Cookie banner on Webflow without Analytics: is it required?

TL;DR

A Webflow site that uses no third-party scripts (no Google Analytics, no Meta Pixel, no Hotjar, no live chat) and relies only on cookies strictly necessary for the site to function does not need a cookie consent banner under the ePrivacy Directive and Article 82 of France's Informatique et Libertés law. However, as soon as a single non-essential third-party script is added (in custom code, via an embed, or through an integration), consent becomes mandatory. Most production Webflow sites use at least one third-party tracker, making a banner necessary in the vast majority of cases.

Which cookies are exempt from consent under GDPR and ePrivacy?

Article 5.3 of the ePrivacy Directive (transposed into French law as Article 82 of the Informatique et Libertés law) provides two categories of trackers exempt from consent: trackers strictly necessary for providing an online communication service expressly requested by the user, and trackers whose sole purpose is to enable or facilitate electronic communication.

In practice, this covers session cookies (authentication, shopping carts), technical preference cookies (language selection, display settings), load balancing cookies, and security cookies (CSRF tokens, rate limiting).

The CNIL also considers that certain audience measurement cookies can be exempt, provided they are strictly limited to measuring audience for the exclusive benefit of the site publisher, do not enable cross-site tracking, and produce only anonymous data. Google Analytics does not meet these conditions in its standard configuration. For a refresher on cookie types, see our article on cookies explained: types and how they work.

What Webflow sets by default

A basic Webflow site with no custom scripts primarily uses technical cookies related to hosting (session, display preferences). These cookies are strictly necessary for the site to function and are exempt from consent.

However, note: if your Webflow site uses Google Fonts via the native integration (not self-hosted), it transmits visitor IP addresses to Google's servers. This is not a cookie, but it is a personal data transfer that poses a separate GDPR issue.

When is a cookie banner mandatory on a Webflow site?

A banner becomes mandatory as soon as a single non-exempt tracker is present on the site. Here are the most common triggers on Webflow sites.

Google Analytics (GA4)

GA4 sets tracking cookies (_ga, _ga_*) that are not strictly necessary for the site to function. Consent is required. Even though Google has certified GA4 under the EU-US Data Privacy Framework, the cookies themselves remain subject to the ePrivacy Directive. For more, see our article Is Google Analytics GDPR compliant?

Meta Pixel (Facebook)

The Meta Pixel sets third-party cookies for cross-site advertising tracking. Consent is required without exception.

Hotjar, Microsoft Clarity, FullStory

These heatmap and session recording tools set non-essential cookies. Consent is required.

Live chat tools (Intercom, Crisp, HubSpot)

Most chat widgets set tracking and identification cookies. Some set cookies as soon as the script loads, before the user even interacts. Consent is generally required, unless the provider guarantees that only strictly necessary cookies are used.

Embeds and iframes

Embedded YouTube videos, Google Maps, third-party forms: each embed can trigger cookie placement by the third-party service. A standard YouTube embed without "privacy-enhanced" mode sets Google advertising cookies.

Google Fonts via the API (reminder)

As explained in our article on Google Fonts and GDPR on Webflow, externally loaded fonts do not set cookies but transmit the IP address. This transfer is not covered by the cookie banner and requires a separate technical fix (self-hosting).

Cookie banner required by Webflow site type

Whether a banner is needed depends on the scripts and services integrated into your site, not the site type itself. A minimal showcase site with no third-party scripts and self-hosted fonts does not need a banner. A showcase site with GA4 does. An e-commerce site, blog, or SaaS site almost always uses at least one non-exempt tracker, making a banner mandatory.

For YouTube embeds, an alternative exists: use the youtube-nocookie.com domain, which significantly reduces cookies set. Still verify with an audit whether any trackers remain after making this change.

How to find out exactly which trackers are on your site

The best approach is to scan your site with a cookie audit tool. A cookie scan automatically identifies all cookies and trackers set by your site, including those injected by third-party services you may not have identified.

Manual method

If you prefer to check manually: open your site in a private browsing window, open developer tools (F12), go to the "Application" tab (Chrome) or "Storage" tab (Firefox), and check the "Cookies" section. You will see a list of all cookies set by domain.

Also check the "Network" tab to identify requests to third-party domains (google-analytics.com, facebook.net, hotjar.com, etc.).

Watch for scripts added by other people

On sites managed by multiple people (agency, client, developer), scripts are sometimes added to custom code without informing the compliance team. A regular audit is necessary to detect changes.

Common mistakes (and how to avoid them)

Believing a "simple" site has no trackers. A Webflow showcase site may seem minimal, but a single YouTube embed, a Typeform form, or a marketing pixel added in custom code is enough to make a banner mandatory.

Confusing "no Google Analytics" with "no trackers". GA4 is just one tracker among many. Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, chat widgets, heatmap tools: each sets its own cookies.

Ignoring cookies set by embeds. A YouTube video embedded via a standard <iframe> sets Google advertising cookies. The fix: use the youtube-nocookie.com domain for your embeds.

Assuming Webflow handles compliance automatically. Webflow provides a hosting platform and a Designer, but does not offer native cookie consent management. Compliance is the site publisher's responsibility.

Not updating the audit after each change. Every script, integration, or embed addition can change the list of trackers. The cookie audit should be repeated after every significant change.

Checklist: does your Webflow site need a cookie banner?

1. List all scripts present in the site's custom code (Site Settings and Page Settings).
2. Identify embeds and iframes on each page (YouTube, Google Maps, third-party forms).
3. Check if Google Fonts are loaded via the Google API (separate but related issue).
4. Scan the site with a cookie audit tool to detect invisible trackers.
5. Compare the list of trackers found against ePrivacy exemptions.
6. If at least one non-exempt tracker is present: implement a compliant consent banner.
7. If no non-exempt tracker is present: document this analysis and inform visitors via your privacy policy.
8. Set up a regular scanning process to detect tracker additions after each site update.

FAQ

Does a Webflow site with no third-party scripts need a cookie banner?

If your Webflow site uses no third-party scripts (no analytics, no marketing pixel, no chat, no embeds), fonts are self-hosted, and the only cookies set are strictly necessary for the site to function, then a consent banner is not required. However, you must still inform visitors about these technical cookies in your privacy policy.

Does Webflow set third-party cookies by default?

Webflow itself primarily sets technical cookies (session, preferences). However, the Google Fonts integration via the Google API transmits the IP address to Google's servers, which constitutes a separate personal data transfer. Additionally, any script added in custom code by the site publisher can introduce third-party cookies.

Is Google Analytics 4 exempt from consent since the EU-US Data Privacy Framework?

No. The Data Privacy Framework addresses data transfers to the United States, not consent for setting cookies. GA4 cookies (_ga, _ga_*) are not strictly necessary for the site to function. Consent remains required under the ePrivacy Directive.

Are there analytics tools exempt from consent according to the CNIL?

Yes. The CNIL has evaluated certain audience measurement solutions that, in a specific configuration, can be exempt from consent. This includes Matomo (in a restricted configuration) and AT Internet (Piano Analytics). The conditions are strict: data must be anonymized, limited to the publisher only, and without cross-site tracking.

Do I need a cookie banner if I only use YouTube on my Webflow site?

Yes, in most cases. A standard YouTube embed sets Google advertising cookies. The alternative is to use the youtube-nocookie.com domain for your embeds, which significantly reduces cookies set. Even then, verify with an audit whether any trackers remain.

How often should I audit cookies on my Webflow site?

An audit is recommended after every significant site change (adding a script, an embed, or an integration), and at minimum once per quarter. Third-party services can change their cookie practices without notice, which can affect your site's compliance.

Conclusion

The question "does my Webflow site need a cookie banner?" depends entirely on the scripts and services integrated, not the site type. A strictly static Webflow site with no third-party trackers and self-hosted fonts can skip the banner. But this scenario is rare in practice. To find out exactly where your site stands, the most reliable approach is to run a free scan with FlowConsent, which identifies all trackers in seconds.