Cookie-Script is an EU based consent management platform developed in Latvia. It scans and categorises cookies, blocks third party scripts before consent, generates a cookie policy and stores the proof of consent. It supports IAB TCF v2.2, Google Consent Mode v2 and per region rules (GDPR, ePrivacy, CCPA, LGPD). Pricing is positioned for SMBs and a free plan exists for low traffic sites.
Cookie-Script is an EU based consent management platform developed by ConsentWiz SIA in Riga, Latvia. It is widely used by European SMBs because the SaaS dashboard is hosted entirely on EU servers, the pricing is straightforward and a free plan covers low traffic websites. Cookie-Script automatically scans the website, classifies the discovered cookies into the standard categories (necessary, functional, analytics, marketing) and renders a customisable consent banner that blocks every non essential script until the visitor decides.
The publisher adds a single asynchronous script tag in the head of the website. On first load the script renders a banner and a preference modal, blocks the third party tags and stores the visitor decision in the CookieScriptConsent first party cookie (or local storage). On every subsequent navigation the cached choice is replayed without prompting the visitor again. The Cookie-Script dashboard then provides a hosted cookie scanner, a cookie policy generator, a consent log with timestamp and IP and a daily change report.
On the visitor browser the only cookie set by Cookie-Script itself is CookieScriptConsent, a first party cookie of the publisher domain that contains the consent string per category. Default lifetime is 12 months, configurable. On the dashboard side, Cookie-Script stores a hashed identifier, the consent timestamp, the country of the visitor (derived from IP) and the version of the cookie banner that was shown. The full IP is not retained; only the country code is kept for compliance reporting.
Cookie-Script implements the strict reading of GDPR Art. 7 and Art. 5(3) ePrivacy: prior consent before any non essential cookie or tracking script, the same prominence for Accept all and Reject all (per CNIL deliberation 2020-091 and the EDPB cookie banner taskforce report), per category granularity and a permanent withdrawal link. The IAB TCF v2.2 module is available for publishers that monetise inventory through the OpenRTB ecosystem, and Google Consent Mode v2 signals are emitted automatically when Google tags are detected.
In the Cookie-Script dashboard select GDPR + ePrivacy as the regulatory profile. Enable the geo targeting feature so visitors from California get a CCPA banner, visitors from Brazil get an LGPD banner and visitors from the EU get the GDPR banner. Set the cookie lifetime to a maximum of 13 months (CNIL recommendation). Activate the Reject all button on the first layer with the same visual weight as Accept all. Enable the consent record export to CSV for audit purposes.
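One way to verify the two settings that matter most here, prior blocking and the 13 month lifetime cap, is to load the site in a fresh browser profile, capture every cookie written before the banner is answered, and audit the list. The following is an added example, not Cookie-Script or FlowConsent code; the function names, the allowlist parameter and the sample capture are assumptions made for illustration, and the input is assumed to be cookie strings in Set-Cookie syntax.

```javascript
// Cookie names the page attributes to the CMP itself.
const CMP_COOKIES = new Set(["CookieScriptConsent", "_cookiescriptid"]);

// Parse one cookie string into { name, expiresAt } (ms since epoch, null = session).
// Max-Age takes precedence over Expires, as in RFC 6265.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? "" : pair.slice(0, eqPos);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  const expiresAt = maxAge !== null ? now.getTime() + maxAge * 1000 : expires;
  return { name, expiresAt };
}

// Flag cookies written before consent that are neither CMP cookies nor on the
// site's own strictly-necessary allowlist, and any lifetime beyond 13 months.
function auditPreConsent(headers, necessaryAllowlist, now) {
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + 13);
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h, now);
    const allowed = CMP_COOKIES.has(c.name) || necessaryAllowlist.has(c.name);
    if (!allowed) findings.push({ cookie: c.name, issue: "set-before-consent" });
    if (c.expiresAt !== null && c.expiresAt > limit.getTime())
      findings.push({ cookie: c.name, issue: "lifetime-over-13-months" });
  }
  return findings;
}

// Constructed sample capture from a first page load, banner not yet answered.
const NOW = new Date("2025-01-01T00:00:00Z");
const SAMPLE = [
  "CookieScriptConsent=%7B%7D; Max-Age=31536000; Path=/; SameSite=Lax",
  "PHPSESSID=abc123; Path=/; HttpOnly",
  "_ga=GA1.1.1.1; Expires=Thu, 31 Dec 2026 00:00:00 GMT; Path=/",
];
console.log(auditPreConsent(SAMPLE, new Set(["PHPSESSID"]), NOW));
```

An empty result means nothing outside the CMP cookies and the allowlist was written before the visitor decided; any finding points at a tag the banner is not gating or a lifetime that needs shortening.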
Cookie-Script processes all consent records on AWS Frankfurt and Hetzner Helsinki, both EU regions. The DPA explicitly states that no personal data is transferred outside the EEA. The consent banner JavaScript can be loaded from the Cookie-Script CDN (Cloudflare with EU data centres) or self hosted, in which case the visitor IP is not exposed to any third party.
Run a fresh cookie scan after every site change. Map each discovered cookie to a clear purpose and set the lifetime to the documented value. Sign the Cookie-Script DPA from the dashboard and add Cookie-Script to your processor register (Art. 30 GDPR). Configure a banner with Accept all, Reject all and Customise on the same layer. Document the consent record retention in your privacy policy and expose a permanent Cookie settings link in the footer.
Websites using Cookie-Script must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Cookie-Script itself. Document the consent record retention (typically 12 months in the SaaS dashboard) and the lawful basis for keeping it. A DPIA may be triggered by the third party services Cookie-Script gates if those involve large scale or systematic profiling.
Sample consent text
We use cookies and similar technologies to operate this site, measure audience and personalise content. Necessary cookies are always active. You can accept all, reject all or choose by category. Your choice is stored for 12 months and you can change it at any time via the Cookie settings link in the footer.
Third-party domains contacted
cookie-script.com, report.cookie-script.com, cdn.cookie-script.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CookieScriptConsent | first_party | 12 months | Stores the visitor consent choices and a unique identifier used as proof of consent under Article 7(1) GDPR. |
| CookieScriptConsent | first_party | 12 months | Stores the visitor consent decision per cookie category on the publisher domain. |
| _cookiescriptid | first_party | 6 months | Pseudonymous identifier used to map the consent string to the dashboard consent log. |
CookieScript sets the CookieScriptConsent first party cookie that stores the chosen categories and a consent identifier. A server side record keeps a truncated IP and the timestamp.
Cookie-Script sets one first party cookie called CookieScriptConsent on your own domain. It contains a JSON object with the visitor decision per category (necessary, functional, analytics, marketing). Default lifetime is 12 months. A second cookie, _cookiescriptid, is set if you enable the dashboard consent log to map the choice to the central record.
No. CookieScript is treated as strictly necessary under Article 5(3) ePrivacy. The trackers it manages still require valid consent.
The CookieScriptConsent cookie itself can be considered strictly necessary (Art. 5(3) ePrivacy exemption) because it stores the consent record, which is a legal obligation under Art. 7(1) GDPR. The third party scripts that Cookie-Script gates always require prior consent.
Legitimate interest and the proof of consent obligation under Article 7(1) GDPR. Underlying services rely on consent.
Legitimate interest (Art. 6(1)(f) GDPR) for the consent record itself, since storing it is necessary to demonstrate compliance with Art. 7(1). Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for any third party tag controlled by the banner.
No, not in the standard configuration. CookieScript is run from Lithuania and uses AWS EU, removing Schrems II concerns for the CMP layer.
No. Cookie-Script processes all consent records on AWS Frankfurt and Hetzner Helsinki, both EU regions. The DPA explicitly states that no personal data is transferred outside the EEA. The CDN delivering the banner is Cloudflare with EU data centres.
Usually no for the CMP itself. The third party trackers managed through it may trigger a DPIA when they involve profiling, advertising or transfers.
A DPIA is generally not required for Cookie-Script itself, since it processes only the consent string and a coarse country code. A DPIA may be required for the third party services Cookie-Script gates if those involve large scale or systematic profiling under Art. 35 GDPR.
Add the loader in the head, run the scanner monthly, classify each tag, block non essential scripts before consent, give equal weight to accept and reject, and expose a preference link in the footer.
Run a fresh cookie scan from the dashboard, enable the GDPR + ePrivacy regulatory profile, set the cookie lifetime to 13 months maximum, expose Accept all and Reject all on the same level on the first layer, and add a permanent Cookie settings link in the footer. Sign the DPA from the dashboard.
Other EU CMPs include CookieFirst (Netherlands), Axeptio (France), Cookiebot by Usercentrics (Denmark and Germany), Sirdata (France), Didomi (France) and the open source Klaro. CCM19 (Germany) and Consentmanager (Germany) are also strong alternatives for German market customers.
CookieFirst, Cookiebot, CookieHub, Axeptio, Didomi, Complianz, OneTrust, Klaro. Decide based on hosting location, TCF support and price.
Use the scanner to refresh the inventory, document purpose and duration for every cookie, and version the policy each time a script is added.
Enable the daily cookie scan and the email change report in the dashboard. The policy generator updates automatically when a new cookie is detected. Review the generated policy every quarter and confirm that the lifetimes and purposes match the actual configuration of your tags.