Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
CookieYes is a Consent Management Platform built by WebToffee, popular among WordPress and Shopify merchants for its low cost, simple setup and automatic cookie scanner. It supports the IAB TCF v2.2 framework, Google Consent Mode v2 and granular category controls compliant with GDPR, CCPA and LGPD.
CookieYes is a Consent Management Platform created by WebToffee, a software company headquartered in Cochin, India with an EU office in Nicosia, Cyprus. Launched in 2019, it has become one of the most widely deployed CMPs in the WordPress and Shopify ecosystems thanks to its free tier, simple setup and automatic cookie scanner. CookieYes supports the IAB TCF v2.2 framework, Google Consent Mode v2 and granular category controls compliant with GDPR, ePrivacy, CCPA, LGPD and the UK GDPR.
CookieYes sets a single first party cookie called cookieyes-consent (12 months) which stores the user consent record: accepted or rejected categories, timestamp, consent version and a unique ID. When the IAB TCF integration is active, the euconsent v2 string is also stored. The consent proof is uploaded to AWS Frankfurt for EU customers and remains accessible from the CookieYes dashboard for audit purposes. No browsing behaviour, IP address or device fingerprint is collected.
CookieYes is designed for privacy by design under Article 25 GDPR. It blocks non essential scripts before the accept click, offers granular category controls (necessary, functional, analytics, performance, advertisement, others), provides a reject button with equal visual weight, and is certified for IAB TCF v2.2 interoperability. The auto blocker prevents tags from firing until the relevant category is approved, which is the technical condition required by the CNIL and the EDPB.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
EU customer consent records are stored on AWS Frankfurt (eu-central-1). However, WebToffee India and the Cyprus office may access the data for support and engineering purposes, which qualifies as a transfer to India under Schrems II. WebToffee signs the EU Standard Contractual Clauses (2021/914) and has appointed an EU representative in Cyprus. This needs to be reflected in the privacy notice and in the data processing addendum.
Install the CookieYes WordPress plugin or paste the script in the head before any other tag, enable the auto blocker so non essential scripts wait for consent, activate granular categories and the equal weight reject button. Enable Google Consent Mode v2 in the integrations tab to forward the consent signals to GTM, configure the consent log retention to 12 to 24 months and pair the CMP with the CookieYes policy generator.
Websites using CookieYes must obtain user consent under GDPR regulations.
DPIA considerations
CookieYes is a low risk processor that only stores the consent record and the policy text. A full DPIA is generally not required, but document the legal basis (Article 6(1)(f) and 7(1) GDPR), the EU only data storage with technical access from India (covered by SCCs) and the 12 month retention of the consent record in the record of processing activities.
Sample consent text
This website uses CookieYes by WebToffee to manage your cookie preferences. CookieYes stores your consent record in the cookieyes-consent first party cookie for 12 months as proof under Article 7(1) GDPR. EU customer data is hosted in AWS Frankfurt.
Third-party domains contacted
cdn-cookieyes.comlog.cookieyes.comapp.cookieyes.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cookieyes-consent | first_party | 12 months | Stores the user consent record for the CookieYes CMP: categories accepted or rejected, timestamp, consent version and unique ID. Required to apply the user choice on every page load. |
| euconsent-v2 | first_party | 12 months | Standard IAB TCF v2.2 consent string, set when the TCF integration is active. Required for interoperability with the European programmatic advertising ecosystem. |
CookieYes is an essential service, but transparency matters. Manage all your consent with FlowConsent.
CookieYes sets a single first party cookie called cookieyes-consent (12 months) which contains the consent record (accepted or rejected categories, timestamp, version, ID). When IAB TCF integration is active, the euconsent v2 string is also stored. No browsing behaviour or fingerprint is collected.
No. The cookieyes-consent cookie is strictly necessary under Article 5(3) ePrivacy Directive: it is required to record and prove the consent choice. CookieYes loads before the user clicks accept, in line with CNIL, AEPD and TTDSG guidance.
CookieYes relies on the legitimate interest of the controller under Article 6(1)(f) GDPR combined with the legal obligation to demonstrate consent under Article 7(1) GDPR. The website operator is the controller, CookieYes the processor.
Not to the United States, but EU customer data may be accessed by WebToffee staff in India. This qualifies as a transfer to India under Schrems II. WebToffee signs the EU SCCs (2021/914) and has appointed an EU representative in Cyprus. The data itself is stored on AWS Frankfurt.
No. CookieYes is a low risk processor. A full DPIA is not required; document the legal basis, the EU hosting with technical access from India (covered by SCCs) and the 12 month retention of the consent record in the record of processing activities.
Install the CookieYes WordPress plugin or paste the script in the head before any other tag, enable the auto blocker, activate granular categories and the equal weight reject button, enable Google Consent Mode v2 and pair the CMP with the CookieYes policy generator.
EU based alternatives: Axeptio (France), Cookiebot (Denmark), Usercentrics (Germany), Iubenda (Italy), CookieFirst (Netherlands), Didomi (France). Open source: Klaro, Orejime, Tarteaucitron and CookieConsent by Orest Bida.
CookieYes includes an automatic cookie scanner that detects new vendors monthly and updates the cookie policy text. Enable email notifications, review the categorisation and reflect any change in the privacy notice when new processors are added.