Cookie consent on Webflow: the complete GDPR guide

TL;DR

Webflow does not include a native GDPR-compliant cookie consent solution. To make a Webflow site compliant, you need to integrate an external CMP that displays the banner, blocks scripts before consent, and stores proof. This article covers Webflow-specific challenges, integration options, common pitfalls, and a step-by-step method to configure consent correctly.

Why Webflow requires special attention

Webflow is a powerful no-code website builder, but it does not include a native CMP that meets GDPR requirements. Cookie management relies entirely on third-party solutions. Additionally, Webflow uses its own hosting infrastructure and injects certain scripts by default (Webflow analytics, Google Fonts, embedded integrations) that may set cookies or send requests to third-party domains before any user interaction.

The challenge is twofold: setting up a compliant banner with effective script blocking, and dealing with Webflow-specific technical constraints that limit control over script loading order.

Options for integrating a CMP on Webflow

Custom code integration (head/body)

The most common method. Webflow allows custom code injection in the head and body sections of each page or at the project level. You paste your CMP script in the head section, and it loads before other scripts. Most CMPs provide a ready-to-paste snippet. The advantage is simplicity. The limitation is that control over exact loading order remains partial, as Webflow may inject its own scripts in parallel.

Google Tag Manager integration

If you use GTM to manage your tags (GA4, Google Ads, ad pixels), you can integrate your CMP through GTM with a Consent Initialization trigger. This gives you better control over firing order and makes it easier to enable Google Consent Mode v2. This is the recommended approach if you manage multiple tags.

Webflow-specific solutions

Some CMPs offer Webflow-specific integrations with dedicated instructions or templates. Finsweet Cookie Consent is a popular solution in the Webflow ecosystem, but it has limitations for advanced compliance (consent proof, Consent Mode v2). For a business site, a full CMP with effective blocking and proof storage is recommended.

Step-by-step method

Step 1: audit your Webflow site's cookies

Before any configuration, identify all active trackers. Webflow may set cookies related to Google Fonts, YouTube embeds, forms, and any analytics scripts added via custom code. Run a cookie scan on your production domain (not the webflow.io subdomain).

Step 2: choose your CMP

Pick a CMP that effectively blocks scripts (not just a visual overlay), supports Google Consent Mode v2, and integrates via a snippet pasted in Webflow's head code. See our CMP selection guide for detailed criteria.

Step 3: add the CMP script to Webflow

In your Webflow project settings, go to Settings > Custom Code > Head Code. Paste the CMP script first, before any other custom script (GA4, GTM, pixels). Order matters: the CMP must load before the scripts it is supposed to block.

Step 4: configure script blocking

On Webflow, script blocking typically involves changing the type attribute of script tags (replacing text/javascript with text/plain until consent) or wrapping through your CMP. If you use GTM, blocking is handled at the GTM trigger level (consent required before firing). Make sure embedded integrations (YouTube videos, maps, widgets) are also covered.

Step 5: test on your production domain

Publish your site and test on the production domain (not the .webflow.io subdomain, as behavior may differ). Open the network inspector in a private browsing window, verify that no non-essential cookies are set before interacting with the banner, and test all three scenarios: full rejection, partial acceptance, full acceptance.

Common Webflow mistakes

Testing only on webflow.io. The webflow.io subdomain may behave differently from your custom domain (Webflow cookies, internal scripts). Always test on the production domain.

Using Finsweet as the sole compliance solution. Finsweet Cookie Consent works for basic blocking but does not provide timestamped consent proof or native Google Consent Mode v2 support in all setups. For a commercial or high-traffic site, a full CMP is recommended.

Forgetting Google Fonts. Webflow loads fonts from fonts.googleapis.com by default, which sends a request to Google before consent. Depending on your supervisory authority's interpretation, this may create a data transfer issue. The alternative is to self-host fonts.

Not covering Webflow embeds. Webflow embedded components (YouTube videos, Vimeo, maps, third-party forms) set cookies. Your CMP must block them by default and only load them after consent.

Webflow cookie consent checklist

1. Cookie scan completed on the production domain.
2. CMP chosen with effective blocking and consent proof.
3. CMP script placed first in Webflow head code.
4. Non-essential scripts blocked before consent (GA4, pixels, embeds).
5. Google Consent Mode v2 configured if using GA4 or Google Ads.
6. Google Fonts self-hosted if required.
7. Tests run on the production domain (not webflow.io).
8. Three scenarios tested: rejection, partial, full acceptance.

Conclusion and next step

Webflow is an excellent site-building tool, but cookie compliance is entirely in your hands. The lack of a native CMP means you must integrate, configure, and test the consent solution yourself. Start with a cookie scan, choose a suitable CMP, and test on your production domain. Visit our services page to learn more about FlowConsent's Webflow integration.