Borlabs Cookie is a German-made WordPress consent management plugin developed by Borlabs GmbH in Berlin. It runs entirely on the operator's WordPress installation and serves the consent banner from the operator's domain, so no visitor data is sent to Borlabs servers or to any third country. The plugin supports Google Consent Mode v2, the IAB TCF v2.2 framework in the Pro version and an extensive content blocker for embeds (YouTube, Vimeo, Maps, social widgets). It is one of the most widely deployed CMPs in the DACH market and a reference implementation for TTDSG- and DSGVO-compliant cookie banners.
Borlabs Cookie is a Consent Management Platform delivered as a WordPress plugin and developed by Borlabs GmbH in Berlin. It is one of the most widely deployed CMPs in the DACH market and is regularly recommended by German data protection authorities and DSGVO consultants. The plugin combines a configurable consent banner, a content blocker that wraps third-party embeds in click-to-load placeholders, an integration layer for Google Consent Mode v2, an optional IAB TCF v2.2 implementation in the Pro version, and an audit trail of consent decisions stored in the operator's WordPress database.
The plugin processes only the data needed to record and prove user choices. It sets a first-party borlabs-cookie cookie holding the visitor preferences, a borlabs_uid identifier and a timestamp. The consent log is stored in the WordPress database on the operator's infrastructure. The only outbound connections are to api.borlabs.io for licence verification and to update.borlabs.io for plugin updates, which transmit the licence key and the WordPress instance URL but no visitor data. The optional TCF v2.2 layer adds the standard euconsent-v2 cookie.
Borlabs Cookie is built around German data protection requirements (TTDSG paragraph 25) and DSGVO obligations. The strictly necessary nature of the plugin's cookies is well established and recognised by the BfDI and several Landesdatenschutzbeauftragte. Because the plugin is self-hosted, the operator stays the sole controller of the consent receipt and does not need to sign a Data Processing Agreement with Borlabs for the CMP function itself. The content blocker enforces opt-in for every third-party embed configured in it.
The CMP runs entirely on the operator's WordPress installation. No visitor IP, user agent or consent string ever leaves the operator's infrastructure to reach Borlabs servers. The only contact with Borlabs GmbH (api.borlabs.io and update.borlabs.io) is for licence verification and updates, which transmit the licence key and the WordPress URL but no visitor data. This makes Borlabs Cookie a strong fit for high-risk sectors (health, finance, public administration) where EU-only data residency is a hard requirement.
Configure the content blocker to wrap every non-essential third-party embed (YouTube, Vimeo, Maps, Twitter, Facebook, Instagram) in a click-to-load placeholder. Enable Google Consent Mode v2 if the site relies on Google Ads, GA4 or Search Ads 360. Customise the consent groups to match the actual tracking stack and disable IAB TCF v2.2 if you do not work with TCF vendors. Document the configuration in the privacy policy and the cookie policy and review it at every WordPress or plugin update.
Websites using Borlabs Cookie must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for Borlabs Cookie itself: the plugin is self-hosted on the operator's WordPress installation and only processes the data needed to evidence consent under Article 7(1) GDPR. No transfers to third countries are involved. A targeted DPIA is only recommended when Borlabs is used to gate large-scale profiling or systematic international transfers in the wider tracking stack.
Sample consent text
We use the Borlabs Cookie consent plugin to record your cookie and tracking preferences. Borlabs runs entirely on our WordPress server and sets a strictly necessary cookie to remember your choices. No data is sent to Borlabs GmbH except the licence verification of the plugin itself. You can change your preferences at any time through the cookie preferences link.
Third-party domains contacted
api.borlabs.io
update.borlabs.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| borlabs-cookie | http | 12 months | Stores the visitor consent choices recorded by the Borlabs Cookie CMP. First party, strictly necessary to provide the consent recording service requested by the user. |
| borlabs_uid | http | 12 months | Anonymous visitor identifier used by Borlabs Cookie to link the consent log entry on the operator database. |
| euconsent-v2 | http | 12 months | IAB TCF v2.2 consent string, only set when the Pro version activates the TCF framework. |
Borlabs Cookie sets a small set of strictly necessary cookies on the operator's domain: borlabs-cookie (consent record with the user preferences, 12 months), borlabs_uid (anonymous visitor identifier, 12 months), and euconsent-v2 when the IAB TCF v2.2 layer is enabled in the Pro version. All cookies are first-party and contain no behavioural data.
No. The Borlabs cookies are strictly necessary to provide the consent recording service the user has effectively requested under Article 5(3) of the ePrivacy Directive and TTDSG paragraph 25 in Germany. The banner can therefore appear without prior consent. What requires consent is every non-essential service the Content Blocker gates afterwards (analytics, advertising, third-party embeds).
The legal basis is Article 6(1)(c) GDPR (legal obligation) for storing proof of consent required by Article 7(1) GDPR. A secondary Article 6(1)(f) (legitimate interest) basis covers fraud and abuse prevention on the consent script. The operator stays the controller of the consent receipt because the plugin is self-hosted.
No. Borlabs Cookie is fully self-hosted on the operator's WordPress server. No visitor IP, user agent or consent string ever leaves the operator's infrastructure. The only outbound contact is to api.borlabs.io and update.borlabs.io in Germany for licence verification and updates, which transmit the licence key and the WordPress URL but no visitor data.
No, not for the plugin itself. A DPIA is required only if Borlabs is used to gate large-scale profiling or systematic international transfers in the wider tracking stack. The CMP function on its own only processes the minimal data needed to evidence consent, which is a low-risk activity.
Configure the Content Blocker for every non-essential third-party embed, enable Google Consent Mode v2 if you use Google Ads or GA4, customise the consent groups to match the actual tracking stack, and disable the IAB TCF v2.2 layer if you do not work with TCF vendors. Document the configuration in the privacy policy and the cookie policy.
Comparable WordPress and EU-friendly CMPs include Real Cookie Banner, Complianz, CookieYes, Cookiebot, Iubenda, Klaro, CookieFirst, Termly and Usercentrics. EU-based operators with hard EU-only data residency requirements may prefer Borlabs Cookie, Real Cookie Banner or Klaro because they are self-hosted or operated from the EU.
Add a section describing Borlabs Cookie as the CMP, list the Borlabs cookies (borlabs-cookie, borlabs_uid, euconsent-v2 if applicable) with their retention and purpose, clarify that they are strictly necessary, and document that no visitor data is transferred to Borlabs GmbH. Link to the Borlabs privacy policy for completeness.