Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Established UK based Consent Management Platform (CMP) from Civic UK Ltd that displays a cookie banner, collects choices per purpose, blocks third party scripts, stores proof of consent and integrates with IAB TCF v2.2 and Google Consent Mode v2.
Cookie Control is a Consent Management Platform built by Civic UK Ltd, a long established UK provider for compliance with cookie law, PECR, GDPR and UK GDPR. It loads a configurable banner, lists the trackers in use, lets visitors accept or refuse purpose by purpose, blocks third party scripts before consent and stores proof of consent for accountability.
Cookie Control sets a strictly necessary first party cookie (CookieControl) containing the consent decision per purpose and a version, optionally a pseudonymous identifier (ccUserId) for advanced consent log scenarios and, when TCF is enabled, the IAB euconsent-v2 string. No advertising or analytics cookie is set by Cookie Control itself.
The CMP cookie is required to demonstrate compliance with Article 7(1) GDPR and ICO PECR guidance, so it is exempt from prior consent under Article 5(3) ePrivacy. The banner must still meet CNIL, EDPB and ICO expectations: clear purposes, equal weight reject and accept, granular categories, easy withdrawal and proof of consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No consent is required to load Cookie Control itself. The banner must obtain consent for any non strictly necessary tracker, expose a permanent settings entry point, support re consent and provide accessible UI controls.
Civic UK Ltd operates from the United Kingdom, which benefits from a European Commission adequacy decision. No transfer to a non adequate third country is required for the standard CMP service.
Sign the DPA, configure the banner with reject and accept of equal visual weight, declare an honest vendor list, run a cookie scan to verify scripts are blocked before consent, set a sensible re consent period, store proof of consent for at least 6 months and refresh the configuration whenever a new vendor is added.
Websites using Cookie Control must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for the CMP itself. A short legitimate interest balancing test in the ROPA is enough, since Cookie Control only stores consent decisions and pseudonymous identifiers for accountability.
Sample consent text
We use Cookie Control (Civic UK Ltd) to ask for and store your consent for the cookies and trackers on this website. Cookie Control sets a strictly necessary first party cookie that contains only your choice and a technical identifier.
Third-party domains contacted
civic-uk.comcc.cdn.civiccomputing.comcookiecontrol.appCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CookieControl | http | 6 months | Stores the consent decision per purpose, the banner version and a pseudonymous identifier so the choice can be enforced on every page view. |
| ccUserId | http | 6 months | Pseudonymous identifier optionally used to link the consent decision to the centralised consent log. |
| euconsent-v2 | http | 6 months | IAB TCF v2.2 consent string emitted when the TCF integration is enabled. |
Cookie Control is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Cookie Control sets a strictly necessary first party cookie (CookieControl) storing the consent decision per purpose, optionally ccUserId for the consent log and, with TCF enabled, the IAB euconsent-v2 string. No advertising or analytics cookie is set by Cookie Control itself.
No. The CMP cookie is strictly necessary to comply with the obligation to obtain and prove consent (Article 7 GDPR, ICO PECR guidance), so it falls under the Article 5(3) ePrivacy exemption.
Article 6(1)(c) GDPR (legal obligation) for storing proof of consent. Article 6(1)(f) GDPR (legitimate interest) for fraud and abuse prevention on the banner itself.
No. Civic UK Ltd operates from the United Kingdom, which has an EU adequacy decision. No transfer to a non adequate third country occurs.
No. A short legitimate interest balancing test in the ROPA is enough. A DPIA may still cover the broader consent flow when high risk processing is gated by Cookie Control.
Configure the banner with reject and accept of equal weight, expose a permanent settings entry point, list every vendor and purpose, scan the site to verify scripts are blocked before consent, set a sensible re prompt period, sign the DPA and store proof of consent for at least 6 months.
Other CMPs include Axeptio, Didomi, OneTrust, Cookiebot, Iubenda, Sirdata, CookieFirst, Klaro, Usercentrics, Sourcepoint, Tarte au Citron and Biskoui.
Document Cookie Control as a processor in the privacy notice, describe the strictly necessary cookies it sets, link to its privacy policy, list the trackers it gates and refresh the policy whenever a new vendor is added to the configuration.