Secure Privacy is a European Consent Management Platform headquartered in Oslo with operations in Switzerland and Poland. It bundles a customisable cookie banner, an automated cookie scanner, a privacy policy generator and IAB TCF v2.2 support for programmatic advertising. The platform is well suited to operators that want EU/EEA data residency for the consent record by default and a fixed price model rather than seat based licensing.
Secure Privacy is a Consent Management Platform from Secure Privacy AS, a Norwegian company founded in 2018 with operations in Norway, Switzerland and Poland. The product bundles a configurable cookie banner, an automated cookie scanner that crawls the site to build the vendor inventory, a privacy policy generator that drafts a policy from the scanner output, and IAB Europe TCF v2.2 support for publishers monetising through programmatic advertising. The platform is positioned as a European alternative to US headquartered CMPs, with fixed pricing tiers and EU/EEA data residency by default.
The CMP writes sp_consent (12 month default lifetime), a JSON encoded record of the per category decision and timestamp, plus sp_landing for first visit detection. When IAB TCF v2.2 is enabled, the same SDK writes the standard euconsent-v2 cookie. The backend stores a truncated IP address and user agent string for proof of consent, along with the policy version shown to the visitor. The automated cookie scanner runs on a configurable schedule from Secure Privacy servers, reads first party cookies and the list of network requests, and produces the vendor inventory displayed in the banner. The policy generator simply transforms the inventory into draft text in the configured language.
Recital 30 of the ePrivacy Directive accepts that storing the consent decision is itself necessary processing, so the Secure Privacy banner can load before consent. GDPR Art. 7(1) requires the controller to demonstrate consent, which justifies the proof log on legitimate interest or legal obligation grounds. The banner UI must meet CNIL, ICO, Garante and EDPB guidance: equal prominence between accept and reject, no pre-ticked boxes, no nudging colours, no obstruction of content, granular per-category controls accessible in one click, and a clearly accessible withdrawal link. Secure Privacy provides templates that align with these requirements out of the box, but the operator remains responsible for the final configuration.
Secure Privacy exposes the standard __tcfapi() interface when TCF is enabled, plus a JavaScript event bus for non-TCF vendors. Operators wire each downstream tag (Google Analytics, Meta Pixel, custom pixels) to the corresponding Secure Privacy category through GTM consent triggers, custom script wrapping, or the Secure Privacy tag blocking feature that pre-wraps known tags by name. Google Consent Mode v2 integration maps Marketing to ad_storage, ad_user_data and ad_personalization, and Analytics to analytics_storage.
The default Secure Privacy deployment processes the consent record and audit log on EU/EEA infrastructure (Norway, Switzerland under the Swiss FADP, Ireland and Germany on AWS). For European operators this removes the Schrems II transfer assessment burden that applies to US headquartered CMPs. Optional integrations with US tools such as Google Consent Mode, Facebook Conversions API or US scanner partners bring back transfer considerations for those downstream services, but they are not part of the core CMP processing. Norway and Switzerland are recognised as having adequate data protection regimes under GDPR and Swiss FADP respectively.
Run the cookie scanner before launch and review the inventory for accuracy: the scanner detects most cookies but cannot infer purposes that depend on operator context, so manual review is needed. Configure the banner with equal prominence between accept and reject, granular per-category controls, and a 13-month consent lifetime as per CNIL guidance. Map all downstream tags to Secure Privacy categories through GTM or the built-in tag blocking feature, then test with a cookie scanner to confirm tags honour the decision. Re-scan the site monthly to catch new cookies, and document the data residency option chosen in the record of processing.
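The Consent Mode v2 mapping and the test step described above can be checked mechanically against one recorded page load. The JavaScript below is an added example, not Secure Privacy's or FlowConsent's code; the sp_consent field names, the cookie inventory and the observed cookie list are constructed assumptions, because the page does not document the record layout.

```javascript
// Added example. ASSUMPTIONS: the sp_consent field names ("categories",
// "analytics", "marketing") and all sample data are constructed; the page
// does not document the real record layout.
const SIGNALS = {
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
  analytics: ["analytics_storage"],
};

// Parse the cookie value; anything unreadable is treated as "nothing granted".
function parseDecision(rawCookie) {
  const decision = { necessary: true };
  try {
    const record = JSON.parse(decodeURIComponent(rawCookie));
    for (const [cat, value] of Object.entries(record.categories || {})) {
      if (cat !== "necessary") decision[cat] = value === true; // only literal true grants
    }
  } catch (_) { /* fail closed: keep only "necessary" */ }
  return decision;
}

// Consent Mode v2 state implied by the decision (mapping as given on the page).
function consentModeState(decision) {
  const state = {};
  for (const [cat, signals] of Object.entries(SIGNALS)) {
    for (const s of signals) state[s] = decision[cat] === true ? "granted" : "denied";
  }
  return state;
}

// Compare cookies seen after the choice with the manually reviewed inventory.
function auditCookies(decision, inventory, observed) {
  const findings = [];
  for (const name of observed) {
    const cat = Object.prototype.hasOwnProperty.call(inventory, name) ? inventory[name] : null;
    if (cat === null) findings.push({ name, issue: "not in inventory" });
    else if (decision[cat] !== true) findings.push({ name, issue: `category "${cat}" not granted` });
  }
  return findings;
}

// Constructed sample: visitor accepted analytics and rejected marketing.
const sampleCookie = encodeURIComponent(JSON.stringify({
  categories: { necessary: true, analytics: true, marketing: false },
  timestamp: "2024-01-01T00:00:00Z",
}));
const sampleInventory = { sp_consent: "necessary", sp_landing: "necessary", _ga: "analytics", _fbp: "marketing" };
const sampleObserved = ["sp_consent", "sp_landing", "_ga", "_fbp", "mystery_id"];
const decision = parseDecision(sampleCookie);
console.log(consentModeState(decision), auditCookies(decision, sampleInventory, sampleObserved));
```

On the sample data the audit reports `_fbp` (marketing was rejected) and `mystery_id` (a cookie the inventory review never classified), which are the two outcomes the monthly re-scan is meant to catch.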
Websites using Secure Privacy must obtain user consent under GDPR regulations.
DPIA considerations
Secure Privacy writes sp_consent (12 month default lifetime) holding the consent decisions per cookie category and the timestamp, sp_landing for first visit tracking, and euconsent-v2 when IAB TCF v2.2 is enabled. DPIA considerations: (1) consent records are personal data because they are tied to an IP address (truncated for storage), a timestamp and a persistent identifier; (2) Secure Privacy keeps consent records on EU/EEA infrastructure by default, reducing Schrems II exposure compared to US headquartered CMPs; (3) the automated cookie scanner reads the site's own cookies during scheduled crawls and the resulting vendor inventory is stored on Secure Privacy servers; (4) the privacy policy generator outputs document content based on the configured vendor inventory, which the operator remains responsible for reviewing for legal accuracy; (5) optional integrations with US tools (Google Consent Mode, Facebook CAPI) bring back the standard transfer considerations for those downstream services. A DPIA is generally not required for the CMP alone, but is recommended where Secure Privacy is bundled with extensive third party advertising or analytics.
Sample consent text
We use Secure Privacy as our cookie Consent Management Platform. Secure Privacy stores your preferences in a small first party cookie (sp_consent, 12 month duration) and keeps a proof of consent log on EU/EEA infrastructure. We do not share your consent record with vendors outside the EEA for our core CMP product. You can change or withdraw your consent at any time via the cookie preferences link in the footer.
Third-party domains contacted
app.secureprivacy.ai, cdn.secureprivacy.ai, api.secureprivacy.ai, scanner.secureprivacy.ai, secureprivacy.ai

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| sp_consent | Strictly Necessary / Consent | 12 months | Set by Secure Privacy. Stores the JSON encoded per category consent decision (necessary, preferences, statistics, marketing, etc.) plus the timestamp and the policy version shown when the user made their choice. |
| sp_landing | Strictly Necessary / Consent | 12 months | Set by Secure Privacy. First visit detection cookie used to determine whether the consent banner has been shown to the visitor before. |
| euconsent-v2 | Strictly Necessary / Consent | 12 months | Set by Secure Privacy when IAB Europe TCF v2.2 is enabled. Stores the standard TCF consent string used by downstream programmatic advertising vendors. |
| sp_consent_uuid | Strictly Necessary / Consent | 12 months | Set by Secure Privacy. Unique identifier used to look up the persistent consent record on the Secure Privacy backend, so that the same decision can be applied across subdomains. |
| sp_consent_version | Strictly Necessary / Consent | 12 months | Set by Secure Privacy. Stores the version of the vendor and category configuration shown when the visitor made their choice, so that a new consent request can be triggered if the configuration materially changes. |
Secure Privacy writes sp_consent (12 month default lifetime), a JSON encoded record of the per category decision and timestamp; sp_landing for first visit detection (12 months); and euconsent-v2 (12 months) when IAB TCF v2.2 is enabled. A mirror copy of the consent state is also kept in browser local storage. All cookies are first party on the operator's domain.
Recital 30 of the ePrivacy Directive accepts that storing the user's consent record is necessary processing, so the Secure Privacy banner can fire before consent. The banner itself must not perform any other processing beyond capturing and storing the choice: no analytics on banner interactions without consent, and no A/B testing without a separate basis.
The EDPB and CNIL accept that storing the decision rests on legitimate interest under GDPR Art. 6(1)(f), or alternatively on legal obligation under Art. 6(1)(c) since GDPR Art. 7(1) requires the controller to demonstrate consent. The truncated IP address and timestamp retained for proof of consent rely on the same basis.
No for the core CMP product. Default infrastructure is on EU/EEA servers (Norway, Switzerland, Ireland, Germany on AWS). Norway and Switzerland are recognised as countries with an adequate level of data protection. Optional integrations with US tools (Google Consent Mode, Facebook Conversions API) may involve transfers for those downstream services, but they are not part of the core CMP processing.
A DPIA is generally not required for the CMP alone, since it processes minimal personal data on EEA infrastructure under the consent record legitimate interest basis. It is recommended where Secure Privacy is bundled with extensive third party advertising or analytics, particularly TCF based programmatic, where the IAB Europe legal context applies.
Run the automated cookie scanner before launch and review the resulting inventory for accuracy. Configure the banner with equal prominence between accept and reject, granular per-category controls, and a 13-month consent lifetime as per CNIL guidance. Map all downstream tags to Secure Privacy categories through GTM or the built-in tag blocking feature. Test with an external cookie scanner to confirm tags honour the consent decision.
Other EU based CMPs include Didomi (France), Usercentrics (Germany), Cookiebot/Cybot (Denmark), Axeptio (France), Sirdata (France), CookieFirst, Klaro (open source, Germany) and Cookie Information (Denmark). US based alternatives include OneTrust, Sourcepoint, Ketch and Osano, but these default to US infrastructure for the consent log.
List sp_consent, sp_landing and euconsent-v2 under strictly necessary cookies, with their purposes and durations. Name Secure Privacy AS as the CMP processor in the privacy notice, confirm the EU/EEA data residency, and list the legal basis (legitimate interest or legal obligation) for the consent record. Maintain a real-time vendor table reflecting the downstream tags managed by the CMP and re-scan monthly.