GDPR & ePrivacy compliance
CookieBoss is built to help websites meet the consent requirements of the General Data Protection Regulation (GDPR) and the ePrivacy Directive, the two regulations that govern cookie consent in the EU and EEA.
The legal requirements
GDPR Article 7 establishes conditions for valid consent: it must be freely given, specific, informed, and unambiguous. Data controllers must be able to demonstrate that consent was obtained, and withdrawal must be as easy as giving consent.
ePrivacy Directive Article 5(3) requires prior, informed consent before storing or accessing information on a user's device, which in practice means cookies and similar technologies.
How CookieBoss helps
- Prior consent
  Non-essential cookies are blocked until the visitor actively opts in. No pre-ticked checkboxes, no implied consent from scrolling.
- Granular categories
  Visitors choose consent per purpose: necessary, analytics, marketing, and preferences. Each category maps to specific cookies and scripts on your site.
- Easy withdrawal
  A persistent settings link lets visitors change or withdraw consent at any time, meeting the GDPR requirement that withdrawal be as easy as giving consent.
- Consent logging
  Every consent decision is recorded with a timestamp, visitor ID, and the categories chosen. Exportable logs let you demonstrate compliance to regulators.
- Geo-targeted rules
  Show different consent experiences based on visitor location. Apply strict opt-in for EU/EEA visitors, adjusted rules for California (CCPA), and simplified banners elsewhere.
- IAB TCF 2.3
  Full IAB Transparency and Consent Framework support for programmatic advertising. TC Strings, CMP API, and vendor-level consent management.
Data controller vs. data processor
You are the data controller. You decide which cookies your site uses, what categories they belong to, and how consent is presented to your visitors. You are responsible for ensuring your site's overall GDPR compliance.
CookieBoss acts as a data processor. We process consent data on your behalf: storing consent records, serving the consent script, and providing analytics. We only process data according to your instructions and our terms of service. A Data Processing Agreement (DPA) is available on request.
EU infrastructure
CookieBoss is operated by Transformination OÜ, registered in Tallinn, Estonia under full EU jurisdiction. All consent data is stored on Cloudflare infrastructure with the D1 database region-pinned to the EU (WEUR). Every Worker uses Smart Placement for EU-local execution.
For full details on how we handle data, see our privacy policy and terms of service. Questions? Email [email protected].