Published on
February 19, 2026
Cookie Consent for Nonprofit Websites | GDPR Guide

Your nonprofit website almost certainly collects data. Google Analytics tracks visitors. Meta Pixel fires when someone lands on your donation page. LinkedIn Analytics runs in the background to measure campaign performance. If you've set any of this up — or if an agency set it up for you — and you don't have a properly implemented cookie consent mechanism, you are not GDPR compliant. The fine for non-compliance isn't a warning letter. Under GDPR, it can reach €20 million or 4% of global annual turnover, whichever is higher. For the nonprofit sector, where public trust is the foundation of everything, a data protection enforcement action is reputational as well as financial.
This guide covers what you need, why you need it, and how to implement it correctly — including Google Consent Mode V2, Google Tag Manager, and how to verify that consent is actually working the way you've configured it.
Why Cookie Consent Exists — and When You Actually Need It
The legal basis is twofold. GDPR (General Data Protection Regulation) governs the processing of personal data across the EU and, post-Brexit, is mirrored in UK GDPR. The ePrivacy Directive (often called the Cookie Law) specifically governs the use of cookies and similar tracking technologies — including local storage, session storage, and browser fingerprinting — regardless of whether the data processed is technically personal.
This matters because some tools use local storage rather than cookies to avoid consent requirements. Webflow Analytics, for example, uses local storage. Under ePrivacy, this still requires consent if it's being used to track user behaviour. The mechanism differs from a cookie, but the obligation doesn't.
The rule is simple: if you collect any data about users — analytics, advertising, form submissions stored in a CRM, membership data — you need a compliant consent mechanism. If your site does none of these things — no analytics, no ad tracking, no user accounts, no CRM integration — you don't need cookie consent. Almost no nonprofit website meets that description.
The Consent Categories You Need to Understand
Consent isn't binary. A compliant consent implementation distinguishes between categories of cookies and tracking, allowing users to accept some while rejecting others. The standard categories are:
Strictly Necessary
Cookies that are essential for the website to function — session management, security tokens, load balancing. These do not require consent because the website cannot operate without them. You cannot ask a user to opt out of these.
Functional / Preferences
Cookies that remember user preferences — language selection, accessibility settings, previously completed forms. Generally considered low-risk, but still require consent under a strict reading of ePrivacy.
Analytics / Performance
Cookies and local storage used to measure site performance and understand visitor behaviour. Google Analytics 4, Microsoft Clarity, and Webflow Analytics fall into this category. Under Google Consent Mode V2, this maps to analytics_storage. Users must be able to opt out and your implementation must honour that choice.
Marketing / Targeting / Advertising
Cookies used for advertising personalisation, remarketing, and conversion tracking. Meta Pixel, Google Ads conversion tracking, and LinkedIn Insight Tag fall here. Under Consent Mode V2, this maps to ad_storage, ad_user_data, and ad_personalization. This is the category with the highest regulatory scrutiny — advertising without valid consent is the most common subject of GDPR enforcement actions.
Google Consent Mode V2 — What It Is and Why It Matters
Google Consent Mode is a framework that lets Google's tags — GA4, Google Ads, Floodlight — adjust their behaviour based on the consent status of each user. Version 2, which became mandatory for all Google advertising products in March 2024, introduces two additional consent signals beyond the original analytics and ad storage parameters.
The four Consent Mode V2 parameters are:
- analytics_storage — controls whether analytics cookies are set (GA4, Microsoft Clarity)
- ad_storage — controls whether advertising cookies are set (Google Ads, Meta Pixel, LinkedIn)
- ad_user_data — controls whether user data is sent to Google for advertising purposes
- ad_personalization — controls whether personalised advertising is enabled
If you run Google Ads and do not implement Consent Mode V2, your conversion measurement will degrade and your remarketing audiences will shrink — because Google will not set advertising cookies without the signal that consent has been granted. For nonprofits running paid campaigns to drive donations or programme sign-ups, this is a direct revenue impact.
Consent Mode V2 operates in two modes. Basic mode prevents all tags from firing until consent is granted. Advanced mode allows tags to fire in a limited, cookieless state when consent is denied — enabling Google to use modelled conversion data to partially fill the measurement gap. Advanced mode is the recommended implementation for organisations running paid campaigns.
Five Cookie Consent Platforms: Pros, Cons, and Cost
For most established nonprofits, CookieYes or Cookiebot offer the right balance of compliance depth, ease of implementation, and cost. OneTrust is appropriate only if your organisation has the legal and technical resource to configure and maintain it properly — a partial OneTrust implementation is often worse than a well-configured CookieYes setup.
Why Everything Goes Through Google Tag Manager
Google Tag Manager is the consent implementation layer. Rather than adding individual tracking scripts directly to your website code — one for GA4, one for Meta Pixel, one for LinkedIn, one for Google Ads — all of them are deployed through GTM as tags. GTM then becomes the single point where consent signals from your CMP (cookie consent platform) control whether each tag fires.
This architecture matters for three reasons:
Centralised consent control. When a user declines analytics cookies, GTM receives that signal and prevents the relevant tags from firing. Without GTM as the intermediary, you'd need to manually code consent logic into every individual tracking script — which is error-prone and difficult to audit.
Auditability. GTM provides a complete record of what tags are deployed on your site, what triggers them, and what variables control their behaviour. A data protection officer or regulator can review your consent implementation in GTM without needing access to your codebase.
Maintainability. New tracking requirements — a new LinkedIn campaign, a HubSpot integration, a Google Ads conversion action — can be added through GTM without touching the website code. The consent framework extends to new tags automatically.
Tags That Should Be Managed Through GTM
- Google Analytics 4 — analytics_storage consent required
- Google Ads Conversion Tracking — ad_storage, ad_user_data, ad_personalization required
- Meta Pixel — ad_storage consent required; sensitive for nonprofit audiences
- Microsoft Clarity — analytics_storage consent required (session recording tool)
- LinkedIn Insight Tag — ad_storage consent required
- HubSpot Analytics — analytics_storage consent required; also sets its own tracking cookies
- Google Remarketing — ad_storage and ad_personalization required
- Hotjar / equivalent — analytics_storage required (session recording)
Implementing GTM on Webflow
Webflow provides two injection points for custom code in Site Settings → Custom Code:
- Head code — paste the GTM <script> tag here. This loads GTM early in the page load, which is important for Consent Mode V2 — the consent default state needs to be communicated to Google before any tags fire.
- Before </body> tag — paste the GTM <noscript> iframe here. This is the fallback for browsers with JavaScript disabled.
Your GTM snippet looks like this in the head:
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<!-- End Google Tag Manager -->
And in the Before </body> tag section:
<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXX"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
Replace GTM-XXXXXX with your actual container ID.
For Consent Mode V2, your CMP (CookieYes, Cookiebot, etc.) should inject its script before the GTM snippet — or integrate directly through GTM using the CMP's dedicated GTM template, which handles the ordering automatically. Most major CMPs publish a GTM Community Template in the GTM Template Gallery. Use the official template rather than manually coding the integration.
Configuring Consent Mode V2 in GTM
The consent default state should be set to denied for all parameters until the user makes a choice. This is the "privacy by default" principle required by GDPR. In GTM, add a Consent Initialization trigger that fires on all pages before any other tags, setting:
gtag('consent', 'default', {
'analytics_storage': 'denied',
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied',
'wait_for_update': 2000
});
The wait_for_update parameter (in milliseconds) tells Google tags to wait for the CMP to update consent before firing. 2000ms is a reasonable default; adjust based on your CMP's loading time.
When a user grants consent, your CMP fires a consent update event that GTM picks up and passes to Google:
gtag('consent', 'update', {
'analytics_storage': 'granted',
'ad_storage': 'granted',
'ad_user_data': 'granted',
'ad_personalization': 'granted'
});
If a user only accepts analytics (not advertising), only analytics_storage updates to granted — the others remain denied.
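The partial-consent case and the ordering requirement above can be checked in code. The following is an added example, not code from this guide or from any CMP: it maps banner categories to the four Consent Mode V2 parameters and audits a dataLayer for all-denied defaults queued before gtm.js. It assumes the consent default is set by a script placed before the GTM snippet (not by a GTM template), and the names buildConsentUpdate, auditDataLayer, makeGtag and simulatePageLoad are hypothetical.

```javascript
// Added example, not code from the guide or from any CMP. buildConsentUpdate,
// auditDataLayer, makeGtag and simulatePageLoad are hypothetical names.
const SIGNALS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Banner category -> Consent Mode V2 parameters, as mapped in this guide.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Start from all-denied and grant only categories the user explicitly accepted.
function buildConsentUpdate(choices) {
  const update = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    if (choices && choices[category] === true) {
      for (const s of signals) update[s] = 'granted';
    }
  }
  return update;
}

// gtag() pushes its arguments object onto the dataLayer, so a consent command
// is an array-like entry: ['consent', 'default' | 'update', {...}].
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

function isConsentCommand(entry, type) {
  return Boolean(entry) && entry[0] === 'consent' && entry[1] === type;
}

// Returns a list of problems; an empty list means the defaults are all
// 'denied' and were queued before the GTM container started.
function auditDataLayer(dataLayer) {
  const entries = Array.from(dataLayer);
  const problems = [];
  const defaultIdx = entries.findIndex((e) => isConsentCommand(e, 'default'));
  const gtmIdx = entries.findIndex((e) => Boolean(e) && e.event === 'gtm.js');
  if (defaultIdx === -1) {
    problems.push('no consent default was set');
    return problems;
  }
  if (gtmIdx !== -1 && gtmIdx < defaultIdx) {
    problems.push('consent default queued after gtm.js');
  }
  const defaults = entries[defaultIdx][2] || {};
  for (const s of SIGNALS) {
    if (defaults[s] !== 'denied') problems.push(`${s} does not default to denied`);
  }
  return problems;
}

// Constructed page load: defaults first, then the GTM snippet's push, then an
// analytics-only choice from the banner.
function simulatePageLoad() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  gtag('consent', 'default', { ...buildConsentUpdate({}), wait_for_update: 2000 });
  dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  gtag('consent', 'update', buildConsentUpdate({ analytics: true }));
  return dataLayer;
}
```

On a live page, running auditDataLayer(window.dataLayer) in the browser console applies the same check to the real queue.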
Verifying Your Implementation — GTM Preview Mode
Before publishing any GTM container changes, use Preview Mode (the debug icon in GTM) to verify that tags are firing correctly against your consent configuration.
In Preview Mode, connect to your live or staging Webflow site. You'll see a real-time panel showing every tag, trigger, and variable as the page loads. Check:
- Does the consent initialisation fire on page load, before any other tags?
- Do analytics tags (GA4, Clarity) remain unfired until analytics consent is granted?
- Do advertising tags (Meta Pixel, Google Ads, LinkedIn) remain unfired until ad consent is granted?
- When you accept all cookies in the banner, do the relevant tags fire immediately?
- When you accept only analytics, do advertising tags remain unfired?
GTM Preview Mode shows you the consent state at each point in the page load — look for the Consent tab in the tag details to see which parameters were granted or denied when each tag attempted to fire.
Verifying Consent With Browser Developer Tools
GTM Preview Mode confirms what GTM intends to do. Browser Developer Tools confirm what actually hits the network — which is the ground truth for whether consent is working.
Network Tab
Open DevTools (F12 or right-click → Inspect) and go to the Network tab. Filter by the relevant domains:
- GA4: filter for google-analytics.com or analytics.google.com
- Meta Pixel: filter for facebook.com/tr
- Google Ads: filter for googleadservices.com
- LinkedIn: filter for snap.licdn.com
With consent denied, none of these requests should appear in the Network tab. If they do, your tags are firing without consent — a compliance failure. Accept consent in the banner and verify the requests appear. Revoke consent (clear cookies, reload, decline) and verify they disappear again.
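The Network tab check can be repeated over an exported HAR file. The following is an added example, not code from this guide: it flags requests to the domains listed above that were made without the consent signals this guide says each tag requires. It assumes Basic mode, where no tag fires before consent (in Advanced mode Google tags fire in a limited, cookieless state when consent is denied, so Google requests need separate review). The names TRACKERS, matchTracker, findConsentViolations and sampleHar are hypothetical, and the HAR data is constructed.

```javascript
// Added example, not code from the guide. TRACKERS, matchTracker,
// findConsentViolations and sampleHar are hypothetical names.

// Domains from the Network tab list above, with the consent signals the
// guide lists for each tag.
const TRACKERS = [
  { tag: 'GA4', host: 'google-analytics.com', needs: ['analytics_storage'] },
  { tag: 'GA4', host: 'analytics.google.com', needs: ['analytics_storage'] },
  { tag: 'Meta Pixel', host: 'facebook.com', path: '/tr', needs: ['ad_storage'] },
  { tag: 'Google Ads', host: 'googleadservices.com',
    needs: ['ad_storage', 'ad_user_data', 'ad_personalization'] },
  { tag: 'LinkedIn Insight Tag', host: 'snap.licdn.com', needs: ['ad_storage'] },
];

// Match on the parsed hostname (exact or subdomain) and path prefix, so a
// tracker domain that only appears in a query string is not a false positive.
function matchTracker(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // unparseable URL
  const host = url.hostname.toLowerCase();
  return TRACKERS.find((t) => {
    const hostOk = host === t.host || host.endsWith('.' + t.host);
    const pathOk = !t.path || url.pathname === t.path ||
      url.pathname.startsWith(t.path + '/');
    return hostOk && pathOk;
  }) || null;
}

// consent: the state chosen in the banner before the HAR was recorded,
// e.g. { analytics_storage: 'granted', ad_storage: 'denied', ... }.
function findConsentViolations(har, consent) {
  const violations = [];
  for (const entry of har.log.entries) {
    const tracker = matchTracker(entry.request.url);
    if (!tracker) continue;
    const missing = tracker.needs.filter((s) => consent[s] !== 'granted');
    if (missing.length > 0) {
      violations.push({ tag: tracker.tag, url: entry.request.url, missing });
    }
  }
  return violations;
}

// Constructed HAR (only the fields used here), as if recorded on a page
// where every tag fired regardless of the banner choice.
function sampleHar() {
  const urls = [
    'https://www.example.org/donate',
    'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX',
    'https://www.facebook.com/tr/?id=0000&ev=PageView',
    'https://www.example.org/?ref=google-analytics.com',
    'https://snap.licdn.com/li.lms-analytics/insight.min.js',
  ];
  return { log: { entries: urls.map((url) => ({ request: { url } })) } };
}
```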
Application Tab
The Application tab shows what cookies and local storage your site has set. Under Storage → Cookies, you'll see every cookie by domain. After declining consent, you should see only strictly necessary cookies. After accepting analytics, you should see GA4 cookies (_ga, _ga_XXXXXXXXXX). After accepting advertising, you should see the relevant advertising cookies.
If advertising cookies appear when only analytics consent was granted, your implementation has a misconfiguration. The Application tab makes this visible immediately without needing to read network requests.
For local storage specifically — relevant for Webflow Analytics and similar tools — check Storage → Local Storage in the Application tab. If you see Webflow analytics entries without consent being granted, you need to address this with your CMP configuration or by disabling the tool entirely.
What to Add to Your Consent Notice That Most Sites Miss
Beyond the banner itself, a compliant GDPR implementation includes several elements that are frequently overlooked:
- Privacy Policy — must describe every category of data you collect, why you collect it, how long you retain it, who you share it with, and how users can exercise their rights (access, deletion, portability, objection). A generic template will not cover your specific toolset.
- Cookie Policy — a dedicated page listing every cookie your site sets, its purpose, its provider, and its expiry. Most CMPs generate this automatically from their scanning results — use that output rather than writing it manually.
- Consent record keeping — GDPR requires you to be able to demonstrate that consent was obtained. Your CMP should log consent records with timestamps, user identifiers, and the consent state at the time. Verify your CMP does this before assuming compliance.
- Withdrawal mechanism — users must be able to withdraw consent as easily as they granted it. A link in the footer to reopen the consent banner is the minimum standard. "Cookie Settings" in the footer navigation is the expected pattern.
- Age verification — if your site collects data from users who may be under 16 (the default GDPR age of digital consent, though this varies by member state), additional protections apply.
- Third-party processor agreements — every tool you use (Google, Meta, HubSpot, LinkedIn) processes personal data on your behalf. Under GDPR, you need a Data Processing Agreement (DPA) in place with each processor. Google and Meta provide these automatically; others require you to execute them.
Further Reading
- Charity Commission Compliance: UK Nonprofit Website Requirements
- Safeguarding Policies for Youth Charity Digital Communications
- NGO Websites Are Governance Problems Not Design Problems
- Website Credibility Audit for NGOs
- Blueprint Audit: Independent Website Diagnostic
What Changes When You Get This Right
The organisations that implement cookie consent properly — with a legitimate CMP, Consent Mode V2, GTM as the enforcement layer, and verification through DevTools — describe a shift from compliance anxiety to operational confidence. They can answer a data protection query with documented consent records. They can demonstrate to a funder or institutional partner that user data is handled correctly. They can run paid campaigns without the risk of ad platform enforcement for consent violations.
For nonprofits specifically, where the people whose data is being processed often include beneficiaries in vulnerable circumstances, getting this right isn't just a legal requirement — it's consistent with the values the organisation holds and communicates publicly.
The implementation isn't complex once the architecture is understood. The cost of a reputable CMP is modest relative to the risk it mitigates. And the combination of GTM, Consent Mode V2, and browser-level verification gives you a defensible, auditable compliance posture that can be demonstrated to any regulator, partner, or donor who asks.
Q1: Does a nonprofit website need cookie consent?
Yes, if it collects any data about users — including analytics, advertising tracking, or user account information. The legal basis is twofold: UK GDPR governs the processing of personal data, and the ePrivacy Directive governs the use of cookies and similar technologies including local storage. Charitable status provides no exemption. If your website uses Google Analytics, Meta Pixel, LinkedIn Insight Tag, or similar tools, you need a compliant cookie consent mechanism before those tools process any user data.
Q2: What is Google Consent Mode V2 and why does it matter for nonprofits?
Google Consent Mode V2 is a framework that tells Google's tags — GA4, Google Ads, Floodlight — how to behave based on each user's consent decision. Version 2, mandatory since March 2024, adds two consent parameters (ad_user_data and ad_personalization) to the original analytics_storage and ad_storage. Nonprofits running Google Ads campaigns that don't implement Consent Mode V2 will see degraded conversion measurement and shrinking remarketing audiences, directly affecting the performance of paid acquisition campaigns.
Q3: What cookie consent platform should a nonprofit use?
For most nonprofits, CookieYes or Cookiebot provide the right balance of compliance depth, ease of implementation, and cost. CookieYes is particularly accessible for smaller organisations with a good free tier and straightforward setup. Cookiebot adds more detailed compliance documentation and automatic cookie scanning. OneTrust is appropriate only for large NGOs with dedicated legal and technical resource — a misconfigured OneTrust implementation is often worse than a well-configured simpler alternative. All three integrate with Google Tag Manager and support Consent Mode V2.
Q4: How does Google Tag Manager relate to cookie consent compliance?
Google Tag Manager is the consent enforcement layer. Rather than adding tracking scripts directly to your website — one for GA4, one for Meta Pixel, one for LinkedIn — all tags are deployed through GTM, which receives consent signals from your cookie consent platform and controls whether each tag fires based on the user's consent decision. Without GTM as the intermediary, enforcing consent across multiple tracking tools requires manual coding of consent logic into each script — which is error-prone and difficult to audit.
Q5: What is the maximum GDPR fine for cookie consent non-compliance?
Under UK GDPR, fines can reach £17.5 million or 4% of global annual turnover, whichever is higher. The ePrivacy Directive (Cookie Law) is enforced by the ICO in the UK, which can issue fines and enforcement notices for non-compliant cookie consent. For nonprofits, the financial penalty is compounded by reputational damage — enforcement action against a charity for data protection failures attracts media coverage that undermines public trust and donor confidence. The ICO has increased its enforcement activity significantly since 2022.
Q6: What are the different categories of cookie consent?
The standard consent categories are: Strictly Necessary (essential for the website to function, no consent required), Functional/Preferences (remembering user preferences, lower risk but technically requires consent), Analytics/Performance (GA4, Microsoft Clarity, Webflow Analytics — requires analytics_storage consent), and Marketing/Targeting/Advertising (Meta Pixel, Google Ads, LinkedIn Insight Tag — requires ad_storage, ad_user_data, and ad_personalization consent). Users must be able to accept some categories while rejecting others — an all-or-nothing consent banner is not compliant.
Q7: How do I verify that cookie consent is working correctly on my nonprofit website?
Use two verification methods: GTM Preview Mode (the debug console) to confirm tags are firing only when appropriate consent has been granted, and browser Developer Tools to verify at the network level. In the Network tab, filter for tracking domains — google-analytics.com, facebook.com/tr, snap.licdn.com — and confirm no requests appear when consent is declined. In the Application tab, check Cookies and Local Storage to confirm only strictly necessary cookies are set before consent is granted. If tracking requests appear without consent, your implementation has failed.
Q8: Does Webflow Analytics require cookie consent?
Yes. Although Webflow Analytics uses local storage rather than cookies, the ePrivacy Directive applies to local storage used for tracking purposes regardless of the mechanism. If you use Webflow Analytics, it should be gated behind analytics consent, or you should enable 'Do Not Track by Default' in your Webflow site settings to prevent it tracking users who haven't consented. This is a commonly overlooked compliance gap for nonprofits using Webflow.
Q9: How do I add Google Tag Manager to a Webflow website?
Add the GTM script tag to the Head Code section in Webflow Site Settings → Custom Code, and the GTM noscript iframe tag to the Before Body section. Replace GTM-XXXXXX with your actual container ID in both snippets. Your cookie consent platform's script should load before GTM — either through the platform's dedicated GTM template (available in the GTM Template Gallery for CookieYes, Cookiebot, and others) or by adding the consent platform script directly in the head before the GTM snippet. The ordering is critical: consent defaults must be set before any tags attempt to fire.
Q10: When does a nonprofit website not need cookie consent?
A nonprofit website does not need cookie consent if it collects no user data whatsoever — no analytics, no advertising tracking, no form submissions stored in a third-party CRM, no user membership or login. In practice, almost no established nonprofit website meets this description. If your site has Google Analytics, Meta Pixel, LinkedIn tracking, HubSpot, Mailchimp form integrations, or any user account functionality, you are collecting user data and you need a compliant consent mechanism. The absence of a consent banner does not mean the absence of a compliance obligation.
Eric Phung has 7 years of Webflow development experience, having built 100+ websites across industries including SaaS, e-commerce, professional services, and nonprofits. He specialises in nonprofit website migrations using the Lumos accessibility framework (v2.2.0+) with a focus on editorial independence and WCAG AA compliance. Current clients include WHO Foundation, Do Good Daniels Family Foundation, and Territorio de Zaguates. Based in Manchester, UK, Eric focuses exclusively on helping established nonprofits migrate from WordPress and Wix to maintainable Webflow infrastructure.

