Data Privacy Research

We Tested Webflow Websites for Privacy Compliance. Here's What We Found.

We scanned 67 Webflow websites to check data-privacy compliance. 55 of them had cookie banners, but that didn't mean they were compliant. So we looked closer at those.
70 Webflow Sites Analyzed
By Finsweet Consent Pro Team
67 Webflow websites scanned
54 had at least one compliance gap
4 recurring types of issues identified
1 site met the compliance threshold
CONTEXT

A Cookie Banner Alone Doesn't Guarantee Compliance

We scanned 67 Webflow websites to evaluate data-privacy compliance. Of these, 55 had some form of cookie consent tool already installed. We focused our analysis on this group to understand how well their consent setups were actually working.
Every site in this group had a visible consent banner. From the outside, they looked like they were handling privacy correctly.
But when we looked deeper, at what actually runs before a visitor gives consent, we found recurring patterns: cookies being set, scripts firing, and data transfers happening before any consent was given.
While our sample is limited, the patterns were consistent enough to share.
FINDING 01

Third-Party Scripts Running Without Consent

The most common issue we observed. Third-party scripts loaded on these sites were either not assigned to any consent category in the CMP, or were executing before the visitor interacted with the consent banner.
When scripts aren't categorized, the consent tool has no way to block them, so they fire immediately on page load. The consent banner is visible, but it isn't actually controlling what runs.
54 of 55 sites in our sample had this issue
FINDING 02

YouTube & Google Maps Embeds Setting Trackers Before Consent

We detected trackers from YouTube and Google Maps embeds being placed before visitors gave consent. These embeds are commonly added using native elements, and most consent tools we observed did not block them by default.
This appears to be related to how embed URLs are served, which makes it harder for generic consent tools to intercept them correctly.
23 of 55 had YouTube cookie issues
13 of 55 had Google Maps cookie issues
FINDING 03

Google Fonts Transferring Visitor Data Before Consent

Many of the sites we scanned loaded Google Fonts directly from Google's servers. This can transfer visitor IP addresses to Google before any consent is given, which may be considered a data transfer under GDPR.
This is easy to overlook. Developers often assume that fonts are static assets that don't require consent, or that their consent tool handles them automatically.
36 of 55 sites loaded Google Fonts without consent
FINDING 04

Webflow Optimize & Analyze Cookies Active Before Consent

Among the sites using Webflow's native optimization and analytics features, we observed cookies and local storage linked to these services appearing before consent was given, even with a CMP installed.
This is a smaller subset of our sample, but the pattern was consistent: every site using Webflow Optimize had related compliance gaps.
6 of 6 sites using Webflow Optimize had violations

Want to check your own site?

We are launching a free scanner that tests for these exact issues.
RESULTS OVERVIEW

Compliance Distribution Across Our Sample

Out of the 70 Webflow sites we tested, 57 had at least one compliance gap. Only one site met the threshold we tested against.
57 had at least one compliance issue
1 passed all checks

Why This Keeps Happening

These issues aren't caused by negligence. They stem from how consent tools interact with Webflow's architecture.
Native Webflow embeds (YouTube, Maps) use URLs that CMPs don't recognize
Webflow Optimize and Analyze weren't blocked by CMPs in our tests
Google Fonts requires manual configuration that's easy to miss
CMPs look automated, so developers assume setup is complete when it isn't
The result: sites that appear compliant but aren't.
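
A static check for the patterns described above, as an added example that is not Finsweet's scanner or code from this report: it lists the off-site scripts, stylesheets and iframes in a page's HTML that the browser fetches on load, before any banner interaction. The host list, the sample markup, the `site.example` and `*.example` hosts and the `data-category` attribute are constructed for illustration.

```javascript
// Hosts behind the report's findings (added example; this host list is an assumption).
const KNOWN = [
  ['google-fonts', u => /^fonts\.(googleapis|gstatic)\.com$/.test(u.hostname)],
  ['youtube', u => /(^|\.)(youtube\.com|youtu\.be)$/.test(u.hostname)],
  ['google-maps', u => /^maps\.(google|googleapis)\.com$/.test(u.hostname) ||
    (/(^|\.)google\.com$/.test(u.hostname) && u.pathname.startsWith('/maps'))],
];

// Attributes of one opening tag as a lower-cased name -> value map.
function attrs(tag) {
  const out = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

// List off-site resources fetched on page load. Simple scan: assumes no ">" in attribute values.
function preConsentLoads(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe|link)\b[^>]*>/gi)) {
    const tag = m[1].toLowerCase();
    const a = attrs(m[0]);
    const ref = tag === 'link' ? a.href : a.src;
    if (!ref) continue; // inline script, or src parked in data-src: nothing is fetched
    if (tag === 'link' && !/\b(stylesheet|preload|preconnect)\b/i.test(a.rel || '')) continue;
    // A script with a non-JavaScript type (e.g. text/plain) is not executed by the browser.
    const jsType = /^(module|(text|application)\/(java|ecma)script)$/i;
    if (tag === 'script' && a.type && !jsType.test(a.type.trim())) continue;
    let url;
    try { url = new URL(ref, page); } catch { continue; }
    if (!/^https?:$/.test(url.protocol) || url.hostname === page.hostname) continue;
    const hit = KNOWN.find(([, test]) => test(url));
    findings.push({ tag, host: url.hostname, category: hit ? hit[0] : 'third-party' });
  }
  return findings;
}

// Constructed sample page: three ungated off-site resources, two gated ones.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/site.css">
<script src="https://tracker.example/pixel.js"></script>
<script type="text/plain" data-category="analytics" src="https://stats.example/a.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<script>console.log("inline")</script>`;
console.log(preConsentLoads(SAMPLE_HTML, 'https://site.example/'));
```

A static pass like this only sees what is in the served HTML; scripts injected at runtime and the cookies they set still need to be observed in a browser session with the banner left untouched.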

Don't rely on assumptions.

See exactly what's running on your site before consent is given.

Methodology

This report combines automated scanning with manual analysis. We scanned 67 Webflow websites for data-privacy compliance. 55 of those had cookie banners, which form the basis of our findings. While every effort was made to ensure accuracy, results may include a small margin of error due to scan complexity.
This report is intended to help site owners identify potential compliance gaps. It is not a comprehensive audit and should not be considered legal advice.
Total Webflow Websites Scanned: 67 websites
Webflow sites with CMP: 55 of 67
Scan Method: Automated + manual review
Report Date: February 2026
A note on sample size: This report is based on 55 Webflow sites with a CMP out of 67 Webflow sites scanned. It is a focused sample, not a comprehensive audit of the ecosystem. However, the patterns we observed were remarkably consistent, appearing across different consent tools, industries, and site sizes. We share these findings to help Webflow site owners understand potential gaps, not to make sweeping claims.

The Risks Are Real

Google Ads Suspension
Google is actively suspending accounts that don't implement Consent Mode V2 correctly.
Client Liability & Trust
Your agency reputation is on the line. If a client gets fined, they will blame their developer.
Fines up to €20M
GDPR violations can be severe. Even small businesses are now being targeted by automated audits.
Free Privacy Scanner

Find Out What's Really Running On Your Site

We're launching a free scanner built for Webflow sites. Enter your URL and get a detailed breakdown of scripts, cookies, and data transfers happening before consent so you can see exactly where you stand.
No signup
No installation
Takes a few minutes.
321 developers already waiting