Termly is an all in one privacy compliance platform that combines a Consent Management Platform with automated privacy and cookie policy generators, a DSAR portal and a vendor management catalogue. The cookie banner is a JavaScript script loaded from app.termly.io that sets a first party consent cookie, supports the IAB TCF v2.2 framework and integrates with Google Consent Mode v2. Termly is operated from the United States and processes consent logs on AWS US infrastructure, so the deployment requires Standard Contractual Clauses and a transfer impact assessment for EU traffic.
Termly is a privacy compliance platform operated by Termly Inc in the United States. It combines a Consent Management Platform (cookie banner with TCF v2.2 and GPP support), a privacy policy and cookie policy generator with templates kept up to date for GDPR, CCPA, CPRA and various US state privacy laws, a DSAR portal, a vendor management catalogue and an audit trail. Termly positions itself as a single solution for small and medium businesses that want to cover GDPR, ePrivacy and the wave of US privacy laws without negotiating separate contracts with multiple vendors.
The consent banner sets a first party Termly cookie on the operator domain holding the visitor preferences, an anonymous visitor identifier and a timestamp. On the server side, Termly stores a consent receipt that includes the truncated IP address, the user agent, the language, the TCF or GPP consent string, the list of categories and vendors accepted or refused, the source of the choice and the geographic region detected. The privacy policy generator does not process visitor data, only the operator inputs (controller name, services used, retention durations).
Like every standard CMP, the Termly cookie is strictly necessary because it is the storage device required to demonstrate consent under Article 7(1) GDPR and Article 5(3) of the ePrivacy Directive. The CMP itself does not require a separate consent prompt. However, the operator must ensure that every non essential service gated by Termly (analytics, advertising, video, social) only fires after granular opt in. Termly templates can be configured to block scripts before consent through a dataLayer signal or Google Consent Mode v2.
Termly is operated from the United States and the production stack runs on AWS US regions. Consent receipts, truncated IPs and consent strings are processed on US infrastructure. This constitutes a Chapter V GDPR transfer that must be covered by Standard Contractual Clauses with Termly Inc and, where applicable, by reliance on the EU US Data Privacy Framework. The lack of advertised EU only residency means high risk sectors (health, finance, public administration) should run a transfer impact assessment or consider an EU based CMP.
Sign a Data Processing Agreement with Termly Inc covering its role as a processor. Configure the banner so no non essential tag fires before consent and connect Termly to your tag manager through the Google Consent Mode v2 integration. Audit the vendor list loaded by the banner and disable the IAB TCF vendors you do not actually use. Keep the auto generated privacy policy and the cookie list in sync with the actual stack, and review the configuration each time you add a new tag or change traffic regions.
Websites using Termly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the Termly CMP itself, as it only processes data needed to evidence consent under Article 7(1) GDPR. A targeted DPIA is recommended when the operator uses Termly with the full DSAR portal, vendor management and audit modules, or when the wider tracking stack includes large scale profiling or systematic transfers of EEA visitor identifiers.
Sample consent text
We use the Termly consent management platform to record your cookie and tracking preferences. Termly sets a strictly necessary cookie to remember your choices and stores a consent receipt on AWS US infrastructure as proof of your decision. You can change your preferences at any time through the cookie preferences button.
Third-party domains contacted
app.termly.io, termly.io, api.termly.io, a.termly.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| termly | http | 12 months | Stores the visitor consent choices recorded by the Termly CMP. First party, strictly necessary to provide the consent recording service requested by the user. |
| _termly_uid | http | 12 months | Anonymous visitor identifier used by Termly to link the consent receipt server side without storing direct identifiers. |
| _termly_settings | http | 12 months | Cache of the Termly CMP configuration for the current operator. Strictly necessary for the banner to render correctly. |
| euconsent-v2 | http | 12 months | Standard IAB TCF v2.2 consent string. Required when the operator participates in the IAB framework so downstream vendors can read the consent state. |
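
The domain list and cookie table above give an auditor a concrete allow-list for what a page may contact and store before the visitor has made a choice. The following added example (not Termly's code and not part of the original page) checks a pre-consent capture against that allow-list; the site `shop.example`, the other hosts and the request paths are constructed sample data.

```javascript
// Added example. Allow-lists come from the domain list and cookie table on this page.
const TERMLY_HOSTS = new Set(["app.termly.io", "termly.io", "api.termly.io", "a.termly.io"]);
const NECESSARY_COOKIES = new Set(["termly", "_termly_uid", "_termly_settings", "euconsent-v2"]);

// requests: URLs fetched before any interaction with the banner.
// cookieNames: names present in the cookie jar at that moment.
// firstPartyHosts: the operator's own hostnames (assumption: supplied by the auditor).
function auditPreConsent(requests, cookieNames, firstPartyHosts) {
  const own = new Set(firstPartyHosts.map((h) => h.toLowerCase()));
  const hosts = new Set();
  for (const url of requests) {
    let host;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch {
      hosts.add(`unparseable: ${url}`);
      continue;
    }
    // Exact host match only: a suffix or substring test would accept look-alike hosts.
    if (!own.has(host) && !TERMLY_HOSTS.has(host)) hosts.add(host);
  }
  const cookies = [...new Set(cookieNames)].filter((n) => !NECESSARY_COOKIES.has(n)).sort();
  const hostList = [...hosts].sort();
  return { hosts: hostList, cookies, clean: hostList.length === 0 && cookies.length === 0 };
}

// Constructed sample capture for the hypothetical site shop.example.
const sampleRequests = [
  "https://shop.example/",
  "https://app.termly.io/constructed-banner.js",
  "https://api.termly.io/constructed-receipt",
  "https://analytics.example.net/collect",          // non essential tag firing early
  "https://app.termly.io.cdn.example.net/x.js",     // look-alike host, not Termly
];
const sampleCookies = ["termly", "_termly_uid", "_ga", "_ga"]; // _ga: Google Analytics cookie
const report = auditPreConsent(sampleRequests, sampleCookies, ["shop.example"]);
console.log(report);
```

Any entry in `hosts` or `cookies` is a service that ran before opt in and needs to be gated on a consent category in the tag manager.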
Termly sets a small set of strictly necessary cookies: termly (consent record with user preferences, 12 months), _termly_uid (anonymous visitor identifier, 12 months), _termly_settings (CMP configuration cache, 12 months) and euconsent-v2 when the IAB TCF v2.2 framework is enabled. None of these cookies contain behavioural data.
No. The Termly cookies are strictly necessary to provide the consent management service the user has effectively requested under Article 5(3) of the ePrivacy Directive. The CMP banner can therefore appear without prior consent. What requires consent is every non essential service that Termly controls afterwards (analytics, advertising, video, social embeds).
The legal basis is Article 6(1)(c) GDPR (legal obligation) for storing proof of consent required by Article 7(1) GDPR, with a secondary Article 6(1)(f) (legitimate interest) basis for fraud and abuse prevention on the consent script. No marketing or profiling activity is performed by Termly itself.
Yes. Termly is operated by Termly Inc from the United States and the consent log infrastructure runs on AWS US regions. Truncated IPs, user agents and consent strings are processed in the US. Operators must sign Standard Contractual Clauses with Termly, rely on the EU US Data Privacy Framework where Termly and AWS are self certified, and document a transfer impact assessment.
Usually not for the Termly CMP in isolation: it only processes the minimum data needed to evidence consent. A DPIA becomes relevant when the operator activates the full Termly DSAR portal, vendor management and audit features, or when the wider tracking stack on the same site involves large scale profiling and systematic international transfers.
Block every non essential script in your tag manager and gate it on Termly consent categories. Enable the Google Consent Mode v2 integration so consent state flows to Google Ads and GA4. Place a persistent cookie preferences link in the footer, document the configuration in the privacy policy and disclose the transfer to the US. Keep the auto generated cookie list in sync with the actual stack.
Comparable CMPs include Didomi, Axeptio, Cookiebot, OneTrust, Usercentrics, Sourcepoint, Cookie Information, CookieHub, Iubenda and Complianz. EU based operators may prefer providers with EU only data residency, such as Didomi, Axeptio or Usercentrics, especially for high risk sectors.
Add a section describing Termly as your CMP, identify Termly Inc as the processor, list the strictly necessary Termly cookies (termly, _termly_uid, _termly_settings, euconsent-v2) with their retention and clarify that they are exempt from consent. Document the international transfer to the US, the legal basis (Article 6(1)(c) GDPR) and the link to the Termly privacy policy.