new password twice in the password fields, and click Save.
What authentication methods does Secure Privacy's 2FA support?
Currently, Secure Privacy offers SMS-based two-factor authentication. A one-time code is sent to your mobile number at each login.
Can I update my email address in Secure Privacy?
Yes. Go to the Personal Information section in your account settings, update the email field, and click Save. Use an active, unique email address you control, as it is also your login identifier.
Why should I enable 2FA on my cookie consent management account?
Your Secure Privacy account controls GDPR consent banners, cookie policies, and compliance data across your websites. Enabling 2FA ensures that even if your password is compromised, an attacker cannot access or alter your compliance settings without also having your phone.
Related Articles
- How to Add and Manage Team Members in Secure Privacy

- How to Manage Your Subscription and Billing Settings[?]

- Setting Up a GDPR-Compliant Cookie Consent Banner

- Getting Started with Secure Privacy — Quick Setup Guide

---

# Scanning Cookies & Trackers on Login-Protected Pages: Authenticated Website Scanning in Secure Privacy

URL: https://support.secureprivacy.ai/article/authenticated-secure-privacy-website-scans
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T21:32:45.645+00:00
Reading Time: 8 minutes
Summary: Discover cookies and trackers hidden behind your login with Secure Privacy's authenticated website scanner. Supports form login, OAuth 2.0, OpenID Connect & API keys.

Note: Authenticated scanning is available under the Enterprise plan only. For details on current plans and billing options, visit the Secure Privacy Pricing page.
Scanning Cookies & Trackers on Login-Protected Pages: Authenticated Website Scanning in Secure Privacy
Most cookie compliance tools only see what an anonymous visitor sees — the public-facing pages of your site. But if your web application shows a dashboard, a member portal, or any content behind a login wall, a significant portion of your cookies, third-party services, iframes, and tracking pixels are completely invisible to a standard scan. The result: a cookie audit with a blind spot, and a compliance report that may be dangerously incomplete under GDPR, CCPA, or other privacy regulations.
Manual auditing is one painful workaround — but maintaining a spreadsheet of every script that loads after authentication is time-consuming, error-prone, and nearly impossible to keep current as your tech stack evolves. Generic website scanners that don't support login simply can't help you here.
Secure Privacy's authenticated website scanning solves this directly. By logging in to your web application as a real user — via form-based login, OAuth 2.0, OpenID Connect, or API key authentication — the scanner reaches your protected pages and surfaces every cookie and tracker your authenticated users encounter, feeding them directly into your compliance reports and consent management workflow.
By the end of this guide, you'll understand which authentication methods are supported, what information you need to provide for each, and how to get started so that your cookie audit covers 100% of your website — not just the publicly accessible portion.
Who Is This For?
Authenticated scanning is designed for teams who manage web applications where meaningful functionality — and significant data processing — happens only after a user logs in. This includes:
- SaaS platforms and web apps with user accounts or dashboards

- E-commerce sites with customer portals or checkout flows that load additional trackers

- Membership sites, intranets, or subscription content platforms

- Any organization subject to GDPR, CCPA, or ePrivacy that needs a complete picture of cookie usage across all authenticated user journeys

If your website loads different scripts, pixels, or services after a user logs in, authenticated scanning is essential for accurate compliance reporting.
In this guide:
- Why Your Cookie Audit May Be Incomplete Without Authenticated Scanning

- Supported Authentication Methods

- Prerequisites

- Form-Based Authentication — Configuration

- OAuth 2.0, OpenID Connect, and API Keys

- What Happens After the Authenticated Scan

- Troubleshooting

- Frequently Asked Questions

Why Your Cookie Audit May Be Incomplete Without Authenticated Scanning
Without authentication enabled, the Secure Privacy scanner — like any website scanner — can only analyze the publicly accessible portion of your website: the pages available before a user logs in. However, web applications routinely load additional cookies, third-party services, iframes, and tracking pixels only after a user authenticates. Analytics platforms, CRM integrations, support widgets, and advertising pixels often fire exclusively within the authenticated session.
If those elements are not detected and documented, they cannot be categorized, disclosed in your cookie policy, or gated behind user consent — leaving you exposed to regulatory risk. Authenticated scanning closes that gap, giving you a complete and accurate picture of your website's cookie and tracker usage across every user journey.
Supported Authentication Methods
The Secure Privacy Website Scanner supports four methods for performing authenticated scans on login-protected pages:
- Form-based authentication — standard username/password login forms

- OAuth 2.0 — including client credentials, resource owner password, authorization code, and other grant types

- OpenID Connect — identity layer on top of OAuth 2.0 for SSO and federated login

- API keys — including custom header-based and authorization header authentication

Prerequisites
Before configuring authenticated scanning, confirm the following:
- Your Secure Privacy account is on the Enterprise plan. Authenticated scanning is not available on lower-tier plans.

- You have a dedicated test or service account in your web application that the scanner can use to log in. Using a real user account is not recommended, as the scanner will create active sessions.

- The login credentials or OAuth / API key details for that account are available to you.

- For OAuth 2.0 or OpenID Connect: you have access to your application's client ID, client secret, token endpoint URL, and relevant scopes.

Form-Based Authentication — Configuration
Form-based authentication allows the Secure Privacy scanner to log in to your web application using a valid set of credentials, then scan the authenticated pages for cookies and services. To configure this method, provide the following details in your scanner settings.
Step 1 — Provide the Login URL
Enter the full URL of the page that contains your application's login form. This is the page the scanner will navigate to in order to submit credentials — for example, https://app.yourdomain.com/login. Make sure this URL loads the form directly, without any redirects that require prior interaction.
Step 2 — Enter the Username
Provide a valid username or email address for a dedicated scanning account in your application. The scanner will use this account to authenticate and access protected pages. We recommend creating a dedicated service account rather than using a real user's credentials.
Step 3 — Enter the Password
Enter the password associated with the scanning account username provided in Step 2. Secure Privacy stores and handles these credentials securely as part of the Enterprise scanning configuration.
OAuth 2.0, OpenID Connect, and API Key Authentication
These authentication methods require additional configuration details specific to your application's authorization protocol and flow. The Secure Privacy team will work with you directly to understand your application's setup — including token endpoints, grant types, scopes, client credentials, and header formats — and assist with the custom configuration required to complete the integration.
To get started with OAuth 2.0, OpenID Connect, or API key authenticated scanning, contact the Secure Privacy support team at support@secureprivacy.ai and include a brief description of your application's authentication method.
What Happens After the Authenticated Scan
Once authenticated scanning is configured and a scan is complete, Secure Privacy processes the results in the same way as a standard scan — but with full coverage of your login-protected pages:
- All detected cookies and services from authenticated pages are added to your cookie inventory and classified by category (Necessary, Analytics, Marketing, etc.).

- Newly discovered cookies are surfaced for review so you can update your cookie policy and consent banner to reflect them accurately.

- Your compliance report reflects the complete state of cookie usage across both public and authenticated areas of your site.

We recommend running authenticated scans whenever you deploy significant changes to your web application, or on the same schedule as your standard scans, to keep your cookie inventory current.
Troubleshooting Authenticated Scanning
The scanner doesn't appear to be reaching authenticated pages
Verify that the Login URL you provided loads the login form directly and does not redirect to an intermediary page (such as an SSO provider page or a cookie consent gate) before displaying the form. Also confirm that the credentials belong to an active account with no enforced MFA, as multi-factor authentication prompts will block the scanner from completing the login flow. If MFA is required, contact Secure Privacy support to discuss options.
OAuth 2.0 or OpenID Connect configuration isn't completing
OAuth and OpenID Connect integrations depend on application-specific parameters — token endpoint URLs, client IDs, scopes, and grant types — that vary between implementations. If the configuration is not completing, reach out to support@secureprivacy.ai with your authorization server details. The Secure Privacy team handles these integrations collaboratively and can guide you through the required settings.
Frequently Asked Questions
Do I need to scan cookies behind a login for GDPR compliance?
Yes. Under GDPR and the ePrivacy Directive, your obligation to obtain consent covers all cookies and tracking technologies that process personal data — regardless of whether they are set on public pages or within an authenticated session. If your web application loads analytics, advertising, or other non-essential cookies after a user logs in, those must be disclosed in your cookie policy and covered by your consent mechanism. Authenticated scanning ensures those cookies are detected and documented.
Can a standard website cookie scanner detect cookies behind a login?
No. Standard website scanners crawl your site as an unauthenticated visitor and cannot access any content that requires a login. If your application loads cookies or third-party services exclusively within authenticated sessions, those will not appear in a standard scan report. Authenticated scanning — as offered by Secure Privacy on the Enterprise plan — is required to detect cookies on password-protected or login-gated pages.
Which authentication methods does Secure Privacy's scanner support?
Secure Privacy supports four authenticated scanning methods: form-based authentication (username and password login forms), OAuth 2.0 (all major grant types), OpenID Connect, and API key / authorization header-based authentication. For OAuth, OpenID Connect, and API key configurations, the Secure Privacy support team assists with setup.
Is authenticated scanning available on all Secure Privacy plans?
No. Authenticated website scanning is available exclusively on the Secure Privacy Enterprise plan. If you are on a lower-tier plan and need this feature, visit the Secure Privacy Pricing page for details on upgrading.
Does the scanner support sites that require multi-factor authentication (MFA)?
Standard form-based authenticated scanning does not support MFA, as the additional authentication step cannot be automated with a username and password alone. If your application enforces MFA for all accounts, contact support@secureprivacy.ai to discuss alternative configuration options such as OAuth 2.0 client credentials or API key-based access.
Related Articles
- How to Run a Website Cookie Scan in Secure Privacy

- Understanding Your Website Scan Results and Cookie Report[?]

- Configuring Your Cookie Consent Banner

- Auto-Updating Cookie Policy: Keeping Your Disclosure Accurate

---

# TitleHow to Manage Privacy Policy & Cookie Policy Settings in Secure Privacy

URL: https://support.secureprivacy.ai/article/mastering-the-template-gt-policies-page-for-effective-policy-management
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:33:15.796+00:00
Reading Time: 7 minutes
Summary: Learn how to enable, edit, and embed a GDPR-compliant privacy policy and cookie declaration using Secure Privacy Templates. Step-by-step setup guide with tips.

Every website that uses cookies — from a basic analytics script to a full advertising stack — is legally required to display a privacy policy and cookie policy under GDPR, CCPA, and a growing list of global regulations. Yet most website owners face the same painful options: pay a lawyer to draft policies from scratch, copy-paste a generic template that may not reflect your actual data practices, or wrestle with a bloated plugin that breaks your site on every update.
Secure Privacy was built to replace all three of those headaches. Its Templates → Policies page gives you a purpose-built, cookie consent management platform where GDPR-compliant privacy policies and cookie declarations are preconfigured, pre-translated, and kept accurate automatically — without requiring any legal expertise on your part.
By the end of this guide, you will know how to enable your policies, customize their content for your domain, and embed them on your website — in any format and any language you need.
Who Is This Guide For?
This article is for website owners, developers, and compliance managers who:
- Need to publish or update a GDPR-compliant privacy policy or cookie policy

- Are setting up Secure Privacy for the first time and want to configure their policy templates

- Want to embed a cookie declaration or privacy policy directly on a page — as a button, hyperlink, or full inline embed

- Manage multiple domains and need per-domain policy customization

Accessing the Templates → Policies Page
To open your privacy and cookie policy settings in Secure Privacy:
Step 1 — Log in to your Secure Privacy account.
Step 2 — Click "Templates" in the dashboard navigation.
Step 3 — Select and open the template you want to configure.
Step 4 — Navigate to the "Policies" section within that template.
The Templates → Policies page in Secure Privacy, where you enable and manage your GDPR-compliant cookie and privacy policies.
Policy Toggle Settings and Domain Preview
Once on the Policies page, you will see the following controls:
Enable Cookie Policy
Toggle this switch to activate a cookie policy on your website. Cookie policies are preconfigured for each pre-loaded template, simplifying your initial GDPR compliance setup.
Enable Privacy Policy
Toggle this switch to publish a privacy policy on your website. Like the cookie policy, privacy policies are already preconfigured for each pre-loaded template and cover the core disclosure requirements of GDPR, CCPA, and similar regulations.
Domain
Use this dropdown to select a specific domain and preview how its policies will appear. The preview widget below updates automatically to reflect the selected domain — useful if you manage multiple websites from a single Secure Privacy account.
Preview: View Policies Across Devices
The Preview widget lets you visualize how your privacy policy and cookie declaration will appear on desktop, tablet, and mobile devices. Note that the preview may not be 100% pixel-perfect. Switch to full-screen mode for a more detailed view.
Click the "Edit" button at the top to switch to Editor mode and make direct adjustments to your policy content.
Editor mode in Secure Privacy lets you customize your privacy policy content, switch languages, and navigate between policy sections.
Editor Mode: Customizing Your GDPR-Compliant Policies
Step 1 — Select a Language
Each policy comes preconfigured and pre-translated into multiple languages. You can review and edit translations as needed. Additional languages can be added or removed under Template → Settings.
Step 2 — Edit Your Privacy Policy Content
The Privacy Policy editor lets you fully customize your site's privacy policy to meet your legal requirements. Available actions include:
- Edit text, add hyperlinks, and adjust heading levels

- Add new sections using "+ Add section" at the top or bottom of the policy

- Click a section name in the sidebar to scroll directly to that section

- Use shortcodes such as [sp-legal-basis] to automatically populate domain-specific legal information generated from the domain's Policies page

The policy closes with a 'Contact us' section, which is auto-filled with your domain data.
Step 3 — Configure the Cookie Declaration
The Cookie Declaration section informs visitors about the specific cookies used on your website — a key GDPR transparency requirement. It works similarly to the Privacy Policy editor, with the addition of pre-defined sections that describe cookies detected on your implemented domain. Available actions include:
- Edit text, add hyperlinks, and change heading levels

- Add sections at the top or bottom using "+ Add section"

- Use cookie-specific shortcodes such as [sp-cookie-categories] or [sp-preferences-cookies], which are automatically populated with correct domain data when viewed on your live website

- Use the [sp-gdpr-trust-badge] shortcode to add a link that lets visitors open the preference center and adjust their consent options directly from the cookie declaration page

The Cookie Declaration editor in Secure Privacy, with pre-defined cookie sections and shortcodes that auto-populate with your live domain's cookie data.
Click the "Next Step" or "Embed" button at the top to proceed to the Embed page, where you can publish your configured policies on your domain.
Embed Settings: Publishing Your Privacy Policy on Your Website
Step 4 — Select a Language for the Embed
Customize the text for your embed button or hyperlink in any of the languages assigned to your template.
Step 5 — Choose Your Embed Type
Choose how your policy appears on your website. Three embed types are available:
- Button — Creates a clickable icon that directs visitors to your policy page when clicked.

- Hyperlink — Generates a clickable inline link, suitable for embedding in your footer or alongside other legal information.

- Embed on Website — Integrates the full policy directly into your page as an iframe, making it immediately visible to all visitors without requiring a click.

Step 6 — Configure Text Settings
Define the display text for your embed button or hyperlink, using any of the languages assigned to your template.
The Embed Settings page in Secure Privacy, where you choose your policy display format and generate the embed shortcode for your website.
Step 7 — Preview the Embed
Visualize how your policy embed will appear across desktop, tablet, and mobile devices. The preview provides a close approximation of the final appearance, though it may not be 100% exact.
Step 8 — Copy and Paste the Shortcode
This section generates the embed shortcode you need to insert on your website to display your policy. The code generated depends on your selected embed type — button, hyperlink, or direct iframe embed. Copy the shortcode and paste it into the relevant location in your website's page template or footer.
Tip: Shortcodes like [sp-cookie-categories] and [sp-legal-basis] are resolved dynamically when a visitor loads the page on your live domain — so your policy content stays accurate as your cookie setup changes, without requiring manual edits each time.
Troubleshooting Common Issues
Policy toggle is enabled but the policy isn't appearing on my website
Confirm that the Secure Privacy embed shortcode has been pasted into the correct location in your website template (typically the footer or a dedicated legal page). Also verify that the domain selected in the dropdown matches the domain where the script is installed.
Shortcodes are displaying as plain text instead of resolved content
Shortcodes are resolved only on your live website where the Secure Privacy script is active — they will not render inside the Secure Privacy dashboard editor or in a staging environment that does not have the script installed. Preview your live page to confirm correct rendering.
Frequently Asked Questions
Do I need a privacy policy and cookie policy on my website?
Yes — if you collect any personal data or use cookies (including analytics or advertising cookies), GDPR, CCPA, and most other privacy regulations require you to publish a privacy policy and a cookie policy. Failing to do so can result in significant fines and a loss of visitor trust.
What is a cookie declaration and why do I need one?
A cookie declaration is a detailed list of all cookies active on your website — their purpose, duration, and provider. Regulators, particularly under GDPR, require transparency about which cookies you set, making an up-to-date cookie declaration a legal necessity for most websites.
Can Secure Privacy generate a privacy policy automatically?
Yes. Secure Privacy's pre-loaded templates include preconfigured, pre-translated privacy policies. You can customize the content in the built-in editor and use shortcodes like [sp-legal-basis] to automatically populate domain-specific legal information.
How do I embed a privacy policy on my website using Secure Privacy?
Navigate to Templates → Policies → Embed in your Secure Privacy dashboard. Choose your embed type (button, hyperlink, or direct iframe), configure the display text, then copy the generated shortcode and paste it into your website's page template or footer.
Does Secure Privacy support multiple languages for privacy policies?
Yes. Each policy template comes pre-translated into multiple languages. You can review, edit, and add or remove languages under Template → Settings.
What are Secure Privacy shortcodes and how do they work?
Shortcodes are placeholders you insert into your policy content — for example, [sp-cookie-categories] or [sp-legal-basis]. When a visitor views the live policy on your website, Secure Privacy automatically replaces each shortcode with the correct domain-specific data, keeping your policies accurate without manual updates.
Related Articles
- How to Set Up Your Cookie Consent Banner in Secure Privacy

- GDPR Compliance Checklist for Website Owners

- Managing Template Settings: Languages, Domains, and Branding[?]

- How Secure Privacy Scans and Categorizes Cookies on Your Domain[?]

- Configuring CCPA Compliance Settings in Secure Privacy[?]

---

# Account-Level Classification in Secure Privacy: Centralized Cookie, Pixel, Iframe & Service Management Across All Domains

URL: https://support.secureprivacy.ai/article/leveraging-accountlevel-configuration-for-cookies-pixels-iframes-and-services-to-drive-business-success
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:46:06.64+00:00
Reading Time: 5 minutes
Summary: Stop managing cookie consent domain by domain. Secure Privacy's account-level classification applies cookie, pixel, iframe & service settings across all your websites at once.

If you run multiple websites, keeping cookie consent settings consistent across every domain is one of the most frustrating parts of GDPR and ePrivacy compliance. You configure cookies correctly on one site — then realize your tracking pixels are uncategorized on another, or that an iframe from a marketing service is loading without consent on a third. Doing this domain-by-domain is slow, error-prone, and almost impossible to audit at scale.
Most consent management platforms force exactly that workflow: log in, find the domain, open Classification, make a change, repeat across every property. As your portfolio grows, so does your compliance risk.
Secure Privacy solves this with Account-Level Classification — a single control panel where you define how cookies, tracking pixels, iframes, and third-party services are categorized and blocked, once, and those settings propagate across every domain in your account automatically, overriding individual domain configurations.
By the end of this guide you'll have centralized, consistent consent management configured across your entire account — no per-domain repetition required.
Who Is This For?
This guide is for Secure Privacy users who manage two or more domains and want to enforce consistent cookie consent, pixel blocking, iframe management, or service categorization across all of them from one place. It is especially relevant if you:
- Run a portfolio of websites and need uniform GDPR consent management.

- Use the same third-party services (Google Analytics, Meta Pixel, etc.) across multiple domains.

- Want to ensure that a change to a service category or cookie description is reflected everywhere instantly.

What Is Account-Level Classification?
The Classification page in Secure Privacy provides account-wide control over how cookies, pixels, iframes, and services are configured across all your domains. Any configuration made at the account level will override domain-level settings, giving you centralized, consistent control over data collection and processing across your entire account.
Account → Classification → Cookies
Step 1 — Open the Cookies Tab and Add a Cookie
Navigate to Account → Classification → Cookies and click "Add Cookie" to configure the following fields:
Cookie name
The exact name of the cookie to be classified.
Host
The domain host associated with this cookie.
Category
The consent category for this cookie. Note: category can only be assigned from the Services tab — see below.
Service name
The service this cookie belongs to (e.g., Google Analytics, Facebook Pixel).
Expiry
The expiry duration of the cookie.
Description
A cookie description that can be entered in multiple available languages for localized consent banners.
The Add Cookie form in Account → Classification → Cookies.
Cookie configurations added here are applied account-wide, overriding the corresponding settings on all individual Domain → Classification pages.
Account → Classification → Pixels
Step 2 — Open the Pixels Tab and Add a Pixel
Navigate to Account → Classification → Pixels and click "Add Pixel" to configure the following fields:
Source URL
The source URL of the tracking pixel to be blocked or managed (e.g., a Meta Pixel or TikTok Pixel endpoint).
Service name
The service this pixel is associated with.
The Add Pixel form in Account → Classification → Pixels.
Account-level pixel configurations ensure consistent pixel blocking and management behavior across all domains in your account — so no tracking pixel fires without consent on any property.
Account → Classification → Iframes
Step 3 — Open the Iframes Tab and Add an Iframe
Navigate to Account → Classification → Iframes and click "Add Iframe" to configure the following fields:
Level
Select whether this iframe configuration applies at the domain or account level.
Source
The source URL of the iframe to be managed or blocked (e.g., a YouTube embed or Google Maps widget).
Service name
The service this iframe is associated with.
The Add Iframe form in Account → Classification → Iframes.
Iframe configurations applied at the account level ensure uniform iframe consent behavior across all your domains, regardless of individual domain-level settings.
Account → Classification → Services
Step 4 — Open the Services Tab and Edit a Service
Navigate to Account → Classification → Services. To edit a service, click the "..." (three-dot) menu next to the service and select "Edit" to configure the following fields:
Service name
The name of the third-party service (e.g., Google Analytics, Facebook Ads, HubSpot).
Category
The consent category this service belongs to (e.g., Analytics, Marketing). This is the only place where a category can be assigned to cookies associated with this service.
Script source
The script source URL(s) used to identify and block this service. Multiple sources must be comma-separated.
Privacy policy
A link to the third-party service's privacy policy, displayed in the consent banner where applicable.
The Edit Service form in Account → Classification → Services.
Configuring services at the account level ensures coordinated, consistent service management and consent categorization across all your domains — including correct category assignment for every cookie associated with each service.
Key Reminder: Account-Level Settings Override Domain-Level Settings
All configurations made on the Account → Classification page take precedence over domain-level classification settings. Use this feature to enforce consistent cookie, pixel, iframe, and service configurations across your entire account without needing to adjust each domain individually. This is the most efficient way to maintain GDPR-compliant consent management at scale — one change here propagates everywhere.
Frequently Asked Questions
Can I manage cookie consent settings across all my websites from one place?
Yes. Secure Privacy's Account-Level Classification lets you define cookie, pixel, iframe, and service settings once at the account level. Those settings are automatically applied to every domain in your account, overriding any conflicting domain-level configurations.
What happens if I also have classification settings configured at the domain level?
Account-level settings always take precedence. If you have a cookie or service configured at both the account and domain level, the account-level configuration will override the domain-level one.
Where do I assign a consent category (Analytics, Marketing, etc.) to a cookie?
Categories are assigned through the Services tab (Account → Classification → Services), not the Cookies tab directly. You associate each cookie with a service, and the service carries the consent category. This is the only place where category assignment is configured.
Does account-level classification block tracking pixels and iframes across all domains automatically?
Yes. Pixels and iframes added under Account → Classification → Pixels and Iframes are applied across every domain in your account. Any pixel or iframe listed there will be blocked until the visitor provides the appropriate consent, consistently on every site.
Can I add cookie descriptions in multiple languages for international compliance?
Yes. The Description field in the Add Cookie form supports multiple languages. You can enter localized descriptions for each language supported by your consent banner, ensuring visitors see cookie information in their own language.
Related Articles
- Domain-Level Classification: Cookies, Pixels & Iframes[?]

- Setting Up Your Consent Banner

- Configuring Google Analytics with Consent Mode

- GDPR Compliance Checklist for Website Owners

---

# How to Install Secure Privacy on Adobe Dynamic Tag Manager (DTM)

URL: https://support.secureprivacy.ai/article/install-secure-privacy-with-adobe-dynamic-tag-manager
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:17:30.804+00:00
Reading Time: 5 minutes
Summary: Deploy a GDPR-compliant cookie consent banner on your site without touching source code. Follow this step-by-step guide to install Secure Privacy via Adobe DTM.

If your website must comply with GDPR, ePrivacy, CCPA, or other cookie consent laws, you already know the problem: every solution either requires a developer to touch your site code, slows your page load with heavy scripts, or hands you a cookie banner so generic that visitors ignore it entirely. Manual implementation is brittle — one theme update and your consent layer disappears.
Adobe Dynamic Tag Manager (DTM) exists precisely to solve the deployment problem. It lets your team add, update, and manage third-party scripts — including a cookie consent solution — without touching site source code. But you still need a consent platform worth deploying. Many teams end up stitching together free plugins that lack automatic cookie scanning, multi-regulation support, or a reliable consent record — leaving them exposed even after they think they're compliant.
Secure Privacy is a fully managed cookie consent and GDPR compliance platform that deploys in minutes through Adobe DTM. It automatically scans your site for cookies, generates a compliant Cookie Declaration, and maintains a verifiable consent record — all without ongoing manual maintenance.
By the end of this guide, your Secure Privacy cookie consent banner will be live on your website via Adobe DTM, your cookie scan will be up to date, and your site will be on the right side of GDPR and ePrivacy requirements.
Who Is This Guide For?
This guide is for website owners, marketing managers, and developers who:
- Already use Adobe Dynamic Tag Manager to manage third-party scripts

- Need to add a GDPR-compliant cookie consent banner without modifying site source code

- Have an active Secure Privacy account (or are evaluating it)

Prerequisites
- An active Secure Privacy account. Sign up at secureprivacy.ai if you haven't already.

- Your Secure Privacy installation script. Log in, go to Domains → Installation, and copy your unique script snippet.

- Access to your Adobe DTM dashboard with permission to create or edit rules.

Installing Secure Privacy via Adobe DTM
The steps below add your Secure Privacy cookie consent script to your site as a non-sequential JavaScript tag in Adobe DTM — the correct load type to ensure the consent layer fires before other marketing or analytics tags.
Step 1 — Open the JavaScript / Third Party Tags section
In your Adobe DTM dashboard, navigate to the rule or page load event where you want the Secure Privacy consent script to fire. Open the JavaScript / Third Party Tags section and select "Non-Sequential JavaScript" as the script type. This load order ensures the cookie consent banner appears before any non-essential tracking tags execute — a requirement for valid consent under GDPR.
Step 2 — Paste your Secure Privacy installation script
Paste your Secure Privacy installation script into the code editor field. Remove the opening <script> and closing </script> tags from the pasted code — Adobe DTM wraps non-sequential JavaScript entries in these tags automatically, so including them will cause a script error.
Step 3 — Save and activate the rule
Click "Save Rule" to apply your changes. Adobe DTM will activate the configuration, and your Secure Privacy cookie consent banner will begin loading on your website immediately.
Your Secure Privacy cookie consent script is now installed and active via Adobe Dynamic Tag Manager.
After Installation: Rescan Your Website
Once the script is live, run a new cookie scan to keep your Cookie Declaration current. In your Secure Privacy account, navigate to Report → Scan Reports in the left sidebar and click "Rescan". This detects all cookies set by your updated site — including any new marketing or analytics tags recently added via DTM — and ensures your consent records remain accurate and your site stays fully compliant.
Troubleshooting Common Issues
The cookie banner is not appearing after saving the rule
Confirm that Adobe DTM has published the updated rule (not just saved it in draft). Also check that the rule fires on the correct page load event. Clear your browser cache and reload the page to rule out a caching issue.
The page shows a JavaScript error after adding the script
The most common cause is leaving the <script> and </script> wrapper tags in the code field. Adobe DTM adds these automatically for non-sequential JavaScript — remove them from your pasted Secure Privacy snippet and save the rule again.
The rescan is not picking up new cookies
Allow 5–10 minutes after saving the rule before rescanning, to give DTM time to publish and propagate the change. If cookies are still missing, verify the rule fires on all relevant page types (not just the homepage).
Frequently Asked Questions
Do I need to edit my website's source code to add a cookie consent banner?
No. Using a tag manager like Adobe DTM, you can deploy the Secure Privacy cookie consent script entirely through the DTM dashboard — no source code changes required. This makes it safe and fast for non-developer teams to manage compliance independently.
Is Secure Privacy compliant with GDPR and ePrivacy regulations?
Yes. Secure Privacy is built to meet GDPR, ePrivacy Directive, CCPA, and other major data privacy regulations. It records and stores proof of user consent, automatically scans for cookies, and generates a compliant Cookie Declaration — the core requirements for legal cookie consent.
Why should I use "Non-Sequential JavaScript" in Adobe DTM for the consent script?
Under GDPR, consent must be obtained before non-essential cookies are set. Loading the Secure Privacy script as Non-Sequential JavaScript ensures it fires early in the page load, before advertising or analytics tags can execute and drop cookies without consent.
How often should I rescan my website after installation?
Rescan whenever you add or remove tags via Adobe DTM, publish a major site update, or add new marketing or analytics integrations. Keeping your Cookie Declaration current is an ongoing compliance requirement — Secure Privacy makes it easy with one-click rescanning from the Report → Scan Reports section.
Does Secure Privacy work with other tag managers besides Adobe DTM?
Yes. Secure Privacy can be deployed via Google Tag Manager (GTM), Tealium, and other tag management systems, as well as through direct script installation on any website. Dedicated installation guides are available for each platform in the Secure Privacy Help Center.
Related Installation Guides
- How to Install Secure Privacy via Google Tag Manager (GTM)

- How to Install Secure Privacy on WordPress

- How to Run and Interpret a Cookie Scan in Secure Privacy[?]

- How to Add a Cookie Declaration to Your Website

---

# Cookie Widget & Trust Badge in Secure Privacy — Complete Configuration Guide

URL: https://support.secureprivacy.ai/article/enhance-user-trust-with-the-cookie-widget--trust-badge
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:40:49.705+00:00
Reading Time: 6 minutes
Summary: Learn how to enable, customize, and embed the Secure Privacy cookie widget and trust badge. Step-by-step setup for GDPR-compliant cookie transparency on any website.

Most websites collect cookies — but simply having a cookie banner is no longer enough. Visitors and regulators increasingly expect ongoing, accessible transparency about how your site uses cookies, not just a one-time pop-up they clicked through six months ago. Without a visible, persistent way for visitors to review and manage their cookie preferences, you leave trust on the table and expose yourself to compliance gaps under GDPR, CCPA, and similar privacy regulations.
Many site owners try to solve this with static cookie policy pages buried in footers, or generic third-party widgets that clash with their brand and offer no real consent management. These approaches are time-consuming to maintain, inconsistent across devices, and do nothing to signal to visitors that privacy is a priority.
The Secure Privacy cookie widget — also called the trust badge — is a purpose-built solution that sits persistently on your website, giving visitors on-demand access to your cookie usage details and consent controls. It's pre-configured inside every Secure Privacy template, supports multiple languages, and embeds in minutes via a simple shortcode.
By the end of this guide, you'll know how to enable, preview, customize, and embed the Secure Privacy cookie widget on your website — so every visitor can see exactly how you handle their data, at any time.
Who Is This Guide For?
This guide is for website owners, developers, and privacy officers who:
- Want to display a cookie trust badge that builds visitor confidence

- Need a GDPR-compliant cookie widget that stays accessible after the initial consent banner is dismissed

- Are setting up or customizing a Secure Privacy template for the first time

- Manage a multilingual website and need cookie notices in multiple languages

Before You Begin
- An active Secure Privacy account[?]

- At least one template already created (see How to create a Secure Privacy template[?])

- Access to your website's page template or CMS to paste the embed shortcode

How to Access the Cookie Widget Settings
Step 1 — Log in and open Templates
Log in to your Secure Privacy account and click "Templates" in the main navigation menu.
Step 2 — Select your template
Browse your available templates and select the one you want to configure. Each template holds its own independent cookie widget settings.
Step 3 — Open the Widget section
Within your chosen template, click the "Widget" section in the left-hand navigation panel to open the cookie widget configuration page.
Navigate to Templates → [Your Template] → Widget to open the cookie widget settings.
Enable or Disable the Cookie Trust Badge
Every Secure Privacy template comes with the cookie widget preconfigured and ready to activate. Use the toggle to enable or disable the trust badge based on your compliance requirements.
When enabled, the trust badge displays persistently on your website — giving visitors a clear, accessible entry point to review your cookie usage and privacy stance at any time. This ongoing transparency supports GDPR compliance requirements and improves visitor confidence.
Preview the Cookie Widget Across Devices
Before publishing, use the built-in Preview option to see exactly how your cookie trust badge will appear on desktop, tablet, and mobile screens. Click full-screen mode for a larger, more detailed view.
Note: The preview is a close approximation. Minor rendering differences may appear on your live website depending on your theme and CSS.
Switch between desktop, tablet, and mobile views to verify how your cookie widget renders on each device.
After previewing, switch to Edit mode to make changes to the widget text, language, or styling so it aligns with your website's tone and your visitors' expectations.
Configure Cookie Widget Languages
The Secure Privacy cookie widget is preconfigured and pre-translated for each template's default language settings. To serve a multilingual audience, you can add or remove languages under Template → Settings.
This ensures your cookie trust badge displays in the visitor's language — a requirement under GDPR for websites operating across multiple EU jurisdictions.
Click "Save" after making any language changes.
Add or remove languages in Edit mode to ensure your cookie widget is accessible to all your visitors.
Embed the Cookie Widget on Your Website
To display the cookie trust badge on your site, copy the provided shortcode and paste it into your page template. The embed shortcode is unique to your template and automatically reflects any changes you make in the widget settings.
Step 1 — Copy the shortcode
In the Embed section of the Widget page, click "Copy to clipboard" to copy your unique cookie widget shortcode.
Step 2 — Paste into your page template
Open your website's page template or CMS and paste the shortcode at the location where you want the trust badge to appear — typically in a persistent element such as the footer or a floating overlay.
Copy the embed shortcode from the Widget page and paste it into your site's template to activate the trust badge.
Troubleshooting: Cookie Widget Not Showing?
If the trust badge isn't appearing on your website after embedding, check the following:
- Widget is disabled: Confirm the toggle on the Widget page is set to enabled.

- Shortcode not saved: Make sure you saved your page template after pasting the shortcode.

- Script not published: Ensure the Secure Privacy script tag is live on the page where you placed the shortcode. Check under Account → Script.

- Cache not cleared: If you use a caching plugin or CDN, purge the cache after embedding.

- Wrong template selected: Verify the shortcode you copied belongs to the template associated with that website.

Frequently Asked Questions
What is a cookie trust badge and do I need one on my website?
A cookie trust badge is a persistent, visible widget that lets visitors access information about your site's cookie usage at any time — not just on their first visit. Under GDPR and similar privacy regulations, users have the right to withdraw or review their consent at any point, so a trust badge is not just good practice; it supports ongoing compliance by keeping cookie controls accessible.
What is the difference between the cookie banner and the cookie widget in Secure Privacy?
The cookie banner appears once (or on each new session) to collect initial consent. The cookie widget — or trust badge — is a persistent element that stays on your site so visitors can review or change their cookie preferences at any time after the banner has been dismissed.
Can I show the cookie widget in multiple languages?
Yes. The Secure Privacy cookie widget supports multiple languages. You can add or remove languages under Template → Settings. The widget will automatically display in the appropriate language based on your configuration.
How do I embed the Secure Privacy cookie widget on my website?
Go to Templates → [Your Template] → Widget → Embed, click "Copy to clipboard" to copy the shortcode, then paste it into your website's page template at the position where you want the trust badge to appear.
Will the cookie widget look the same on mobile as it does on desktop?
The widget is designed to be responsive. You can preview it across desktop, tablet, and mobile views within the Secure Privacy template editor. Note that the preview is an approximation — minor differences may occur depending on your site's CSS and theme.
Related Articles
- How to Create a Secure Privacy Consent Template[?]

- Configuring Your Cookie Banner (Pop-up) in Secure Privacy

- Managing Languages in Secure Privacy Templates

- How to Install the Secure Privacy Script on Your Website

- GDPR Cookie Consent Requirements — What Your Website Needs

---

# How to Install Secure Privacy on Your Wix Website for Cookie Consent, GDPR & CCPA Compliance

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-wix
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:05:31.67+00:00
Reading Time: 7 minutes
Summary: Learn how to add Secure Privacy's GDPR & CCPA cookie consent banner to your Wix site in minutes. Step-by-step setup using Wix Custom Code — no developer needed.

If you run a Wix website, you almost certainly need a cookie consent banner. Privacy regulations — including the EU's GDPR, the ePrivacy Directive, and CCPA/CPRA in California — require that you obtain informed consent before dropping non-essential tracking cookies on your visitors. Ignore this, and you're exposed to regulatory fines that can reach into the tens of thousands of euros or dollars.
Most Wix site owners first try the built-in Wix Cookie Consent Banner. It looks tidy, but it gives you little control over which cookies are actually blocked before consent is given — a hard requirement under GDPR. Others turn to generic cookie notice widgets that display a banner without doing the underlying blocking, leaving them technically non-compliant even though something appears on screen.
Secure Privacy takes a different approach. It automatically scans your Wix site for cookies and trackers, classifies them, and blocks all non-essential scripts until your visitor actively consents — meeting the standard required by GDPR, CCPA, and other major privacy laws. Setup takes under five minutes using Wix's built-in Custom Code feature, and no developer is needed.
By the end of this guide, your Wix site will have a fully functional, legally compliant cookie consent banner powered by Secure Privacy — with automatic cookie blocking, a customisable consent interface, and an audit trail you can rely on.
Important: This installation method is only available for Wix sites that are published and have a connected custom domain. Free Wix subdomains (e.g. yourname.wixsite.com/site) do not support Custom Code injection.
Who Is This Guide For?
This guide is for Wix website owners and administrators who:
- Need to add a GDPR-compliant cookie banner to their Wix site

- Want to ensure their Wix site meets CCPA, ePrivacy, or LGPD cookie consent requirements

- Have already signed up for Secure Privacy and need to complete the technical installation

- Are looking for a cookie consent solution that actually blocks non-essential cookies before consent is given — not just displays a notice

Prerequisites
Before you start, make sure you have the following:
- A Secure Privacy account — sign up at secureprivacy.ai if you haven't already

- Your Secure Privacy installation script (available from the onboarding walkthrough or under Domains → Installation in your dashboard)

- A Wix site that is published and connected to a custom domain

- Admin access to your Wix dashboard

Add the Secure Privacy Cookie Consent Script to Your Wix Site
Follow the seven steps below to install Secure Privacy on Wix using the platform's Custom Code feature. The entire process takes under five minutes and requires no coding experience.
Step 1 — Get Your Secure Privacy Installation Script
Obtain your unique Secure Privacy installation script from the Secure Privacy onboarding walkthrough, or log in to your Secure Privacy account and navigate to Domains → Installation. Every domain has its own unique script — make sure you're using the one generated for your Wix site's domain.
Step 2 — Copy the Script to Your Clipboard
Copy the Secure Privacy script in full and save it to your clipboard. Do not modify the script — altering any part of it can prevent the cookie consent banner from loading correctly.
Step 3 — Open Custom Code in Your Wix Dashboard
Log in to your Wix dashboard. In the left-hand menu, go to Settings → Custom Code. This section lets you inject scripts directly into your site's HTML — it is the standard method for adding any third-party cookie consent tool to a Wix site.
Step 4 — Add a New Code Snippet in the Head Section
Under the Head section, click "Add Code." The Secure Privacy script must be placed in the <head> so it loads before any other scripts on the page — this is what enables it to block non-essential cookies before they fire.
Navigate to Settings → Custom Code, then click "Add Code" under the Head section.
Step 5 — Paste the Secure Privacy Script
Paste your Secure Privacy script into the code field. Configure the remaining name and placement options as shown in the screenshot below — keep the placement set to Head and apply it to All Pages so the cookie consent banner appears site-wide.
Paste the script into the code field and apply the recommended settings shown above.
Step 6 — Set Code Type to "Essential"
On the Code Type tab, leave the selection as "Essential" (the default). This is the correct setting. The Secure Privacy script itself is responsible for blocking all non-essential cookies based on your manual or automatic cookie classification settings — marking it as Essential ensures it always loads so it can manage consent for every other script on your site.
Step 7 — Save and Publish
Click Save to store your Custom Code entry, then republish your Wix site to push the change live. The Secure Privacy cookie consent banner will now appear for all new visitors to your site.
What Happens After Installation
Once the Secure Privacy script is live on your Wix site:
- The cookie consent banner appears automatically for new visitors, giving them the option to accept, reject, or customise their cookie preferences.

- Non-essential cookies and tracking scripts are blocked until a visitor gives their consent — satisfying the core GDPR and ePrivacy requirement for prior consent.

- Consent records are logged in your Secure Privacy dashboard, giving you an auditable record for regulatory purposes.

- Returning visitors who have already consented will not see the banner again unless they clear their cookies or your cookie policy changes.

To verify the installation, open your Wix site in a private/incognito browser window. The Secure Privacy consent banner should appear within a few seconds of the page loading.
Troubleshooting: Cookie Banner Not Showing on Wix
The banner does not appear after installation
Make sure you republished your Wix site after saving the Custom Code entry — changes to Custom Code do not go live until the site is published. Also check that the script placement is set to Head and applies to All Pages.
The Custom Code option is greyed out or unavailable
Wix Custom Code requires a published site with a connected custom domain. If your site is on a free Wix subdomain (e.g. yourname.wixsite.com/site), you will need to connect a custom domain before Custom Code becomes available.
The banner appears but cookies are not being blocked
Verify that your cookies and third-party services have been correctly classified in your Secure Privacy dashboard. Services marked as "Essential" will not be blocked — review your classification settings to ensure analytics, advertising, and other non-essential scripts are categorised correctly.
Frequently Asked Questions
Does my Wix website need a cookie consent banner?
Yes, in most cases. If your Wix site uses any cookies or tracking technologies — including Google Analytics, Meta Pixel, or Wix's own analytics — and you have visitors from the EU, UK, California, or many other jurisdictions, you are legally required to obtain informed consent before setting non-essential cookies. Failure to comply can result in significant regulatory fines.
Is the built-in Wix cookie banner GDPR compliant?
Wix's native cookie banner can display a notice to visitors, but it has limited functionality for actually blocking non-essential cookies before consent is given — a hard requirement under GDPR. A dedicated consent management platform like Secure Privacy provides proper prior blocking, granular consent categories, consent logging, and automatic cookie scanning.
Does Secure Privacy work with Wix?
Yes. Secure Privacy installs on any Wix site that has a connected custom domain by adding a single script via Wix's Custom Code feature (Settings → Custom Code). No Wix app or plugin is required — the script handles cookie scanning, blocking, and the consent banner automatically.
Will adding Secure Privacy slow down my Wix site?
The Secure Privacy script is lightweight and loads asynchronously. Because it blocks other non-essential scripts until consent is granted, it can actually improve initial page load performance for visitors who have not yet consented, since those third-party scripts are held back until after the visitor interacts with the banner.
Why should the Secure Privacy script be set to "Essential" in Wix?
Setting the script as "Essential" tells Wix not to block it under any circumstance. This is necessary because the Secure Privacy script is itself the consent manager — it needs to load first, before all other scripts, so it can block non-essential cookies until the visitor consents. If it were categorised as non-essential, it could be blocked by other tools before it has a chance to run.
Does Secure Privacy support CCPA compliance for Wix sites?
Yes. Secure Privacy supports multiple privacy regulations including GDPR, CCPA/CPRA, ePrivacy, LGPD, and others. You can configure region-based consent rules in your Secure Privacy dashboard so visitors from California, the EU, and other jurisdictions see the appropriate consent experience.
The Secure Privacy cookie consent script is now configured on your Wix website. If you run into any issues or have questions about your setup, contact the Secure Privacy support team by emailing support@secureprivacy.ai.
Related Articles
- Secure Privacy Onboarding Walkthrough — Getting Your Installation Script

- How to Classify Cookies and Services for a Domain

- How to Install Secure Privacy on Shopify

- How to Install Secure Privacy on WordPress

- GDPR Cookie Consent Requirements — What Your Website Needs

---

# Track Every Change: Using the Audit Log (Audit Trail) in Secure Privacy for GDPR Compliance

URL: https://support.secureprivacy.ai/article/understanding-the-audit-log-audit-trail-in-secure-privacy
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T00:09:13.012+00:00
Reading Time: 6 minutes
Summary: Learn how to use the Secure Privacy Audit Log to track every consent setting change, monitor user activity, and stay GDPR-compliant. Step-by-step guide inside.

When a GDPR auditor asks "who changed your cookie consent banner settings last month — and when?" you need an answer in seconds, not hours of frantic email archaeology. The same urgent question surfaces during internal security reviews, when unexpected changes appear in your privacy configuration, or when you're trying to establish accountability across a team that shares access to your consent management platform.
Many privacy teams work around this gap by maintaining manual change logs in spreadsheets or relying on email threads — approaches that are error-prone, inconsistently updated, and never available at exactly the moment they're needed. Other consent management tools either omit activity tracking entirely or bury it behind expensive enterprise tiers.
Secure Privacy includes a built-in Audit Log — also called the Audit Trail — as a standard account management feature. Every action taken inside your account is automatically captured: who did it, what they changed, which domain was affected, and precisely when it happened. No manual logging, no add-ons required.
By the end of this guide you'll know how to access the Audit Log, understand every column in the activity table, filter records by date or domain, and build a regular review habit that keeps your organisation continuously audit-ready.
Who Should Use the Secure Privacy Audit Log?
- Privacy & Compliance Officers who need a tamper-proof activity history to satisfy GDPR, ePrivacy, and CCPA audit requirements.

- Website Owners & Marketing Teams managing cookie consent banners across one or more domains and needing visibility over team-level changes.

- IT & Security Teams investigating unauthorised or unexpected modifications to privacy management settings.

- Agencies administering Secure Privacy accounts on behalf of multiple clients and maintaining a clean change record for each.

Prerequisites
- An active Secure Privacy account with at least one domain configured.

- Account-level access (Admin or Owner role) — team members with restricted roles may have limited visibility.

How to Access the Audit Log in Secure Privacy
Step 1 — Log in to your Secure Privacy account
Open secureprivacy.ai and sign in with your account credentials.
Step 2 — Open the Account area
Click "Account" in the top navigation bar to enter your account management settings.
Step 3 — Select the Audit Log tab
Click the "Audit Log" tab. The full activity history for your account will load in a sortable, filterable table.
The Audit Log tab inside Secure Privacy Account settings, showing a full table of timestamped activity records.
Understanding the Audit Log Table Columns
Each row in the Audit Log represents a single recorded action. The table contains the following columns:
Domain
The domain associated with the recorded activity — useful when your account manages multiple sites.
Person
The user account responsible for performing the action, providing clear individual accountability.
Description
A concise summary of the activity or change made — for example, "Updated consent banner colour" or "Added new domain."
Area (sortable)
The specific module or section of Secure Privacy where the action took place — such as Consent Banner, Domains, or Account Settings. Click the column header to sort by area.
Action (sortable)
The type of operation performed: created, updated, or deleted. Sort this column to quickly group all deletions or creations in a given period.
Date
The calendar date the action occurred. Hover over the date to reveal the precise timestamp, which is essential for detailed compliance reporting.
Filtering the Audit Log by Date or Domain
By default, the Audit Log displays activity across all domains in your account. Use the available filters to narrow results to a specific domain, time period, or both — ideal for scoped compliance investigations or client reporting.
Filter by Date
Use the calendar dropdown widget to select a specific date or date range. Only audit log entries falling within that window will be shown, making it straightforward to scope activity to a particular compliance period or incident timeframe.
The date range filter in the Secure Privacy Audit Log — select any custom period to scope the activity history.
Filter by Domain
If your Secure Privacy account manages multiple domains, use the domain search field to filter audit log entries by a specific domain name. Type the domain and click it in the results to apply the filter — all other domains' activity will be hidden, giving you a clean, domain-specific change record.
The domain filter in the Secure Privacy Audit Log — type a domain name to isolate that site's full activity history.
Best Practice: Review Your Audit Log Regularly
Schedule a monthly Audit Log review as part of your GDPR compliance routine. Look for unexpected deletions, configuration changes made outside normal working hours, or actions by users who shouldn't have modified specific settings. This proactive habit closes accountability gaps before they become audit findings.
Troubleshooting the Audit Log
The Audit Log tab is not visible
The Audit Log is an account-level feature. If you cannot see the tab, check that you are logged in with an Admin or Owner role. Team members with limited permissions may not have access — contact your account owner to adjust role settings.
No entries appear after applying a filter
Confirm the selected date range overlaps with the period when activity occurred, and that the correct domain is selected. Clearing both filters will restore the full activity history so you can verify that records exist before narrowing results.
Timestamps show the wrong time zone
Dates in the Audit Log are displayed in your account's configured time zone. If you see unexpected times, hover over the date to view the full timestamp and cross-reference with your local time zone offset.
Frequently Asked Questions
Does Secure Privacy have an audit trail for GDPR compliance?
Yes. Secure Privacy includes a built-in Audit Log (Audit Trail) that automatically records every change made in your account — who did it, what was changed, and when — making it straightforward to demonstrate accountability during a GDPR audit.
Can I see who changed my cookie consent banner settings?
Yes. The "Person" column in the Audit Log identifies the specific user account responsible for each action, and the "Description" column summarises what was changed — including modifications to consent banner configuration.
How long does Secure Privacy retain audit log history?
Retention periods may vary by plan. For specific details about how long your Audit Log history is stored, contact the Secure Privacy support team at support@secureprivacy.ai.
Can I export or download the Audit Log?
Export functionality may depend on your account plan. Reach out to support@secureprivacy.ai for guidance on exporting audit trail data for compliance reporting.
Does the Audit Log track changes across multiple domains?
Yes. By default the Audit Log shows activity across all domains in your account. You can then use the domain filter to isolate the activity history for any individual domain.
Related Articles
- Managing User Roles and Permissions in Secure Privacy[?]

- How to Configure Your Cookie Consent Banner

- GDPR Compliance Checklist for Website Owners

- Managing Multiple Domains in One Secure Privacy Account[?]

Need Further Help?
If you have questions about the Audit Log or need assistance interpreting activity records for a compliance review, the Secure Privacy support team is ready to help. Reach out at support@secureprivacy.ai.

---

# Secure Privacy JavaScript API Reference: sp Object Methods and Event Listeners

URL: https://support.secureprivacy.ai/article/developer-guide-for-javascript-methods
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T21:32:10.11+00:00
Reading Time: 3 minutes
Summary: Full reference for the Secure Privacy JavaScript API — including sp object methods to control banners and consent, and window event listeners for tracking user interactions.

The Secure Privacy script loads a client-side JavaScript object named sp that exposes a set of public methods and events. Use these methods optionally to programmatically control the display of your consent banners, manage language switching, handle plugin consent, and listen for user interactions with Secure Privacy UI elements.
In this reference:
- Direct Methods — sp.* calls

- Event Listeners — window.addEventListener

Direct Methods
The following methods can be called directly on the sp object to control banner visibility, manage language, and handle consent programmatically.
Method
Parameters
Description

sp.showPrivacyBanner();
None
Forces the privacy banner to show.

sp.hidePrivacyBanner();
None
Forces the privacy banner to hide.

sp.showPrivacyPolicy();
None
Forces the privacy policy popup to show.

sp.hidePrivacyPolicy();
None
Forces the privacy policy popup to hide.

sp.showCookieBanner();
None
Forces the cookie banner to show.

sp.hideCookieBanner();
None
Forces the cookie banner to hide.

sp.showTrustWidget(true);
true
Forces the trust widget to show.

sp.hideTrustWidget();
None
Forces the trust widget to hide.

sp.switchLanguage('lang_code');
'lang_code' — a 2-character language code, e.g. 'en' or 'sv'. Must be a language code already activated for the domain.
Changes the language of all banners to the specified language.

sp.switchLanguage('lang_code', 'cookieBanner');
'lang_code', 'cookieBanner'
Changes the language of the cookie banner specifically. Overrides all default language settings and forces the cookie banner to show.

sp.cookieBannerVisible();
None
Returns true if the cookie banner is currently visible on screen; otherwise returns false.

sp.savePluginConsent(pluginName);
pluginName — string
Saves consent for a specific plugin. The pluginName parameter must be a string matching the plugin name exactly.

sp.checkConsent(pluginName);
pluginName — string
Checks whether consent has been given for a specific plugin. Returns a boolean: true if consent has been given, false if not.

sp.allGivenConsents
None
A JavaScript object containing all consents given by the current user. This value is available on the window object after the user has given consent. Can be used to check consent status and pass it to your server.

Event Listeners
The following events can be subscribed to via window.addEventListener. Each event fires at a specific point in the Secure Privacy consent lifecycle and passes relevant data via evt.detail.
Event Name
Example Usage
Description and Returned Data

sp_init
window.addEventListener("sp_init", function(evt) { console.log(evt.detail); }, false);
Fires when Secure Privacy has fully initialized. Use this event to safely execute any code that depends on the sp object being ready.

sp_trust_badge_shown
window.addEventListener("sp_trust_badge_shown", function(evt) { console.log(evt); });
Fires when the trust badge is shown or hidden. Returns detail: true when the trust badge is shown; detail: false when it is hidden.

sp_cookie_banner_shown
window.addEventListener("sp_cookie_banner_shown", function(evt) { console.log(evt); });
Fires when the cookie banner is shown or hidden. Returns detail: true when shown; detail: false when hidden.

sp_cookie_banner_click
window.addEventListener("sp_cookie_banner_click", function(evt) { console.log(evt); });
Fires when a button on the cookie banner is clicked. Returns detail: "accept" when the user clicks Accept; detail: "reject" when the user clicks Reject.

sp_cookie_banner_save
window.addEventListener("sp_cookie_banner_save", function(evt) { console.log(evt); });
Fires when the user's cookie banner choice is saved. Returns detail: "accept" when the Accept choice is saved; detail: "reject" when the Reject choice is saved.

sp_privacy_banner_shown
window.addEventListener("sp_privacy_banner_shown", function(evt) { console.log(evt); });
Fires when the privacy banner is shown or hidden. Returns detail: true when shown; detail: false when hidden.

sp_privacy_banner_click
window.addEventListener("sp_privacy_banner_click", function(evt) { console.log(evt); });
Fires when a button on the privacy banner is clicked. Returns detail: "accept" when the user clicks Accept; detail: "reject" when the user clicks Reject.

sp_privacy_banner_save
window.addEventListener("sp_privacy_banner_save", function(evt) { console.log(evt); });
Fires when the user's privacy banner choice is saved. Returns detail: "accept" when the Accept choice is saved; detail: "reject" when the Reject choice is saved.

sp_switch_lang
window.addEventListener("sp_switch_lang", function(evt) { console.log(evt); });
Fires when the user changes the language in a privacy banner. Returns an object: detail: { useLang: "en", category: "privacy-banner" }, where useLang is the selected language code and category identifies which banner triggered the language change.

sp_unblock_[ServiceName]
window.addEventListener("sp_unblock_Google_Analytics", function(evt) { console.log(evt); }, false);
Fires when a specific service is unblocked following user consent. Replace [ServiceName] with the exact service name as shown in the Scan Report. Replace any spaces in the service name with underscores (_). For example, to listen for Google Analytics being unblocked, use the event name sp_unblock_Google_Analytics.

---

# How to Install Secure Privacy via Adobe Launch for Cookie Consent Management

URL: https://support.secureprivacy.ai/article/install-secure-privacy-with-adobe-launch
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T01:18:54.449+00:00
Reading Time: 2 minutes
Summary: Learn how to deploy the Secure Privacy cookie consent script through Adobe Launch by configuring a rule with a custom HTML action — enabling cookie blocking without editing site code.

If you use Adobe Launch (Adobe Experience Platform Tags) to manage your website's scripts and tags, you can inject the Secure Privacy cookie consent script directly through a Launch rule. This enables cookie blocking and preference center functionality for your visitors without modifying your site's source code.
Before you begin: You will need your unique Secure Privacy installation script. Log in to your Secure Privacy account at secureprivacy.ai and copy the script from the Domains → Installation page.
Steps to Install the Secure Privacy Script via Adobe Launch
- In Adobe Launch, create a new rule and configure the event using the settings shown below. This defines when the Secure Privacy script will be triggered on your website.

- Click "Keep Changes" to save the event configuration.

- Within the same rule, click "Add Action" and configure the action as shown below.

- Click "Keep Changes" to save the action settings, then click "Open Editor" to access the HTML code editor.

- In the code editor, add your published Cookie Banner script and your Secure Privacy installation script to the HTML code field. The final setup should look similar to the example below.

- Click "Keep Changes", then save and publish your rule to deploy the Secure Privacy script across your website.

The Secure Privacy cookie consent script is now active on your website via Adobe Launch.
Common Issues and Fixes
Cookie banner is not appearing on the website.
Check that the rule is published in Adobe Launch and that both the event and action are configured correctly. Unpublished rules will not fire on your live site.
The Secure Privacy script is not blocking cookies.
Verify that the Secure Privacy installation script is correctly inserted into the HTML code editor within the action. Also check for any conflicting scripts on your site that may be loading cookies before the Secure Privacy script fires.
See Also
- How to Onboard with Secure Privacy from CMS Plugins

- How to Perform a Website Rescan

- Implementing Google Consent Mode (Advanced)

---

# How to Integrate Secure Privacy with Your CMS: Supported Platforms and Setup Guides

URL: https://support.secureprivacy.ai/article/integrations-with-secure-privacy-how-to-install-on-your-cms
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-24T16:08:25.372+00:00
Reading Time: 2 minutes
Summary: Learn how to integrate Secure Privacy with popular Content Management Systems (CMS) to enhance your website

Secure Privacy integrates with all major Content Management Systems — making it straightforward to implement cookie consent and privacy compliance on your website regardless of your platform. This guide explains how to access the Integrations section in your Secure Privacy account and links to the platform-specific installation guide for each supported CMS.
Who Is This For?
- Website administrators and developers installing Secure Privacy on a CMS-powered website

- Compliance teams verifying that Secure Privacy is correctly integrated with their existing CMS or tag management platform

- Agencies and developers managing Secure Privacy installations across multiple client websites on different platforms

Step 1: Log In and Access the Integrations Section
- Log in to your Secure Privacy account.

- Navigate to the Account page using the top navigation bar.

- Select the Integrations tab — this lists all CMS platforms currently supported for Secure Privacy integration.

Step 2: Select Your CMS Platform
Choose your platform from the list below and follow the platform-specific installation guide. You can also click Read support article next to your CMS within the Integrations tab to access the same guide directly from your dashboard.
- Install Secure Privacy on Weebly

- Integrate Secure Privacy with HubSpot

- Install Secure Privacy with Google Tag Manager (GTM)

- Install Secure Privacy on Wix

- Install Secure Privacy on Shopify

- Install Secure Privacy on Squarespace

- Install Secure Privacy on WordPress

- Install Secure Privacy on Joomla

- Install Secure Privacy on Magento

- Install Secure Privacy with Adobe Dynamic Tag Manager

- Install Secure Privacy on Drupal

- Set Up and Verify Google Consent Mode with Secure Privacy

Step 3: Follow the Platform-Specific Installation Guide
- Click your platform's link from the list above — or select Read support article next to your CMS in the Integrations tab.

- Follow the step-by-step installation and configuration instructions, including any platform-specific requirements for embedding the Secure Privacy script and verifying the installation.

- After installation, navigate to the Scan Report tab in your Secure Privacy dashboard and click Rescan Website to confirm the script is detected and your cookie compliance status is up to date.

Frequently Asked Questions
What if my CMS is not listed in the Integrations tab?
If your platform is not listed, you can still install Secure Privacy manually by placing the installation script in the <head> section of your website's HTML. See the Secure Privacy Setup and Installation Checklist for the general installation steps applicable to any platform.
Do I need a separate installation for each domain?
Yes. Each domain requires its own Secure Privacy script and configuration. Repeat the integration steps for each domain in your account. If you manage multiple domains, the installation script for each can be found under Domain > Installation in your dashboard.
How do I verify the integration is working after installation?
After installing the Secure Privacy script, visit your website and check that the cookie consent banner appears. Then navigate to Scan Report > Rescan Website in your Secure Privacy dashboard to confirm the script is detected on your domain. You can also use your browser's developer tools to check that the Secure Privacy script is loading in the page source.
See Also
- Secure Privacy Setup and Installation Checklist

- Implementing Google Consent Mode Advanced Using GTM

- Secure Privacy Pricing Plans Overview

---

# How to Integrate Secure Privacy Cookie Consent with Tealium iQ Tag Management

URL: https://support.secureprivacy.ai/article/integration-secure-privacy-with-tealium
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T01:20:55.055+00:00
Reading Time: 2 minutes
Summary: Step-by-step guide to integrating the Secure Privacy cookie consent banner with Tealium iQ Tag Management for centralized, GDPR-compliant cookie control across all environments.

Who is this for? This guide is for web developers, tag managers, and marketing teams who use Tealium iQ Tag Management and need to implement a GDPR-compliant cookie consent banner via Secure Privacy.

  

  This guide explains how to integrate the Secure Privacy cookie consent banner script with Tealium iQ Tag Management, enabling centralized cookie management and GDPR-compliant consent control across your website.

  Before you begin: You will need your unique Secure Privacy installation script. Log in to your Secure Privacy account at secureprivacy.ai and copy the script from the Domains → Installation page.

  
    How to Add the Secure Privacy Cookie Consent Script in Tealium iQ

    Follow these steps to deploy the Secure Privacy cookie consent banner as an Advanced JavaScript Code extension in Tealium iQ Tag Management:

    
      - 
        In the Tealium iQ Tag Management menu, select "Extensions."

        
      

      - 
        Click "Add Extension."

        
      

      - 
        Select the "Advanced" tab and choose "Advanced JavaScript Code" as the extension type.

        
      

      - 
        Configure the extension with the following settings:

        
          - Title: Enter "Secure Privacy" as the extension name.

          - Scope: Select "Pre Loader" to ensure the Secure Privacy cookie consent script fires before any other tags or cookies load — essential for GDPR compliance.

          - Configuration: Paste your Secure Privacy installation script into the JavaScript code field.

        
        
      

      - 
        Once the script is configured, click "Approve for Publish."

        
      

      - 
        Select all environments to which the script should be deployed (e.g., dev, QA, production).

        
      

      - 
        Click "Publish" to deploy the Secure Privacy cookie consent script across all selected environments.

        
      

    

    The Secure Privacy cookie consent script is now live on your website via Tealium iQ Tag Management.

  

  
    After Installation: Rescan Your Website for Cookie Compliance

    Once the Tealium iQ integration is complete, run a new scan in your Secure Privacy account to detect all cookies on your updated website. Navigate to Report → Scan Reports in the left sidebar and click "Rescan" to keep your Cookie Declaration accurate and your site fully GDPR-compliant.

  

  
    Frequently Asked Questions

    Why must the Secure Privacy script be set to "Pre Loader" scope in Tealium iQ?

    Setting the scope to Pre Loader ensures the cookie consent banner loads before any other tags or tracking scripts fire. This is a core requirement for GDPR compliance — users must be able to give or withhold consent before any cookies are set.

    Does this integration work across all Tealium iQ environments (dev, QA, production)?

    Yes. During the publish step, you can select individual or all environments. It is recommended to deploy to all environments so cookie consent behaviour is consistent and compliant at every stage of your development workflow.

---

# How to Install Secure Privacy on HubSpot for GDPR-Compliant Cookie Consent

URL: https://support.secureprivacy.ai/article/how-to-integrate-secure-privacy-with-hubspot
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:27:02.037+00:00
Reading Time: 6 minutes
Summary: Learn how to add a GDPR-compliant cookie consent banner to your HubSpot website using Secure Privacy. Step-by-step setup in under 10 minutes — no developer needed.

If your website runs on HubSpot, you already have one of the most powerful inbound marketing platforms available — but that power comes with a privacy compliance responsibility. HubSpot loads tracking, analytics, and personalization cookies by default, and under the GDPR, placing those cookies without prior user consent can expose your organisation to significant fines.
Many HubSpot users assume the platform's built-in cookie notification handles this. It doesn't. HubSpot's native banner is a notification, not a consent gate — it doesn't block non-essential cookies before consent is given, doesn't maintain a granular audit log, and doesn't meet the legal standard required by GDPR or ePrivacy. Free generic scripts often have the same gap, and coding a compliant solution from scratch requires ongoing maintenance every time HubSpot updates its cookie behaviour.
Secure Privacy is a dedicated cookie consent management platform built specifically to close this gap. It integrates with HubSpot in under 10 minutes — no developer required — and handles prior blocking, consent categorisation, audit logging, and multi-language banners automatically.
By the end of this guide you will have a fully GDPR-compliant cookie consent banner live on your HubSpot website, with documented consent records and visitor-facing preference controls that satisfy EU and international privacy law.
In this guide:
- Who Is This For

- Prerequisites

- GDPR Cookie Consent Requirements for HubSpot Websites

- Installing Secure Privacy on HubSpot

- After Installation

- Troubleshooting

- Frequently Asked Questions

Who Is This For?
This guide is for:
- HubSpot website owners and marketers who need to add a GDPR-compliant cookie consent banner without touching code.

- Web and marketing agencies managing HubSpot sites on behalf of EU-facing clients.

- Compliance and legal teams verifying that their HubSpot property meets GDPR and ePrivacy Directive requirements.

Prerequisites
- An active HubSpot account with permission to edit website settings.

- A Secure Privacy account with at least one domain configured.

- Your Secure Privacy installation script (available during onboarding or under Domains → Installation in your Secure Privacy dashboard).

GDPR Cookie Consent Requirements for HubSpot Websites
Obtaining proper cookie consent is a fundamental legal requirement under the GDPR and the ePrivacy Directive. To be legally valid, cookie consent collected on your HubSpot website must be:
- Obtained before cookies are set — Consent must be captured before any non-essential cookies are placed on the visitor's browser. Strictly necessary cookies are exempt from this rule.

- Informed and specific — Visitors must receive clear, specific information about what they are consenting to before consent is recorded — vague or bundled consent is not valid.

- Withdrawable — Visitors must be able to access their cookie preferences at any time and change or withdraw consent as easily as they originally gave it.

- Documented — Proof of consent must be recorded and stored, including the date, time, and nature of each visitor's decision, so it can be produced in the event of an audit.

Installing Secure Privacy on Your HubSpot Website
Follow these five steps to add the Secure Privacy cookie consent banner script to your HubSpot website. The process takes approximately 5–10 minutes and requires no coding.
Step 1 — Get Your Secure Privacy Installation Script
Obtain your Secure Privacy installation script. You can find it during the Secure Privacy onboarding walkthrough or in your account under Domains → Installation. Copy the full script to your clipboard.
Step 2 — Log In to HubSpot and Open Settings
Log in to your HubSpot account and navigate to Settings (the gear icon in the top navigation bar).
Step 3 — Paste the Script into the Head HTML Field
In the left sidebar, scroll to the Advanced section. Locate Additional code snippets and paste your Secure Privacy script into the Head HTML field.
HubSpot Settings → Advanced → Additional code snippets — paste the Secure Privacy script into the Head HTML field.
Step 4 — Confirm Auto-Save
Your changes will be saved automatically — there is no separate save button required in this section of HubSpot settings.
Step 5 — Publish Your Website
Publish your HubSpot website to make the Secure Privacy cookie consent banner live for all visitors. Once published, the banner will appear on page load and begin blocking non-essential cookies until consent is given.
After Installation — What to Expect
Once the script is live, Secure Privacy will automatically:
- Scan your HubSpot pages for cookies and trackers.

- Display a consent banner to new visitors before any non-essential cookies are set.

- Record and store timestamped consent logs for audit purposes.

- Provide returning visitors with a preference centre to update or withdraw consent at any time.

To verify the installation, open your HubSpot website in a private/incognito browser window — the Secure Privacy cookie consent banner should appear immediately on page load.
Troubleshooting
HubSpot's Essential Cookies
HubSpot injects certain cookies into its web pages that are required for core website functionality. These cookies cannot be blocked by any consent management solution. To handle them correctly, assign them to the Essential category inside the Secure Privacy admin dashboard — this exempts them from the consent requirement in line with GDPR's strictly necessary cookie exception.
Banner Not Appearing After Publishing
If the cookie consent banner does not appear after you publish, check the following:
- Confirm the script is pasted in the Head HTML field (not Footer HTML).

- Ensure the correct domain is configured and active in your Secure Privacy account under Domains → Installation.

- Clear your browser cache and test in a private/incognito window, as your own consent may have already been recorded.

Frequently Asked Questions
Does my HubSpot website need a cookie consent banner?
Yes — if your HubSpot website is accessible to visitors in the EU or other regions covered by privacy law (GDPR, ePrivacy, CCPA, etc.), you are legally required to obtain valid cookie consent before placing non-essential cookies. HubSpot itself sets several tracking and analytics cookies that fall outside the "strictly necessary" exemption and therefore require explicit user consent.
Is HubSpot's built-in cookie banner GDPR compliant?
HubSpot includes a basic cookie notification, but it does not meet all GDPR requirements — particularly prior blocking of non-essential cookies, granular consent categories, and auditable consent logs. A dedicated consent management platform like Secure Privacy is required to fully satisfy GDPR and ePrivacy obligations.
How do I add a GDPR cookie banner to HubSpot?
The fastest method is to paste a cookie consent script into the Head HTML field inside HubSpot's Settings → Advanced → Additional code snippets. Secure Privacy provides this script during onboarding, and the full installation takes under 10 minutes with no coding required.
Will Secure Privacy block HubSpot's essential cookies?
No. HubSpot injects certain cookies that are required for core website functionality and cannot be blocked. You can manage these correctly by assigning them to the Essential category inside the Secure Privacy admin dashboard, which exempts them from the consent requirement in line with GDPR rules.
Do I need a developer to install Secure Privacy on HubSpot?
No. The entire installation is a copy-and-paste action inside HubSpot account settings. It takes approximately 5–10 minutes and requires no coding knowledge or developer access.
Related Articles
- Secure Privacy Onboarding Walkthrough — Getting Your Installation Script

- Secure Privacy Support Centre — All Integration Guides

---

# How to Set Up SSO with Microsoft Entra ID (Azure AD) in Secure Privacy

URL: https://support.secureprivacy.ai/article/single-signon-sso-configuration-integration-with-microsoft-entra-id
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:52:49.847+00:00
Reading Time: 7 minutes
Summary: Connect Microsoft Entra ID (Azure AD) to Secure Privacy in 5 steps. Centralize user login, eliminate separate passwords, and manage access from one place.

Managing user access to a consent management platform shouldn't mean handing out yet another set of credentials. When your team grows — or when an employee leaves — manually updating logins in every tool creates real security and compliance risk. Juggling separate passwords for your privacy platform is friction your IT and compliance teams don't need.
Many organizations try to solve this with shared accounts or manual offboarding checklists, but both approaches are error-prone and fail even basic access-control audits. A proper Single Sign-On (SSO) integration is the right fix — and if your organization already uses Microsoft Entra ID (formerly Azure Active Directory), you're minutes away from a clean solution.
Secure Privacy natively supports Microsoft Entra ID SSO. Once connected, every user in your Azure AD tenant can log in to Secure Privacy with their existing Microsoft credentials — no separate password, no manual provisioning, and instant access revocation the moment you disable an account in Azure.
By the end of this guide you will have a fully working Microsoft Entra ID SSO integration with Secure Privacy: your Tenant ID, App Registration, API permissions, and client secret all wired up so your team can sign in via the Microsoft login button on their very next visit.
Who Is This Guide For?
This article is written for IT administrators and compliance managers who:
- Manage their organization's Microsoft Entra ID (Azure AD) tenant

- Have an active Secure Privacy account with administrator access

- Want to centralize authentication so team members use their Microsoft credentials to access Secure Privacy

Prerequisites
- An active Microsoft Entra ID (Azure AD) tenant

- An Azure account with permission to create App Registrations and grant Admin consent (typically a Global Administrator or Application Administrator role)

- An active Secure Privacy account with admin rights to access SSO settings

- All Secure Privacy user email addresses must match the User Principal Name (UPN) format in your Azure tenant (no EXT guest accounts)

Step 1 — Locate Your Tenant ID in Azure
Your Tenant ID identifies your organization's Microsoft Entra ID directory. Secure Privacy needs it to know which Azure AD tenant to authenticate against.
- From the Azure Home page, use the search bar to find "Microsoft Entra ID" and navigate to it.

Search for "Microsoft Entra ID" from the Azure Home page.
- On the Microsoft Entra ID overview page, locate your Tenant ID and copy it.

- Paste the Tenant ID into the SSO settings page of your Secure Privacy account.

Copy the Tenant ID from the Microsoft Entra ID overview page.
Step 2 — Create an Enterprise App Registration in Microsoft Entra ID
An App Registration tells Azure AD that Secure Privacy is an authorized application allowed to authenticate your users.
- From the Azure Home page, search for "Microsoft Entra ID", then click "Add" → "App registration."

Select "App registration" from the Add menu in Microsoft Entra ID.
- In the setup wizard, enter a name for your SSO application (this can be changed later).

- Select the appropriate account type as shown below:

Choose the supported account type for your Secure Privacy SSO app registration.
- Once created, you will be redirected to the application's overview page. Locate your Application (client) ID.

Copy the Application (client) ID from the App Registration overview.
- Copy the Application (client) ID and paste it into the SSO settings page in your Secure Privacy account.

Paste the Application (client) ID into Secure Privacy's SSO settings.
Step 3 — Configure Microsoft Graph API Permissions
Secure Privacy requires specific Microsoft Graph API permissions to read user identities during the SSO login flow. This step also covers the redirect URI and email format requirements.
Grant the Required API Permissions
Navigate to the API Permissions page of your SSO application and confirm the following permissions are granted to Microsoft Graph:
Delegated permissions:
- email

- openid

- profile

Application permissions:
- User.Read.All

Confirm all four required Microsoft Graph API permissions are listed.
Grant Admin Consent for All Permissions
Ensure that all configured permissions have been granted with Admin consent:
All permissions must show Admin consent granted before SSO will work.
Note: If you cannot grant Admin consent yourself, ask your organization's Global Administrator to approve the permissions.
Verify the User Principal Name (UPN) Email Format
The email address stored in Secure Privacy for each user must exactly match their User Principal Name (UPN) in Azure. This applies to the admin configuring SSO and to every user added on the Users page.
Important: Email addresses containing "EXT" (external/guest accounts) are not supported and will prevent login.
Confirm each user's UPN in Azure matches the email stored in Secure Privacy.
Set the Redirect URI on the Authentication Page
On the Authentication page of your Azure App Registration:
- Select "Web" as the platform.

- Add https://cmp.secureprivacy.ai/ as the Redirect URI.

Add https://cmp.secureprivacy.ai/ as the redirect URI under the Web platform.
Step 4 — Create a Client Secret for the SSO Application
The client secret is the credential Secure Privacy uses to authenticate with your Azure App Registration. Copy it immediately — Azure only shows the value once.
- In App Registrations, select your SSO application.

- Navigate to "Certificates & secrets" and click "+ New client secret."

- Immediately copy the "Value" of the newly created client secret — this value is only visible once.

Copy the client secret Value immediately — it won't be shown again after you leave this page.
- Paste the client secret value into the "Client secret" field in your Secure Privacy SSO settings.

Paste the client secret value into the corresponding field in Secure Privacy's SSO settings.
Step 5 — Add Users and Enable Microsoft SSO Login in Secure Privacy
Your SSO configuration is complete. The final step is adding your Azure organization's users in Secure Privacy so they can log in with their Microsoft accounts.
Add users via the Users page in Secure Privacy, using their Azure User Principal Name as their email address:
Add Azure users to Secure Privacy via the Users page using their UPN email addresses.
Once added, your Azure users can log in to Secure Privacy using their Microsoft account — no separate Secure Privacy password required.
Users will see a "Sign in with Microsoft" option on the Secure Privacy login page.
What Happens After SSO Is Enabled
Once the integration is live, user access is managed entirely from your Azure tenant. Disable or remove a user in Microsoft Entra ID and their Secure Privacy access is revoked automatically on their next login attempt — no separate offboarding step required in Secure Privacy.
If your organization's SSO configuration changes (for example, a client secret expires or you rotate credentials), simply generate a new client secret in Azure and update the value in Secure Privacy's SSO settings page.
Troubleshooting Microsoft Entra ID SSO in Secure Privacy
Users receive a login error after SSO is configured
Check the following in order:
- The user's email in Secure Privacy exactly matches their User Principal Name (UPN) in Azure — including letter case.

- The email address does not contain EXT. External/guest Azure accounts are not supported.

- All four Microsoft Graph API permissions are present and have been granted Admin consent (look for a green tick in the Azure API Permissions page).

- The redirect URI https://cmp.secureprivacy.ai/ is saved on the Authentication page with Web selected as the platform.

The client secret value is no longer available
If you navigate away from the Certificates & secrets page before copying the value, the secret cannot be recovered. Delete the old secret and create a new one, then update the Client secret field in Secure Privacy's SSO settings immediately.
Admin consent cannot be granted
Only users with the Global Administrator or Privileged Role Administrator role in Azure can grant tenant-wide Admin consent. Contact your IT department or Azure tenant admin and share the API Permissions page URL with them.
Frequently Asked Questions
Does Secure Privacy support Single Sign-On (SSO)?
Yes. Secure Privacy supports SSO via Microsoft Entra ID (formerly Azure Active Directory). Once configured, your team logs in with their existing Microsoft credentials — no separate Secure Privacy password is needed.
What is Microsoft Entra ID and how is it different from Azure Active Directory?
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD) following Microsoft's 2023 rebrand. The underlying identity platform and SSO integration process are identical — if your organization already has an Azure AD tenant, you already have Microsoft Entra ID.
Do I need a Global Admin to set up SSO with Microsoft Entra ID?
You need an account with permission to create App Registrations and grant tenant-wide Admin consent. If you can't grant Admin consent yourself, ask your organization's Global Administrator to approve the Microsoft Graph API permissions.
What Microsoft Graph API permissions does Secure Privacy SSO require?
Three delegated permissions — email, openid, and profile — plus one application permission: User.Read.All. All four must be granted Admin consent in the Azure portal.
What redirect URI should I use for Secure Privacy SSO?
Add https://cmp.secureprivacy.ai/ as a redirect URI on the Authentication page of your Azure App Registration, with Web selected as the platform type.
Why can't my users log in to Secure Privacy after SSO is set up?
The most common causes are a mismatch between the user's email in Secure Privacy and their Azure UPN, an email address containing EXT (guest accounts are unsupported), missing Admin consent on API permissions, or a missing redirect URI. See the Troubleshooting section above for a step-by-step resolution checklist.
Related Articles
- Managing Users and Roles in Secure Privacy

- Account Security Settings Overview

- Using the Secure Privacy Audit Log

---

# How to Anonymize Visitor IP Addresses for GDPR Compliance in Secure Privacy

URL: https://support.secureprivacy.ai/article/anonymize-visitors-ip-addresses
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T00:19:41.562+00:00
Reading Time: 5 minutes
Summary: Learn how to configure IP address anonymization in Secure Privacy to meet GDPR data minimization rules. Choose your masking level and apply it account-wide in two steps.

Under the GDPR, an IP address is considered personal data — which means every visit to your website quietly creates a compliance liability if those addresses are stored in full. Many organizations discover this only after an audit, scrambling to retrofit privacy controls onto analytics pipelines and log files that were never designed with data minimization in mind. Generic workarounds — disabling logging entirely, manually scrubbing databases, or relying on each third-party tool to handle it separately — are time-consuming, error-prone, and hard to document for regulators.
Secure Privacy solves this at the account level. Its built-in IP address anonymization feature lets you mask visitor IP data at a configurable byte depth before it is ever stored — giving you a single, auditable control point that applies across your entire account, not just one tool or one page.
By the end of this guide you will have selected the right masking level for your compliance needs, saved it account-wide, and understood exactly what each setting does to your visitors' data.
Who Is This For?
This article is for website owners, privacy officers, and developers who need to bring their site into GDPR compliance by anonymizing visitor IP addresses — and who manage that site through a Secure Privacy account.
Prerequisites
- An active Secure Privacy account with admin or account-owner permissions

- Access to the Account section in the Secure Privacy dashboard

Configuring GDPR-Compliant IP Address Anonymization
Step 1 — Log In and Open the Anonymize Data Settings
- Log in to your Secure Privacy account using your credentials.

- Navigate to the "Account" page using the top navigation bar.

- Select the "Anonymize Data" tab from the left-side menu. This tab contains all settings related to visitor IP address anonymization.

The Anonymize Data tab inside the Secure Privacy Account settings.
Step 2 — Choose Your IP Address Masking Level
Under "Anonymize Visitor IP Addresses", select the masking depth that matches your compliance requirements:
Without a mask
No masking is applied. Full IP addresses are stored as-is. Not recommended for GDPR compliance.
1 byte
 The last octet is masked.
Example: 192.168.100.xxx
2 bytes (Recommended)
 The last two octets are masked.
Example: 192.168.xxx.xxx
This option balances GDPR data-minimization requirements with reasonable geolocation accuracy for analytics.
3 bytes
 The last three octets are masked.
Example: 192.xxx.xxx.xxx
Fully mask IP address
 The entire IP address is masked. Maximum privacy protection; no geolocation data will be available.
- Select your preferred masking level.

- Click "Save" to apply the setting account-wide.

How IP Address Anonymization Works
When IP anonymization is enabled, Secure Privacy masks the configured number of trailing bytes in each visitor's IP address before the data is stored. This means a full, identifiable IP address never reaches your logs or analytics — satisfying the GDPR's data minimization and purpose limitation principles without requiring changes to your existing tracking setup.
Note: Selecting a higher masking level (2 bytes or more) reduces geolocation accuracy, because less of the IP address is available for location lookups. For most GDPR use cases, 2-byte masking provides the best balance between compliance and analytics utility.
What Happens After You Save
Your chosen masking level is applied immediately and account-wide. All subsequent visitor sessions will have their IP addresses stored only up to the depth you selected. Previously recorded full IP addresses are not retroactively modified — if you need historical data scrubbing, contact Secure Privacy support.
You can return to the Anonymize Data tab at any time to adjust the masking level as your compliance requirements evolve.
Troubleshooting
I can't see the "Anonymize Data" tab.
 This tab is visible only to users with admin or account-owner permissions. Ask your account owner to grant you the appropriate role, or ask them to configure the setting on your behalf.
The "Save" button is greyed out.
 Make sure you have selected a masking option that differs from the currently active setting. If the issue persists, try refreshing the page and repeating the steps.
Geolocation data disappeared after enabling anonymization.
 Higher masking levels (3 bytes or full mask) remove enough IP information to prevent accurate geolocation. Switch to 2-byte masking to restore country- or region-level accuracy while remaining GDPR-compliant.
Frequently Asked Questions
Is an IP address considered personal data under GDPR?
Yes. The GDPR treats IP addresses as personal data when they can — even indirectly — be used to identify a natural person. This means collecting or storing full IP addresses without a lawful basis or appropriate safeguards creates a compliance risk. Anonymizing IP addresses before storage is one of the most straightforward ways to reduce that risk.
Does GDPR require me to anonymize visitor IP addresses?
The GDPR does not mandate a specific technical method, but it requires data minimization — you should only collect personal data that is necessary for your stated purpose. Anonymizing or pseudonymizing IP addresses is a widely recognized best practice to satisfy this requirement and reduce the scope of your GDPR obligations.
What is the best IP masking level for GDPR compliance?
For most websites, 2-byte masking (e.g. 192.168.xxx.xxx) is recommended. It removes enough of the IP address to make individual identification impractical while preserving country- and region-level geolocation for analytics. If your use case has no need for any geolocation data, a 3-byte or full mask offers the strongest privacy protection.
Does IP anonymization in Secure Privacy apply to all my websites?
Yes. The IP anonymization setting in Secure Privacy is configured at the account level, so it applies automatically to all websites and properties connected to that account. You do not need to configure it separately for each site.
Will enabling IP anonymization affect my analytics or reporting?
It depends on the masking level you choose. A 1-byte mask has minimal impact on analytics. A 2-byte mask may slightly reduce the precision of city-level geolocation but leaves country and region data intact. A full mask removes all IP-based location data. Choose the level that matches your balance of privacy and analytics requirements.
Related Articles
- How to Set Up a GDPR Cookie Consent Banner with Secure Privacy

- Configuring Data Retention Periods for GDPR Compliance

- GDPR Compliance Checklist for Website Owners

- How to Access and Export Your Consent Audit Log

---

# How to Install Secure Privacy on Your Drupal Website: Step-by-Step Guide

URL: https://support.secureprivacy.ai/article/cmp-v1-secure-privacy-installation-guide-for-drupal--stepbystep
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T21:32:27.99+00:00
Reading Time: 2 minutes
Summary: [CMP v1] Learn how to install Secure Privacy on your Drupal website using the Header and Footer Scripts module with easy-to-follow steps and screenshots.

Drupal is a powerful open-source digital experience management system used by over 1 million contributors worldwide to deliver personalized web content at scale. This guide explains how to install the Secure Privacy cookie consent script on a Drupal 8 or 9 website using the Header and Footer Scripts module.
Before you begin: You will need your unique Secure Privacy installation script. Log in to your Secure Privacy account at secureprivacy.ai and copy the script from the Domains → Installation page.
Who Is This Guide For?
- Website administrators managing Drupal 8.x or 9.x websites

- Developers integrating Secure Privacy with a Drupal-powered website

In this guide:
- Step 1: Install the Header and Footer Scripts Module

- Step 2: Add the Secure Privacy Script via the Module

- Common Issues and Fixes

- See Also

Step 1: Install the Header and Footer Scripts Module in Drupal
The Secure Privacy integration for Drupal 8/9 uses the Header and Footer Scripts module. Download it here: Header and Footer Scripts Drupal Module.
If you are already experienced with installing Drupal modules, skip directly to Step 2.
Download the Module
- Navigate to the "Downloads" section on the module page.

- Copy the URL for the latest Drupal release. It will look similar to:
https://ftp.drupal.org/files/projects/header_and_footer_scripts-3.0.0.tar.gz

Install and Enable the Module in Drupal 8/9
- In your Drupal admin dashboard, navigate to Manage → Extend and click "Add new module."

- Paste the copied module URL into the "Install from a URL" field and click "Continue."

- Once uploaded, locate "Header and Footer Scripts" in the Extend module list.

- Check the checkbox next to "Header and Footer Scripts" and click "Install" to enable the module.

Step 2: Add the Secure Privacy Script Using the Header and Footer Scripts Module
- In your Drupal admin dashboard, navigate to Configuration → Header and Footer Scripts.

- Paste your Secure Privacy installation script into the "Header Scripts" field to ensure it loads before any non-essential cookies are set.

- Click "Save configuration" to apply the changes.

The Secure Privacy cookie consent script is now installed on your Drupal website. Your site is ready to manage user consent and GDPR compliance via Secure Privacy.
Common Issues and Fixes
Where do I find my Secure Privacy installation code?
Log in to your Secure Privacy account and navigate to Domains → Installation. Your unique script code is displayed and available to copy from this page.
I don't see "Header and Footer Scripts" in Drupal's Extend menu.
Ensure you uploaded the module correctly using the "Add new module" option and the latest module URL from Drupal.org. After uploading, the module must be enabled by checking its checkbox in the Extend list and clicking "Install."
My Secure Privacy consent banner is not showing after installation.
Clear your Drupal cache and refresh your website. Also confirm the script is correctly pasted in the "Header Scripts" field under Configuration → Header and Footer Scripts — not the Footer Scripts field.
See Also
- Using Secure Privacy With Drupal

- Using Secure Privacy with Drupal (Module Approach)

- How to Add Custom CSS for Improved Design and Branding

- Create and Customize Privacy Policies

---

# How to Transfer Secure Privacy Account Ownership to Another Admin

URL: https://support.secureprivacy.ai/article/transfer-account-ownership
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-26T00:28:47.617+00:00
Reading Time: 5 minutes
Summary: Learn how to transfer your Secure Privacy account ownership to a verified admin. Step-by-step guide covering settings, eligibility, and what happens after the transfer.

When team structures change — a new compliance lead takes over, a contractor hands back the reins, or your organization restructures — you need a clean, reliable way to transfer account ownership without disrupting your live cookie consent banners or privacy settings. Manually recreating an account from scratch or sharing login credentials are messy workarounds that create security gaps and accountability headaches.
Secure Privacy solves this with a dedicated Account Transfer feature. As the current account owner, you can hand full control to any verified admin on your account in just a few clicks — no data loss, no downtime, and with email confirmation sent to both parties so there's a clear record of the handover.
By the end of this guide, you will have successfully transferred your Secure Privacy account ownership to a new account holder, with both parties notified and full administrative control in place.
Who Is This Guide For?
This article is for the current account owner of a Secure Privacy account who needs to:
- Change the primary account holder — for example, after a staff change or role reassignment

- Transfer account responsibility to a colleague, partner, or client

- Hand over billing and privacy management to a new team member within your organization

Note: Only the current account owner can initiate a transfer. Admins and other user roles will not see the Account Transfer option.
Before You Begin
- You are logged in as the current account owner

- The intended new owner has already been added to the account as an admin

- The new admin has verified their Secure Privacy account via email — unverified users will not appear in the transfer dropdown

Step 1 — Log In as Account Owner and Open Account Settings
Log in to your Secure Privacy account using the credentials of the current account owner. Once logged in, navigate to the Account page from the top navigation bar.
Step 2 — Locate the Account Transfer Section
On the Account Settings page, scroll down until you reach the Account Transfer section.
The Account Transfer section in Secure Privacy Account Settings — visible to the account owner only.
Step 3 — Select the New Account Owner and Confirm the Transfer
In the Account Owner dropdown menu, select the verified admin you want to transfer ownership to. Only users who have been added as an admin and have verified their account will appear in this list.
Once you have selected the new owner, click the Transfer button to initiate the ownership transfer. Both the current and new account owners will receive email notifications confirming the outcome of the transfer.
Important Considerations Before You Transfer
- The transfer process may take some time depending on the size and complexity of your account.

- The new account owner will assume full control and responsibility for the account, including privacy settings, account management, and billing decisions.

- Only the current account owner can initiate a transfer — use this feature in accordance with your organization's internal policies.

- Ensure you fully trust the new owner and have verified their identity and credentials before proceeding.

What Happens After the Transfer?
Once the transfer is confirmed:
- The new owner receives full administrative access, including the ability to manage domains, cookie consent configurations, billing, and team members.

- The previous account owner is automatically downgraded to an admin role — they retain access to the account but no longer hold owner-level permissions.

- Both parties receive a confirmation email as a record of the handover.

Troubleshooting: Common Account Transfer Issues
The new admin does not appear in the dropdown
The intended owner must be added to the account as an admin and must have completed email verification. Ask them to check their inbox for the Secure Privacy verification email and complete the process before you retry.
The Account Transfer section is not visible
Only the current account owner can see and use this feature. If you do not see it, you are likely logged in as an admin rather than the account owner. Log out and log back in with the owner's credentials.
The transfer is taking longer than expected
Large or complex accounts may take a few minutes to complete the handover. Wait for the confirmation email before assuming there is an issue. If neither party receives confirmation within 15 minutes, contact support.
Frequently Asked Questions
Can I transfer my Secure Privacy account to someone who is not yet an admin?
No. The new owner must first be added to your account as an admin and must have verified their account before they can be selected in the Account Transfer dropdown. Add them via your team settings and ask them to complete email verification, then return to the Account Transfer section.
What happens to the old account owner after the transfer?
After the transfer is complete, the previous account owner is automatically reassigned to an admin role. They retain access to the account and its settings but no longer hold owner-level permissions such as initiating further ownership transfers or managing billing at the owner level.
Will transferring account ownership affect my live cookie consent banners?
No. The Account Transfer process only changes who holds administrative ownership of the account. All existing cookie consent configurations, domains, and privacy settings remain intact and continue to function without interruption during and after the transfer.
Can an account transfer be reversed or undone?
Yes — but only the new account owner can initiate a reverse transfer, since they now hold owner-level permissions. If you need to reverse a transfer, the new owner can follow the same steps above and re-assign ownership back to the original owner, provided the original owner is still a verified admin on the account.
Need Further Help?
If you encounter any issues during the account ownership transfer or have questions about managing your Secure Privacy account, reach out to the support team at support@secureprivacy.ai.
Related Articles
- How to Add and Manage Admin Users in Secure Privacy

- Understanding Secure Privacy User Roles and Permissions

- How to Update Account Billing Information

---

# How to Add a Cookie Consent Banner to WordPress + Elementor (Secure Privacy Setup Guide)

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-on-elementor-cloud-wordpress-preinstalled
Product: Consent Management
Category: Integrations
Published: 2026-03-06T07:13:00+00:00
Updated: 2026-03-25T23:22:53.54+00:00
Reading Time: 6 minutes
Summary: Add a GDPR-compliant cookie consent banner to your WordPress Elementor site in minutes. Secure Privacy blocks all tracking scripts before consent — no coding needed.

If your WordPress website uses cookies — and almost every site does, thanks to analytics tools, contact forms, and embedded media — EU law requires you to ask visitors for their consent before those cookies are set. Failing to do so exposes your business to GDPR, ePrivacy, and CCPA penalties that can reach into the tens of thousands of euros.
The usual answers are frustrating. Generic WordPress cookie consent plugins flood your dashboard with settings you don't understand, produce banners that block your entire page, or quietly stop blocking third-party scripts the moment a visitor clicks "Decline." Hosted consent management platforms can cost hundreds of dollars a year and still require a developer to wire them up properly.
Secure Privacy is different. It automatically scans your site for cookies, categorises them, generates a legally compliant cookie declaration, and blocks all tracking scripts until a visitor gives explicit consent — all through a single lightweight script added to your website header. No coding, no bloated plugin, no ongoing maintenance headaches.
This guide walks you through installing the Secure Privacy cookie consent script on a WordPress website built with Elementor — the world's most popular drag-and-drop page builder — using the free Insert Headers and Footers plugin. The whole process takes under five minutes, and by the end your site will block cookies before consent, display a fully branded GDPR-compliant consent banner, and stay audit-ready automatically.
Who Is This Guide For?
- WordPress site owners using Elementor or Elementor Cloud

- Businesses that need GDPR, ePrivacy, or CCPA cookie compliance without hiring a developer

- Anyone who has tried a basic cookie banner plugin and found it inadequate for true script-blocking compliance

- New Secure Privacy customers completing their initial setup

Before You Begin: Prerequisites
- A Secure Privacy account and installation script. Log in at secureprivacy.ai, navigate to Domains → Installation, and copy your unique Secure Privacy script snippet. Keep this tab open — you'll paste the script during Step 4 below.

- Admin access to your WordPress dashboard. You'll need permission to install plugins and modify site-wide settings.

- An Elementor or Elementor Cloud website. These steps work for both self-hosted WordPress + Elementor and Elementor Cloud.

Installing Secure Privacy on Your WordPress Elementor Website
Step 1 — Log in to your Elementor account
Go to my.elementor.com and sign in with your Elementor credentials.
Log in to your Elementor Cloud account at my.elementor.com.
Step 2 — Open the WordPress administration panel
Once logged in, click the Edit Website button to switch to your site's WordPress admin dashboard.
Step 3 — Install the "Insert Headers and Footers" plugin
In the WordPress left sidebar, go to Plugins → Add New. Search for Insert Headers and Footers (free, by WPBeginner), install it, and activate it. This plugin lets you add scripts — including your Secure Privacy cookie consent code — directly to your site's <head> without editing theme files.
Search for "Insert Headers and Footers" in the WordPress Plugin Directory and click Install Now.
Step 4 — Paste your Secure Privacy script into the header
Navigate to Settings → Insert Headers and Footers. In the Scripts in Header field, paste your Secure Privacy installation script on the very first line, above any other code that may already be there. Placing the script at the top of the <head> ensures Secure Privacy loads before any other cookies or tracking scripts — blocking them until the visitor gives explicit consent.
Paste the Secure Privacy script at the very top of the "Scripts in Header" field.
Step 5 — Save the changes
Scroll to the bottom of the page and click Save. Your Secure Privacy cookie consent banner is now live on your WordPress Elementor website.
After Installation: Rescan Your Website to Keep Your Cookie Declaration Current
With the script in place, run a fresh cookie scan so your Secure Privacy dashboard reflects the current state of your site. In your Secure Privacy account, go to Report → Scan Reports in the left sidebar and click Rescan. This keeps your Cookie Declaration accurate, up to date, and legally defensible — an important step before sharing your privacy policy or cookie notice with visitors.
Troubleshooting: Cookie Consent Banner Not Showing?
If your consent banner does not appear after saving, work through these checks:
- Script position: Confirm the Secure Privacy snippet is on the first line of the Scripts in Header field with no blank lines before it.

- Browser cache: Clear your browser cache and cookies, then reload the page in a private/incognito window to simulate a first-time visitor.

- Plugin conflicts: Temporarily deactivate other caching or optimisation plugins (e.g., WP Rocket, W3 Total Cache) and check whether the banner appears. Re-enable them one at a time to identify a conflict.

- Domain mismatch: Verify that the domain registered in your Secure Privacy account matches the domain you are testing. The script is domain-specific.

- Script copied incorrectly: Return to Domains → Installation in your Secure Privacy account, copy the script again in full, and replace the existing entry in the header field.

Frequently Asked Questions
Do I need a cookie consent banner on my WordPress website?
Yes — if your website uses any cookies that track or identify visitors (analytics, advertising, embedded video, social share buttons, etc.) and you have visitors from the EU, UK, California, or other regulated jurisdictions, you are legally required to obtain informed consent before those cookies are set. A cookie banner alone is not enough; the underlying scripts must also be blocked until consent is given. Secure Privacy handles both requirements automatically.
Does Secure Privacy work with Elementor and Elementor Cloud?
Yes. Because Secure Privacy runs as a header script — independent of any page builder — it works seamlessly with Elementor, Elementor Cloud, and all Elementor-powered WordPress themes. No additional configuration inside Elementor is required.
Will Secure Privacy block Elementor's own scripts before consent?
Secure Privacy uses a whitelist/category approach. Core functional scripts required for your site to operate — including essential Elementor scripts — can be categorised as "Necessary" and will always run. Only scripts that fall under Analytics, Marketing, or Preferences categories will be blocked until the visitor grants consent for those categories.
Can I add the Secure Privacy script to WordPress without a plugin?
Yes. If you prefer not to use a plugin, you can add the script directly to your active theme's functions.php file using wp_enqueue_script() with a high priority, or via a child theme's header template. The plugin method described in this guide is recommended for non-developers because it requires no code editing and survives theme updates.
How is Secure Privacy different from a standard WordPress cookie consent plugin?
Most WordPress cookie plugins display a banner but do not actually block third-party tracking scripts before consent — which means they do not make your site compliant with GDPR's "prior consent" requirement. Secure Privacy automatically scans your site to detect all cookies and trackers, blocks them at the script level before consent is obtained, generates a legally required cookie declaration, and logs consent records for audit purposes.
Do I need to rescan my WordPress site after every update?
It is good practice to rescan whenever you add a new plugin, change your theme, or add new third-party integrations (e.g., a new analytics tool or live chat widget). Secure Privacy also supports scheduled automatic rescans so your cookie declaration stays current without manual intervention.
Related Articles
- How to Install Secure Privacy on WordPress (All Themes)[?]

- Adding Cookie Consent to a WooCommerce Store[?]

- Running Your First Cookie Scan in Secure Privacy[?]

- GDPR Website Compliance Checklist for Small Businesses

- How Secure Privacy Records and Stores Consent Logs[?]

---

# How to Edit Your Account Settings in Secure Privacy — Update Company Info, Address & VAT

URL: https://support.secureprivacy.ai/article/how-to-edit-your-account-settings-in-secure-privacy
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T01:04:26.971+00:00
Reading Time: 4 minutes
Summary: Learn how to update your company name, address, language, and EU VAT number in Secure Privacy. Keep your GDPR cookie consent account accurate and compliant.

Stale or incorrect company details in your consent management platform aren't just an administrative inconvenience — they can introduce real compliance risk. Cookie consent declarations, billing records, and privacy reports all pull from your account profile. If your company name, address, or EU VAT number is out of date, you may be generating inaccurate compliance documentation without realising it.
Many teams work around this by manually editing exported reports or maintaining a separate record of "correct" details — an error-prone process that defeats the purpose of centralised privacy management. With Secure Privacy, keeping your account information accurate takes under two minutes and ensures every consent log, invoice, and compliance report reflects the right data automatically.
This guide walks you through exactly how to update your Secure Privacy account settings — including company name, billing address, preferred interface language, and EU VAT number — so your privacy management stays consistent and compliant across all your domains.
Who Is This Guide For?
This article is for Secure Privacy account owners and administrators who need to:
- Correct or update their company name, address, or contact details

- Add or change an EU VAT number for billing purposes

- Switch the account interface language

- Ensure company information is accurate across all managed domains and consent banners

Steps to Update Your Secure Privacy Account Information
Step 1 — Log In to Your Secure Privacy Account
Go to the Secure Privacy dashboard and log in using your registered email address and password.
Step 2 — Open the Account Section
Once logged in, navigate to the Account section in the main dashboard menu.
Step 3 — Click on Account Settings
Inside the Account section, click Account Settings to open your company profile and editable fields.
The Account Settings page in Secure Privacy, where you can update all company information fields.
Step 4 — Update Your Company Details
On the Account Settings page, edit any of the following fields as needed:
- Company Name: Enter or correct your company's registered name.

- Address Line 1: Provide or update the primary line of your company address.

- Address Line 2: Add a secondary address line if applicable (e.g. suite or floor number).

- City: Enter the city where your company is located.

- Country: Select your company's country from the dropdown list.

- Post Code: Enter the correct postal or ZIP code.

- Language: Choose your preferred language for the Secure Privacy account interface.

- VAT Number: Enter your EU VAT number if applicable — required for correct tax handling on invoices.

Step 5 — Save Your Changes
Once you have made all necessary updates, click the Save button to apply your new account settings. Your changes take effect immediately.
Important Notes
- Always ensure the information you provide is accurate and current — incorrect details can affect billing, compliance reporting, and your cookie consent declarations.

- If you manage multiple domains under one Secure Privacy account, keeping your account settings up to date ensures consistent and compliant privacy management across all your properties.

- Your EU VAT number is used for invoice generation. If you are based in the EU and have a valid VAT ID, entering it here may affect the tax applied to your subscription.

Frequently Asked Questions
How do I change my company name in Secure Privacy?
Log in to your Secure Privacy account, go to Account > Account Settings, update the Company Name field, and click Save. The change applies immediately across your account.
Where do I add my EU VAT number in Secure Privacy?
Your EU VAT number can be entered in the VAT Number field found under Account > Account Settings. This is used for correct tax treatment on your invoices.
Can I change the interface language in Secure Privacy?
Yes. Under Account Settings, use the Language dropdown to select your preferred language for the Secure Privacy dashboard interface, then save your changes.
Will updating my account settings affect my cookie consent banners?
Account settings such as company name and address are used in compliance records and billing, not in the consent banner itself. Banner content is managed separately under your domain or cookie settings. However, keeping account details accurate is important for audit-ready GDPR compliance documentation.
Do account setting changes apply to all my domains?
Yes. Your Secure Privacy account settings apply at the account level, meaning the company profile information is shared across all domains you manage under that account.
Related Articles
- How to Manage Users and Permissions in Secure Privacy[?]

- How to Update Your Billing Information and Subscription Plan

- How to Add a New Domain to Your Secure Privacy Account

- How to Configure Your Cookie Consent Banner

---

# How to Set Up Secure Privacy: Account Creation, Email Activation & Script Installation

URL: https://support.secureprivacy.ai/article/secure-privacy-onboarding-guide--quick-setup-steps
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:48:51.693+00:00
Reading Time: 5 minutes
Summary: Create your Secure Privacy account, activate your email, and install cookie consent on your website. Step-by-step GDPR compliance setup guide — get started in minutes.

If your website collects cookies or processes visitor data, regulations like GDPR, ePrivacy, CCPA, and LGPD require you to obtain informed, documented consent before those cookies fire. Non-compliance can mean hefty fines — up to €20 million or 4% of global annual turnover under GDPR alone. Most website owners know they need a cookie consent banner, but getting one that's legally compliant, correctly configured, and not a nightmare to maintain is harder than it looks.
Homemrown solutions and free WordPress plugins often lack the automatic cookie scanning, geo-targeted consent logic, and audit-trail reporting that regulators actually expect. Heavyweight enterprise platforms can take weeks to implement and cost a fortune. Secure Privacy is built to close that gap: a fully featured cookie consent management platform designed so that any website owner — with or without a developer — can achieve genuine GDPR compliance quickly.
By the end of this guide you will have a verified Secure Privacy account, the consent script live on your website, and your cookie consent banner ready to serve compliant consent to every visitor — all in under 15 minutes.
Who Is This Guide For?
This guide is for new Secure Privacy users — including website administrators, developers, and compliance managers — who need a clear walkthrough of initial account setup and script installation. Whether you're running a small business site, a large e-commerce platform, or managing compliance for multiple clients, the steps below apply to every use case.
Prerequisites
- The domain name of the website you want to make compliant

- Access to the email address you'll use for your Secure Privacy account

- Ability to edit your website's <head> HTML, install a CMS plugin, or access Google Tag Manager (depending on your chosen installation method)

Setting Up Your Secure Privacy Account: Step-by-Step
Step 1 — Enter Your Domain and Account Information
Navigate to the Secure Privacy sign-up page. Enter your website domain and the required account details — including your name, company information, and a valid company email address. Double-check that your domain is entered without a trailing slash and matches the URL visitors actually use (e.g. www.example.com vs example.com). Once all fields are complete, click to proceed to the next step.
The Secure Privacy sign-up form — enter your domain and company details to begin account creation.
Step 2 — Activate Your Email Address
After submitting your details, Secure Privacy will send a verification email to the address you provided. Open that email and click the activation link to confirm your account. If the email doesn't arrive within a few minutes, check your spam or junk folder — automated messages from compliance platforms often get filtered. You can also request a new activation link directly from the sign-up page. Once your email is verified, log in to your Secure Privacy account to continue.
Step 3 — Choose Your Installation Method and Complete Setup
After logging in, the onboarding wizard will prompt you to choose how you want to install the Secure Privacy cookie consent script on your website. Three options are available:
- Direct script install — paste a small JavaScript snippet into your site's <head> tag

- CMS plugin — one-click integration for WordPress, Shopify, Magento, and other supported platforms

- Google Tag Manager — deploy via your existing GTM container without touching site code

Select the method that matches your website setup and follow the on-screen instructions. A loading screen will appear while your configuration is processed, after which you'll be redirected to your Secure Privacy dashboard.
The Secure Privacy setup loading screen — your consent configuration is being applied before you're taken to the dashboard.
What Happens After Setup?
Once installation is complete, your Secure Privacy dashboard gives you full access to:
- Cookie consent management — customize banner appearance, consent categories, and language

- Automated cookie scanning — Secure Privacy scans your site and categorizes cookies automatically

- Compliance reporting & audit logs — timestamped consent records you can produce if audited

- Privacy policy generator — keep your privacy documentation up to date with applicable laws

- Google Consent Mode v2 support — pass consent signals directly to Google Analytics and Google Ads

Your website will begin collecting GDPR-compliant consent from the moment your first visitor lands after installation.
Common Issues and Fixes
- Activation email not received: Check your spam or junk folder, or request a new activation link from the sign-up or activation page.

- Installation fails verification: Ensure the Secure Privacy script has been added to your site's <head> section — not the footer — or verify that your CMS plugin or GTM tag is published and firing correctly.

- Cookie banner not appearing on the site: Clear your browser cache and check in an incognito window to rule out a cached version of the page loading without the script.

- Unsure which installation method to use: Contact your website developer or the Secure Privacy support team for guidance tailored to your platform.

Frequently Asked Questions
Do I legally need a cookie consent banner on my website?
Yes, if your website sets non-essential cookies (analytics, advertising, personalization) and you have visitors from the EU, UK, California, Brazil, or other jurisdictions with privacy laws, you are legally required to obtain explicit consent before those cookies are placed. GDPR, the ePrivacy Directive, CCPA, and LGPD all include this requirement. Secure Privacy automates compliant consent collection for all major privacy regulations.
How long does it take to set up Secure Privacy?
Most users complete the full setup — account creation, email verification, and script installation — in under 15 minutes. The onboarding wizard guides you through every step, and no coding is required if you use the CMS plugin or Google Tag Manager option.
Which platforms does Secure Privacy support for installation?
Secure Privacy supports direct script installation on any website, as well as dedicated CMS plugins for WordPress, Shopify, Magento, and other popular platforms. You can also deploy via Google Tag Manager if you prefer to manage your scripts centrally without editing site code directly.
Does Secure Privacy support Google Consent Mode v2?
Yes. Secure Privacy fully supports Google Consent Mode v2, including the Advanced implementation via Google Tag Manager. Once installed, consent signals are automatically passed to Google Analytics and Google Ads, ensuring your measurement and advertising data remains compliant.
What happens if a visitor doesn't accept cookies?
Secure Privacy blocks non-consented cookies from firing until a visitor gives explicit consent. If a visitor declines or ignores the banner, only strictly necessary cookies are allowed to run. All consent and rejection events are logged in your dashboard for compliance audit purposes.
Related Guides
- How to Onboard with Secure Privacy Directly from Your CMS Plugin

- How to Install Secure Privacy on WordPress

- Implementing Google Consent Mode (Advanced) via Google Tag Manager

- Understanding the Global Privacy Platform (GPP) — Setup Guide

- Secure Privacy Partner Onboarding

---

# How to Manage Billing & Payment Methods in Your Secure Privacy Account

URL: https://support.secureprivacy.ai/article/understanding-of-payments--billing-history-management
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:55:23.452+00:00
Reading Time: 4 minutes
Summary: Learn how to update your payment method and download invoices in your Secure Privacy account. Keep your cookie consent subscription active and records accurate.

An expired card or a missing invoice shouldn't put your cookie consent compliance at risk — but it happens. When a payment fails on your Secure Privacy subscription, your consent banners can go dark, leaving your website exposed to GDPR, CCPA, and ePrivacy enforcement. And when your finance team asks for a PDF invoice, hunting through email threads is the last thing you need.
Secure Privacy keeps everything in one place. The Billing page lets you update your payment method in seconds, while the Billing History page gives you a filterable, downloadable record of every transaction — no support ticket required.
By the end of this guide, you'll know exactly how to update your card details, read your invoice status at a glance, and download receipts for your business records.
Who Is This For?
This article is for any Secure Privacy account holder who needs to:
- Update or replace an expired or declined credit/debit card

- Review past charges on their Secure Privacy subscription

- Download PDF invoices for accounting or VAT purposes

How to Update Your Payment Method
The Billing page in your Secure Privacy account dashboard is where you add and manage the credit or debit card associated with your subscription. To update your card, navigate to Account → Billing and enter the following details:
The Billing page in the Secure Privacy account dashboard.
- Card Number: The 16-digit number on the front of your credit or debit card.

- Expiration Date: The card expiry date, typically formatted as MM/YY.

- CVV: The 3- or 4-digit Card Verification Value found on the back of your card, used to verify authenticity.

- Cardholder Name: The full name exactly as it appears on your credit or debit card.

- Address: The billing address associated with your card.

- City, State, and Post Code: Must match the information registered to your card.

- Country: The country where your card was issued.

Keeping your payment information accurate and up to date ensures uninterrupted access to your Secure Privacy subscription and prevents any gap in your cookie consent coverage.
How to View and Download Your Billing History
The Billing History page provides a complete, filterable log of all charges on your Secure Privacy account. Use it to verify payments, check for outstanding invoices, and download receipts for your records.
The Billing History page, with date filters and downloadable invoices.
You can filter your transaction history by the following time periods: Today, Last 7 Days, Last 30 Days, This Year, or a Custom Date Range.
Each invoice entry includes:
- Invoice Number: A unique identifier for each invoice (for example, "AAA11111-1111").

- Date: The date on which the invoice was issued.

- Amount: The total amount charged for the specified billing period.

- Status: Indicates whether the invoice is Paid, Pending, or Overdue.

- Download: Click the download icon to save a PDF copy of the invoice for personal or business record-keeping.

Regularly reviewing your Billing History and keeping your payment details current will help you avoid service disruptions, stay on top of your account status, and maintain an accurate record of all transactions.
Troubleshooting Common Billing Issues
- Payment declined: Double-check that the card number, expiry date, CVV, and billing address all match your bank's records exactly. Some banks also require you to authorise online SaaS charges — contact your card issuer if the problem persists.

- Invoice shows "Overdue": Update your payment method immediately and then contact Secure Privacy Support to reprocess the charge.

- Can't download a PDF invoice: Ensure your browser isn't blocking pop-ups or downloads from the Secure Privacy domain. Try a different browser if the issue continues.

- Invoice not visible in Billing History: Use the Custom Date Range filter to widen your search window, or check that you are logged in to the correct account.

Frequently Asked Questions
How do I update my payment method on Secure Privacy?
Log in to your Secure Privacy account, navigate to Account → Billing, and enter your new card details (card number, expiry, CVV, cardholder name, and billing address). Save your changes to apply the new payment method immediately.
Where can I download invoices for my Secure Privacy subscription?
Go to Account → Billing History. Find the invoice you need using the date filters, then click the Download icon on that row to save a PDF copy to your device.
What happens to my cookie consent banners if my payment fails?
If a payment fails and your Secure Privacy subscription lapses, your cookie consent banners may stop displaying, which can put your website out of compliance with GDPR, CCPA, and ePrivacy regulations. Update your payment method as soon as possible to restore service.
Can I filter my billing history by date range?
Yes. The Billing History page offers preset filters — Today, Last 7 Days, Last 30 Days, and This Year — as well as a Custom Date Range picker for more precise searches.
Does Secure Privacy store my full card number?
Secure Privacy uses a PCI-compliant payment processor. Your full card number is never stored on Secure Privacy's servers; only a secure token is retained to process recurring subscription charges.
Related Articles
- Managing Your Secure Privacy Account Settings

- Secure Privacy Subscription Plans & Pricing[?]

- How to Upgrade or Downgrade Your Secure Privacy Plan[?]

- How to Cancel Your Secure Privacy Subscription[?]

---

# Cross-Domain Cookie Consent: Share One Consent Banner Across All Your Websites

URL: https://support.secureprivacy.ai/article/enable-crossdomain-consent-in-secure-privacy
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T01:12:10.801+00:00
Reading Time: 6 minutes
Summary: Stop showing cookie banners on every domain. Set up cross-domain consent in Secure Privacy to sync GDPR-compliant cookie consent across all your websites in minutes.

If you run more than one website, you already know the problem: a visitor lands on your main domain, accepts the cookie banner, clicks through to your regional site or booking portal — and the banner appears again. And again. Every domain triggers its own consent prompt, frustrating users and making your brand feel fragmented rather than seamless.
Many teams try to work around this with custom code, shared subdomains, or third-party scripts stitched together — solutions that are brittle, hard to audit, and rarely satisfy a GDPR compliance review. Managing cookie consent across multiple domains shouldn't require a developer sprint every time you add a new site.
Secure Privacy's cross-domain consent feature is built for exactly this situation. By grouping your related domains into a single shared consent configuration, users grant cookie consent once — and that consent automatically carries across every site in the group. No repeated banners, no compliance gaps, no custom plumbing required.
By the end of this guide, you'll have cross-domain cookie consent fully configured in your Secure Privacy account, with all your related domains sharing a single GDPR-compliant consent record.
Who Is This Guide For?
This guide is intended for anyone responsible for cookie consent and privacy compliance across multiple websites:
- Website Administrators managing several related domains

- Privacy Compliance Officers overseeing GDPR and ePrivacy obligations

- Web Developers and IT Teams integrating consent management solutions

- Digital Marketers running multi-domain brand or campaign sites

Prerequisites
Before configuring cross-domain consent, make sure you have:
- An active Secure Privacy account with the relevant subscription plan

- All target domains fully onboarded in your domain management settings

- The Secure Privacy script installed on every domain you plan to link

- Confirmed — ideally with your legal or privacy team — that all linked domains share a related purpose and a valid legal basis for sharing consent data

Understanding Cross-Domain Cookie Consent
What Is Cross-Domain Consent?
Cross-domain consent allows users to provide cookie consent once, with that consent automatically applying across multiple related domains or subdomains. Rather than storing a separate consent cookie on each domain, a single shared consent record covers every site in your configured group. This prevents visitors from being shown a cookie banner on every site they navigate to — significantly improving the experience for users moving between related websites, such as a brand's main site, regional subdomains, or linked service portals.
When Should You Use Cross-Domain Consent?
Cross-domain consent is appropriate when the domains involved share the same purpose or provide related content and functionality. Always ensure that data processing across the linked domains aligns with applicable privacy regulations — particularly GDPR — and that there is a valid legal basis for sharing consent. Avoid enabling cross-domain consent for domains that serve distinctly different purposes, as this can create compliance risks.
Example Use Case
An online hotel booking platform operating across multiple domains — for example, one for location selection, one for hotel details, and one for the booking process — can use cross-domain consent so that users grant cookie consent once and are not prompted again as they move through the booking journey.
How to Enable Cross-Domain Consent in Secure Privacy
Follow these four steps to create a shared cookie consent group and synchronize consent across all your related domains.
Step 1 — Install the Secure Privacy Script on All Domains
Before configuring cross-domain consent, ensure the Secure Privacy script is correctly installed on all domains you intend to include in the consent group. This script is responsible for managing and synchronizing cookie consent across your websites. If the script is missing from even one domain, consent will not sync correctly to that site.
Step 2 — Access the Cross-Domain Consent Settings Page
Log in to your Secure Privacy account. Click Account and navigate to the Cross Domain Consent tab. This is where you create and manage your cross-domain consent groups.
The Cross Domain Consent tab inside Secure Privacy Account settings
Step 3 — Create a New Cross-Domain Consent Group
Click the ADD NEW button to create a new consent group. Enter a descriptive group name in the popup window. Open the Domains dropdown list and use the search bar to find and select all domains you want to link within this cross-domain consent group.
Creating a new cross-domain consent group and selecting domains
Step 4 — Save and Apply Your Cross-Domain Consent Configuration
Click Save to confirm and activate your new consent group settings. Cross-domain cookie consent will now be enabled for all selected domains within the group. Users will only need to provide consent once — that single consent record will apply seamlessly across all linked sites.
Important GDPR Compliance Notice
Enabling cross-domain consent requires careful legal consideration. Using this feature across domains that differ significantly in purpose or data processing activities can result in non-compliance with GDPR and other applicable privacy regulations. Only enable cross-domain consent for domains that share a related purpose and where a proper legal basis exists for sharing consent data. Cross-domain consent works by sharing a single consent cookie across all linked domains — which reduces repetitive banners but must be implemented responsibly. Consult your legal or privacy team if you are unsure whether your domain configuration meets regulatory requirements.
Troubleshooting Cross-Domain Consent
Common cross-domain consent issues and recommended fixes

Issue
Recommended Fix

Consent not syncing across domains
Verify the Secure Privacy script is correctly installed on all domains. Ensure all relevant domains are added to the same consent group.

Domains flagged for non-compliance
Confirm that all linked domains serve the same or closely related purpose and that shared data processing complies with applicable privacy laws.

Unable to find a domain in the selection list
Confirm the domain has been added in domain management and that onboarding is fully complete before attempting to add it to a consent group.

Frequently Asked Questions
Why do my visitors keep seeing a cookie consent banner on every domain?
By default, cookie consent is stored per domain, so each site a user visits triggers its own banner. Cross-domain consent solves this by sharing a single consent record across all your linked domains, so users only see the banner once regardless of how many sites they navigate between.
Is cross-domain cookie consent GDPR compliant?
Cross-domain consent can be fully GDPR compliant when implemented correctly. The domains must share a related purpose and a valid legal basis for sharing consent data. Linking unrelated domains or purposes can create compliance risks — consult your legal or privacy team if in doubt.
Can cross-domain consent work for subdomains as well as separate domains?
Yes. Secure Privacy's cross-domain consent feature works for both separate top-level domains and related subdomains. Simply add all relevant domains or subdomains to the same consent group in your account settings.
What should I do if consent is not syncing across my domains?
First, verify that the Secure Privacy script is correctly installed on every domain in the group. Then confirm all domains have been added to the same consent group in your account's Cross Domain Consent settings. If a domain is missing from the group or the script is absent, consent will not sync to that site.
Does a domain need to be fully set up before I can add it to a consent group?
Yes. Any domain you want to include in a cross-domain consent group must first be fully onboarded in your Secure Privacy domain management settings. Domains that are still mid-onboarding will not appear in the domain selection list.
Related Articles
- Navigate and Utilise Your Consent Dashboard — In-Depth Guide

- Ensuring Compliance with Google's EU User Consent Policy

- Secure Privacy: Google-Certified Consent Management Platform

---

# How to Configure Scan Report Settings in Secure Privacy - Location, Frequency & Login Scanning

URL: https://support.secureprivacy.ai/article/scan-report-settings-in-secure-privacy
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:59:15.596+00:00
Reading Time: 8 minutes
Summary: Learn how to configure Secure Privacy's Scan Report settings — set scan location, frequency, email delivery, and scan behind login for full GDPR compliance coverage.

Keeping your website GDPR-compliant isn't a one-time checkbox — cookies and third-party trackers change every time you add a plugin, run a new ad campaign, or update your tech stack. Many teams try to stay on top of this with manual cookie audits, browser extensions, or one-off spreadsheet reviews. The result is always the same: incomplete coverage, outdated reports, and the nagging uncertainty of not knowing what's actually firing on your site right now.
Secure Privacy's Scan Report feature solves this with automated, geo-specific website cookie scanning that produces audit-ready compliance reports on your schedule. You control where scans run from (US or EU), how often they run, which pages are included, and whether the scanner can reach authenticated, login-protected areas of your site — giving you a complete picture of your privacy compliance posture, not just the public-facing pages.
By the end of this guide, you'll have every Scan Report setting configured correctly for your domain, so you can run comprehensive cookie audits automatically and receive compliance reports without any manual effort.
Who Is This Article For?
This guide is for website owners, privacy officers, and developers who use Secure Privacy and want to:
- Automate recurring GDPR cookie compliance scans for one or more domains

- Ensure scan results reflect the correct legal jurisdiction (US or EU)

- Exclude irrelevant or sensitive pages from compliance reports

- Audit login-protected pages and member areas for hidden trackers

- Receive automated email delivery of completed scan reports

Prerequisites
- An active Secure Privacy account

- At least one domain added and verified in your Secure Privacy dashboard

- For Scan Behind Login: an Advanced or Enterprise plan subscription

How to Access Scan Report Settings
Step 1 — Log In to Secure Privacy
Log in to your Secure Privacy account using your credentials.
Step 2 — Open the Domains Section
In the main navigation, go to the Domains section and select the specific domain for which you want to configure Scan Report settings.
Step 3 — Navigate to Reports › Scan Report
Under the Reports section in the domain menu, click Scan Report to open the scan report overview page.
Step 4 — Open the Settings Tab
On the Scan Report overview page, click the Settings tab to access all configurable scan and reporting options.
The Scan Report overview page — click the Settings tab to access all configuration options.
Scan Report Configuration Options
The Scan Report Settings page gives you precise control over how cookie and tracker scans are conducted and how compliance results are delivered. Each setting is described in detail below.
Scan Location — Choose US or EU for Geo-Specific Compliance Results
This setting lets you specify the geographic location from which Secure Privacy performs website scans. You can choose between the United States (default) and the European Union (Germany). Selecting a scan location that matches your primary audience or legal jurisdiction — for example, choosing EU (Germany) for GDPR-focused audits — ensures your compliance reports reflect the cookies and trackers that actually load for users in that region, since some third-party scripts behave differently based on visitor location.
Scan Location options: United States (default) or European Union (Germany) for GDPR-region scanning.
Scan Frequency — Automate Monthly Cookie Audits or Scan on Demand
This setting controls how often automated cookie scans run for your domain. You can choose between a monthly automated scan — recommended for most organizations to catch newly introduced trackers as your website evolves — or a manual scan that you initiate on demand. Monthly scanning is particularly valuable if your site regularly adds new plugins, advertising scripts, or third-party integrations that could introduce undisclosed cookies.
Choose between monthly automated scanning or manual on-demand scans.
Send Compliance Report via Email — Automated Delivery on Scan Completion
This toggle enables or disables automated email delivery of completed scan reports. When enabled, each completed scan report is sent directly to the email address associated with your logged-in Secure Privacy account. This is useful for keeping privacy officers, compliance managers, or developers automatically informed without requiring them to log in to the dashboard after every scan.
Enable the email toggle to receive automated compliance report delivery after each scan completes.
Include or Exclude Specific Pages from Cookie Scans
You can precisely control which pages of your website are included in or excluded from the cookie scanning process. This is useful when certain pages contain sensitive content, require authentication that you're handling separately, or are simply not relevant to your compliance reporting scope. Enter the URLs you wish to include or exclude in the field provided — multiple URLs must be comma-separated.
Enter comma-separated URLs to include or exclude specific pages from your cookie compliance scans.
Scan Behind Login — Audit Authenticated Pages and Member Areas
The Scan Behind Login feature enables Secure Privacy to scan web pages that require user authentication or sit behind access controls — such as customer portals, subscription dashboards, or member-only areas. Without this, login-protected pages are completely invisible to standard cookie scanners, leaving a significant compliance blind spot. Configure the following parameters to allow Secure Privacy's scanner to authenticate and access those restricted areas:
- Login page URL

- Email / username field ID and value

- Password field ID and value

- Submit button ID

- Username button ID

- Action

- reCAPTCHA handling

- Option to press Enter after entering username or password

Scan Behind Login configuration — supply your login page credentials so Secure Privacy can audit authenticated areas of your website.
Once configured, Secure Privacy automatically navigates through your login process and scans restricted areas during each audit, giving you a comprehensive compliance report that covers your entire site — not just publicly accessible pages.
Note: The Scan Behind Login feature is available on Advanced and Enterprise plans only. View plan options to upgrade if needed.
Save Your Scan Report Settings
After configuring your preferred options, click the Save button at the top of the settings page to apply and activate your changes. Ensure the settings accurately reflect your website's structure and your compliance obligations — this guarantees that every generated scan report is both comprehensive and directly relevant to your data protection requirements.
What Happens After You Save
Once saved, Secure Privacy will apply your new settings to all subsequent scans for that domain. If you've enabled monthly automated scanning, the next scheduled scan will run according to your configured frequency and location. If you've enabled email delivery, you'll receive a compliance report to your account email address each time a scan completes. You can return to the Settings tab at any time to adjust your configuration as your website changes.
Troubleshooting Common Scan Report Issues
Scan results are missing pages I expect to see
Check the Include/Exclude Pages field to confirm the pages in question haven't been accidentally excluded. Also verify that the pages are publicly accessible from the scan location you've selected — geo-blocked content may not load from a US or EU scan origin.
Scan Behind Login isn't accessing protected pages
Double-check the field IDs for the username, password, and submit button — these must match the exact HTML element IDs in your login form. If your login form uses reCAPTCHA, ensure the reCAPTCHA handling option is configured. Note that this feature requires an Advanced or Enterprise plan.
I'm not receiving scan report emails
Confirm the "Send Report via Email" toggle is enabled and that the email address on your Secure Privacy account is correct. Also check your spam or junk folder, and add the Secure Privacy sending domain to your email allowlist if needed.
Frequently Asked Questions
How do I check if my website cookies are GDPR compliant?
The most reliable way is to use an automated cookie scanner that audits your website from a European Union location and reports every cookie and tracker it finds. Secure Privacy's Scan Report feature does exactly this — configure the Scan Location to EU (Germany), run a scan, and you'll receive a compliance report listing all detected cookies, their categories, and whether they require consent under GDPR.
How often should I scan my website for cookie compliance?
Monthly automated scanning is recommended for most websites. Cookies and trackers change whenever you update plugins, add marketing scripts, or change your ad tech stack. Monthly scans ensure your consent banner and cookie policy stay accurate and up to date without requiring manual audits.
Can Secure Privacy scan pages that require a login?
Yes. The Scan Behind Login feature allows Secure Privacy to authenticate with your website and scan password-protected pages, member areas, and customer portals. This feature is available on Advanced and Enterprise plans and requires you to configure your login page URL, field IDs, and credentials in the Scan Report Settings.
What is the difference between scanning from the US vs. the EU?
Some third-party scripts, advertising networks, and tracking technologies behave differently based on the visitor's geographic location — for example, serving different cookies to EU visitors than to US visitors. Scanning from the EU (Germany) gives you a more accurate view of what GDPR-regulated users actually experience on your site, which is essential for accurate compliance reporting under European privacy law.
Can I exclude certain pages from the cookie scan?
Yes. In the Scan Report Settings, you can enter specific URLs to include or exclude from each scan. Enter multiple URLs as a comma-separated list. This is useful for pages that require special authentication handling, contain sensitive content, or fall outside the scope of your compliance reporting.
Related Articles
- How to Set Up Your Cookie Consent Banner

- Generating a Cookie Policy with Secure Privacy

- GDPR Compliance Checklist for Website Owners

- How to Add and Verify a Domain in Secure Privacy[?]

- Understanding Your Compliance Reports Dashboard[?]

---

# How to Install the Secure Privacy Cookie Consent Script on Your Website

URL: https://support.secureprivacy.ai/article/installation-of-secure-privacy-script-on-a-new-domain
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-06-05T11:19:11.022+00:00
Reading Time: 6 minutes
Summary: Learn how to add the Secure Privacy cookie consent script to your website. Step-by-step guide for WordPress, Shopify, GTM & more. Get GDPR-compliant today.

Under GDPR, CCPA, and similar privacy laws, every website that drops cookies or tracks visitors must display a cookie consent banner — and collect proof of that consent. Failing to do so can mean hefty fines and damaged user trust.
Many site owners try to solve this with free WordPress plugins or hand-coded banners, only to discover they expire, break on updates, lack an audit trail, or don't cover regulations beyond GDPR. A proper consent management platform (CMP) handles all of that automatically.
Secure Privacy is a fully automated CMP that scans your site for cookies, generates a compliant consent banner, and keeps your records up to date as laws change — with no ongoing manual work. The single lightweight script you'll install in this guide is all it takes to activate everything.
By the end of this article you will have:
- Located your unique Secure Privacy installation script

- Added it to your website — manually, via your CMS, or through a developer

- Verified the script is live and working correctly

Who Is This Guide For?
This article is for anyone who needs to add GDPR or CCPA cookie consent to their website using Secure Privacy, including:
- Website owners and marketers who want to self-install without coding knowledge

- Developers who have been asked to add the consent script on behalf of a client

- Agencies managing multiple client domains from a single Secure Privacy dashboard

Prerequisites
- An active Secure Privacy account — start a free trial if you don't have one yet

- The domain you want to protect must already be added inside your Secure Privacy dashboard

- Ability to edit the <head> section of your website (or access to a developer who can)

Installing Your Secure Privacy Script: Step-by-Step
Step 1 — Find Your Cookie Consent Installation Script
Each domain in Secure Privacy gets its own unique script. Here is how to locate yours:
- Log in to your Secure Privacy account.

- Navigate to the "Domains" section in the main menu.

- Locate or search for the domain you want to add cookie consent to.

Select the domain you want to install the cookie consent script on.
- Click on the domain name to open its settings.

- Select the "Installation" tab from the left-side menu.

Open the Installation tab to access your unique cookie consent script.
- Copy the installation script code displayed on the page.

- Paste the script into your website's <head> section, placing it immediately after the opening <head> tag for optimal performance and consent capture.

If you are not comfortable editing HTML directly, skip to Step 2a (CMS-specific guide) or Step 2b (email your developer).
Step 2a — Use a Platform-Specific CMS Installation Guide
If your website runs on a popular CMS or tag management platform, Secure Privacy provides dedicated cookie consent installation guides for each. Supported platforms include:
Select your CMS from the dropdown to access a tailored installation guide.
- WordPress

- Shopify

- Squarespace

- HubSpot

- Weebly

- Joomla

- Magento

- Drupal

- Google Tag Manager

- Adobe Tag Manager

Select your CMS or platform from the dropdown menu in the Installation tab to access step-by-step instructions tailored to your specific setup.
Step 2b — Email the Cookie Consent Script to Your Developer
If you prefer to have a developer handle the installation, you can send the script directly from your Secure Privacy dashboard — no copy-pasting required:
- Log in and click on the relevant domain name.

- In the "Installation" tab, click the "Email Script" button.

- Enter your developer's email address and click "Share Script" to send the installation code.

- Ask your developer to place the script immediately after the opening <head> tag on every page of your website for full cookie consent coverage.

Share the script with a developer in one click from the Installation tab.
Step 3 — Verify Your Cookie Consent Script Is Working
Once the script has been added to your website, confirm it is installed correctly before going live:
- Return to the "Installation" tab for your domain in the Secure Privacy dashboard.

- Click the "Test Installation" button.

Use the Test Installation button to confirm your cookie consent script is live.
- The system will automatically verify whether the script is correctly installed:
- Success: You will see a confirmation message confirming the cookie consent script is correctly installed and active.

- Error: You will receive a notification describing the issue. Review your installation to ensure the correct script is placed in the right location for your domain.

Troubleshooting: Script Not Detected?
If the Test Installation check returns an error, run through this quick checklist:
- Wrong domain selected: Confirm the script you copied belongs to the exact domain (including subdomain) you installed it on.

- Script not in <head>: The script must be placed inside the <head> element, not in <body> or a footer.

- Caching: If your site uses a caching plugin or CDN, clear the cache and re-run the test.

- Tag manager firing rule: If you installed via Google Tag Manager or Adobe Tag Manager, verify the tag is set to fire on All Pages.

- Script blocked: Check that no Content Security Policy (CSP) header is blocking the Secure Privacy script domain.

If the problem persists, contact the Secure Privacy support team at support@secureprivacy.ai with a screenshot of the error message and your domain URL.
What Happens After Installation?
With the script live, Secure Privacy begins automatically scanning your site for cookies and trackers. Within a short time you will see:
- A cookie consent banner displayed to your visitors, styled to match your branding

- An automatically generated cookie policy page linked from your banner

- Consent records stored in your dashboard for audit and compliance purposes

- Ongoing rescanning as your site changes, keeping your cookie disclosure up to date

Frequently Asked Questions
Do I really need a cookie consent banner on my website?
Yes, in most cases. GDPR (EU/EEA), UK GDPR, CCPA (California), and many other privacy laws require websites to inform users about cookies and, for non-essential cookies, obtain their consent before setting them. Failing to comply can result in significant fines and reputational damage. A consent management platform like Secure Privacy automates this process for you.
Where exactly do I place the Secure Privacy cookie consent script?
The script must be placed immediately after the opening <head> tag on every page of your website. Placing it early in <head> ensures the consent banner loads before any tracking scripts fire, which is a core requirement for GDPR compliance.
Can I install Secure Privacy without touching my website's code?
Yes. You can install the Secure Privacy cookie consent script through Google Tag Manager or Adobe Tag Manager without editing your site's HTML directly. Alternatively, you can use the "Email Script" feature in your dashboard to send the script straight to your developer.
Does Secure Privacy work with WordPress, Shopify, and other CMS platforms?
Yes. Secure Privacy offers dedicated cookie consent installation guides for WordPress, Shopify, Squarespace, HubSpot, Joomla, Magento, Drupal, Weebly, Google Tag Manager, and Adobe Tag Manager. Select your platform from the dropdown in the Installation tab of your dashboard for tailored instructions.
How do I check if my Secure Privacy script is installed correctly?
After adding the script to your site, go to the Installation tab for your domain in your Secure Privacy dashboard and click "Test Installation." The system will automatically check whether the script is live and report success or provide details about any issues found.
Related Articles
- How to Add a New Domain to Your Secure Privacy Account

- How to Customize Your Cookie Consent Banner Design

- Understanding Consent Records and Audit Logs[?]

- Installing the Secure Privacy Cookie Consent Plugin for WordPress

- How to Deploy Secure Privacy via Google Tag Manager

---

# Cookies Loading Before Consent? How to Fix Pre-Consent Cookie Loading and Achieve GDPR Compliance

URL: https://support.secureprivacy.ai/article/ensuring-prior-consent-for-nonessential-cookies-gdpr-compliance
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:45:36.409+00:00
Reading Time: 7 minutes
Summary: Cookies firing before consent? Step-by-step guide to blocking non-essential cookies, configuring your CMP, and passing your GDPR cookie compliance scan.

Your compliance scan just flagged it: non-essential cookies — marketing pixels, analytics trackers, ad-network scripts — are firing on your site before any visitor has clicked "Accept." That single issue puts you in direct breach of GDPR and the ePrivacy Directive, and it's the kind of finding that regulators and privacy watchdogs act on.
The instinctive workaround — adding a banner that warns users while still loading cookies in the background, or relying on a basic tag manager delay — doesn't actually solve the problem. Those approaches still set cookies before consent is recorded, and they offer no tamper-proof audit trail if a regulator asks for proof. A half-measure here is almost as risky as no measure at all.
The clean fix is a Consent Management Platform (CMP) that blocks all non-essential scripts at the network level until explicit, informed consent is received. Secure Privacy does exactly that: it intercepts every cookie-setting script, pixel, and iframe before it runs, releases them only once the right consent signal arrives, and logs a timestamped record of every user decision.
By the end of this guide you will have:
- Identified every cookie or script currently loading before consent on your site

- Configured Secure Privacy to block them automatically — and manually for edge cases

- Run a verification scan confirming your site now meets GDPR cookie consent requirements

Who Is This Guide For?
This article is for website owners, developers, and compliance managers who:
- Have received a Secure Privacy scan report flagging pre-consent cookie loading

- Are working to meet GDPR cookie consent requirements or ePrivacy Directive obligations

- Need to block third-party scripts (Facebook Pixel, Google Analytics, YouTube iframes, etc.) until a user actively consents

- Want documented, auditable proof of consent in case of a regulatory inquiry

Issue Detected: Non-Essential Cookies Loading Before User Consent
Your website is currently loading non-essential cookies (e.g., marketing, analytics) before obtaining explicit user consent, which violates GDPR and the ePrivacy Directive. Specifically, this breaches:
- GDPR Recitals 30 & 32, Article 6

- ePrivacy Directive Recital 25

Failing to address this issue creates a risk of legal non-compliance, user mistrust, and significant regulatory penalties.
What Is Pre-Consent Cookie Loading — and Why Does It Violate GDPR?
The GDPR requires that:
"Cookies or other tracking technologies that are not strictly necessary must not be set on a user's device until the user has given informed, unambiguous, and explicit consent."

Your current setup loads cookies used for marketing and tracking before consent is captured, making your site non-compliant with GDPR cookie consent requirements. Common culprits include Google Analytics (_ga), Facebook Pixel (_fbp, fr), and Google Ads (IDE) — all of which require prior user consent under GDPR.
Scan Report: Cookies Flagged for Pre-Consent Loading
Secure Privacy scan report identifying cookies that fire before prior user consent is obtained.
How to Fix Cookies Loading Before Consent: Step-by-Step GDPR Compliance Guide
To achieve full GDPR cookie compliance, follow the steps below. Each step maps to a specific action inside the Secure Privacy consent management platform.
Step 1 — Implement a GDPR-Compliant Cookie Consent Banner
Use a Consent Management Platform (CMP) such as Secure Privacy that:
- Blocks all non-essential cookies by default before consent is given

- Does not load marketing or analytics scripts until explicit consent is received

- Allows users to opt out as easily as they can opt in

- Records and stores proof of consent (date, time, and user decision)

Step 2 — Identify Which Cookies Are Loading Before Consent
Most services are automatically detected and blocked by Secure Privacy's consent engine, but manual configuration may be needed in some setups. Follow this process to identify and resolve pre-consent cookie issues:
Step 2.1 — Review the Scan Report
- Go to the Scan Report in your Secure Privacy dashboard.

- Click on "Prior consent to other than strictly necessary cookies (GDPR)".

- Scroll to the "Cookies loaded before prior consent" section.

- Note the cookie name and related service for each flagged item.

The "Cookies loaded before prior consent" section identifies every non-compliant tracking script on your site.
Step 2.2 — Consult Your Development Team
- Determine how each flagged service (e.g., Facebook Pixel, YouTube iframe, Google Analytics) is installed on your site.

- Check for scripts, pixels, or iframe embeds related to the flagged services.

- Note whether the installation script uses the async or defer attribute, as this affects load order and may cause scripts to fire before Secure Privacy initialises.

Step 2.3 — Apply Manual Blocking Configuration
- Navigate to the "Classification" → "Services" tab in your CMP dashboard.

The Classification → Services tab is where you manually map scripts to consent categories.
- Locate the service in question, click the "..." (three-dot menu), then select "Edit".

- Add the correct script source URL reference to ensure the service is properly blocked before consent.

Add the script source URL to ensure Secure Privacy intercepts the service before any cookies are set.
If the service is not listed, you can manually create a new entry by associating a cookie with a service.
Step 2.3a — Configure Iframes and Pixels
If the service uses iframes or tracking pixels, ensure these are also:
- Listed in the appropriate iframes/pixels tab of your CMP

Map every iframe and tracking pixel to its source URL so Secure Privacy can block it prior to consent.
- Accurately mapped to their source URLs to enable effective blocking before consent

- Manually added if they were not automatically detected during the scan

Step 2.4 — Re-Scan Your Website to Confirm Compliance
- Run a new website scan after applying your configuration changes.

- Confirm that the flagged cookies and services are now blocked prior to consent.

A clean re-scan confirms your site no longer loads non-essential cookies before user consent.
- Verify that the service is not using async or defer, as these attributes can cause scripts to run before Secure Privacy loads.

- Repeat the process for any remaining unblocked services.

Examples of Cookies That Require Prior User Consent Under GDPR
Cookie Name
Purpose
Consent Required

_fbp
Facebook Tracking
✅ Yes

_ga
Google Analytics
✅ Yes

fr
Facebook Ads
✅ Yes

IDE
Google Ads
✅ Yes

GDPR Cookie Compliance Checklist: Key Actions to Take
To bring your website into full compliance with GDPR cookie consent requirements:
- Do not load non-essential cookies until explicit user consent is obtained

- Enable automatic cookie blocking via your CMP

- Apply manual blocking configuration for services not automatically detected

- Document all consent decisions with timestamps and user choices — these logs are your proof of compliance if a regulator requests an audit

- Regularly re-scan your website to catch new or unblocked services

Frequently Asked Questions
Why are cookies loading on my website before users give consent?
Third-party scripts such as Google Analytics, Facebook Pixel, or Google Ads are typically added via a tag manager or hardcoded into the site. Without a CMP that actively intercepts these scripts, they execute as soon as the page loads — before any consent banner is shown or clicked. A GDPR-compliant CMP like Secure Privacy blocks these scripts at the network level until consent is recorded.
Is it a GDPR violation to load cookies before consent?
Yes. Under GDPR Article 6 and the ePrivacy Directive, non-essential cookies (marketing, analytics, tracking) must not be placed on a user's device until explicit, informed consent is obtained. Pre-consent cookie loading is one of the most commonly cited violations in regulatory enforcement actions across the EU.
What is a Consent Management Platform (CMP) and do I need one?
A CMP is a tool that manages cookie consent on your website — collecting user choices, blocking non-essential scripts until consent is given, and storing proof of each consent decision. If your site uses any marketing, analytics, or advertising cookies, a CMP is not optional under GDPR; it is the mechanism that makes compliant consent collection operationally feasible.
Why is my cookie still loading even after configuring Secure Privacy?
The most common cause is a script tag that uses the async or defer attribute, which can cause it to execute before Secure Privacy initialises. Other causes include the script not being mapped to a service in the Classification → Services tab, or an iframe/pixel that was not added to the iframes/pixels blocking list. Re-check the service mapping and remove async/defer if present, then re-run the compliance scan.
How often should I re-scan my website for GDPR cookie compliance?
Best practice is to run a new compliance scan any time you add or update a third-party script, marketing pixel, or analytics integration — and at minimum once per quarter. New marketing tools are frequently added by non-technical team members without realising they introduce new cookies that require consent.
Related Articles
- Understanding Cookie Categories: Strictly Necessary vs. Non-Essential

- How to Set Up Your GDPR Cookie Consent Banner in Secure Privacy

- How Secure Privacy Records and Stores Proof of Consent

- Configuring Google Consent Mode with Secure Privacy

---

# How to Deploy Secure Privacy via Google Tag Manager - Cookie Consent Setup Guide

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-with-google-tag-manager-gtm
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:52:58.564+00:00
Reading Time: 5 minutes
Summary: Add a GDPR-compliant cookie consent banner to your site without editing code. Follow this step-by-step guide to deploy Secure Privacy through Google Tag Manager.

Privacy laws like GDPR, UK GDPR, and CCPA require websites to display a cookie consent banner and obtain visitor consent before any tracking scripts fire. Getting that banner live, however, usually means hunting through theme files or asking a developer to splice a script tag into your site's <head> — a slow, error-prone process that breaks every time the site is rebuilt.
Many teams try workarounds: hard-coding scripts directly into templates, relying on a basic free plugin, or skipping consent management altogether and hoping for the best. None of these hold up to regulatory scrutiny or scale with a modern tag-managed stack.
Google Tag Manager already sits on your site and controls when every tag fires. Deploying Secure Privacy through GTM means you get a fully compliant, GDPR-ready cookie consent banner live in minutes — no code changes, no developer required, and with the guarantee that no other tags run before your visitors have consented.
By the end of this guide, your Secure Privacy consent banner will be active on your website, firing correctly before all other GTM tags, and ready to be customised from your Secure Privacy dashboard.
Who Is This Guide For?
This guide is for website owners, marketing managers, and developers who already use Google Tag Manager and want to add a GDPR-compliant cookie consent banner without touching their site's source code. It applies to any website platform — WordPress, Shopify, Webflow, custom HTML, and others — as long as the GTM container snippet is already installed.
Prerequisites
Before following this guide, make sure the following are in place:
- A Secure Privacy account with at least one domain configured

- A Google Tag Manager account with a container created for your website

- The GTM container snippet already added to every page of your site

If you haven't set up GTM yet, follow the official Google Tag Manager setup guide before continuing.
How to Implement Secure Privacy in Google Tag Manager
Step 1 — Retrieve Your Secure Privacy Script URL
Log in to your Secure Privacy account and navigate to your domain's installation settings. Copy your unique Secure Privacy script source URL — you will paste this into GTM in the next step. Keep this tab open for reference.
Step 2 — Create a Custom HTML Tag in GTM
In Google Tag Manager, open your website container and click New Tag. When prompted to choose a tag type, select Custom HTML. Paste your Secure Privacy script (including the full <script> tag and your script source URL) into the HTML field.
Step 3 — Set the Consent Initialization Trigger and Save
Under Triggering, select Consent Initialization as the trigger type. This ensures the Secure Privacy consent banner fires at the very start of the page load — before any other GTM tags execute, which is a requirement under GDPR. Give your tag a descriptive name at the top of the configuration panel — for example, "Secure Privacy Script" — then click Save.
Your completed tag configuration should look similar to the example below:
GTM tag configuration: Custom HTML tag with Consent Initialization trigger — ensuring the cookie consent banner loads before any other tags.
Step 4 — Publish Your GTM Container
Click Submit in the top-right corner of GTM, add a version description if desired, then click Publish. This pushes your updated container live to your website. Your Secure Privacy cookie consent banner is now active.
What Happens Next
Once published, visit your website in a fresh browser session (or in incognito mode) to confirm the cookie consent banner is displaying correctly. If it appears as expected, your deployment is complete.
Your GTM tag handles delivery only — it places the Secure Privacy script on your pages. All consent configuration — including cookie categories, banner text, supported languages, geo-targeting rules, and visual appearance — is managed entirely within your Secure Privacy account dashboard. Any changes you make there are reflected on your site automatically, with no need to update your GTM container again.
Troubleshooting
The cookie banner is not appearing on my site
First, confirm that the GTM container has been published (not just saved). Unpublished changes are not pushed live. Also verify the GTM container snippet is correctly installed on the page you are testing — use the GTM Preview mode to check whether your Secure Privacy tag is firing. If the tag shows as "Blocked," check that Consent Initialization is selected as the trigger type, not a standard Page View trigger.
The banner appears but my other tags are still firing without consent
For Secure Privacy to block other GTM tags pending consent, those tags must be configured to respect GTM's built-in consent checks. Ensure your analytics and advertising tags have the appropriate consent type requirements set within their GTM tag configuration (e.g., analytics_storage for Google Analytics). Refer to your Secure Privacy dashboard documentation for GTM consent mode integration guidance.
Frequently Asked Questions
Do I need a cookie consent banner on my website?
If your website collects data from visitors in the EU, UK, California, or many other jurisdictions, yes. Privacy laws such as GDPR, UK GDPR, and CCPA require informed consent before placing non-essential cookies. A cookie consent banner is the standard mechanism for meeting this obligation.
Can I deploy a cookie consent banner through Google Tag Manager?
Yes. GTM supports a dedicated Consent Initialization trigger that fires before all other tags, making it the recommended way to deploy a consent management platform like Secure Privacy without editing your site's source code.
What is the Consent Initialization trigger in GTM?
The Consent Initialization trigger fires at the very start of the page load — before any other GTM tags run. This ensures your cookie consent banner is shown to visitors before any tracking or analytics scripts execute, which is a legal requirement under GDPR and similar regulations.
Will adding Secure Privacy through GTM slow down my website?
No. Deploying via GTM is a lightweight, asynchronous implementation. The Secure Privacy script loads efficiently, and using Consent Initialization means other tags are appropriately held until consent is obtained — which improves your compliance posture without hurting page performance.
Do I still need to configure consent settings after deploying via GTM?
GTM handles delivery of the Secure Privacy script to your site. Cookie categories, banner appearance, consent language, and geo-targeting rules are all configured inside your Secure Privacy account dashboard — separately from GTM.
Related Articles
- How to Install Secure Privacy on WordPress

- How to Add a Cookie Consent Banner to Shopify

- Configuring Google Consent Mode v2 with Secure Privacy

- Customising Your Cookie Banner Appearance and Text

- GDPR Website Compliance Checklist

---

# How to Configure Domain-Level Cookie Classification in Secure Privacy

URL: https://support.secureprivacy.ai/article/how-to-classify-cookies-and-services-for-a-domain
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T01:16:06.506+00:00
Reading Time: 8 minutes
Summary: Learn how to classify cookies, pixels, iframes & services by domain in Secure Privacy. Assign GDPR consent categories, add custom entries & keep your cookie declaration accurate.

Staying GDPR-compliant isn't just about displaying a cookie banner — it's about making sure every cookie, tracking pixel, iframe, and third-party script on your site is correctly identified, categorised, and controlled. When those classifications are wrong or incomplete, your consent management platform serves up a banner that doesn't match what's actually running in the background, which exposes your business to regulatory risk.
Many teams try to manage this manually — hunting through browser dev tools, maintaining spreadsheets of cookie names and expiry dates, and guessing at which consent category each tracker belongs to. It's time-consuming, error-prone, and almost impossible to keep current as your site evolves. Others rely on a generic cookie consent solution that auto-classifies everything at the account level, only to find that individual domains in their portfolio have unique tracking requirements that a one-size-fits-all configuration can't accommodate.
Secure Privacy's domain-level Classification page solves this cleanly. It gives you a structured, per-domain view of every detected cookie, pixel, iframe, and service — and lets you align each one to the correct consent category without overriding your account-wide defaults where they aren't needed.
By the end of this guide you will be able to: review all detected tracking technologies for a specific domain, assign or correct their GDPR consent categories, manually register custom cookies and pixels not caught by the automated scanner, and ensure your cookie declaration accurately reflects what runs on your site.
Who Is This Guide For?
This guide is for website owners, privacy compliance managers, and developers who are already using Secure Privacy and need to fine-tune cookie consent classification at the individual domain level. It is particularly relevant if you:
- Manage multiple domains with different tracking setups under one Secure Privacy account

- Need to manually add cookies or pixels that the automated scanner did not detect

- Want to ensure your cookie declaration accurately lists all marketing, analytics, and necessary cookies for a specific site

- Are preparing for a GDPR, CCPA, or ePrivacy audit and need precise per-domain consent category mapping

Important: Account-wide classification settings always override domain-level settings. If a cookie, pixel, or service is configured at the account level, changes made here at the domain level will not take effect for those items. For purely domain-specific tracking elements, domain-level classification gives you full control.
Getting Started: Accessing Domain-Level Classification
To begin classifying or recategorising cookies, pixels, iframes, or services for a specific domain, follow these steps.
Step 1 — Select Your Domain
Log in to your Secure Privacy dashboard and open the Domains tab. Click the domain you want to configure.
Select a domain from the Domains tab to open its configuration page.
Step 2 — Open the Classification Tab
Once inside the domain page, click the Classification tab. This reveals all detected cookies, pixels, iframes, and services for the domain, along with their current consent category assignments.
The Classification tab provides a full breakdown of detected tracking technologies for the selected domain.
Recommendation: Before changing consent categories, review the detected items with your legal team to confirm that the classifications align with your business needs and applicable data protection obligations — particularly under GDPR and ePrivacy rules.
Classification — Cookies Tab: Managing GDPR Cookie Categories
The Cookies tab lists every cookie detected on your website — both account-level cookies (shared across all your domains) and domain-specific cookies. Account-level cookies are marked with a distinct icon so you can distinguish them from domain-only entries.
The Cookies tab shows all detected cookies, their consent categories, and whether they are configured at the account or domain level.
Adding a Custom Cookie
If a cookie was not automatically detected during the scan — for example, a first-party cookie set by a custom in-house script — click Add Cookie to register it manually. You can configure the following fields:
- Cookie Name: The name identifier for the cookie (as it appears in the browser).

- Host: The domain that sets the cookie.

- Category: The GDPR consent category — Necessary, Analytics, Marketing, or Preferences (configured via the Services tab).

- Service Name: The service or vendor associated with this cookie.

- Expiry: The cookie expiration date or duration (e.g., 1 year, session).

- Description: A plain-language description of the cookie's purpose, available in multiple languages for multilingual cookie declarations.

Any custom cookie you add here will be applied to this domain and will appear in the scan report and publicly visible cookie declaration after your next rescan on the Scan Report page.
Classification — Pixels Tab: Classifying Tracking Pixels for Consent
The Pixels tab displays all tracking pixels detected on your website — including account-level and domain-level pixels. Tracking pixels (such as the Meta Pixel, Google Ads conversion tag, or LinkedIn Insight Tag) typically require prior user consent under GDPR before they may fire.
All detected tracking pixels are listed here, with options to classify or manually add custom pixel entries.
Adding a Custom Pixel
To register a pixel not detected by the automated scan, click Add Pixel and provide the following:
- Source URL: The URL from which the pixel is loaded.

- Service Name: The advertising or analytics service associated with this pixel.

Custom pixel entries will appear in the scan report and cookie declaration after your next rescan on the Scan Report page.
Classification — Iframes Tab: Managing Third-Party Embedded Content
The Iframes tab displays all detected iframes for your domain — including custom and account-level entries. Embedded third-party content such as YouTube videos, Google Maps, or Vimeo players can set cookies and process personal data, and typically requires user consent before loading.
The Iframes tab lists all embedded third-party content detected on your domain that may require prior consent.
Adding a Custom Iframe
Click Add Iframe to manually register an embedded content source. Configure the following fields:
- Source: The URL source of the iframe content (e.g., https://www.youtube.com/embed/).

- Service Name: The service associated with this iframe (e.g., YouTube, Google Maps).

The Add Iframe dialog lets you register a custom embedded content source and link it to a service.
Classification — Services Tab: Grouping Cookies and Scripts by Consent Category
The Services tab gives you a full overview of all services detected for your domain, including those configured at the account level. Services are the backbone of your consent structure — they group related cookies, pixels, and scripts under a single vendor or tool and assign them a shared consent category (Necessary, Analytics, Marketing, or Preferences).
The Services tab organises all tracking technologies under named services, each with a defined GDPR consent category.
Editing a Service
To edit a service, click the three-dot menu (⋮) next to the service entry and select Edit. You can configure the following:
- Service Name: The display name shown to visitors in the cookie consent banner and declaration (e.g., "Google Analytics", "Meta Pixel").

- Category: The consent category assigned to this service — Necessary, Analytics, Marketing, or Preferences.

- Script Type and Source: The script type and its source URL. If a service loads from multiple sources, separate each URL with a comma.

- Privacy Policy Link: A direct link to the service provider's privacy policy, displayed in the cookie declaration for transparency.

The Edit Service dialog lets you define the service name, consent category, script sources, and a link to the vendor's privacy policy.
Note: Ensure all service configurations accurately reflect your business requirements and have been reviewed by your legal team. Correct classification of cookies, pixels, iframes, and services is essential for maintaining GDPR-compliant consent management across your digital properties.
Troubleshooting Common Classification Issues
My custom cookie isn't appearing in the cookie declaration.
Custom entries only appear after a rescan. Go to the Scan Report page and trigger a new scan to update the declaration.
I changed a consent category at the domain level, but it isn't taking effect.
Account-level settings override domain-level settings. If the item is configured at the account level, you will need to adjust it there instead.
A cookie or pixel I added is showing under the wrong service.
Open the Services tab, edit the relevant service, and verify the script sources and category. Then re-add the cookie or pixel and select the correct service from the dropdown.
My scan isn't detecting a known third-party script.
Some scripts load conditionally or are injected after initial page load. Use the Cookies, Pixels, or Iframes tabs to add these entries manually and assign them to the correct service and consent category.
Frequently Asked Questions
What is cookie classification and why does it matter for GDPR?
Cookie classification is the process of assigning each cookie, pixel, iframe, or script on your website to a consent category — Necessary, Analytics, Marketing, or Preferences. Under GDPR and ePrivacy rules, visitors must have meaningful, category-level control over non-essential tracking. Correct classification ensures your cookie banner reflects what actually runs on your site, keeping your consent management legally defensible.
What is the difference between account-level and domain-level classification?
Account-level classification applies settings across all domains in your Secure Privacy account and always takes precedence. Domain-level classification lets you fine-tune individual cookies, pixels, iframes, and services for a specific website — ideal when different domains in your portfolio have different tracking setups.
Can I add a cookie that Secure Privacy didn't automatically detect?
Yes. In the Classification → Cookies tab, click Add Cookie to manually register any cookie. You can specify the name, host, consent category, associated service, expiry, and a multilingual description. It will appear in your scan report and cookie declaration after the next rescan.
Do tracking pixels and iframes also need user consent under GDPR?
Yes. Tracking pixels (such as the Meta Pixel or Google Ads tag) and embedded iframes (such as YouTube or Google Maps) can process personal data and set cookies. They typically require prior user consent under GDPR unless strictly necessary. Secure Privacy lets you classify and block these technologies until consent is given.
How do the Necessary, Analytics, and Marketing consent categories work?
Necessary cookies are always active — they are required for the site to function. Analytics cookies measure performance and usage. Marketing cookies track visitors for advertising purposes. Visitors can accept or reject each non-necessary category through the cookie consent banner, and Secure Privacy enforces those choices automatically.
How often should I rescan after making classification changes?
Rescan whenever you add new third-party scripts, pixels, or integrations, or after any major site update. Each rescan updates your cookie declaration to reflect the latest classifications, keeping it accurate for both visitors and regulators.
Related Articles
- How to Configure Account-Level Cookie Classification[?]

- Understanding Your Secure Privacy Scan Report

- Setting Up and Customising Your Cookie Declaration

- Consent Categories Explained: Necessary, Analytics, Marketing, and Preferences[?]

- GDPR Cookie Compliance: What Your Website Needs to Do

---

# Secure Privacy Domain Settings: Configure Cookie Consent, Blocking & Compliance Templates

URL: https://support.secureprivacy.ai/article/managing-domain-settings-in-secure-privacy
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T01:02:10.251+00:00
Reading Time: 8 minutes
Summary: Configure cookie consent, blocking modes, Google Consent Mode, and compliance templates for each domain in Secure Privacy. Step-by-step GDPR setup guide

Cookie consent laws aren't optional. Under GDPR, CCPA, and the ePrivacy Directive, every website that places non-essential cookies on a visitor's device must obtain clear, informed consent before doing so — or risk fines of up to €20 million or 4% of global annual turnover. Yet most website owners either display a banner that doesn't actually block cookies, rely on a free plugin that hasn't been updated for the latest regulatory guidance, or spend hours manually configuring scripts one by one.
A proper consent management platform (CMP) solves this by handling cookie detection, blocking, and user preference storage automatically — but only if it's configured correctly for each domain you operate. Misconfigured domain settings are one of the most common reasons businesses fail cookie consent audits even when they believe they're compliant.
Secure Privacy gives you granular, per-domain control over every aspect of your cookie consent setup: which cookies are blocked and when, how your consent banner looks, which compliance template governs your region's regulations, and how Google Analytics and Google Ads behave in response to user choices. By the end of this guide, you'll have every section of the Secure Privacy Domain Settings page fully configured — giving you an audit-ready, regulation-aligned privacy setup across all your websites.
Who Is This Guide For?
This guide is for website owners, webmasters, and compliance managers who use Secure Privacy to manage cookie consent and data privacy compliance across one or more domains. Whether you're setting up a domain for the first time, migrating after a rebrand, or fine-tuning blocking behaviour to satisfy a recent audit, this reference covers every available setting.
How to Access Domain Settings in Secure Privacy
Step 1 — Log In to Your Secure Privacy Account
Log in to your Secure Privacy account at app.secureprivacy.ai using your registered credentials.
Step 2 — Open the Domains Tab
After logging in, navigate to the Domains tab in the top navigation bar. This section lists all domains associated with your account, along with their current configuration status.
Step 3 — Select the Domain to Configure
From the domain list, click the name of the specific domain you want to configure. This opens its individual Domain Settings page, where all customization options are available.
The Domains tab lists all domains in your account. Click a domain name to open its settings.
Customizing Domain Settings: Every Option Explained
The Domain Settings page is organized into five key sections. Each section controls a distinct aspect of your website's privacy and cookie consent behaviour. Below is a detailed walkthrough of each.
Domain Name
Edit the domain name to ensure it accurately reflects the current website address. Keeping this up to date is particularly important after domain migrations, rebranding, or when launching a site on a new TLD — an incorrect domain name can cause the Secure Privacy script to fail consent logging for the wrong origin.
Design — Customize Your Cookie Consent Banner
Assign a cookie banner design template to this domain to control how your consent widget appears to visitors. You can select from existing brand-matched designs or create a new one. A well-designed, on-brand consent banner increases opt-in rates and builds visitor trust — both of which are measurable signals of an effective consent management setup.
For detailed instructions on adjusting colors, layout, and button text, refer to the Design Settings guide.
The Design section lets you assign or create a cookie banner template for this specific domain.
Blocking — Control How Cookies Are Managed on Your Domain
The Blocking section is the most compliance-critical setting on this page. It determines whether Secure Privacy automatically enforces cookie blocking before consent is given, or whether you manage blocking manually. Two modes are available:
Automatic Blocking (Recommended Default)
Automatic blocking is the recommended setting for most websites and the default for all new domains. When enabled, Secure Privacy automatically prevents all non-essential cookies and third-party trackers from loading on a visitor's device until they have provided explicit consent. Only cookies classified as strictly necessary — those required for core site functionality such as session management or shopping cart persistence — are permitted to run without consent.
This mode is fully aligned with GDPR Article 7, the ePrivacy Directive, and guidance from data protection authorities across the EU. It requires no manual script management, making it the most practical choice for the majority of website owners.
Manual Blocking
Manual blocking disables Secure Privacy's automatic cookie regulation, meaning all cookies and services load without restriction until a user actively opts out. This mode is intended for developers or compliance teams who need fine-grained control and prefer to manually specify which scripts or services to allow or restrict via the tag manager or script rules.
Important: Manual blocking places full responsibility for privacy compliance with the website operator. In this mode, non-essential cookies may fire before consent is obtained — which is not compliant with opt-in frameworks such as GDPR without additional manual configuration. Use this mode only if you have a specific technical reason and understand the compliance implications.
Choose Automatic Blocking for regulation-aligned cookie control, or Manual Blocking for custom script-level management.
Google Consent Mode — Preserve Analytics While Respecting User Choices
Google Consent Mode is a framework that allows Google services — including Google Analytics 4, Google Ads, and Google Tag Manager — to adapt their data collection behaviour based on each visitor's consent status. When a user declines analytics cookies, Google's services switch to cookieless, modeled measurement rather than stopping entirely, preserving conversion and audience data while respecting the user's choice.
Configuring Google Consent Mode through Secure Privacy ensures that consent signals are passed correctly to all connected Google services — a requirement for advertisers using Enhanced Conversions or running campaigns to EU audiences under Google's EU User Consent Policy. The default value is OFF. Select your preferred mode (Basic or Advanced) from the options in this section.
Enable Google Consent Mode to ensure Google Analytics and Google Ads respect visitor consent decisions.
Templates — Apply Pre-Built Legal Compliance Configurations
The Templates section lets you apply a pre-defined legal compliance template that simultaneously configures your cookie banner, consent widget, preference centre, privacy policy, cookie declaration, data request form, and contextual consent layer — all at once. Each template is preconfigured for a specific regulatory framework (such as GDPR for EU visitors, CCPA for California, or LGPD for Brazil), letting you deploy compliant privacy measures in minutes rather than hours.
For a full breakdown of available templates and their configurations, visit the Templates Settings guide.
Select a compliance template to instantly configure all privacy components for GDPR, CCPA, or other applicable regulations.
Keeping Your Domain Settings Compliant Over Time
Data protection regulations evolve frequently — GDPR guidance is updated by national DPAs, and frameworks like CCPA continue to be amended by new legislation. Regularly reviewing your domain settings ensures your cookie consent configuration remains aligned with current compliance requirements. As a best practice, audit each domain's settings when you:
- Add new third-party scripts or analytics tools to your site

- Migrate to a new domain or rebrand

- Receive guidance from a data protection audit or legal review

- See a regulatory update affecting your operating regions

For further assistance, contact the Secure Privacy support team at support@secureprivacy.ai.
Frequently Asked Questions
Do I need a cookie banner on my website to comply with GDPR?
Yes. Under GDPR and the ePrivacy Directive, you must obtain freely given, specific, informed, and unambiguous consent before placing any non-essential cookies on a visitor's device. A compliant cookie banner — one that actually blocks cookies until consent is granted — is the standard mechanism for meeting this requirement. Simply displaying a banner without blocking cookies is not sufficient.
What is the difference between Automatic Blocking and Manual Blocking in Secure Privacy?
Automatic Blocking is the recommended default. It prevents all non-essential cookies and third-party trackers from loading until a visitor gives consent, with no manual configuration required. Manual Blocking disables this automation, allowing all cookies to load freely until a user opts out. Manual mode is intended for advanced users managing custom script rules and requires additional configuration to remain GDPR-compliant.
What does Google Consent Mode do and do I need it?
Google Consent Mode tells Google Analytics and Google Ads how to behave when a user has declined cookies. Instead of stopping entirely, Google switches to cookieless, modeled measurement — preserving useful conversion data without violating the user's choice. If you run Google Ads campaigns targeting EU users or use Enhanced Conversions, enabling Google Consent Mode is required under Google's EU User Consent Policy.
Can I configure different settings for different domains in Secure Privacy?
Yes. Secure Privacy's Domain Settings are applied per domain. You can assign different cookie banner designs, blocking modes, Google Consent Mode settings, and compliance templates to each domain in your account — making it straightforward to manage a multi-site portfolio with different regional regulations or brand identities.
Which compliance template should I choose for a GDPR website?
For websites targeting EU visitors, select the GDPR template. This preconfigures your cookie banner, preference centre, cookie declaration, and other privacy components according to GDPR and ePrivacy Directive requirements — including opt-in consent, granular category controls, and a record of consent. See the Templates Settings guide for the full list of available regulatory frameworks.
Related Articles
- Templates Settings: Simplify Privacy Management with Pre-Built Compliance Configurations

- Design Settings: Customize Your Cookie Consent Banner Appearance

- Getting Started: Installing Secure Privacy on Your Website

- Google Consent Mode Integration Guide

- Understanding Cookie Categories: Essential vs. Non-Essential Cookies

---

# Secure Privacy User Management: Add Team Members, Assign Roles, and Control Access

URL: https://support.secureprivacy.ai/article/managing-users-in-secure-privacy-adding-editing-and-deleting-team-members
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T01:07:48.451+00:00
Reading Time: 6 minutes
Summary: Learn how to add team members, assign Account Admin or Domain Admin roles, update permissions, and remove users in Secure Privacy. Keep your consent account secure and organised.

When your privacy compliance tool controls cookie banners, consent records, and GDPR configurations across every domain you manage, deciding who can change what is not a minor detail — it is a compliance and security decision. Sharing a single login across your whole team means one accidental change can alter consent banners site-wide, with no audit trail and no way to roll back responsibility.
Many teams work around this by copying credentials into a shared password manager or granting everyone blanket admin access — neither approach scales, and both create unnecessary risk when a contractor finishes their engagement or a team member changes roles.
Secure Privacy solves this with granular, role-based access control built directly into the platform. You can invite colleagues and agencies as individual users, assign each person exactly the level of access their role requires, and revoke that access instantly when circumstances change — all without touching your cookie consent configuration.
By the end of this guide you will know how to add new team members, understand the difference between Account Owner, Account Admin, and Domain Admin roles, update permissions for existing users, reassign domain administrators, and permanently remove users from your account.
Who Is This Guide For?
This article is relevant if you are:
- An Account Owner or Admin onboarding a new developer, agency partner, or privacy officer to your Secure Privacy account

- A team lead who needs to restrict a contractor's access to specific domains only

- An IT or compliance manager conducting a periodic access review and needing to remove former employees

- Anyone evaluating Secure Privacy who wants to understand how multi-user access and permission levels work before committing

How to Add a New Team Member to Your Secure Privacy Account
Invite a colleague, developer, or agency partner to your account in under a minute. You control the access level they receive at the point of invitation.
Step 1 — Log in to Secure Privacy
Sign in to your Secure Privacy account at your usual login URL.
Step 2 — Open the Users Tab
Navigate to the Account section and click on the Users tab.
Step 3 — Click Add New User
Click the Add New User button to open the invitation form.
Step 4 — Enter the User's Details
Fill in the new team member's first name, last name, and email address.
Step 5 — Select an Access Level and Confirm
Choose the appropriate user role for this team member (see role descriptions below), then confirm. The user will receive an invitation email with instructions to set up their access.
The Add New User form — enter contact details and choose the correct access level before confirming.
Secure Privacy User Roles and Permission Levels Explained
Secure Privacy uses role-based access control (RBAC) to determine what each team member can view and manage. Three roles are available, each scoped to a different level of responsibility:
- Account Owner / Admin: Full access to all domain configurations, account settings, and billing data. This is the highest permission level in the account and is typically held by the primary account holder.

- Account Admin: Access to all features and domain configurations, but cannot modify billing information or core account details. Ideal for internal team leads or privacy officers who need broad operational access.

- Domain Admin: Full access only to their assigned domains. Cannot access billing or account-level settings. Any designs, templates, or policies configured outside the Domains tab are view-only for Domain Admins — they cannot edit these configurations. Best suited for external agencies or developers responsible for a specific set of domains.

How to Modify User Roles and Permissions in Secure Privacy
To update the access level assigned to an existing team member:
Step 1 — Go to the Users Tab
Open the Account section and select the Users tab.
Step 2 — Find the User and Click Edit
Locate the team member whose role you want to change and click the Edit button next to their name.
Step 3 — Select the New Role
Choose the updated user role from the available options in the dialog.
Step 4 — Save Changes
Click Save. The new access level takes effect immediately — no re-login required for the affected user.
The Edit User dialog — select a new role to immediately update what this team member can access.
How to Change the Domain Administrator for a Specific Domain
If you need to reassign ownership of a domain — for example, when handing a website back to a client or transferring responsibility between team members — follow these steps:
Step 1 — Open the Users Tab
Navigate to the Users tab inside the Account section.
Step 2 — Edit the Intended Domain Admin
Find the user you want to appoint as the new domain administrator and click the Edit button.
Step 3 — Assign the Domain
Select the relevant domain from the dropdown list to assign this user as its administrator.
Step 4 — Save Changes
Click Save to confirm the new domain administrator assignment.
Use the domain dropdown to assign or reassign a Domain Admin to any domain in your account.
How to Remove a User and Revoke Their Access to Secure Privacy
When a team member, contractor, or agency partner no longer needs access to your account, remove them immediately to keep your consent management environment secure.
Step 1 — Open the Users Tab
Go to the Users tab in the Account section.
Step 2 — Click Delete Next to the User
Find the user you want to remove and click the Delete button next to their name.
Step 3 — Confirm the Removal
Confirm the deletion when prompted. This action permanently removes the user and immediately revokes all their access. It cannot be undone — if you need to re-add them later, you will need to send a new invitation.
The Delete button on the Users tab permanently removes a team member and revokes their access instantly.
Secure Privacy's role-based access control gives you a clear, auditable structure for every person who touches your consent management configuration — from account-level admins down to domain-specific contributors. Keeping your user list current is one of the simplest steps you can take to maintain both security and GDPR compliance across your account.
If you need further help with user management or any other account settings, contact the Secure Privacy support team[?] and we will be happy to assist.
Frequently Asked Questions
How many users can I add to my Secure Privacy account?
The number of users you can add depends on your Secure Privacy subscription plan. Check your plan details in the Account section, or contact support[?] for information about increasing your user limit.
What is the difference between Account Admin and Domain Admin in Secure Privacy?
An Account Admin has access to all features and domain configurations across the entire account, but cannot change billing details. A Domain Admin is scoped to only the specific domain(s) assigned to them and has view-only access to designs, templates, and policies configured outside the Domains tab. Use Domain Admin for agency partners or developers who should only manage a particular website.
Can a Domain Admin see billing information or other domains?
No. Domain Admins cannot access billing data or account-level settings, and they can only view and manage the domains specifically assigned to them. This makes the Domain Admin role ideal for external partners or contractors who need hands-on access to a limited set of domains without exposing sensitive account information.
What happens to a domain's cookie consent settings when I delete its Domain Admin?
Deleting a user only removes their access — it does not alter any cookie consent configurations, banners, or consent records associated with that domain. All existing settings remain intact and continue to function normally. You can assign a new Domain Admin to that domain at any time.
Related Articles
- Account Settings Overview

- Setting Up Your Cookie Consent Banner

- GDPR Compliance Guide

- Domain Management[?]

---

# How to Use Scan Reports to Monitor Your Website's GDPR Compliance Score

URL: https://support.secureprivacy.ai/article/a-guide-to-scanning-your-website-for-regulatory-compliance
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:36:30.175+00:00
Reading Time: 5 minutes
Summary: Scan your website for GDPR compliance issues, track your score over time, and fix violations fast. Learn how to use Secure Privacy's Scan Reports in 3 steps.

Most website owners don't discover a GDPR compliance problem until it's already a legal risk — a data protection authority inquiry, a user complaint, or a third-party audit that turns up tracking scripts and cookies that were never properly disclosed. Manually reviewing your site for privacy violations is time-consuming, technically complex, and easy to get wrong, especially as your site grows and third-party integrations multiply.
One-off compliance checklists and paid consultants can help, but they only capture a snapshot. The moment you publish a new page, update a plugin, or add a marketing pixel, your compliance status can change — and you may not find out until it's too late.
Secure Privacy's Scan Reports feature gives you a continuous, automated GDPR compliance scanner built directly into your dashboard. It audits your domains on your schedule, assigns a clear compliance score, and surfaces exactly which issues need attention — so you have an always-current picture of your site's privacy posture without the manual overhead.
By the end of this guide, you'll know how to run a full website compliance scan, read and act on your results, compare scans over time to track progress, and configure automated monitoring so compliance never slips through the cracks again.
Who Is This For?
This guide is for Secure Privacy users who want to check their website for GDPR compliance issues, track their compliance score over time, or set up automated privacy audits for one or more domains. It's equally useful for website owners running their first scan and compliance managers reviewing ongoing monitoring results.
Getting Started: Accessing Scan Reports in Secure Privacy
To begin scanning your domains for privacy compliance issues, click Domains in the navigation bar and select the domain you want to audit. Then, in the left sidebar, select Scan Reports under the Report section.
Within the Scan Reports section, you will find three tabs:
- Scan Report — Run a GDPR compliance scan and review your compliance score

- History — Access and compare previous compliance audit results

- Settings — Configure scan frequency, server location, and email notifications

The Scan Report tab provides an intuitive compliance graph showing how well your site meets relevant privacy regulations including GDPR. The goal is to achieve a compliance score as close to 100% as possible by identifying and resolving each flagged issue.
Step 1 — Run a Domain GDPR Compliance Scan
To scan your domain for privacy compliance issues, click the Scan or Rescan button on the Scan Report tab. Once the website compliance scan completes, the dashboard displays a detailed, prioritized breakdown of every area on your site that requires attention to achieve full regulatory compliance.
Results are presented in a clear format so you can quickly identify and address the most critical GDPR compliance issues first — from missing cookie consent notices to undisclosed third-party trackers.
The Scan Report dashboard shows your overall compliance score and a prioritized list of issues to resolve.
Step 2 — Review Your Website Compliance Audit History
The History tab gives you access to all previously completed compliance scans for your domain. Click the History tab and select any saved scan to open the full audit report.
This feature provides a clear compliance audit trail, making it easy to track your site's progress over time, demonstrate improving compliance to stakeholders, and quickly spot any regressions or newly introduced privacy issues between scans.
The History tab provides a timestamped log of every compliance scan run on your domain.
Step 3 — Configure Your Domain Scan Settings
The Settings tab lets you customize how, when, and from where your domain is scanned. Available options include:
- Scan frequency: Choose between automatic monthly compliance scans or manual on-demand scans.

- Scan location: Select whether to scan from a US or European server to reflect region-specific regulatory requirements — particularly useful for verifying GDPR compliance from a European IP perspective.

- Email notifications: Opt in to receive an email alert each time a scan is completed so you're always informed of changes to your compliance status.

- Scan behind login: Enable scanning of authenticated, members-only pages by providing the field IDs for your username and password inputs, along with the required login credentials.

These settings give you full control over your privacy compliance monitoring workflow, allowing you to tailor automated scanning to your organization's specific regulatory and operational needs.
The Settings tab controls scan frequency, server location (US or EU), notifications, and authenticated page scanning.
What Happens After Your Scan?
Once your first GDPR compliance scan is complete, work through the flagged issues from highest priority to lowest using your Secure Privacy dashboard. Re-run a scan after making changes to confirm your compliance score has improved. Over time, use the History tab to build a documented compliance record — useful for demonstrating due diligence to auditors, clients, or data protection authorities.
Frequently Asked Questions
How do I check if my website is GDPR compliant?
In Secure Privacy, navigate to Domains, select your domain, and open Scan Reports in the left sidebar. Click Scan to run an automated GDPR compliance audit. The dashboard will display your compliance score and a prioritized list of issues — such as undisclosed cookies or missing consent banners — that need to be resolved.
How often should I scan my website for privacy compliance issues?
At a minimum, scanning monthly is recommended — especially if you regularly publish new content, update plugins, or add marketing integrations. Secure Privacy's automatic monthly scan option handles this for you. For high-traffic or frequently updated sites, more frequent on-demand scans are advisable.
Can I scan pages that require a login for GDPR compliance?
Yes. In the Scan Settings tab, enable Scan behind login and provide the field IDs for your login form's username and password inputs, along with valid credentials. Secure Privacy will then include authenticated pages in your compliance audit.
What is the difference between scanning from a US vs European server?
Some websites serve different content or cookie banners depending on the visitor's geographic location. Scanning from a European server simulates a visit from an EU-based user, which is the perspective that matters most for GDPR compliance verification. Scanning from a US server is useful for checking compliance under US privacy laws such as CCPA.
How can I track my website's GDPR compliance progress over time?
Use the History tab in Scan Reports to view all past scans for your domain, including their dates and compliance scores. Comparing scans before and after making fixes lets you confirm improvements and maintain a documented compliance audit trail.
Related Articles
- How to Set Up a Cookie Consent Banner with Secure Privacy

- GDPR Compliance Checklist for Website Owners

- Understanding the Secure Privacy Cookie Scanner[?]

- Generating a GDPR-Compliant Privacy Policy

---

# Secure Privacy SOC 2 Compliance: Status, What It Means & How to Request the Report

URL: https://support.secureprivacy.ai/article/secure-privacy-soc-2-compliance
Product: Consent Management
Category: Getting Started
Published: 2026-03-06T07:12:00+00:00
Updated: 2026-03-26T00:41:15.063+00:00
Reading Time: 5 minutes
Summary: Secure Privacy is SOC 2 compliant. Learn what that means for your data security, how independent audits protect your organization, and how to request the full SOC 2 report.

When your security team, legal counsel, or procurement committee vets a new SaaS vendor, one question comes up early: is this platform SOC 2 compliant? For organizations subject to GDPR, CCPA, or internal data governance policies, using a consent management platform that hasn't been independently audited isn't an option — the risk to your customer data and your compliance posture is simply too high.
Many consent management tools make broad claims about security without the independent verification to back them up. Chasing down vague "we take security seriously" answers from vendor support teams — or worse, trying to interpret self-certified security pages — wastes your team's time and leaves real questions unanswered.
Secure Privacy takes a different approach. As a SOC 2 compliant consent management platform, Secure Privacy undergoes rigorous, independent third-party audits that verify its security, availability, and confidentiality controls against the AICPA's recognized Trust Service Criteria. Your due diligence process has a clear, audited answer.
By the end of this article you'll know exactly what Secure Privacy's SOC 2 compliance covers, what it means for your organization's data, and the precise steps to request the full audit report for your vendor review.
Who Is This Article For?
This article is for current and prospective Secure Privacy customers who need formal confirmation of Secure Privacy's security posture — including:
- Security engineers and InfoSec teams conducting vendor risk assessments

- Compliance officers evaluating consent management platforms against GDPR, CCPA, or ISO requirements

- Legal teams and procurement stakeholders reviewing SaaS vendor due diligence documentation

- Anyone asking: "Is Secure Privacy SOC 2 certified, and how do I get the report?"

What Is SOC 2 Compliance?
SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how service organizations manage and protect customer data based on five Trust Service Criteria:
- Security — protection against unauthorized access

- Availability — systems are operational and accessible as committed

- Processing Integrity — processing is complete, accurate, and authorized

- Confidentiality — designated confidential information is protected

- Privacy — personal information is collected, used, and disclosed appropriately

Achieving SOC 2 compliance demonstrates that a company has effective, independently audited controls in place to protect sensitive customer data on an ongoing basis — not just a self-assessment, but a verified third-party opinion.
Secure Privacy SOC 2 Compliance Status
Secure Privacy is SOC 2 compliant and undergoes independent third-party audits to validate its security and operational controls. You can review Secure Privacy's full compliance posture on the official compliance page:
Secure Privacy Compliance Overview — compliance.secureprivacy.ai
Secure Privacy's compliance dashboard at compliance.secureprivacy.ai showing current SOC 2 status.
What SOC 2 Compliance Means for Your Organization
When you deploy Secure Privacy as your consent management platform, SOC 2 compliance gives your organization concrete assurances:
- Your customer data is protected by independently verified security controls — not self-reported ones

- Secure Privacy's systems are monitored and maintained for high availability, reducing risk of service disruption affecting your consent records

- Internal processes follow recognized industry security best practices, aligned with AICPA standards

- Formal risk management and incident response procedures are in place and audited

For organizations that must demonstrate third-party vendor due diligence under GDPR Article 28 (processor agreements) or similar frameworks, Secure Privacy's SOC 2 report is a critical piece of your compliance documentation.
How to Request the Secure Privacy SOC 2 Report
The full SOC 2 audit report is available to customers and prospective customers upon request. For security and confidentiality reasons, a signed NDA is required before the report can be shared. The process takes as little as two business days.
Step 1 — Contact the Secure Privacy Support Team
Email support@secureprivacy.ai to initiate your SOC 2 report request. Include your organization name and the context for your request (e.g. vendor assessment, procurement review) to help the team process it efficiently.
Step 2 — Review and Sign the NDA
The Secure Privacy team will provide a Non-Disclosure Agreement (NDA) for your review. Once your organization has reviewed and executed the NDA, your request moves to processing.
Step 3 — Receive the SOC 2 Report
After the NDA is executed, allow up to two business days for your request to be processed and the report delivered. Timing may vary slightly depending on the nature and scope of the request.
Frequently Asked Questions About Secure Privacy's SOC 2 Compliance
Is Secure Privacy SOC 2 certified?
Yes. Secure Privacy is SOC 2 compliant and undergoes independent third-party audits to validate its security, availability, and confidentiality controls. You can verify the current compliance status at compliance.secureprivacy.ai.
Can I download the SOC 2 report directly from the Secure Privacy website?
No. For security and confidentiality reasons, the SOC 2 report is not publicly available for direct download. A signed NDA is required before the report can be shared with your organization. Contact support@secureprivacy.ai to begin the process.
Which SOC 2 report type does Secure Privacy hold — Type I or Type II?
Details about the SOC 2 report type and audit scope are disclosed after an NDA is signed. Please contact support@secureprivacy.ai for specifics.
How long does it take to receive the SOC 2 report after requesting it?
After the NDA is signed, the SOC 2 report is typically delivered within two business days. Timing may vary slightly depending on the nature of the request and the internal review process.
Does Secure Privacy's SOC 2 compliance satisfy GDPR data processor requirements?
SOC 2 compliance is an important signal of a vendor's security maturity and is commonly used as supporting evidence in GDPR Article 28 vendor due diligence and data processing agreement reviews. For specific questions about how Secure Privacy's compliance posture aligns with your organization's legal requirements, we recommend consulting your Data Protection Officer and contacting support@secureprivacy.ai to request the full report.
Related Security & Compliance Articles
- Secure Privacy GDPR Data Processing Agreement (DPA)[?]

- Secure Privacy Data Security Overview

- Secure Privacy Privacy Policy

- All Secure Privacy Compliance Certifications

---

# Secure Privacy Cookie Banner Performance – Core Web Vitals, Script Loading Modes, and SEO Protection Explained

URL: https://support.secureprivacy.ai/article/banner-performance-optimization-seo-best-practices
Product: Consent Management
Category: Scanning & Performance
Published: 2025-12-10T10:00:00+00:00
Updated: 2026-03-23T20:24:03.831+00:00
Reading Time: 4 minutes
Summary: Learn how Secure Privacy minimizes cookie banner impact on Core Web Vitals, page speed, and SEO — covering noindex for banner content, 100ms script loading, LCP, CLS, INP optimization, and V2 CDN improvements.

Secure Privacy's cookie consent banner is built to minimize its impact on your website's loading speed, Core Web Vitals, and SEO health. This article explains the specific techniques used — including script loading modes, SEO protection for banner content, V2 platform improvements, and how the banner is optimized for LCP, CLS, and INP.

Who Is This For?

  - Website administrators and developers evaluating the performance impact of the Secure Privacy cookie banner

  - SEO professionals verifying that cookie consent content does not affect search engine indexing or Core Web Vitals scores

  - Technical teams choosing between Automatic Blocking Mode and Manual Mode based on their performance and compliance requirements

SEO Protection: Noindex for Banner Content

All Secure Privacy banner texts include a noindex directive — preventing search engines from indexing cookie consent copy. This means:

  - Search results show your actual page content, not repetitive cookie consent language

  - Your SEO rankings are not diluted by compliance text appearing in indexed page content

  - Crawl budget is preserved for the pages that matter for your organic visibility

Script Loading Performance

Secure Privacy targets a script loading time of 100ms or less — in line with industry standards for consent management platforms. Two loading modes are available depending on your compliance requirements and tag management setup.

Automatic Blocking Mode (default)

This mode loads the Secure Privacy script synchronously so it can manage all other scripts on the page before they execute. It guarantees that visitor cookie preferences are applied before any third-party tags fire — providing the strongest pre-consent blocking guarantee.

Despite being synchronous, the script is optimized for fast loading and should not noticeably affect perceived page speed at the ~100ms target load time.

Manual Mode

Manual Mode loads the script asynchronously — the rest of your page does not wait for the consent script to complete before rendering. This provides the fastest possible loading behavior and is suitable for teams that manage tag blocking themselves — for example, through Google Tag Manager.

V2 Platform Performance Improvements

Smaller script bundle

The Secure Privacy V2 platform uses improved code splitting and tree-shaking techniques — delivering a smaller JavaScript bundle that consumes fewer browser resources and loads faster than the previous version.

Global CDN distribution

V2 scripts are served from a global CDN with advanced geolocation routing — ensuring consistently fast load times regardless of where your visitors are located, without latency introduced by serving scripts from a single origin.

Core Web Vitals Impact

Largest Contentful Paint (LCP)

The banner's impact on LCP is minimal because:

  - The script loads quickly in both Automatic and Manual modes

  - The banner overlay is lightweight HTML and CSS with no large images or media files

  - No heavy fonts or external media are loaded as part of the banner

Cumulative Layout Shift (CLS)

The banner uses fixed or sticky positioning at the viewport edge — it does not push page content down when it appears, and it does not cause layout shifts when dismissed. CLS impact is effectively zero.

Interaction to Next Paint (INP)

Banner interactions are optimized for responsiveness:

  - Lightweight click handlers with no heavy JavaScript framework dependencies

  - Asynchronous consent preference saving — storing choices does not block the UI thread

  - Immediate visual feedback on button clicks to ensure the interaction feels instantaneous

Frequently Asked Questions

Will the cookie banner text affect my SEO rankings?

No. The noindex directive applied to all Secure Privacy banner content ensures it is never indexed by search engines — so cookie consent copy cannot appear in search results or dilute your page's keyword relevance.

What is the real-world impact of synchronous script loading?

Synchronous loading briefly pauses other scripts from executing until the Secure Privacy script has finished loading. With a target load time of approximately 100ms, this pause is minimal and is unlikely to be perceptible to visitors or register as a significant Core Web Vitals issue in most real-world tests.

Can I switch between Automatic Blocking Mode and Manual Mode?

Yes. Automatic Blocking Mode is the default and is recommended for teams that want strict, guaranteed pre-consent blocking without manual configuration. Switch to Manual Mode in your dashboard settings if you prefer asynchronous loading and are managing tag blocking through GTM or another tag management system.

How do I measure the actual performance impact on my site?

Use Google PageSpeed Insights or Chrome DevTools Lighthouse to measure Core Web Vitals before and after installing the Secure Privacy script. Run tests from both mobile and desktop, and compare LCP, CLS, and INP scores. In most cases the difference will be negligible — but testing against your specific page architecture gives you a precise baseline.

See Also

  - Automatic Cookie Blocking Explained

  - Secure Privacy Setup and Installation Checklist

  - Secure Privacy Pricing Plans Overview

---

# Cookie Compliance Review Checklist for Secure Privacy — Keep Your CMP Configuration Audit-Ready

URL: https://support.secureprivacy.ai/article/ongoing-checkups-best-practices-compliance
Product: Consent Management
Category: Compliance & Regulations
Published: 2025-12-01T08:00:00+00:00
Updated: 2026-03-24T16:11:11.525+00:00
Reading Time: 4 minutes
Summary: Keep your Secure Privacy CMP audit-ready with this GDPR cookie compliance checklist — covering scans, classification, Consent Mode, DSARs, and policy reviews.

Websites change constantly — new pages, updated integrations, additional marketing tools. Each change can introduce new cookies or trackers that affect your GDPR and cookie compliance posture. This guide provides a structured checklist for conducting periodic reviews to keep your Secure Privacy consent management configuration up to date and audit-ready.
Who Is This For?
This checklist is designed for privacy officers, compliance managers, and web teams responsible for maintaining cookie consent compliance under GDPR, CCPA, or similar regulations using the Secure Privacy CMP platform.
Cookie Compliance Review Checklist at a Glance
Area
What to Check
Recommended Frequency

Website cookie scan
Overall compliance score, new cookies
Weekly or after site changes

Cookie classification tab
Cookie categories, service mappings
Monthly

Google Consent Mode
Consent type mappings, default states
Quarterly

GDPR cookie banner language
Text accuracy, translations
Quarterly

DSAR settings
Notification emails, response tracking
Quarterly

Privacy and cookie policies
Accuracy with current data practices
Semi-annually

1. Website Cookie Scan Report
The Scan Report page is your starting point for every compliance review. Open it and check:
- Overall compliance score — Has it changed since the last review?

- Detected services — Are there new third-party services you did not expect?

- Cookie inventory — Do detected cookies match the services actually deployed on your site?

- Gaps — Are any cookies unaccounted for or unclassified?

If your score has dropped or new items have appeared, investigate before moving on to the next step.
Tip: Run a manual cookie scan after any significant site change — such as adding a new analytics provider, marketing pixel, or third-party widget — to catch compliance issues early.

2. Cookie Classification and Service Mapping
Open the Classification tab in Secure Privacy and look for:
- Unclassified cookies — Assign the correct consent category (e.g. analytics, marketing, functional) to each one

- Incorrect service mappings — Make sure cookies are attributed to the right third-party services

- Missing entries — If you know a service is active but its cookies are not listed, add them via the Custom Cookies tab

Accurate cookie classification is essential for GDPR compliance — it determines which cookies are blocked before consent and which are allowed as strictly necessary.
3. Google Consent Mode Configuration Review
If you use Google Tag Manager, Google Analytics, or Google Ads, review your Google Consent Mode configuration to ensure signals are firing correctly:
- Verify consent type mappings are correct for each tag

- Check default consent states for each region or jurisdiction

- Confirm that Advanced Consent Mode is working as expected (use the GTM debug panel to verify)

Important: Consult your marketing and legal teams before changing default consent states, especially when switching between Basic and Advanced Consent Mode.

4. GDPR Cookie Banner and Preference Center Language
Review the text displayed in your GDPR cookie banner and privacy preference center to ensure it remains compliant and up to date:
- Is all text accurate and current?

- Are translations correct if multi-language banners are enabled?

- Are button labels compliant? (Under GDPR, "Reject All" must be equally prominent as "Accept All")

- Test the full user consent flow in each supported language to catch rendering issues

5. DSAR Email Notifications and Response Tracking
Your Data Protection Officer or compliance team must receive email notifications when visitors exercise their data subject rights. Review your DSAR setup by checking:
- Confirm the correct email address is configured to receive DSAR notifications

- Test the flow by submitting a test data subject request on your site

- Verify that response deadlines (typically 30 days under GDPR) are being tracked in the dashboard

6. Privacy Policy and Cookie Policy Updates
Work with your legal team to keep both policies current and aligned with your actual data practices:
- Review the privacy policy for accuracy against current data collection and processing activities

- Update the cookie policy to reflect the latest scan results and cookie inventory

- Ensure both policies reference all third-party services detected on your site

- Update data retention information if retention periods have changed

Building a Cookie Compliance Review Schedule
The most effective approach is to tie compliance reviews to your existing development and business workflows:
- After deployments — Run a cookie scan whenever you push changes to production

- Monthly — Block 30 minutes on the first Monday of each month for a cookie classification review

- Quarterly — Schedule a deeper review covering Consent Mode, banner language, and DSAR settings

- Semi-annually — Coordinate with legal for a full privacy and cookie policy review

Frequently Asked Questions
How often should I scan my website for new cookies?
Run a scan at least weekly, and always after deploying site changes such as adding analytics tools, marketing pixels, or third-party integrations. New services can introduce undisclosed cookies that affect your GDPR compliance score.
What happens if cookies are unclassified in Secure Privacy?
Unclassified cookies may not be correctly blocked before user consent, which can result in a compliance violation. Assign a consent category to every detected cookie in the Classification tab as part of your monthly review.
Do I need to update my cookie banner after a website change?
Not necessarily after every change, but if you've added new services or changed the purpose of data collection, your cookie banner text and cookie policy should be updated to accurately reflect this.
What is the deadline to respond to a DSAR under GDPR?
Under GDPR, you must respond to a Data Subject Access Request (DSAR) within 30 days of receipt. Secure Privacy's dashboard helps track open requests and upcoming deadlines.
Need Help with Your Compliance Review?
If you have questions or need assistance with any part of your cookie compliance review, contact Secure Privacy support at support@secureprivacy.ai.

---

# Secure Privacy Website Scanner Guide – Running Scans, Reading Results, and Scheduling Automated Cookie Detection

URL: https://support.secureprivacy.ai/article/scanning-your-website-for-compliance
Product: Consent Management
Category: Scanning & Performance
Published: 2025-12-01T08:00:00+00:00
Updated: 2026-03-23T20:22:28.239+00:00
Reading Time: 5 minutes
Summary: Learn how to run manual scans, configure scan depth and page settings, read cookie inventory results, schedule automated scanning, and improve your compliance score in Secure Privacy.

Secure Privacy's website scanner automatically detects cookies, trackers, and third-party services running on your site — classifying each into a consent category and generating a compliance score. This guide explains how to run manual scans, configure scan settings, read your results, and set up automated scheduled scanning to keep your cookie declarations accurate over time.

Who Is This For?

  - Website administrators running and configuring Secure Privacy scans for their domains

  - Compliance teams reviewing scan results, cookie inventories, and compliance scores

  - Developers setting up automated scanning schedules and allowlisting the scanner in firewalls or WAFs

How the Secure Privacy Scanner Works

The scanner visits your website pages like a real browser — executing JavaScript, loading resources, and cataloging everything it finds:

  - First-party cookies set by your domain

  - Third-party cookies set by external services such as analytics tools, ad networks, and social widgets

  - Local storage and session storage entries

  - Tracking pixels and beacon requests

  - Third-party scripts loaded on your pages

Each detected item is automatically classified into a consent category: Essential, Analytics, Marketing, Preferences, or Social Media.

How to Run a Manual Scan

Before you start

Ensure your domain is registered in the Secure Privacy dashboard and the installation script is active on your site before running a scan.

Steps

  - Log in to your Secure Privacy dashboard.

  - Navigate to Websites and select your domain.

  - Click the Scan tab.

  - Click Start Scan.

  - Wait 2–10 minutes for the scan to complete — time varies depending on page count.

Tip: After making significant changes to your website — such as adding new marketing tags, integrating a new analytics provider, or redesigning pages — always run a manual scan to catch newly introduced cookies.

Configuring Scan Settings

Pages to scan

By default, the scanner crawls your sitemap and follows internal links. You can customize this behavior:

  - Include specific pages: Add URLs the scanner should always check — useful for key compliance pages that may not be in the sitemap.

  - Exclude pages: Add URLs or patterns to skip — for example, /admin/ or /staging/.

Scan depth

  
    
    
    
  
  
    
      Level

      What It Covers

      Best For

    

    
      Level 1

      Homepage only

      Quick spot-checks

    

    
      Level 2

      Homepage + directly linked pages

      Small sites

    

    
      Level 3

      Three levels deep

      Most websites (recommended)

    

    
      Full Crawl

      All discoverable pages

      Comprehensive compliance audits

    

  

Understanding Scan Results

Cookie inventory

After a scan completes, you will see a detailed cookie inventory showing the following fields for each detected item:

  
    
    
  
  
    
      Field

      What It Shows

    

    
      Name

      The cookie identifier

    

    
      Domain

      Which domain sets the cookie

    

    
      Category

      Auto-assigned consent category

    

    
      Duration

      How long the cookie persists

    

    
      Description

      What the cookie is used for

    

  

Compliance score

Your compliance score is calculated based on four factors:

  - Categorization completeness — Are all detected cookies properly categorized?

  - Essential cookie accuracy — Are essential cookies correctly identified and marked?

  - Pre-consent blocking — Are non-essential cookies blocked before visitor consent is given?

  - Declaration accuracy — Does your published cookie declaration match what the scanner detected?

Setting Up Automatic Scheduled Scans

Automated scanning catches new cookies introduced by site updates without requiring manual intervention — keeping your cookie declarations current between planned reviews.

  - Go to Scan Settings > Schedule.

  - Choose your scan frequency: Weekly (recommended), Bi-weekly, or Monthly.

  - Select your preferred day and time for the scan to run.

  - Enable email notifications to receive a summary when each scan completes.

Recommendation: Weekly scanning is advised for sites that frequently update content, add new third-party integrations, or run active marketing campaigns.

Allowlisting the Secure Privacy Scanner

If your website is protected by a firewall, CDN, or WAF, the scanner may be challenged or blocked — resulting in incomplete scan results. Contact support@secureprivacy.ai to request the current list of scanner IP addresses to allowlist in your security configuration.

Post-Scan Checklist

After every scan, review the following to maintain an accurate and compliant cookie configuration:

  - Assign categories to any unclassified cookies detected in the inventory.

  - Update cookie descriptions for accuracy and visitor transparency.

  - Verify that essential cookies are correctly marked and no non-essential cookies are in the Essential category.

  - Confirm that marketing and analytics cookies are blocked until consent is given.

  - Update your published cookie policy to reflect any new cookies or services found in the scan.

Frequently Asked Questions

How often should I run a website scan?

Weekly automated scanning is recommended for most websites. Additionally, trigger a manual scan whenever you make significant changes — such as adding new marketing tags, installing plugins, updating your CMS, or integrating new analytics or advertising services — to catch any newly introduced cookies immediately.

What does it mean if a cookie is marked as "unclassified"?

An unclassified cookie is one that Secure Privacy's automatic classification engine was unable to match to a known service in its database. You should review unclassified cookies manually — identify what service or script is setting them and assign the correct consent category in the Classification tab. Unclassified cookies can affect your compliance score and may not be correctly blocked until categorized.

Why might the scanner not detect all cookies on my site?

The scanner may miss cookies that are only set after specific user interactions, behind authentication, or on pages not reachable from your sitemap or internal links. Use the Include Pages setting to add any critical pages manually, and consider the Scan Behind Login feature for Enterprise accounts if authenticated pages need to be scanned.

See Also

  - How to Increase Your Compliance Score (Overall Rating)

  - Include or Exclude Pages from Scanning

  - Authenticated Secure Privacy Website Scans

  - How to Classify and Edit Your Cookies and Services

---

# Privacy Risk Assessment Module – GDPR Risk Scoring, DPIA Workflows, and Mitigation Tracking in Secure Privacy

URL: https://support.secureprivacy.ai/article/governance-core-module-risks
Product: Privacy & AI Governance
Category: Compliance & Regulations
Published: 2025-11-20T11:00:00+00:00
Updated: 2026-03-22T00:43:37.983+00:00
Reading Time: 4 minutes
Summary: Use Secure Privacy's Risk module to run GDPR privacy risk assessments, score risks with a likelihood-impact matrix, trigger DPIA workflows, and track mitigations.

The Risk module in Secure Privacy's Governance Solution gives compliance and data protection teams a structured framework for identifying, scoring, and mitigating privacy risks tied to data processing activities. It supports GDPR risk assessments, Data Protection Impact Assessments (DPIAs), and ongoing mitigation tracking — all within a single auditable register.

Who Is This For?

  - Data Protection Officers (DPOs) managing organization-wide privacy risk posture

  - Compliance teams performing risk assessments and DPIAs under GDPR

  - IT and security teams evaluating technical and operational risks

  - Executive leadership reviewing risk reports and mitigation progress

Risk Module Capabilities

The Risk module enables your team to:

  - Identify and document risks associated with specific data processing activities

  - Score risks using a standardized likelihood-impact matrix

  - Define and track mitigation measures with deadlines and assigned owners

  - Link risks to processes in the Process Register for end-to-end traceability

  - Trigger DPIA workflows for high-risk processing activities

  - Export audit-ready risk reports for regulatory submissions and board reviews

How to Create a Privacy Risk Assessment

Step 1: Navigate to the Risk Module

From the main navigation, click Risks to open the privacy risk register.

Step 2: Add a New Risk

Click Add Risk and complete the following fields:

  - Risk name — A clear, specific identifier (e.g., "Unauthorized access to customer database")

  - Description — A detailed explanation of the risk scenario and its potential consequences

  - Type — The risk category: Security, Compliance, or Operational

  - Likelihood — How probable the risk is (1–5 scale)

  - Impact — How severe the consequences would be (1–5 scale)

Step 3: Define Mitigation Measures

For each risk, document the mitigation measures you plan to implement or have already implemented. Assign an owner and a target completion date to ensure accountability.

Step 4: Save the Risk Record

Save the risk. It will be scored automatically using the risk matrix and appear in your privacy risk register.

GDPR Risk Scoring Matrix

Risks are scored by multiplying Likelihood by Impact. The resulting score determines the risk level and the action required.

  
    
    
    
    
    
    
  
  
    
      Likelihood / Impact

      Negligible (1)

      Minor (2)

      Moderate (3)

      Major (4)

      Severe (5)

    

    
      Rare (1)

      1

      2

      3

      4

      5

    

    
      Unlikely (2)

      2

      4

      6

      8

      10

    

    
      Possible (3)

      3

      6

      9

      12

      15

    

    
      Likely (4)

      4

      8

      12

      16

      20

    

    
      Almost Certain (5)

      5

      10

      15

      20

      25

    

  

Risk Score Thresholds and Required Actions

  
    
    
    
  
  
    
      Score Range

      Risk Level

      Action Required

    

    
      1–6

      Low

      Monitor and review periodically

    

    
      7–12

      Medium

      Implement additional controls

    

    
      13–19

      High

      Urgent action required

    

    
      20–25

      Critical

      Immediate intervention needed

    

  

Key Features of the Privacy Risk Register

Process Register Integration

Risks can be linked directly to documented processing activities in the Process Register. This creates a clear, auditable chain from data processing activity to identified risk to mitigation measure.

DPIA Workflow Support

When a risk assessment reveals high or critical scores, the module initiates Data Protection Impact Assessment (DPIA) workflows, including pre-screening, structured assessment, and mitigation planning — supporting your GDPR Article 35 obligations.

Audit Trail

Every change to a risk record — including score updates, ownership transfers, and mitigation changes — is logged with timestamps, providing a complete audit history for regulatory review.

Risk Reporting and Export

Export risk reports for board presentations, regulatory submissions, or compliance audits. Reports include risk distribution by level, mitigation status, and trend analysis over time.

Common Privacy Risk Management Use Cases

Ongoing GDPR Privacy Risk Assessments

Regularly assess risks associated with your data processing activities as part of a continuous GDPR compliance program. Use the risk register to maintain a current view of your organization's privacy risk posture.

Conducting Data Protection Impact Assessments (DPIAs)

For processing activities likely to result in a high risk to individuals — as required under GDPR Article 35 — use the integrated DPIA workflow to conduct a thorough assessment before processing begins.

Mitigation Tracking Across Teams

Track the implementation status of mitigation measures across your organization. Identify overdue items, reassign ownership, and escalate where needed to keep your risk register current.

Frequently Asked Questions

Why can't I add a new risk?

Verify that your account has Risk module write permissions. Contact your Secure Privacy account administrator to review your role and access settings.

Why is the risk score not calculating?

Both the Likelihood and Impact fields must be set for the score to calculate automatically. Ensure neither field is left blank when saving the risk record.

Why can't I assign a risk to a team member?

The team member must have an active user account with the appropriate role assigned within your Secure Privacy organization. Ask your administrator to verify the user's role and status.

What triggers a DPIA in the Risk module?

Risks scored as High (13–19) or Critical (20–25) can trigger a DPIA workflow. The module supports pre-screening, structured assessment, and mitigation planning to satisfy GDPR Article 35 requirements.

Next Steps

  - Link identified risks to processing activities in the Process Register for full traceability

  - Set mitigation deadlines and monitor them using the Calendar module

  - Export your risk register report for your next compliance review, DPIA submission, or board meeting

See Also

  - Secure Privacy Pricing Plans Overview

  - Setup DSAR Forms in Secure Privacy

  - Website Visits vs Page Views vs Consent Explained

---

# Enhance the Look of Your Website with a Customized Cookie Banner Design — Secure Privacy Guide

URL: https://support.secureprivacy.ai/article/customize-cookie-banners-design
Product: Consent Management
Category: Customization
Published: 2025-11-01T10:00:00+00:00
Updated: 2026-03-23T22:21:57.618+00:00
Reading Time: 6 minutes
Summary: Design a cookie consent banner that matches your brand. Secure Privacy's editor offers layout options, color controls, button styling, custom CSS, and mobile preview — GDPR-compliant by design.

Summary: Your cookie consent banner is often the very first thing a visitor sees on your website—so it should reflect your brand, not undermine it. With Secure Privacy's cookie banner design editor, you can fully customize your consent banner's layout, colors, button styles, and typography to match your brand identity. This guide walks through every design option available, including advanced custom CSS for cookie banners, GDPR compliance considerations, and best practices for mobile-friendly, accessible consent UI.

  
    Who Is This Guide For?

    
      - Website owners and designers who want their cookie banner to match their site's visual identity

      - Developers looking to apply custom CSS to Secure Privacy's consent banner

      - Compliance managers ensuring their cookie banner meets GDPR design requirements (equal button prominence, accessibility, contrast)

    
  

  
    Accessing the Cookie Banner Design Editor

    To start customizing your consent banner in Secure Privacy:

    
      - Log in to your Secure Privacy account

      - Navigate to Design in your dashboard

      - Select a design to preview and modify

      - Open the Cookie Banner section

    
    
      
      Navigate to Design > Cookie Banner in your Secure Privacy dashboard to access the design editor.
    
  

  
    Choosing a Cookie Banner Layout

    Secure Privacy offers four cookie banner layout options. Choose the one that best fits your site's design language, content type, and consent collection requirements.

    
      Bar (Full Width)

      A full-width consent bar displayed at the top or bottom of the viewport. This is the most widely used cookie banner layout because it is immediately recognizable to users and does not obscure page content.

      
        
        The Bar layout spans the full width of the viewport — the most familiar cookie banner style for website visitors.
      
    

    
      Bar with Padding

      Identical to the full-width bar, but with padding applied on all sides. This gives the consent banner a floating, elevated appearance that draws slightly more attention without overwhelming the surrounding content.

      
        
        Bar with Padding adds visual breathing room, giving the cookie consent banner a floating, card-like appearance.
      
    

    
      Corner

      A compact cookie consent banner positioned in the bottom-left or bottom-right corner of the screen. This is the most unobtrusive layout option—it integrates seamlessly with your page design and works well for sites that prioritize minimal visual disruption.

      
        
        The Corner layout is ideal for sites that want a non-intrusive cookie notice without blocking page content.
      
    

    
      Middle (Modal)

      A centered modal overlay that dims the background until the user responds. This layout provides maximum consent banner visibility and is best when you need explicit, unmissable consent collection—particularly for high-compliance scenarios under GDPR.

      
        
        The Modal layout ensures the cookie consent request cannot be overlooked — ideal for strict GDPR consent collection.
      
    
  

  
    Customizing Cookie Banner Colors to Match Your Brand

    Every color element of your GDPR cookie banner can be adjusted to align with your website's brand identity. The following elements are fully customizable:

    
      
        
          Element
          What It Controls
        

      
      
        
          Background color
          The banner's main background
        

        
          Border color
          The outer frame of the banner
        

        
          Heading text
          Title and section headings
        

        
          Body text
          Descriptions and informational text
        

        
          Link color
          Clickable links within the banner
        

        
          Hover color
          Interactive states for links and elements
        

      
    

    
      
      The color editor allows full control over every visual element of your cookie consent banner.
    
  

  
    Configuring Cookie Banner Button Styles

    Each consent button—Accept, Decline, and Customize—can be styled independently to match your brand and meet GDPR design requirements:

    
      - Fill style — Choose between a filled button or a stroke/outline button

      - Corner style — Smooth (rounded), sharp (square), or fully rounded (pill)

      - Background color — The button's resting color

      - Hover background — The color when users mouse over the button

      - Text color — The button label color

      - Hover text color — Text color on hover

    

    
      ⚖️ GDPR Compliance: Equal Button Prominence

      Under GDPR, the "Reject All" button must be equally as prominent as the "Accept All" button. Avoid dark patterns that make acceptance visually dominant—such as using a bright, filled Accept button alongside a faded or hidden Decline option. Regulators across the EU have issued significant fines for non-compliant consent banner designs.

    
  

  
    Advanced Cookie Banner Customization: Custom CSS

    For design customizations beyond what the visual editor offers, Secure Privacy supports custom CSS for your cookie consent banner. This allows developers to apply any styling using Secure Privacy's component classes.

    How to Access Custom CSS

    
      - Go to Design > Cookie Banner > Custom CSS

      - Add your CSS rules targeting Secure Privacy classes

    

    
      
      The Custom CSS panel in Secure Privacy's Design editor — for advanced cookie banner styling beyond the visual editor.
    

    Example: Rounded Cookie Banner with Margin

    .sp-banner {
  border-radius: 16px !important;
  margin: 16px !important;
}

    Example: Custom Accept Button Styling

    .sp-banner .sp-btn-accept {
  border-radius: 8px !important;
  text-transform: uppercase !important;
}

    Example: Custom Font for Cookie Banner

    @import url('https://fonts.googleapis.com/css2?family=Inter');
.sp-banner {
  font-family: 'Inter', sans-serif !important;
}
  

  
    Previewing Your Cookie Banner Design Across Devices

    Before publishing any changes, use the built-in responsive preview to test how your cookie banner looks and functions across different screen sizes:

    
      - Desktop view

      - Tablet view

      - Mobile view

    
    
      
      Preview your cookie banner design across Desktop, Tablet, and Mobile before publishing.
    
    Switch to full-screen preview for the most accurate visualization of how your banner will appear to real visitors. Note that minor rendering differences between preview and live may occasionally occur.

  

  
    Cookie Banner Design Best Practices

    
      - Match your brand identity — Use your site's color palette and typography for a cohesive, trustworthy appearance

      - Keep text concise and clear — Avoid legal jargon; use plain language that users can understand at a glance

      - Ensure accessibility contrast — All text must be readable against the banner background (aim for WCAG AA contrast ratio of at least 4.5:1)

      - Test on mobile first — Over half of global web traffic is mobile; ensure buttons are large enough to be tap-friendly

      - Maintain GDPR button parity — Accept and Reject buttons must be equally prominent in size, color weight, and placement

      - Verify after every change — After any styling update, test that all consent buttons still fire correctly and that Google Consent Mode signals are updating as expected

    
  

  
    Frequently Asked Questions (FAQ)

    Can I fully customize my cookie banner to match my website's brand?

    Yes. Secure Privacy's design editor lets you customize every visual element of your cookie consent banner—including background color, border, heading and body text colors, button fill style, corner style, and hover states. For further control, the Custom CSS feature lets developers apply any additional styling using Secure Privacy's component classes.

    What cookie banner layouts does Secure Privacy support?

    Secure Privacy supports four layouts: Bar (Full Width), Bar with Padding, Corner, and Middle (Modal). Each suits different design and compliance needs—from minimal disruption to maximum consent visibility.

    Does my cookie banner design need to comply with GDPR requirements?

    Yes. Under GDPR, your cookie banner must not use dark patterns. The "Reject All" option must be as visually prominent as "Accept All." Using a brightly styled Accept button alongside a hidden or downplayed Decline button can result in regulatory action. Secure Privacy's editor makes it straightforward to style both buttons equally.

    How do I add a custom font to my Secure Privacy cookie banner?

    Use the Custom CSS panel (Design > Cookie Banner > Custom CSS) to import a Google Font or other web font and apply it to the .sp-banner class. See the custom font CSS example in the Advanced Customization section above.

    Can I preview my cookie banner on mobile before publishing?

    Yes. Secure Privacy's built-in design preview includes Desktop, Tablet, and Mobile views. Use the full-screen preview mode for the most accurate representation of how your banner will appear to real visitors across devices.

  

  
    See Also

    
      - Implementing Google Consent Mode in Basic Mode

      - Implementing Google Consent Mode in Advanced Mode using Google Tag Manager

      - Checking Your Google Consent Mode Implementation

      - Secure Privacy — Google-Certified Consent Management Platform

---

# How to Install Secure Privacy via Google Tag Manager (GTM) – Cookie Consent Banner Setup Guide

URL: https://support.secureprivacy.ai/article/how-to-install-secure-privacy-with-google-tag-manager
Product: Consent Management
Category: Integrations
Published: 2025-10-20T09:00:00+00:00
Updated: 2026-03-24T22:36:10.538+00:00
Reading Time: 4 minutes
Summary: Set up Secure Privacy's GDPR cookie consent banner in Google Tag Manager. Step-by-step guide: create a Custom HTML tag, use the Consent Initialization trigger, and publish.

Google Tag Manager (GTM) is one of the most popular ways to deploy and manage website scripts without touching source code. If your team already uses GTM for analytics and marketing tags, installing Secure Privacy through GTM keeps your entire consent management setup in one place — and ensures your cookie consent banner loads before any tracking scripts fire, keeping you compliant with GDPR, ePrivacy, and CCPA requirements.
This guide walks you through the full GTM setup process for Secure Privacy, from creating the tag to publishing and troubleshooting.
Who Is This For?
This guide is intended for website owners, developers, or marketing teams who manage their site scripts through Google Tag Manager and want to add a GDPR-compliant cookie consent banner using Secure Privacy — without modifying their site's source code directly.
Prerequisites
Before you begin setting up Secure Privacy in Google Tag Manager, make sure you have:
- A GTM account with an active container

- The GTM container snippet already installed on your website

- Access to your Secure Privacy dashboard and your domain installation script

Step 1: Create a Custom HTML Tag in GTM
- Open your GTM container

- Click Tags in the left sidebar

- Click New

- Select Custom HTML as the tag type

- Paste your Secure Privacy installation script into the HTML field:

<script>
var s = document.createElement("SCRIPT");
s.src = "https://app.secureprivacy.ai/script/YOUR_DOMAIN_ID.js";
s.type = "text/javascript";
document.getElementsByTagName("head")[0].appendChild(s);
</script>Replace YOUR_DOMAIN_ID with the actual ID found on your Secure Privacy Installation page inside the dashboard (Settings → Installation → Domain ID).
Step 2: Set the Consent Initialization Trigger
- Click Triggering below the tag configuration panel

- Choose Consent Initialization - All Pages as the trigger

Important: Using Consent Initialization as the trigger is critical for GDPR compliance. This ensures the Secure Privacy cookie consent banner loads before any other GTM tags — including Google Analytics, Facebook Pixel, and advertising pixels. Using a different trigger (such as "All Pages") may allow cookies to fire before the user has given consent, creating a compliance violation.

Step 3: Save, Preview, and Publish Your GTM Tag
- Name your tag (e.g., Secure Privacy – Cookie Consent Banner)

- Click Save

- Click Preview to test in GTM's built-in debug mode

- Verify the cookie consent banner appears correctly on your site

- Once confirmed, click Submit and then Publish to push the tag live

GTM Tag Configuration Summary
Your completed Secure Privacy tag should have the following settings:
Secure Privacy GTM Tag Settings

Setting
Value

Tag Type
Custom HTML

HTML Content
Secure Privacy installation script (with your Domain ID)

Trigger
Consent Initialization – All Pages

Tag Name
Secure Privacy – Cookie Consent Banner

Blocking Third-Party Cookies and Scripts via GTM
If you load third-party scripts through GTM — such as Facebook Pixel, Google Ads conversion tags, or LinkedIn Insight — you should configure those tags to respect consent signals. This ensures third-party cookies and tracking scripts are blocked automatically when a user has not granted consent, keeping you compliant with GDPR and ePrivacy regulations.
See the article on implementing Google Consent Mode for advanced GTM tag blocking and consent signal configuration.
Troubleshooting Secure Privacy in Google Tag Manager
Cookie consent banner not appearing
- Verify the script source URL is correct and includes your actual domain ID (not the placeholder YOUR_DOMAIN_ID)

- Check that the trigger is set to Consent Initialization – All Pages, not "All Pages"

- Make sure no other consent management platform (CMP) is installed that might conflict with Secure Privacy

GTM tag not firing
- Use GTM's Preview mode to inspect tag firing order and confirm the tag is triggered

- Confirm the container is published, not just saved or in preview mode

- Check for JavaScript errors in the browser console (F12 → Console tab)

Banner appears but consent preferences are not saved
- Verify your domain is correctly registered and active in the Secure Privacy dashboard

- Confirm the domain in your script URL matches the exact domain you are testing on (including or excluding www)

Frequently Asked Questions
Can I use Secure Privacy with Google Tag Manager without editing my website code?
Yes. Deploying Secure Privacy through GTM means you only need to add one tag inside your GTM container. No changes to your website's source code are required, as long as the GTM container snippet is already on your site.
Why must I use the Consent Initialization trigger instead of All Pages?
The Consent Initialization trigger fires before all other GTM tags, ensuring the cookie consent banner is displayed and consent is collected before any tracking or advertising scripts run. Using "All Pages" risks firing cookies prior to user consent, which violates GDPR.
Does this setup work with Google Consent Mode?
Yes. Once Secure Privacy is deployed via GTM, you can configure Google Consent Mode to pass consent signals to Google Analytics and Google Ads tags, enabling compliant data collection based on user preferences.
Next Steps
- Configure Google Consent Mode for advanced analytics and advertising compliance across GTM tags

- Set up automated cookie scanning to detect all trackers and cookies on your site

- Customize your consent banner design to match your brand colors and style

---

# How to Set Up Google Consent Mode v2 (Advanced Mode) with Secure Privacy and GTM

URL: https://support.secureprivacy.ai/article/implementing-google-consent-mode-with-secure-privacy
Product: Consent Management
Category: Integrations
Published: 2025-10-05T13:00:00+00:00
Updated: 2026-03-24T18:09:44.561+00:00
Reading Time: 4 minutes
Summary: Set up Google Consent Mode v2 Advanced Mode with Secure Privacy and Google Tag Manager. Step-by-step guide covering GCM v2 consent types, default states, and GDPR best practices.

Google Consent Mode (GCM) is an API that adjusts how Google tags behave based on a user's consent choices. When integrated with Secure Privacy, it ensures your Google Analytics, Google Ads, and other Google tags automatically respect consent preferences — without manually blocking and unblocking each tag. As of March 2024, Google requires Google Consent Mode v2 for all websites using Google advertising products in the EEA.
This guide covers the Advanced Mode implementation of Google Consent Mode v2 using the Secure Privacy CMP community template in Google Tag Manager (GTM).
Basic vs. Advanced Mode: Which Should You Use?
Google Consent Mode: Basic vs. Advanced

Feature
Basic Mode
Advanced Mode

Tag behavior before consent
Tags do not fire
Tags fire with limited, cookieless data

Analytics data
Only from consenting users
Aggregate modeling for all users

Implementation complexity
Lower
Moderate

Data completeness
Partial
More complete (with modeling)

Advanced Mode is recommended for most websites because it provides better data coverage while still respecting user privacy. When a user declines analytics cookies, Google only collects aggregate, cookieless pings — no personal data is stored or transmitted.
Who Is This Guide For?
- Website administrators managing Google tags and consent flows

- Developers and technical marketers implementing GCM v2

- Compliance professionals ensuring GDPR, ePrivacy, and EU User Consent Policy alignment

How to Implement Google Consent Mode v2 (Advanced) with Secure Privacy
Step 1: Prepare Google Tag Manager
If you are an existing Secure Privacy user who previously added the consent script directly to your site's <head> tag, remove it before proceeding. The GTM template handles script injection automatically.
New users do not need to add any script to the site header — the GTM template manages it entirely.
Step 2: Add the Secure Privacy CMP Template in GTM
- In Google Tag Manager, go to Tags > click New

- Click Tag Configuration

- Select Discover more tag types in the Community Template Gallery

- Search for Secure Privacy

- Select the Secure Privacy CMP template

- Click Add to Workspace, then confirm by clicking Add

Step 3: Configure the Secure Privacy Tag
- Enter your Secure Privacy Domain ID (found in your Secure Privacy dashboard under the Installation tab)

- Configure any additional settings as needed for your consent banner

Step 4: Set Default Consent States
Default consent states in Google Consent Mode v2 determine tag behavior before a user interacts with the consent banner.
- Click Add Setting in the tag configuration

- For each consent category, choose Granted or Denied from the dropdown

- Set the Region using ISO 3166-2 codes (e.g., DE for Germany, FR for France). Use all to apply globally without geo-targeting

- Click Add to save the setting

GDPR best practice: For EEA visitors, set all non-essential consent categories to Denied by default. For other regions, consult your legal team about appropriate default consent states.

Step 5: Set the Consent Initialization Trigger
Select Consent Initialization - All Pages as the trigger for the Secure Privacy tag. This ensures GCM v2 consent signals are sent before any other tags fire.
Step 6: Save, Test, and Publish
- Click Save

- Use GTM's Preview mode to test the integration

- Verify consent signals are being sent correctly using the GTM debug panel

- Once confirmed, click Submit and Publish

Google Consent Mode v2 Consent Types Explained
GCM v2 supports five consent types plus two new parameters introduced to meet EU User Consent Policy requirements:
GCM v2 Consent Types

Consent Type
Controls

ad_storage
Advertising cookies

analytics_storage
Analytics cookies

functionality_storage
Functional cookies

personalization_storage
Personalization cookies

security_storage
Security-related cookies

ad_user_data (new in v2)
Sending user data for advertising purposes

ad_personalization (new in v2)
Personalized advertising

Secure Privacy automatically maps its consent categories to all seven Google Consent Mode v2 types, ensuring full compliance without manual mapping.
Troubleshooting Google Consent Mode v2 in GTM
Tag Not Firing as Expected
Double-check that the trigger is set to Consent Initialization - All Pages and that no other consent management platform (CMP) scripts are installed on the page, as conflicts can prevent GCM signals from sending.
Consent Changes Not Reflected in Google Tags
Verify your Secure Privacy Domain ID is correct. Clear all caches and test again in an incognito window to rule out cached consent states.
Advanced Mode Data Not Appearing in Google Analytics
Consent Mode modeling requires a minimum traffic threshold. Google needs approximately 1,000 daily events with consent granted for at least 7 consecutive days before behavioral modeling activates in GA4.
Frequently Asked Questions
Is Google Consent Mode v2 required for GDPR compliance?
GCM v2 itself is not a GDPR requirement, but it is required by Google to use audience features and remarketing with Google Ads in the EEA. A proper CMP like Secure Privacy remains necessary for actual GDPR consent collection.
What is the difference between Basic and Advanced Google Consent Mode?
In Basic Mode, Google tags do not fire until consent is granted. In Advanced Mode, tags fire immediately with cookieless, aggregate pings, then update when the user makes a consent choice. Advanced Mode provides more complete data through Google's modeling.
Does Secure Privacy support GCM v2 automatically?
Yes. The Secure Privacy CMP GTM template maps all consent categories to the seven GCM v2 consent types, including the two new parameters (ad_user_data and ad_personalization), automatically.
Can I use this setup without Google Tag Manager?
This guide covers GTM-based implementation. If you are not using GTM, refer to the direct script installation guide in the Secure Privacy documentation.
Related Articles
- How to Install Secure Privacy with Google Tag Manager

- Blocking Cookies with Google Tag Manager

- Google's EU User Consent Policy Requirements

---

# How to Configure the "Do Not Sell or Share My Personal Information" CCPA Opt-Out Widget in Secure Privacy

URL: https://support.secureprivacy.ai/article/ccpa-cpra-do-not-sell-compliance
Product: Consent Management
Category: Compliance & Regulations
Published: 2025-09-25T09:00:00+00:00
Updated: 2026-03-24T13:56:41.194+00:00
Reading Time: 4 minutes
Summary: Configure the "Do Not Sell or Share My Personal Information" opt-out widget in Secure Privacy. Step-by-step CCPA/CPRA setup guide with verification steps and best practices.

If your business is subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA), you are likely required to provide California consumers with a clear, accessible opt-out link labeled "Do Not Sell" or "Do Not Sell or Share My Personal Information." This guide shows you how to configure that CCPA opt-out widget text in your Secure Privacy dashboard.
Note: This article covers product configuration only and does not constitute legal advice. Consult your legal team to determine whether your data practices qualify as a "sale" or "share" under CCPA/CPRA.
Who Is This For?
This guide applies to your organization if:
- Your business is subject to CCPA/CPRA — generally businesses meeting certain revenue, data volume, or data-sharing thresholds

- You sell or share personal information — which under CPRA includes cross-context behavioral advertising

- You need a visible opt-out link or widget on your website for California consumers

CCPA/CPRA Opt-Out Requirement: What It Means
CCPA/CPRA requires businesses to provide a clear, easily accessible opt-out mechanism for the sale or sharing of personal information. Most sites implement this as a persistent widget or footer link labeled "Do Not Sell" or "Do Not Sell or Share My Personal Information" — visible on every page of the site.
Correctly configuring this opt-out label helps your site:
- Make the CCPA opt-out entry point immediately visible to California consumers

- Align with common CCPA/CPRA compliance expectations and recognized opt-out wording

- Build user trust and reduce friction for privacy requests

How to Configure the CCPA Opt-Out Widget Text
Step 1: Open the CCPA template
- Sign in to your Secure Privacy dashboard

- In the main navigation, click Templates

- Select CCPA from the template categories

Step 2: Find the widget settings
- In the CCPA template options, locate the Widget section

- Click to expand the widget configuration panel

Step 3: Update the opt-out label
- Find the Widget Display Text field

- Clear the existing text and enter one of the following recognized CCPA/CPRA opt-out labels:
Do Not Sell
Shorter, widely recognized wording — sufficient for most CCPA implementations.
Do Not Sell or Share My Personal Information
The full CPRA-specific phrase — recommended if your business is subject to CPRA or engages in cross-context behavioral advertising.

- Click Save

Verifying the CCPA Opt-Out Experience
After saving your changes, confirm the opt-out widget is working correctly end-to-end:
- Open your website in an incognito or private browser window

- Confirm the widget displays the updated "Do Not Sell" or "Do Not Sell or Share My Personal Information" text

- Click the widget and verify the opt-out flow loads correctly

- Complete the opt-out flow to confirm it works end-to-end

- If your site uses caching or a CDN, clear all cache layers first and retest in an incognito window

Best Practices for the CCPA Opt-Out Link
- Use recognized wording — "Do Not Sell" or "Do Not Sell or Share My Personal Information" matches what California consumers search for and expect to see

- Make it easy to find — Place the opt-out link in your site footer and use a persistent widget that is visible on every page, not just the homepage

- Verify the underlying opt-out works — The label is only meaningful if clicking it correctly limits the selling or sharing of personal data in your systems

- Test regularly — Retest the full opt-out flow whenever you update your site, change analytics integrations, or add new advertising partners

Frequently Asked Questions
Why isn't my updated widget text showing on my live site?
Confirm you clicked Save in the CCPA template settings. Then clear your site cache, CDN cache, and browser cache, and retest in a fresh incognito window. If the text shows correctly in the dashboard preview but not on the live site, a caching layer is the most likely cause.
Can I customize widget text for GDPR and other regional templates?
Yes. Open the relevant regional template — for example, GDPR — and locate the equivalent Widget settings section to update the display text for that jurisdiction.
Does updating the opt-out label make my site fully CCPA/CPRA compliant?
No. The label helps users find the opt-out mechanism, but full CCPA/CPRA compliance requires that the underlying opt-out functionality correctly limits the sale and sharing of personal information. Your privacy disclosures, data processing agreements, and technical implementation all need to align. Consult your legal team for a complete compliance review.
What is the difference between "Do Not Sell" and "Do Not Sell or Share My Personal Information"?
"Do Not Sell" was the original CCPA wording. The CPRA extended this to "Do Not Sell or Share My Personal Information" to explicitly cover cross-context behavioral advertising as a form of "sharing." If your business engages in behavioral advertising or is subject to CPRA, the full phrase is the more appropriate label.
Where should the "Do Not Sell" link appear on my website?
CCPA/CPRA guidance recommends placing the opt-out link in your website footer so it is accessible from every page. A persistent floating widget — configured in Secure Privacy — also satisfies the visibility requirement and is often easier for users to find than a footer-only link.
Contact Secure Privacy Support
If the opt-out label updates correctly in the dashboard but does not appear on your live site, or if you are unsure whether your setup qualifies as a "sale" or "share" under CCPA/CPRA, contact Secure Privacy support at support@secureprivacy.ai.

---

# Process Register – GDPR Article 30 ROPA Documentation, Risk Integration, and Audit-Ready Reporting in Secure Privacy's Governance Solution

URL: https://support.secureprivacy.ai/article/governance-core-module-process-register
Product: Privacy & AI Governance
Category: Compliance & Regulations
Published: 2025-08-05T14:00:00+00:00
Updated: 2026-03-22T16:47:12.498+00:00
Reading Time: 5 minutes
Summary: Document all data processing activities and maintain a GDPR Article 30-compliant ROPA using the Process Register in Secure Privacy's Governance Solution — with risk integration, version history, and audit-ready export.

The Process Register is a core module in Secure Privacy's Governance Solution, providing a structured way to document all of your organization's data processing activities. It is specifically designed to meet GDPR Article 30 Records of Processing Activities (ROPA) requirements — giving Data Protection Officers, compliance teams, and auditors a searchable, exportable register of every processing activity, with risk integration, version history, and audit-ready reporting.

Who Is This For?

  - Data Protection Officers maintaining and managing Records of Processing Activities (ROPA) under GDPR Article 30

  - Compliance teams documenting data flows and lawful bases across the organization

  - IT and security teams mapping systems and technical measures for processing activities involving personal data

  - Auditors and legal teams reviewing processing records for regulatory submissions and internal governance reviews

Process Register Capabilities

The Process Register module enables your organization to:

  - Document all data processing activities in a structured, searchable format aligned with GDPR Article 30(1) requirements

  - Categorize activities by department, processing purpose, and lawful basis

  - Assign ownership and schedule periodic reviews to named team members

  - Link processes to risk assessments in the Risk Management module for end-to-end compliance traceability

  - Generate audit-ready compliance reports for regulators, supervisory authorities, and internal stakeholders

Creating a New Processing Activity Record

Step 1: Navigate to the Process Register

From the main navigation menu in the Governance Solution, click Processes to open the Process Register.

Step 2: Add a new process

Click Add Process and complete the required fields — each corresponding to a mandatory element of GDPR Article 30(1):

  
    
    
    
  
  
    
      Field

      Description

      Example

    

    
      Process Name

      Clear, descriptive title for the processing activity

      "Customer Newsletter Distribution"

    

    
      Purpose

      The specific reason why personal data is being processed

      "Marketing communications to opted-in subscribers"

    

    
      Legal Basis

      Lawful basis for processing under GDPR Article 6

      Consent, Contract, Legitimate Interest

    

    
      Data Categories

      Types of personal data collected and processed

      Email address, name, communication preferences

    

    
      Data Subjects

      Categories of individuals whose data is processed

      Customers, website visitors

    

    
      Retention Period

      How long personal data is stored before deletion or anonymization

      "24 months after last engagement"

    

    
      Security Measures

      Technical and organizational controls in place to protect the data

      Encryption, access controls, audit logs

    

  

Step 3: Save and review

Save the process record. It will appear in your Process Register, where it can be searched, filtered, linked to risks, and exported at any time.

Process Register Key Features

Categorization and filtering

Organize processes by department, legal basis, or data type. Use filters to quickly locate specific processing activities during regulatory audits, internal reviews, or DPIA pre-screening assessments.

Risk integration

Each process record can be linked directly to risks documented in the Risk Management module, creating end-to-end traceability from the processing activity through to identified privacy risks and their mitigation measures.

Version history and audit trail

All changes to process records are tracked with timestamps — recording when each field was created or modified and by whom. This provides a complete audit trail that demonstrates your ROPA has been actively maintained over time.

Export and regulatory reporting

Generate ROPA reports in standard formats for regulatory submissions, Data Protection Authority requests, audit documentation, or internal governance reviews — directly from the Process Register without manual compilation.

Common Use Cases

GDPR Article 30 ROPA compliance

Maintaining a complete Record of Processing Activities is mandatory under GDPR Article 30 for organizations with 250 or more employees, and for any organization — regardless of size — that processes special category data, high-risk data, or personal data on a large scale. The Process Register is designed specifically to meet these requirements.

Preparing for regulatory audits

When a Data Protection Authority requests your records, you can export a comprehensive, formatted ROPA report directly from the Process Register — giving you immediate access to audit-ready documentation without manual preparation.

Onboarding new data processing activities

Whenever your organization introduces a new tool, vendor, or business process that handles personal data, document it in the Process Register before going live. This ensures your ROPA is always current and new processing activities are never undocumented.

Troubleshooting

Cannot add a new process

Verify that your account role includes write access to the Process Register. Contact your Secure Privacy account administrator to review and update your permissions if needed.

Risk integration not working

Confirm that the Risk Management module is enabled for your account and that the risk record you are trying to link has been created and saved. You can only link to existing risk entries in the Risk module.

Next Steps

  - Set up the Risk Management module to assess and document privacy risks linked to your processing activities

  - Attach relevant policies, DPAs, and contracts to process records using the Documents module

  - Schedule periodic ROPA review dates in the Compliance Calendar to keep process records current

Frequently Asked Questions

Does the Process Register satisfy all GDPR Article 30(1) mandatory fields?

Yes. The Process Register form captures all fields required under GDPR Article 30(1) for controllers — including the name and contact details of the controller and DPO, processing purposes, data categories, data subject categories, recipients, international transfers, retention periods, and a description of technical and organizational security measures. Records can be exported in a format suitable for supervisory authority submission.

How often should process records be reviewed and updated?

Process records should be updated whenever the associated processing activity changes — including new data categories, updated retention periods, new recipients, or changes to security measures. A full ROPA review should be conducted at least annually as part of your compliance audit cycle. Use the Compliance Calendar to schedule these reviews.

Can the Process Register be used as evidence of GDPR compliance during a supervisory authority inspection?

Yes. GDPR Article 30(4) requires the ROPA to be made available to supervisory authorities on request. The Process Register's export function allows you to produce a formatted, current ROPA report immediately — providing documented evidence of your organization's data processing transparency and accountability.

See Also

  - How to Handle Data Subject Access Requests (DSARs)

  - Secure Privacy Pricing Plans Overview

  - Website Visits vs Page Views vs Consent Explained