TL;DR
Webflow generates its own cookies and loads third-party scripts (Google Analytics, Meta Pixel, HubSpot, etc.) through integrations or custom code. Under the GDPR, you must collect prior consent before loading any non-essential tracker. A compliant cookie banner that blocks scripts by default is mandatory, even on Webflow.
Webflow is popular for its design flexibility and managed hosting. But that flexibility comes with a responsibility: Webflow sites place cookies and can integrate dozens of third-party scripts. If your site is accessible from the European Union, GDPR compliance applies in full.
This guide explains which cookies Webflow places by default, why third-party scripts require consent, and how to add a compliant cookie banner to your Webflow site.
Which cookies does Webflow place by default?
A Webflow site without any third-party integration places a limited number of cookies. Understanding these native cookies is the first step of a compliance audit.
Webflow's native cookies
Webflow places the following cookies on hosted sites:
- wf_orderId: session cookie linked to Webflow's e-commerce feature (if enabled), non-persistent
- webflow-session: session cookie for form management and interactions, non-persistent
- HubSpot cookies (hubspotutk, __hstc): placed if the native HubSpot integration is enabled
Webflow's native cookies (session, forms) are generally considered functional and may fall under consent exemptions — subject to a case-by-case assessment. However, as soon as you add third-party scripts (Google Analytics, Meta Pixel, HubSpot, Intercom, etc.), the consent requirement applies.
Common third-party scripts on Webflow
Most Webflow sites integrate third-party tools via the Custom Code panel (head/footer), native integrations or plugins. These tools place their own cookies and all require prior consent under the GDPR: Google Analytics 4, Meta Pixel, HubSpot CRM, Intercom, Hotjar, LinkedIn Insight Tag, Mixpanel, Segment.
To exhaustively identify all active trackers on your site, run a complete cookie audit.
Is Webflow GDPR-compliant by default?
No. Webflow provides hosting infrastructure and a visual editor, but GDPR compliance for your site is your responsibility as the site owner and data controller. Webflow does not provide a native cookie banner that is compliant with GDPR requirements.
Who is the data controller?
You, as the Webflow site owner, are the data controller for data collected through your site. Webflow acts as a data processor for hosting. Third-party script providers (Google, Meta, HubSpot, etc.) are either separate data processors or independent controllers depending on the tool.
What the ICO says about CMS-built sites
The ICO and EDPB make clear that the consent obligation applies regardless of the tool used to build the site: WordPress, Webflow, Shopify, or any other CMS. Using a website builder does not exempt you from GDPR compliance. The data controller is always the site owner.
How to add a compliant cookie banner to Webflow
Integrating a CMP (cookie consent management platform) into Webflow is done via the Custom Code panel. The method differs depending on whether you load third-party scripts directly in custom code or via Google Tag Manager.
Method 1: CMP via Webflow Custom Code
Most CMPs provide a JavaScript snippet to insert in the <head> of your site. In Webflow, go to Project Settings > Custom Code and paste your CMP snippet in the Head Code area. This snippet must load before any third-party script.
- Go to Project Settings > Custom Code in Webflow
- Paste your CMP snippet (e.g. FlowConsent) in Head Code
- Move all third-party scripts after the CMP snippet, or gate them via consent callbacks
- Verify that scripts are blocked by default before banner interaction
- Publish and test in private browsing mode
Method 2: Google Tag Manager and CMP
If you centralise scripts via Google Tag Manager, configure your CMP to trigger GTM tags only after the corresponding categories are accepted. With Google Consent Mode v2, you can pass the consent state to GTM before tags fully load.
See our guide on Google Consent Mode v2 for step-by-step configuration.
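The default-then-update sequence that Consent Mode v2 expects, as an added example that is not part of the original guide or any CMP vendor's code. The category names `analytics` and `marketing` and the `onCmpChoice` callback are assumptions; your CMP will expose its own equivalents.

```javascript
// Standard gtag bootstrap; globalThis is window in the browser.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Which Consent Mode v2 signals each CMP category controls.
// Category names are assumptions for this example.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the full signal map: anything not explicitly accepted is denied.
function consentState(accepted) {
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const value = accepted.includes(category) ? 'granted' : 'denied';
    for (const signal of signals) state[signal] = value;
  }
  return state;
}

// 1. Runs in Head Code before the GTM container snippet: everything denied.
function setDefaults() {
  gtag('consent', 'default', consentState([]));
}

// 2. Hypothetical CMP callback, invoked when the visitor saves a choice.
function onCmpChoice(accepted) {
  gtag('consent', 'update', consentState(accepted));
}

setDefaults();
onCmpChoice(['analytics']); // constructed visitor choice: analytics only
```
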
Blocking third-party scripts loaded via Custom Code
If you have pasted third-party scripts directly into Webflow Custom Code without GTM, your CMP must intercept and block them. Most modern CMPs offer script-blocking mechanisms based on attribute rewriting (changing the type from text/javascript to text/plain with a data-consent-category attribute).
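A static check for the "blocked by default" step, as an added example that is not part of the original guide: it scans a copy of your published head HTML and reports tracker scripts that are not inert `text/plain` blocks tagged with `data-consent-category`. The host list and the sample markup are constructed for illustration, and the regex parsing is a heuristic for simple tags, not a full HTML parser.

```javascript
// Host-to-category map is illustrative, not exhaustive (assumption for this example).
const TRACKER_HOSTS = {
  'www.googletagmanager.com': 'analytics',
  'static.hotjar.com': 'analytics',
  'connect.facebook.net': 'marketing',
  'js.hs-scripts.com': 'marketing',
};

// Parse the attribute string of one <script ...> tag into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every tracker script that would execute before consent: either it is
// not an inert text/plain block, or it carries no data-consent-category.
function findUngatedTrackers(html) {
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const text = attrs.src || m[2]; // external URL, else the inline body
    const host = Object.keys(TRACKER_HOSTS).find((h) => text.includes(h));
    if (!host) continue;
    const inert = (attrs.type || '').toLowerCase() === 'text/plain';
    const category = attrs['data-consent-category'] || null;
    if (!inert || !category) {
      findings.push({ host, expected: TRACKER_HOSTS[host], inert, category });
    }
  }
  return findings;
}

// Constructed sample of a Webflow Head Code area (IDs and paths are placeholders).
const SAMPLE_HEAD = `
<script src="https://cmp.example/banner.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-consent-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>var s=document.createElement('script'); s.src='https://static.hotjar.com/c/hotjar-0.js'; document.head.appendChild(s);</script>`;

console.log(findUngatedTrackers(SAMPLE_HEAD));
```

A clean result here only covers tags present in the static HTML; scripts injected at runtime still need the private-browsing test with the network panel open.
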
Common mistakes on Webflow and GDPR
Google Analytics is in the head Custom Code without a condition. The script loads on page open, before the banner. Fix: use GTM with consent conditioning, or your CMP's script-blocking mechanism.
The native Webflow Cookie Consent component is used alone. Webflow offers a basic 'Cookie Consent' UI element, but it is not designed to block third-party scripts. It displays a notice but does not gate tracker loading. Pair it with a real CMP.
Webflow forms collect personal data without a privacy policy link. Any form collecting personal data requires clear information about processing. Add a link to your privacy policy.
Webflow Interactions trigger analytics events unconditionally. If interactions (scroll, click) send events to third-party tools, those triggers must be gated on consent.
Consent is only managed on the homepage, not all pages. Ensure your CMP is active on every page: blog posts, landing pages, e-commerce pages.
GDPR compliance checklist for Webflow sites
- List all third-party scripts in Custom Code (head and footer) and Webflow integrations
- Run a cookie audit to identify active trackers before any interaction
- Add the CMP snippet as the first item in Custom Code head
- Verify that third-party scripts load after the CMP snippet
- Configure your CMP to block non-essential categories by default
- Test in private browsing that scripts do not load before banner interaction
- Write or update your privacy policy (mention every third-party tool)
- Add a privacy policy link in the footer and on forms
- Configure Google Consent Mode v2 if you use Google Analytics or Google Ads
- Verify banner behaviour on mobile devices
- Document your processing activities in a GDPR record
- Schedule bi-annual audits to catch newly added scripts
Conclusion
Webflow is an excellent site-building tool, but GDPR compliance is your responsibility. Adding a CMP to Webflow is straightforward via Custom Code. Block scripts by default, gate them on acceptance, and document your processing activities.
Start by scanning your Webflow site with the FlowConsent cookie scanner to identify all active trackers, then configure your banner accordingly.
Frequently asked questions
Does Webflow load third-party cookies by default?
Webflow's native cookies (session, forms, e-commerce) are limited and generally functional. However, as soon as you enable integrations or add third-party scripts in Custom Code, advertising or analytics cookies are placed and require prior consent.
Can I use Webflow's native Cookie Consent component as my only GDPR solution?
No. Webflow's native component displays a cookie information message but does not block third-party scripts before consent. It must be complemented by a real CMP that gates tracker loading on user acceptance.
How do I block Google Analytics on Webflow before consent?
If you load Google Analytics directly in Custom Code, your CMP must intercept and block the script until acceptance. If you use Google Tag Manager, configure Google Consent Mode v2 and link the GA4 tag trigger to acceptance of the analytics category.
Is GDPR compliance for a Webflow site complex?
No, it is technically straightforward. Integrating a CMP on Webflow means pasting a snippet into the Custom Code head. The complexity depends on the number of third-party scripts, but most CMPs offer ready-made configurations for common tools.