Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
CookieFirst is a Dutch consent management platform (CMP) that helps websites comply with the GDPR and the ePrivacy Directive by collecting, storing and proving cookie consent in 50+ languages.
CookieFirst is a Dutch consent management platform (CMP) operated by CookieFirst B.V. in Amsterdam since 2018. It bundles four capabilities: an automatic cookie scanner that crawls the publisher pages weekly to detect tracking technologies; a customisable consent banner with category granularity (necessary, preferences, statistics, marketing, social); a server side audit trail of every consent given, refused or modified; and an IAB TCF 2.2 stub that exposes the visitor consent to vendors that rely on the Global Vendor List.
The CookieFirst widget writes a single first party cookie on the publisher domain named cf_consent (12 months, configurable from 30 days to 24 months). The value is a base64 JSON object containing the categories accepted, the timestamp and a hashed consent id. A second first party cookie cf_consent_id stores the unique identifier sent to the CookieFirst audit trail. No third party cookie is set by the banner itself. Local storage entries cookiefirst_consent and cookiefirst_session may be used as fallback when cookies are blocked.
CookieFirst ships with templates that comply with the CNIL deliberation 2020 091 and the EDPB guidelines 03/2022 on deceptive design: a Refuse all button at the same visual level as Accept all, a granular preference screen and a no scroll no consent behaviour. The publisher must still configure the templates correctly, since CMP vendors cannot guarantee compliance for every customisation. The IAB TCF 2.2 stub is optional and can be disabled if the publisher does not load TCF vendors.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
CookieFirst hosts the consent audit trail on AWS Frankfurt (eu-central-1). The administration dashboard and customer support are operated from Amsterdam. The product is delivered through Cloudflare with the European Region preference. No data is transferred to the United States in the standard configuration, except for incidental observability metrics that traverse the global Cloudflare network.
Run the CookieFirst scanner monthly and update the cookie policy on every change. Configure the banner with a clearly visible Refuse all and a Customise button. Map every CMP category to the scripts loaded through Google Tag Manager, Matomo Tag Manager or hard coded in the template. Test the consent revocation flow end to end. Document CookieFirst as a processor in your record of processing (GDPR art. 30) and in the privacy notice. Keep the consent audit trail for at least 36 months as evidence under GDPR art. 7(1).
European alternatives include Axeptio (French), Cookiebot by Usercentrics (Danish, then German), Didomi (French), Complianz (Dutch, WordPress focused), CookieYes (Indian with EU hosting) and the open source Klaro. For TCF heavy publishers, Sourcepoint and Quantcast Choice remain the reference but with US ownership.
Websites using CookieFirst must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for CookieFirst because the platform is privacy enhancing and processes only the data needed to record consent.
Sample consent text
This site uses CookieFirst, a consent management platform operated by CookieFirst B.V. in Amsterdam, to display the cookie banner and to remember your choices for each cookie category. CookieFirst stores your consent decision in a first party cookie named cf_consent on this domain and keeps an encrypted audit trail in its European servers (AWS Frankfurt). No personal data is sent to a third country. The banner itself does not require consent because it is strictly necessary to manage your privacy preferences.
Third-party domains contacted
consent.cookiefirst.comcookiefirst.comcdn.cookiefirst.comconsent.cookiefirst.comcdn.cookiefirst.comapi.cookiefirst.comapp.cookiefirst.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cookiefirst_consent | First party (CookieFirst) | 12 months | Stores the granular consent decision of the visitor (functional, analytics, marketing, preferences). |
| cookiefirst-id | http_cookie | 12 months | Strictly necessary first party cookie that stores a unique identifier linked to the visitor consent record so the banner is not shown again until the consent expires. |
| cookiefirst-consent | http_cookie | 12 months | Strictly necessary first party cookie that stores the granular category choices (necessary, preferences, statistics, marketing) made by the visitor. |
| cookiefirst-id | First party (CookieFirst) | 12 months | Anonymous CookieFirst identifier used to link the consent record to the proof of consent log. |
| cookiefirst_consent_string | First party (CookieFirst) | 12 months | Stores the IAB TCF 2.2 consent string when TCF is enabled. |
| cookiefirst_settings | local_storage | Persistent until cleared | Local storage key that mirrors the consent payload to enable client side conditional script loading without an additional server round trip. |
| cookiefirst-test | first_party | session | Technical cookie set briefly to detect whether the browser accepts first party cookies before storing the consent record. |
| cookiefirst_banner_state | http_cookie | Session | Strictly necessary session cookie that records whether the banner has already been displayed during the current browsing session. |
CookieFirst is an essential service, but transparency matters. Manage all your consent with FlowConsent.
CookieFirst sets a single strictly necessary first party cookie called cookiefirst-id, valid for up to 12 months, plus a local storage entry that mirrors the visitor consent choices. No advertising or analytics cookie is set by CookieFirst itself; the platform only governs the cookies of other services on your site.
CookieFirst sets cookiefirst_consent (granular consent, 12 months), cookiefirst-id (anonymous identifier, 12 months) and, when IAB TCF is enabled, a cookiefirst_consent_string. No third party cookies are set by the CMP itself.
No. The cookies set by CookieFirst fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive (recital 66), because they are essential to deliver the service explicitly requested by the user, namely recording their cookie choices. Consent is required for the downstream services that CookieFirst gates, not for the CMP banner itself.
No. The CMP is strictly necessary under Recital 30 of the ePrivacy Directive. It may be loaded before any consent decision, provided it then blocks every non essential script until the visitor accepts.
CookieFirst is deployed under legitimate interest pursuant to Article 6(1)(f) GDPR for the controller, combined with the legal obligation under Article 5(3) ePrivacy and Article 7(1) GDPR to obtain and document consent for any non essential trackers. The platform itself only processes the limited data needed to evidence that consent.
Legal obligation (Art. 6(1)(c) GDPR with Art. 7(1) to demonstrate consent) and legitimate interest (Art. 6(1)(f)) for the geo IP lookup that selects the right regulation.
No. Digital Data Solutions B.V. hosts all consent records on AWS infrastructure inside the European Union (Frankfurt and Amsterdam regions). The CDN that serves the banner script can route via Cloudflare edges but the consent payload itself stays in the EU, which removes the Schrems II exposure typical of US owned CMPs.
No. CookieFirst B.V. operates entirely from the Netherlands and stores all data on EU infrastructure. No transfer outside the European Economic Area.
A standalone Data Protection Impact Assessment is generally not required because CookieFirst processes only the minimum data necessary to record consent (truncated IP, hashed identifier, timestamp). If your overall stack triggers a DPIA, document CookieFirst inside it as the mitigation control that gates higher risk processors such as advertising pixels.
A DPIA is not required. CookieFirst is a privacy enhancing technology that processes only minimum data needed to prove consent.
Place the CookieFirst script in the head section before any non essential tag, enable script blocking by default and integrate Google Consent Mode v2 from the dashboard. Configure each vendor in the right category (necessary, preferences, statistics, marketing) and use the JavaScript API CookieFirst.consent to gate custom scripts. Test that no tracker fires before Accept is clicked.
Run the cookie scanner, categorise each script, configure equal weight accept/reject buttons, enable Google Consent Mode v2 if relevant, store the proof of consent and expose a persistent settings icon. Document the CMP in your Article 30 record.
Complianz (Netherlands), CookieHub (Iceland), Klaro (Germany, open source), Cookiebot (Denmark/Switzerland), Usercentrics (Germany), Axeptio (France), Didomi (France) and OneTrust (US).
Comparable consent management platforms include Cookiebot, OneTrust, Iubenda, Didomi, Sourcepoint, Usercentrics, Axeptio, Klaro and CookieHub. Cookiebot and CookieHub are the closest direct competitors on price and feature set; Didomi and Sourcepoint are better suited to large publisher portfolios because of their TCF v2.2 support and granular vendor management.
Enable the automated cookie declaration block from the CookieFirst dashboard and embed it on your privacy policy page using the provided script tag. CookieFirst rescans the site monthly (or weekly on paid plans) and republishes the updated declaration automatically. Review the change log before each release to catch newly introduced vendors.
CookieFirst regenerates the policy automatically based on the scanner. Schedule a monthly scan and review the policy after every theme or plugin change. Publish the new version date and inform users of material changes.