This update is about making consent easier for visitors to give and for you to manage. Website owners, developers, agencies, and compliance teams all interact with consent in different ways, and this refresh aligns the public-facing banner and the admin-facing configurator.

The result is a clearer experience for visitors and a smoother setup behind the scenes.

If you’re already using iubenda, everything you rely on is still there. The change is in how it looks, how it feels, and how easy it is to configure.

A clearer banner for visitors

The new banner layout is cleaner, more structured, and easier to navigate.

It’s organized into three clear sections (header, body, and footer), with tabs that separate the notice from consent preferences. This helps make consent easier to understand and use, especially on mobile.

Purpose categories are shown with clear, pill-style indicators for Marketing, Functionality, Measurement, and Experience. Branding has also been refined, with logo colors that automatically adapt to your chosen theme.

Accessibility was a core focus. The new banner is designed to meet AAA contrast standards and improves touch targets and scrolling behavior, making it easier to interact across devices.

A configurator that’s easier to work with

The configurator has been redesigned to match the new banner, both visually and functionally.

As you customize settings, a live preview updates in real time. Color options are streamlined, settings are easier to navigate, and visual feedback is clearer as you make changes.

Each editable section also includes accessibility feedback to help you understand how design choices affect readability and contrast as you configure the banner.

Color customization is simpler now, too. Choose a primary color, and the banner automatically generates a balanced color scheme. All existing positioning and sizing options remain available.

A note on banner branding

For new websites created with the updated Privacy Controls & Cookie Solution, iubenda branding is visible by default and can be disabled from the Essential plan and above.

What hasn’t changed

All existing functionality remains intact. Integrations like TCF and Google Consent Mode continue to work as before. Pricing and plan features stay the same. Existing configurations are preserved.

What to expect 

New users started seeing the redesigned banner and configurator in December. Since then, we’ve been gradually expanding availability.

Selected users can switch existing websites to the new design via a manual toggle in the configurator, with gradual rollout to all users. Before any automatic migrations begin, we’ll first collect feedback from new users using the updated Cookie Solution to ensure everything runs smoothly. Automatic migrations will then roll out throughout 2026, starting with free websites in multiple phases.

All users will be notified well in advance via email before any changes take place, giving them ample time to review the update and prepare accordingly.

This phased approach helps us roll out improvements safely, without disrupting live sites. This update reflects how we think about consent: clear, accessible, and practical for real teams managing real websites. We’re excited for you to explore what’s new.

The post The redesigned cookie banner and configurator appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We’ve worked hard to ensure that our Cookie Solution integrates seamlessly with this Framework, hereby giving you, our users, the additional option to easily enable and use it for your website and apps.

Enabling the framework is highly recommended for first-party publishers who work with third-party advertisers (i.e publishers who run ads on their website) as some advertising networks may limit access to their network if not implemented — which could a potentially decrease your ad revenue.

Read more about the framework and how to enable this feature here →

The post Cookie Solution and New IAB Framework Integration appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Google has started implementing major policy, contractual, and product changes in preparation for the soon-to-be-enforceable General Data Protection Regulation (GDPR). The changes largely reflect Google’s status as either data controller or processor in regards to their products; sets out your responsibilities in light of the new legal requirements and includes product and network modifications.

Policy updates

Google’s EU User Consent Policy is being updated to better reflect the new legal requirements. Central to these policy changes is the statement of your responsibilities in regards to disclosures to and obtaining consent from EEA users.

In regards to sites/ apps or other “properties” under your control that make use of Google services, you are required to:

• acquire legally valid consent from end users for the use of cookies or other local storage (where legally required);
• acquire legally valid consent for the processing of personal data for ads personalization of ads or remarketing services;
• keep records of consent given by end users;
• provide end users with clear instructions for the withdrawal of consent; and
• identify and disclose details of all third-parties involved in the processing of the personal data of end users, in an easily accessible and visible way

Google has stated that failure to comply may lead to limited or suspended accounts and/termination of your agreement.

Contract changes

Google is including the new GDPR terms as a supplement to your contract with Google. These modifications will come into force on 25 May 2018.

Currently, these contract changes will affect AdWords, DoubleClick, and the Google Analytics suite. The terms will be incorporated into your terms of service (also known as the terms and conditions) agreement with Google and you may be required to log-in and accept the new terms in your account if you haven’t already.

Product changes

In order to comply with the GDPR, Google is making product changes across their global network of publisher sites, which:

• give publishers the ability to select which third-party ads get displayed to their end users and give them the ability to show non-personalized ads;
• limit the processing of personal information for children under the GDPR Age of Consent;

The company has also stated that they are “exploring consent solutions for publishers” and launching new controls that give Google Analytics customers the ability to manage the storage and deletion of their data.

Update:You can read more about the specific changes to Google Analytics and Analytics 360 here.

Here’s the full email text from Google:

Dear Customer, Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on 25 May 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA). Today we are sharing more about our preparations for the GDPR – including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements. Updated EU User Consent Policy Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users in the EEA. For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags). The policy is incorporated into the contracts for most Google ads and measurement products globally. Contract changes We have been rolling out updates to our contracts for many products since last August, reflecting Google’s status as either a processor or a controller under the new law (see full classification of our Ads products). The new GDPR terms supplement your contract with Google and will come into force on 25 May 2018. For AdWords customers globally, our GDPR terms are incorporated into the terms of service, which (if you’ve not done so already) you can accept in your account. In the case of AdWords Customer Match and Store Sales Direct, Google acts as a processor; for the rest of AdWords we act as a controller. For customers using DoubleClick and the Google Analytics (GA) Suite, processor terms are available for you to review and accept from within your account. If you are an EEA client of GA, data processing terms will be included in your terms shortly. GA customers based outside EEA and all GA 360 customers may accept the terms from within GA. If you don’t contract with Google for your use of Google products, you should seek advice from the parties with whom you contract. Product changes To comply, and support your compliance with GDPR, we are: Making some changes across the network of publisher sites on which your ads may appear – enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps. Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states. Unifying our ads data retention practices; and launching new controls for Google Analytics customers to manage the retention and deletion of their data. Exploring consent solutions for publishers, including working with industry groups like IAB Europe. Find out more You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms. If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks. Sincerely, The Google Team

Here’s what you can do right now to comply with Google’s GDPR-based consent policy requirements:

• Put in place on your site/ app an easily-accessible, comprehensive privacy policy which includes details on how you process end-user data, for which purposes and who else has access. Be sure to include each third-party service used with links to their policies where possible and detail their involvement in the processing (you can do this with just a few clicks via our privacy policy solution)
• Implement a method of obtaining verifiable and valid consent. For consent to be valid, it must be informed, freely-given and verifiable. This means that your end users should know precisely and honestly, exactly what they’re consenting to and the consent must be based on an explicit affirmative uncoerced action.

 Here’s an example of a method of acquiring valid consent for the processing of personal data for ads: Yes, I would like the ads I view to be personalized. I have read the privacy policy and understand the requirements for this function (optional).

• Implement a “cookie consent solution” that allows you to obtain valid, verifiable explicit consent BEFORE installing cookies on the end users’ device. Our cookie solution simplifies this process -end users are informed via a customizable cookie banner; active consent is facilitated via either clicking or scrolling, and user consent settings are remembered.
• Keep clear records of the consent attained. Your records of consent should at least include the identity of the user giving consent; when they consented; what disclosures were made (what they were told) at the time they consented; methods used for obtaining consent (e.g., newsletter form, during checkout etc.); whether they have withdrawn consent or not.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our up-coming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to sign-up NOW as our webinars often fill up quickly.

iubenda helps you with the generation of your privacy policy and a fully fledged cookie management system (Cookie Solution)

Take me to the privacy policy generator

Take me to the Cookie solution

The post Google’s latest GDPR preparations and what they mean for you appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Yesterday, on the 17th of February 2015, the WP29 has published a statement [link no longer up] on the results of their cookie surveys.

Their main takeaway is that cookie information and disclosure has indeed improved, but at the same time cookies were still being set without consent.

The survey is the result of the work by 8 data protection agencies across Europe being,

• Czech Republic – Úřad pro ochranu osobních údajů,
• Denmark – Erhvervsstyrelsen,
• France – Commission nationale de l’informatique et des libertés,
• Greece – Hellenic Data Protection Authority,
• Netherlands – Authority for Consumers & Markets,
• Slovenia – Informacijski pooblaščenec Republike Slovenije,
• Spain – Agencia Española de Protección de Datos,
• United Kingdom – Information Commissioner’s Office.

Methodology of the cookie survey

The cookie sweep was done in two major stages. The first was a statistical review of cookies used by websites and their technical properties. The second was a more in-depth manual review of cookie information and consent mechanisms.

What are cookies anyways?

In the words of the press release published yesterday, cookies are “a small piece of information placed on a person’s computer when they visit a website. They can be used to remember the users’ preferences, record items placed in a shopping basket and carry out various other tasks based on how that person uses the site. Some cookies, known as third party cookies, can also be used for many purposes including to record information based on how the user is interacting with other websites.”

And whilst the sweep focused on the classical http cookies, there’s one thing to keep in mind (and it has also been pointed out in the press release itself), similar technologies such as the ones known under the term device fingerprinting, also fall under the cookie rules.

Targeted sites

Target sectors were selected as those which were considered by the WP29 to present the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector.

Target web sites were selected as being amongst the 250 most frequently visited by individuals within each member state taking part in the sweep. In order to remove potential duplication of sweeping, websites of organisations which were not firmly established within a member state taking part in the sweep were suggested to be excluded.

Results of the cookie survey in detail

Considering that big sites have known about these rules for a while and that guidance by national data protection agencies AND the WP29 was out there, these results must be quite disappointing.

• More than 16000 cookies were set across the sites with those in the media setting the highest average number of cookies (50);
• 22 sites set more than double this average (>100 cookies) when a user visited their home page;
• 70% of the cookies encountered were set by third-parties and more than half of these cookies were set by just 25 domains;
• The average expiry of cookies was found to be between 1 and 2 years, 20% of cookies observed had an expiry date of between 2 and 5 years and 374 were observed with an expiry date of greater than 10 years. However, 3 cookies seen in the sweep had been set with the expiry date of 31 December 9999, nearly 8000 years in the future. Given that the duration can be intentionally renewed by the website operator on each visit it is the case that many of these cookies would survive the lifetime of the device;
• 26% of sites provided no notification that cookies were being used. Of those that did provide a notification, visibility could be improved in 39% of cases and half (50%) merely informed users that cookies were in use without requesting consent;
• Only 16% of sites gave users a granular level of control to accept a subset of cookies with the majority relying on browser settings or a link to a third-party opt-out tool;
• Seven sites set no cookies on the first page.

For further insights, it’s worth reading the guidance made public by the WP29:

• Document 02/2013 providing guidance on obtaining consent for cookies
• Opinion 04/2012 on cookie consent exemption

It’s worth noting that for valid content an operator needs it to “be specific, freely given and
unambiguous“.

Future for cookie notices?

If anything, this cookie survey shows that there is still work to be done. If the data protection agencies want to see the existing rules implemented, that is. And that is very likely what we are going to see down the road: more guidance, more actions by the national data protection agencies to push for better cookie practices.

Update: of all countries in the European Union, the situation must be the most confusing in Germany. Some parties think that the e-Privacy directive has been adopted into German law (into the TMG), others like the data protection officers disagree and published a statement on their own regarding the matter saying that work needs to be done to make corrections and properly introduce the e-Privacy rules regarding cookies.

The post Article 29 Data Protection Working Party: we’re not quite happy about cookies yet appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.