GDPR, CCPA, and Cookie Consent: A Publisher's No-Nonsense Compliance Guide for 2026
Privacy Compliance Is Not Optional Anymore
Let me be blunt: if your site doesn't have a proper cookie consent banner and privacy policy, you're at risk of losing your ad network account. Every major network — AdSense, Mediavine, Raptive, Ezoic, all of them — requires publishers to comply with GDPR, CCPA, and other privacy regulations. Non-compliance isn't just a legal risk; it's an operational one. Networks audit publishers, and privacy violations are grounds for immediate suspension.
I know privacy regulation is boring. Nobody started a blog because they were passionate about data processing agreements. But this stuff matters for your business, and doing it right isn't as hard as the legal jargon makes it seem. So here's the practical guide — what you actually need to do, without the legalese.
What GDPR Requires (If You Have EU Visitors)
If anyone from the European Union visits your site — and unless you have geoblocked the entire EU, they will — GDPR applies to you. It doesn't matter where you're based. The key requirements for publishers:
Consent before cookies: You can't drop advertising cookies until the user explicitly consents. This means a cookie consent banner that appears before any ad scripts load. The user must be able to accept or reject non-essential cookies, and their choice must be respected. Pre-checked boxes don't count as consent. Dismissing the banner by continuing to scroll doesn't count as consent. The user must actively click "Accept."
Right to withdraw: Users must be able to change their mind and withdraw consent at any time. Your consent banner should include a persistent way to manage preferences — a small icon or link in the footer that reopens the consent dialog.
Privacy policy: You must have a privacy policy that explains what data you collect, why you collect it, how long you keep it, and who you share it with. This includes listing your ad network as a data processor and explaining that advertising cookies are used for personalized ads.
What CCPA Requires (If You Have California Visitors)
If anyone from California visits your site (and they will — California has 40 million residents and produces a huge share of US web traffic), CCPA applies. The main differences from GDPR:
Opt-out, not opt-in: Unlike GDPR, CCPA doesn't require consent before cookies. Instead, you must provide a "Do Not Sell My Personal Information" link that lets California residents opt out of data sharing with advertisers. The bar is lower than GDPR — you can set cookies by default but must honor opt-out requests.
Disclosure: Your privacy policy must disclose the categories of personal information you collect and the business purpose for collecting it. It must be updated annually.
Google Consent Mode v2
In 2024, Google rolled out Consent Mode v2, which fundamentally changed how consent affects ad revenue. When a user rejects consent, Consent Mode tells Google's ad tags to operate in "restricted" mode — no cookies are set, but Google can still model conversions using aggregated data. This means you recover some of the revenue you would otherwise lose from consent rejections.
If you're running Google ads (AdSense, Ad Manager), implementing Consent Mode v2 is essential. Without it, users who reject consent generate zero ad revenue. With it, you recover an estimated 30-60% of that lost revenue through modeled data. Your CMP (Consent Management Platform) needs to support Consent Mode v2 — most modern ones do.
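The consent-before-cookies and right-to-withdraw rules above, wired to Consent Mode v2 signals, as an added example that is not code from this guide or from any CMP. `createConsentBridge`, `buildState` and the event type names are hypothetical; the `gtag('consent', 'default' | 'update', ...)` commands and the four signal names are Google's.

```javascript
// Added example. createConsentBridge and the event type names are hypothetical;
// the gtag 'consent' commands and the four signal names are Google's.
const AD_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization'];
const ANALYTICS_SIGNALS = ['analytics_storage'];

function buildState(ads, analytics) {
  const state = {};
  for (const s of AD_SIGNALS) state[s] = ads ? 'granted' : 'denied';
  for (const s of ANALYTICS_SIGNALS) state[s] = analytics ? 'granted' : 'denied';
  return state;
}

function createConsentBridge(dataLayer) {
  // Same shape as Google's snippet: the arguments object is queued on dataLayer.
  function gtag() { dataLayer.push(arguments); }
  let state = buildState(false, false);

  // Queued before any ad or analytics tag runs: nothing is granted by default.
  gtag('consent', 'default', { ...state });

  return {
    // Only explicit clicks change state. Scroll, banner dismissal and
    // pre-checked boxes are ignored and never reach the ad tags as consent.
    handle(event) {
      switch (event.type) {
        case 'accept_click': state = buildState(true, true); break;
        case 'save_click': state = buildState(event.ads === true, event.analytics === true); break;
        case 'reject_click':
        case 'withdraw_click': state = buildState(false, false); break;
        default: return false;
      }
      gtag('consent', 'update', { ...state });
      return true;
    },
    state: () => ({ ...state }),
  };
}

// Constructed session: scroll, accept, then withdrawal from the footer link.
function demoSession() {
  const dataLayer = [];
  const bridge = createConsentBridge(dataLayer);
  const applied = [{ type: 'scroll' }, { type: 'accept_click' }, { type: 'withdraw_click' }]
    .map((e) => bridge.handle(e));
  return { applied, commands: dataLayer.map((a) => [a[0], a[1], a[2].ad_storage]) };
}
```

A certified CMP issues these commands for you; the sketch shows what to look for in `dataLayer` when checking that yours does.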
Choosing a CMP
A CMP (Consent Management Platform) handles the consent banner, preference storage, and signal passing to ad tags. You need one. Here are your options:
Free tier: Cookiebot (free for up to 100 pages), Osano (basic free plan), and Google's own Funding Choices (free for Google ad publishers). These work for small to medium sites and handle GDPR and CCPA basics.
Paid: Cookiebot (paid tiers for larger sites), OneTrust, Quantcast Choice. More customization, better design options, and enterprise-grade compliance features.
Network-provided: Mediavine provides its own CMP for publishers. Raptive does too. If your network offers one, use it — it's pre-integrated with their ad stack and requires zero configuration beyond enabling it.
The most important thing is that your CMP is on Google's certified list. Google maintains a list of CMPs that are compatible with Consent Mode v2. If yours isn't on the list, Google's ad tags won't recognize the consent signals, and you'll lose revenue unnecessarily.
What Your Privacy Policy Must Include
Here's the checklist. Your privacy policy must cover:
- What personal data you collect (IP addresses, cookies, device identifiers, browsing behavior)
- Why you collect it (advertising, analytics, site functionality)
- Who you share it with (name your ad network, Google, any analytics providers)
- How long you retain data
- How users can request data deletion or access (GDPR right of access)
- The "Do Not Sell" option for CCPA compliance
- Contact information for privacy inquiries
You don't need a lawyer to write this. Free privacy policy generators (Termly, PrivacyPolicies.com) create compliant templates based on your inputs. Customize the output for your specific tools and ad networks, and link it from your footer on every page.
How This Affects Your AdGateScore
The Policy Compliance module in your AdGateScore scan checks for GDPR/CCPA compliance automatically. It verifies that a cookie consent banner exists, that it appears before ad scripts load, that a privacy policy page exists and is linked sitewide, and that the privacy policy contains the required disclosures. Sites scoring below 80% on Policy Compliance almost always have consent or privacy policy gaps.
If your scan shows policy issues, fix them before applying to any ad network. Networks check compliance during their review, and policy violations are among the most common rejection reasons — and the easiest to prevent.
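A rough self-check for two of the properties described above (consent defaults set before ad scripts, privacy policy linked on every page), as an added example; it is a static heuristic written for this guide, not AdGateScore's implementation. `auditPage`, `auditSite` and the regular expressions are assumptions, and the sample pages are constructed.

```javascript
// Added example: static heuristic, not AdGateScore's implementation.
// auditPage/auditSite and the regexes are assumptions; extend AD_SCRIPT
// with the tag URLs your own ad network serves.
const AD_SCRIPT = /<script\b[^>]*\bsrc=["'][^"']*(?:adsbygoogle\.js|gpt\.js)/i;
const CONSENT_DEFAULT = /gtag\(\s*["']consent["']\s*,\s*["']default["']/;
const PRIVACY_LINK = /<a\b[^>]*\bhref=["'][^"']*privacy[^"']*["']/i;

function auditPage(html) {
  const findings = [];
  const adAt = html.search(AD_SCRIPT);
  const consentAt = html.search(CONSENT_DEFAULT);
  if (adAt !== -1 && consentAt === -1) {
    findings.push('ad script without consent default');
  } else if (adAt !== -1 && consentAt > adAt) {
    findings.push('consent default after ad script');
  }
  if (!PRIVACY_LINK.test(html)) findings.push('no privacy policy link');
  return findings;
}

// "Linked sitewide" means every page, so audit each one and keep only failures.
function auditSite(pages) {
  const report = {};
  for (const [path, html] of Object.entries(pages)) {
    const findings = auditPage(html);
    if (findings.length) report[path] = findings;
  }
  return report;
}

// Constructed sample pages.
const AD_TAG = '<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>';
const DEFAULTS = '<script>gtag("consent", "default", {ad_storage: "denied"});</script>';
const FOOTER = '<footer><a href="/privacy-policy/">Privacy Policy</a></footer>';
const SAMPLE_SITE = {
  '/': `<head>${DEFAULTS}${AD_TAG}</head><body>${FOOTER}</body>`,
  '/late-consent/': `<head>${AD_TAG}${DEFAULTS}</head><body>${FOOTER}</body>`,
  '/no-footer/': `<head>${DEFAULTS}${AD_TAG}</head><body></body>`,
  '/no-consent/': `<head>${AD_TAG}</head><body>${FOOTER}</body>`,
};
```

A CMP that sets the defaults from its own external script will not match `CONSENT_DEFAULT` in a static scan, so treat a "without consent default" finding as a prompt to inspect `dataLayer` in the browser.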
The Bottom Line
Privacy compliance isn't glamorous, but it's table stakes. Install a CMP, write a proper privacy policy, implement Consent Mode v2, and add a "Do Not Sell" link for CCPA. Total setup time: about 2-3 hours. The alternative — losing your ad network account or getting fined — isn't worth the risk of procrastinating.