Pixeltree

Field notes

Consent Banners That Don't Kill Conversion: A DTC Privacy Setup Guide

October 6, 2025


Consent is the new checkout step, and most DTC brands are fumbling it

A fashion brand we audited in Q1 had a Cookiebot banner that blocked scrolling, covered 40% of the viewport on mobile, and demanded explicit consent before showing any content. EU visitors bounced at 68%. US visitors (who didn't legally need the same prompt) saw the same full wall and bounced at 41%. We moved to a geo-aware consent layer with a minimal US banner and a properly designed EU banner. EU bounce dropped to 43%, US to 22%. Nothing else changed.

TL;DR

▸ Consent banners are required in most US states and all EU/UK; ignoring this is legal risk
▸ Bad banner design costs 2-5% of sessions; good design costs under 1%
▸ Geo-aware consent lets US and EU visitors see appropriate prompts
▸ Google Consent Mode v2 is required for EU ads attribution in 2026


The regulatory landscape

GDPR (EU, EEA, UK post-Brexit). Opt-in before non-essential cookies. Granular categories (strictly necessary, preferences, statistics, marketing). Clear accept/reject options with equal visual weight.

CCPA/CPRA (California). Opt-out disclosure and mechanism. "Do Not Sell or Share My Personal Information" link required. Data rights disclosure (access, deletion, correction, portability).

Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA. Each state has variants. Most require privacy policy disclosure, data rights, and opt-out of targeted advertising.

Texas TDPSA, Oregon OCPA, Delaware DPDPA, others. More states coming online quarterly. The state patchwork is the US reality.

Global Privacy Control (GPC). Browser signal that communicates opt-out preference. California requires honoring it. More states following.

Our compliance audit service keeps track of the shifting picture for clients operating in multiple states and countries.

What actually needs consent

Strictly necessary (no consent needed). Session cookies, cart persistence, login authentication, load balancing. Any cookie without which the site literally doesn't function.

Preferences (soft consent). Language selection, theme preference, currency. Technically requires consent in strict GDPR reading, but low-risk.

Statistics (consent required in EU). Google Analytics, heatmaps, session recording. Opt-in in EU, disclosure in US.

Marketing (consent required in EU, opt-out in US). Meta pixel, Google Ads conversion, Klaviyo tracking, TikTok pixel, retargeting of any kind.

The consent banner design

A good consent banner does three things: discloses, asks, and stays out of the way.

Size. 20-30% of viewport at most. Anything bigger is hostile.

Placement. Bottom of viewport, slide-up from the bottom. Not a full-screen modal, not a covering-the-whole-page banner.

Copy. Three sentences. "We use cookies to improve your experience, analyze traffic, and deliver relevant ads. Accept all, reject all, or customize your preferences. Read our privacy policy for details."

Buttons. Three options visible: Accept All, Reject All, Customize. Equal visual weight. Don't hide Reject All under a secondary treatment; the EU specifically requires parity.

Link to full policy. Clear link to the privacy policy with all details.

Geo-aware consent

Geolocate the visitor's country (IP-based) and show the appropriate experience.

EU/UK visitors. Full GDPR-style banner. Nothing loads until consent. Default reject.

California, Colorado, Connecticut, Virginia, Utah, others. CCPA/state-style banner. Marketing opt-out offered. Some tracking before consent is permitted but disclosed.

Other US visitors. Light disclosure banner. Link to privacy policy. Continued use implies acceptance for non-sensitive categories.

Global Privacy Control detection. If the browser sends the GPC header, treat the visitor as opted out regardless of location.

Consent platforms compared

Platform                        | Strength                                    | Fit
--------------------------------|---------------------------------------------|----------------------------------------
Shopify native consent tracking | Free, integrated                            | US-focused brands, simple needs
Cookiebot                       | Balanced features, good compliance coverage | Mid-size brands with EU presence
OneTrust                        | Enterprise-grade, complex workflows         | Large multi-brand operations
Osano                           | Developer-friendly, good API                | Technical teams wanting customization
Iubenda                         | Simpler setup, good for smaller catalogs    | Smaller brands entering EU

Most DTC brands under $20M revenue in 2026 use Shopify native or Cookiebot. Above that, OneTrust or Osano are common.

Google Consent Mode v2

If you run Google Ads or GA4 and sell in the EU, Consent Mode v2 is required.

How it works. The consent banner signals to Google's tags whether consent was granted (granted/denied). Tags adapt behavior accordingly. Denied consent still sends privacy-preserving conversion signals; granted consent sends full data.

Implementation. The consent platform passes signals to Google Tag Manager or gtag. Four parameters: ad_storage, analytics_storage, ad_user_data, ad_personalization.

Impact. Without it, European traffic shows zero conversions in Google Ads. Attribution breaks entirely.
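As an added example (not code from this post or from any consent platform), here is how the geo-aware rules above and the four Consent Mode v2 parameters fit together in the browser: the visitor's country and state pick a regime, a Global Privacy Control signal forces the marketing category off, and the result is the gtag('consent', 'default', ...) call that must run before any Google tag, plus the 'update' built from the banner choice. The country and state codes are assumed to come from your IP geolocation, and the jurisdiction sets are illustrative rather than authoritative.

```javascript
// Added example, not code from the original post or from any consent platform.
// Maps the post's geo rules plus Global Privacy Control onto the four Google
// Consent Mode v2 parameters. Country/state codes are assumed inputs from IP geolocation.
const EU_EEA_UK = new Set(["AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR",
  "HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE",
  "IS","LI","NO","GB"]);
const US_OPT_OUT_STATES = new Set(["CA","CO","CT","VA","UT","TX","OR","DE"]); // illustrative

const MARKETING = ["ad_storage", "ad_user_data", "ad_personalization"];
const STATISTICS = ["analytics_storage"];

// Which regime governs what may run before the visitor acts on the banner.
function regimeFor(country, region) {
  if (EU_EEA_UK.has(country)) return "gdpr";
  if (country === "US") return US_OPT_OUT_STATES.has(region) ? "us-opt-out" : "us-notice";
  return "gdpr"; // anywhere else: fall back to the strictest default (assumption)
}

// Defaults for gtag('consent', 'default', ...): GDPR denies everything until opt-in;
// US regimes may start disclosed tracking, but GPC is an opt-out of marketing anywhere.
function defaultConsent(country, region, gpc) {
  const regime = regimeFor(country, region);
  const state = {};
  const set = (keys, value) => keys.forEach((k) => { state[k] = value; });
  set(STATISTICS, regime === "gdpr" ? "denied" : "granted");
  set(MARKETING, regime === "gdpr" ? "denied" : "granted");
  if (gpc) set(MARKETING, "denied");
  return { regime, state };
}

// Banner choice -> gtag('consent', 'update', ...). `choice` is "accept_all",
// "reject_all", or the Customize result, e.g. { statistics: true, marketing: false }.
function consentUpdate(choice, gpc) {
  const state = {};
  const set = (keys, ok) => keys.forEach((k) => { state[k] = ok ? "granted" : "denied"; });
  const all = choice === "accept_all";
  set(STATISTICS, all || (typeof choice === "object" && !!choice.statistics));
  set(MARKETING, all || (typeof choice === "object" && !!choice.marketing));
  if (gpc) set(MARKETING, false); // policy choice here (assumption): Accept All does not override GPC
  return state;
}

// Reads the browser GPC flag, builds the default call, sends it if gtag is loaded,
// and returns the call so it can be logged or tested outside a browser.
function applyDefaultConsent(country, region, nav) {
  const gpc = !!(nav && nav.globalPrivacyControl === true);
  const { regime, state } = defaultConsent(country, region, gpc);
  const args = ["consent", "default", Object.assign({ wait_for_update: 500 }, state)];
  if (typeof gtag === "function") gtag(...args); // must run before any Google tag fires
  return { gpc, regime, args };
}
```

In a real page, call applyDefaultConsent(country, region, navigator) in the head before gtag.js loads, then gtag('consent', 'update', consentUpdate(choice, gpc)) when the visitor clicks a banner button.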

Meta, TikTok, and other pixels

Each platform has its own consent signaling approach.

Meta. CAPI (Conversions API) server-side plus pixel client-side. Pass event_source_url and user data in a privacy-compliant manner; respect consent state.

TikTok. Events API server-side, pixel client-side. Similar consent flow. Our TikTok Shop vs native comparison covers the broader TikTok setup.

Klaviyo. Tracks email behavior and on-site behavior. Respect consent for on-site tracking; email engagement is covered by the email subscription consent.

Retargeting platforms. Criteo, AdRoll, etc. All require consent for tracking.

The BANNER framework

When designing or auditing a consent banner, apply BANNER.

B — Brevity. Three sentences maximum in the initial view. Detail lives in "Customize" and the full policy.

A — Accept/reject parity. Both options equally visible. No dark patterns.

N — Non-blocking. Doesn't prevent reading the page. Doesn't cover primary content.

N — Noticeable. Visible enough to be legally adequate notice. Invisible banners fail legal tests.

E — Easily re-accessible. Link in footer to re-open preferences. Required in many jurisdictions.

R — Respected signals. Global Privacy Control honored. Jurisdiction-specific defaults applied.

Privacy policy alignment

The banner is the tip; the policy is the iceberg. A good privacy policy covers:

▸ What data is collected (every category)
▸ Why it's collected (legal basis in EU)
▸ Who it's shared with (named third parties or categories)
▸ How long it's retained
▸ User rights (access, delete, correct, port, opt-out)
▸ How to exercise rights (email, form, phone)
▸ International transfers (data going between countries)
▸ Contact for privacy inquiries

Generic templated privacy policies fail audits. Use a privacy attorney or specialized consent platform that generates jurisdiction-aware language.

What breaks attribution when you do this right

Google Ads EU conversions drop. Without Consent Mode v2, attribution breaks. With it, modeled conversions partially fill the gap.

Meta EMQ (Event Match Quality) drops. Less user data passed. Solution: CAPI with whatever consent-appropriate user parameters are available.

Klaviyo events drop on non-consenting users. Flows trigger less. Acceptable tradeoff.

GA4 reporting changes. Different data model under consent mode. Train the team on the new baseline.

This isn't attribution getting worse. It's attribution becoming accurate to the consent reality.

Common traps

Cookie wall. Blocking all content until consent is a GDPR violation in most EU jurisdictions. Users must be able to access the site without consent.

Pre-ticked boxes. Any consent option defaulted to "accept" is invalid under GDPR. Every category must default to off.

Implied consent banners. "By continuing to use this site you accept..." is not valid consent in the EU. Explicit action required.

Consent logs missing. You must be able to prove who consented to what, when. Your platform should log this automatically.

Inconsistent policies. Banner says one thing, privacy policy says another, email footer says a third. All three must align.

Related reading

The compliance audit service covers the full privacy and accessibility picture. The international expansion service addresses jurisdiction-specific setup for brands entering EU markets. The Meta ads creative post covers how consent mode affects ads reporting. For the email side, the Klaviyo flows post covers consent-compliant email setup.

What to do this week

▸ Audit your current consent banner on desktop and mobile; screenshot the experience
▸ Geolocate yourself as an EU visitor (VPN) and see what happens
▸ Review your privacy policy last-updated date; anything over 12 months old needs review
▸ Verify Google Consent Mode v2 is implemented if you run Google Ads in Europe
▸ Check consent logs in your platform; confirm records exist and are exportable

Privacy compliance is not a one-time project. It's a maintained surface. Get the banner right once, then budget quarterly reviews.
