Does your website use third-party services? Get GDPR compliant in minutes.

FlowConsent

What does FlowConsent do?

FlowConsent is a European Consent Management Platform (CMP) hosted in the EU that collects, stores and propagates user consent for cookies and trackers in line with GDPR, the ePrivacy Directive and the IAB TCF.

What is FlowConsent

FlowConsent is a Consent Management Platform (CMP) built for European publishers and SaaS operators that need to comply with the GDPR, the ePrivacy Directive and national cookie rules. It displays a customisable banner, collects granular per purpose consent, stores the proof of consent, and propagates the user choice to every script on the website through the IAB Transparency and Consent Framework (TCF v2.2) and Google Consent Mode v2. The whole stack is hosted in the European Union, with no transfer to third countries by design.

What data does FlowConsent process

FlowConsent stores a first party cookie called fc_consent that contains the consent state, the version of the banner shown, the timestamp and a non identifying hash. A consent receipt is generated and stored on the FlowConsent backend with the page URL, a salted hashed visitor identifier, the consent decisions per purpose, the IAB TCF string and the Google Consent Mode signal. No advertising IDs are collected. The receipt serves as proof of consent and as the audit trail required by the CNIL, the BfDI, the AEPD and the ICO.

GDPR and ePrivacy implications

A CMP is by design strictly necessary to comply with Article 5(3) of the ePrivacy Directive and Article 7 GDPR. The fc_consent cookie remembers the user decision and is therefore exempt from prior consent. The legal basis for the consent receipt is Article 6(1)(c) GDPR (legal obligation, for accountability) combined with Article 6(1)(f) (legitimate interest, for fraud prevention and audit). FlowConsent should never be blocked behind another consent layer. It must, however, be transparent: the banner must list FlowConsent, its purpose and its retention period.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Data hosting and transfers

FlowConsent operates exclusively within the European Union, with the CMP API, dashboards and consent receipts hosted in Frankfurt and Paris. There is no transfer to third countries by the CMP itself. The downstream services governed by FlowConsent (analytics, advertising, social plugins) keep their own residency rules and may require additional Standard Contractual Clauses, but FlowConsent only stores their consent state, never the underlying personal data they process.

Practical compliance steps

Install the FlowConsent script as the very first tag on every page so that all other tags are blocked until consent is captured. Configure the purpose taxonomy to match your privacy notice (analytics, marketing, personalisation, social media). Enable the IAB TCF v2.2 signal and Google Consent Mode v2 to propagate consent to advertising partners and Google products. Document FlowConsent in your record of processing activities under legal obligation and review the consent receipts retention to align with the CNIL recommended six year period.

GDPR consent category

Essential

Websites using FlowConsent must obtain user consent under GDPR regulations.

Legal basisArticle 6(1)(c) GDPR (legal obligation) for the consent receipt and Article 6(1)(f) GDPR (legitimate interest) for the CMP cookies that are strictly necessary to remember the user choice. The CMP itself does not require user consent.

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive (Article 5(3)), CNIL France, BfDI Germany, AEPD Spain, ICO UK PECR, IAB TCF v2.2, Google Consent Mode v2

DPIA considerations

Low risk. The CMP itself processes minimal personal data (consent state, hashed visitor identifier, page URL) for the purpose of compliance. Document this in the record of processing activities under legal obligation and legitimate interest.

Sample consent text

FlowConsent is the Consent Management Platform that displays this banner and stores your choices. It is strictly necessary to remember your decisions and proves compliance; therefore it does not itself require consent.

Technical details

Tracking methodJavaScript Consent Management Platform (CMP), first party consent storage, IAB TCF v2.2 and Google Consent Mode v2 signalling, server side consent receipt API

Server locationEuropean Union (Frankfurt and Paris regions on European cloud infrastructure)

Cookieless tracking availableYes

Third-party domains contacted

flowconsent.comcdn.flowconsent.comapp.flowconsent.comapi.flowconsent.com

Cookies placed

Name	Type	Duration	Purpose
fc_consent	first_party	12 months	Strictly necessary cookie that stores the user consent state, banner version, timestamp and a non identifying hash so that the choice is remembered and applied across pages.

FlowConsent is an essential service, but transparency matters. Manage all your consent with FlowConsent.

Get started free Scan your site

Frequently asked questions

Which cookies does FlowConsent set?

FlowConsent sets a single first party cookie called fc_consent that stores the consent state, the banner version, a timestamp and a non identifying hash. It does not write any third party cookie or share data with advertising networks.

Is consent required to use FlowConsent itself?

No. The fc_consent cookie is strictly necessary to remember the user choice and to comply with the consent obligation under the GDPR and the ePrivacy Directive. It is therefore exempt from the prior consent requirement of Article 5(3) ePrivacy.

What is the legal basis for processing through FlowConsent?

Article 6(1)(c) GDPR (legal obligation) for storing the consent receipt as proof of compliance, combined with Article 6(1)(f) (legitimate interest) for fraud prevention and audit. No consent is required for the CMP itself.

Does FlowConsent transfer data outside the EU?

No. FlowConsent operates exclusively within the European Union, with the CMP API, dashboards and consent receipts hosted in Frankfurt and Paris. Sub processors are limited to EU based providers and the DPA confirms no third country transfers.

Do I need a DPIA for FlowConsent?

A formal DPIA is generally not mandatory because the CMP processes minimal personal data with a strong public interest justification. Document the legitimate interest and legal obligation analyses in your record of processing activities and align retention with national regulator recommendations.

How do I implement FlowConsent in a GDPR compliant way?

Place the FlowConsent script as the very first tag on every page so that all other tags stay blocked until consent is captured. Configure granular per purpose toggles, enable the IAB TCF v2.2 and Google Consent Mode v2 signals, document FlowConsent in your record of processing activities and align retention with the six year CNIL recommendation.

Are there alternatives to FlowConsent?

European CMPs include Didomi, Axeptio, Cookiebot (Usercentrics group), Tarte au Citron, Sourcepoint EU and Complianz. Selection criteria include EU residency, IAB TCF certification, granular per purpose blocking, A/B testing of banners, server side consent receipts and connector breadth.

How should I update my cookie policy for FlowConsent?

Mention that you use FlowConsent (CMP, EU hosting) to manage and prove cookie consent, list the fc_consent cookie as strictly necessary, document the consent receipt retention, and explain how users can withdraw or modify their decisions through the persistent FlowConsent preferences link.

Get compliant — Try FlowConsent free

Free plan · 10-min setup