Guides

Building Cookie consent implementation with Plausible Ana...

This guide provides actionable steps to implement GDPR compliance for a European SaaS stack. It focuses on data mapping, consent mechanisms, privacy-first analytics, data deletion, and cross-border data transfers, and is written for developers handling EU user data, with a practical check at each step.

3-5 hours · 6 steps
1

Map data processing flows

Document every category of personal data you process (account identifiers, email addresses, IP addresses, cookies, analytics events), the purpose of each processing step, its legal basis, and every recipient, including third-party processors. A plain-text inventory like the one below is enough to start with; it becomes the basis of your Article 30 record of processing activities.

data_flow.txt
Data Flow Inventory (data → recipient | purpose | legal basis):
1. User Signup    → [Email, IP address]                         → Supabase   | account creation        | contract
2. Consent Banner → [CookieConsent cookie: choices, timestamp] → Cookiebot  | record and prove consent | legal obligation (Art. 7(1))
3. Analytics      → [Page URL, referrer, UA; IP hashed, never stored] → Plausible | aggregate usage stats | legitimate interest

⚠ Common Pitfalls

  • Missing third-party data handlers (CMP, analytics, email provider, error tracking) in the inventory
  • Not recording the legal basis per purpose: 'legitimate interest' is never a valid basis for non-essential cookies in the EU, which require consent under the ePrivacy rules
2

Implement consent management

Integrate a consent management platform such as Cookiebot or Termly to manage consent for non-essential cookies. Cookiebot's categories are necessary, preferences, statistics and marketing; each optional category needs its own toggle, and only strictly necessary cookies may be set before the visitor has made a choice.

consent.html
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="YOUR-CB-ID" data-blockingmode="auto" type="text/javascript"></script>
<!-- First script in <head>. Auto blocking mode holds back cookie-setting scripts until consent; tag anything it cannot classify with type="text/plain" data-cookieconsent="statistics" (or "marketing", "preferences") -->

⚠ Common Pitfalls

  • Using a single checkbox or button to cover several purposes at once
  • Not storing a consent record (UTC timestamp, categories chosen, banner/policy version, consent ID) that lets you demonstrate consent under Article 7(1)
3

Configure cookie consent banner

Deploy a cookie consent banner that allows granular control. Default states for the cookie categories are set in the Cookiebot admin, not in page code: every optional category must default to off, since pre-ticked boxes do not produce valid consent. Page code reacts to the consent state Cookiebot exposes once the visitor has chosen.

cookiebot-config.js
// Cookiebot categories: necessary, preferences, statistics, marketing. Their default
// states (every optional category off) live in the Cookiebot admin, not here.
window.addEventListener('CookiebotOnConsentReady', function () {
  var c = window.Cookiebot.consent; // { necessary, preferences, statistics, marketing }
  if (c.statistics) { /* start statistics-category scripts not covered by auto blocking */ }
  if (c.marketing)  { /* start marketing-category scripts not covered by auto blocking */ }
});
// Footer "Cookie settings" link: reopen the dialog so consent can be changed or withdrawn.
function reopenCookieDialog() { window.Cookiebot.renew(); }

⚠ Common Pitfalls

  • Not offering 'Reject all' at the same level as 'Accept all' (an 'Accept all' button with rejection buried in settings is not valid consent)
  • Not re-prompting when the scope of consent changes (new category, new vendor, updated policy) and not giving visitors a way to reopen the dialog and withdraw consent
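The gating logic that steps 2 and 3 rely on, written out as an added example (not code from the guide, from Cookiebot or from Plausible): non-essential scripts stay inert until the visitor has chosen, only the granted categories are loaded, and the record you must be able to produce afterwards is built from the same state. Category names follow Cookiebot's; the `<script type="text/plain" data-category="..." data-src="...">` tag convention and the `consentId` argument are assumptions for this example.

```javascript
// Consent gate: fail-closed loading of category-tagged scripts plus an Art. 7(1) consent record.
// Added example; the data-category / data-src tag convention is assumed, not Cookiebot's own.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// State before any choice: only strictly necessary is on. Pre-ticked optional
// categories do not produce valid consent, so nothing else defaults to true.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Select the tagged scripts that may load for a given consent state.
// `scripts` is a list of { src, category }. Unknown categories and any value that is
// not strictly `true` are refused (fail closed).
function scriptsAllowed(consent, scripts) {
  return scripts.filter(s => CATEGORIES.includes(s.category) && consent[s.category] === true);
}

// Build the record that lets you demonstrate consent: what was chosen, when (UTC), and
// against which banner/policy version. `necessary` is always true and cannot be opted out
// of. No IP address is stored: it is not needed to prove consent and would itself be new
// personal data to justify. `consentId` is whatever your CMP assigns (assumed argument).
function buildConsentRecord(choices, policyVersion, now = new Date(), consentId = null) {
  const categories = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary') categories[cat] = choices[cat] === true;
  }
  return {
    consentId,
    timestamp: now.toISOString(),
    policyVersion,
    categories,
    method: 'explicit', // a click on Accept / Reject / Save; scrolling or continued browsing is not consent
  };
}

// Browser side: turn inert tags into live scripts for the granted categories only.
// Returns the number of scripts activated; returns 0 where there is no DOM (e.g. in tests).
function applyConsent(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  const tagged = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))
    .map(el => ({ src: el.dataset.src, category: el.dataset.category, el }));
  const allowed = scriptsAllowed(consent, tagged);
  for (const { src, el } of allowed) {
    const live = doc.createElement('script');
    live.src = src;
    live.defer = true;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Wiring for Cookiebot: its consent object already has the shape used above.
if (typeof window !== 'undefined') {
  window.addEventListener('CookiebotOnConsentReady', () => applyConsent(window.Cookiebot.consent));
}
```

POST the object from `buildConsentRecord` to your backend when the visitor saves a choice and store it against the account or an anonymous visitor ID; the server should add its own receipt time so the client clock cannot be trusted alone. Withdrawal is a new record with the categories set back to false, not a deletion of the old one.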
4

Set up privacy-first analytics

Replace Google Analytics with Plausible or Fathom. Neither sets cookies, and Plausible does not store IP addresses (it hashes IP and User-Agent with a salt that rotates daily), so the analytics script itself needs no consent banner. What you still control is the content you send: make sure page URLs, referrers and custom event properties never carry PII such as email addresses in query strings or user IDs in paths.

analytics.html
<!-- Plausible sets no cookies and stores no IP addresses, so this may load before any consent choice -->
<script defer data-domain="yourdomain.com" src="https://plausible.io/js/script.js"></script>

⚠ Common Pitfalls

  • Loading a consent-requiring analytics tool (e.g. Google Analytics) unconditionally alongside Plausible; the cookie-free tool only helps if it is the only one
  • Assuming the server's region decides what applies: GDPR follows the user's location, so EU visitors get the EU handling path whichever region serves them, and the transient IP processing still belongs in the data inventory
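The PII-exclusion part of this step in code, as an added example that is not part of the guide or of Plausible's own script: the page URL is scrubbed of credentials, fragments, identifier-like path segments and non-allowlisted query parameters before it is reported through Plausible's manual mode (`script.manual.js`, which lets you pass the URL to report via the `u` option). The query-parameter allowlist, the placeholder names and the custom-property denylist are assumptions for the example; tune them for your own app.

```javascript
// Scrub PII from the location and custom properties before handing them to analytics.
// Added example; the allowlist, placeholders and denylist below are assumptions.
// Page setup assumed: <script defer data-domain="yourdomain.com" src="https://plausible.io/js/script.manual.js"></script>

// Query parameters worth keeping for analytics; everything else is dropped.
const ALLOWED_QUERY_PARAMS = new Set([
  'utm_source', 'utm_medium', 'utm_campaign', 'utm_content', 'utm_term', 'ref', 'source',
]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const EMAIL_RE = /^[^@\s/]+@[^@\s/]+\.[^@\s/]+$/;
// 20+ URL-safe chars with at least one digit: session tokens, API keys, JWT fragments.
// The digit requirement keeps long ordinary words (e.g. "internationalization") intact.
const TOKEN_RE = /^(?=.*\d)[A-Za-z0-9_-]{20,}$/;
// Custom-property keys whose name signals personal data ("ip" only as a whole segment,
// so "description" is not caught).
const DENIED_PROP_KEYS = /email|user|name|phone|address|token|password|(^|_)ip($|_)/i;

// Replace a path segment that looks like a per-user identifier with a placeholder, so
// /users/42/invoices/9f8e... aggregates as /users/:id/invoices/:uuid. Numeric slugs such
// as /blog/2024 are collapsed too; special-case such routes if the number matters to you.
function scrubPathSegment(segment) {
  let s = segment;
  try { s = decodeURIComponent(segment); } catch (_) { /* malformed escape: judge the raw text */ }
  if (UUID_RE.test(s)) return ':uuid';
  if (EMAIL_RE.test(s)) return ':email';
  if (/^\d+$/.test(s)) return ':id';
  if (TOKEN_RE.test(s)) return ':token';
  return segment;
}

// The URL that is safe to hand to analytics: no credentials, no fragment (OAuth implicit
// flows put access tokens there), identifier segments replaced, query reduced to the allowlist.
function scrubAnalyticsUrl(rawUrl) {
  const url = new URL(rawUrl);
  url.username = '';
  url.password = '';
  url.hash = '';
  url.pathname = url.pathname.split('/').map(scrubPathSegment).join('/');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.set(key, value);
  }
  url.search = kept.toString();
  return url.toString();
}

// Drop custom event properties whose key or value looks like personal data.
function safeProps(props = {}) {
  const out = {};
  for (const [key, value] of Object.entries(props)) {
    if (DENIED_PROP_KEYS.test(key)) continue;
    if (typeof value === 'string' && EMAIL_RE.test(value.trim())) continue;
    out[key] = value;
  }
  return out;
}

// Report a pageview with the scrubbed location. Returns the reported URL so the
// scrubbing can be checked without a browser.
function trackScrubbedPageview(rawUrl, props) {
  const u = scrubAnalyticsUrl(rawUrl);
  if (typeof window !== 'undefined' && typeof window.plausible === 'function') {
    window.plausible('pageview', { u, props: safeProps(props) });
  }
  return u;
}
```

Call `trackScrubbedPageview(window.location.href, props)` on each navigation instead of relying on the automatic pageview, and run the scrubber over the URLs your app actually generates before shipping: a placeholder that never fires for a route you know carries an ID means the heuristic missed a format.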
5

Create data deletion workflows

Implement an authenticated /delete-account endpoint that removes (or irreversibly anonymizes) the user's rows in every table, revokes their sessions, deletes the auth user, and sends deletion requests to every third-party processor that holds data about that user. Row-level security in Supabase limits which rows a request may delete; it does not perform the deletion for you. For backups, either document the retention window during which deleted data can still exist in them, or encrypt per-user data with a per-user key and destroy the key on deletion so backup copies become unreadable. Plausible stores no user identifiers, so there is nothing to delete there.

delete_user.sql
BEGIN;
DELETE FROM sessions WHERE user_id = $1;  -- child rows first (or declare the FK ON DELETE CASCADE)
DELETE FROM users    WHERE id      = $1;  -- $1 is a bound parameter; never string-interpolate the ID
COMMIT;

⚠ Common Pitfalls

  • Not purging data from backups or third-party systems (email provider, support desk, error tracker)
  • Leaving copies in caches, search indexes, log pipelines and data warehouses: read replicas receive the DELETE through replication, downstream ETL copies do not
6

Handle cross-border data transfers

Keep EU user data with processors that store it in the EU (choose an EU region for your Supabase project; Plausible's hosted service runs in the EU) or, where a transfer to a third country is unavoidable, put Standard Contractual Clauses (SCCs) and a transfer impact assessment in place. Geolocating the visitor's IP does not keep data in the EU and cannot be enforced by PostgreSQL; its legitimate use here is to decide at request time whether a visitor is in the EU/EEA so that the EU handling path applies.

data_transfer.py
import requests

# EU member states plus the EEA (IS, LI, NO); the UK and CH are deliberately not in this set.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
          "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}

def is_eu_region(ip):
    try:  # fail closed: if the lookup fails, treat the visitor as EU/EEA so the stricter path applies
        return requests.get(f"https://ipapi.co/{ip}/json/", timeout=3).json().get("country") in EU_EEA
    except (requests.RequestException, ValueError):
        return True

⚠ Common Pitfalls

  • Transferring data to a non-EU processor without a valid transfer mechanism (SCCs, or EU-US Data Privacy Framework certification for US providers)
  • Not re-reviewing third-party data handlers, their sub-processor lists and DPAs annually; providers add sub-processors without asking you

What you built

Verify each step with a technical check (inspect which cookies are set before any consent choice, confirm analytics URLs and events carry no PII, run the deletion endpoint against a test account and check every store and processor) and have the legal bases and transfer mechanisms reviewed by counsel. Re-audit data flows whenever processing changes, re-prompt for consent when its scope changes, keep consent records for as long as the processing they justify continues so you can demonstrate consent under Article 7(1), and keep the Article 30 record of processing activities current.