How To Manage Website Privacy & Consent

Data privacy compliance is one of those website jobs nobody gets excited about; however, it is important to master. If you have visitors from the EU, California, or any region with data privacy laws, it’s not optional — and the good news is that Avada has built a genuinely flexible system to handle it. One place to set your options, and multiple ways to present them to your visitors.

This post is the big-picture guide. We’ll cover the regulatory background, walk through every global privacy option in Avada, and configure the Avada Privacy & Consent Bar from scratch. If you’re looking for the deep dives on the Privacy and Consent Element itself, we’ve covered those separately — see How To Use The Avada Privacy & Consent Element and How To Add Privacy & Consent Options to an Avada Off-Canvas. This guide provides an overview of the foundations of privacy, consent, and how the various tools can work together.

Beyond just avoiding fines (which, fair enough, is the headline reason — GDPR penalties can reach 4% of global annual revenue), there are some genuinely practical benefits, especially for a website owner:

Visitors are more privacy-aware than ever. A site that asks for consent clearly and respects the answer signals professionalism. People notice when a cookie banner gives them a real choice, versus when it’s a dark-pattern maze designed to wear them down — and that impression carries over to how much they trust your brand with things like their email address or credit card.

This one’s counterintuitive. When you only collect data from people who’ve actually consented, you end up with smaller but cleaner datasets. Your analytics reflect engaged visitors rather than everyone plus bots plus people who’d opt out if they could. Decisions made on that data tend to be sounder.

Compliance practices push you toward data minimization — collecting only what you need and keeping it only as long as necessary. The less personal data you hold, the less damage a breach can do, and the less attractive a target you are in the first place. You can’t leak what you never stored.

If you sell to EU customers, compliance isn’t a nice-to-have; it’s the price of entry. The same increasingly applies to California, Brazil (LGPD), and a growing list of jurisdictions. Getting your house in order once opens multiple markets, and many B2B clients now require proof of compliance from vendors before they’ll sign anything.

The process of becoming compliant forces useful questions: what data are we actually collecting, why, where does it live, who has access? Plenty of businesses discover forgotten plugins, abandoned tracking scripts, or third-party services they didn’t realize were phoning home. That audit has value even setting the legal side aside.

As privacy becomes a buying criterion — and it is, particularly for younger and more technical audiences — being able to say “we load fonts locally, we don’t track you without asking” becomes a feature rather than a legal footnote.

GDPR stands for the General Data Protection Regulation, a binding privacy framework that came into force in the European Union in 2018. And here’s the part people often miss: it doesn’t just apply to businesses in the EU. If you have customers in the EU, it applies to you too. Other jurisdictions have their own versions — the CCPA in California is the obvious one — so your actual obligations depend on where you’re based, where your customers are, and what third-party services your site uses.

And a point worth noting: Avada itself doesn’t need to be GDPR-compliant because it doesn’t collect any data. The privacy tools exist to help you make your website compliant — because the moment you embed a YouTube video, load Google Fonts from a CDN, or run Google Analytics, you’re potentially sending visitor data to third parties.

Before we touch a single option, here’s the mental model. Avada’s Privacy System has two halves:

Both halves are totally optional, and they work independently. You might configure the consent tools and present them through the Element on your privacy policy page (or any other page on your site). You might skip the tools entirely and just show a simple bar that tells visitors about the necessary cookies. Or you might use everything together. It all depends on what you need to inform your visitors of. Everything lives under Options > Privacy & Consent in the Avada Global Options. Let’s go through it.

By default, you’ll only see three options here, because both the Privacy Consent Tools and the Privacy & Consent Bar are disabled out of the box.

There’s also an important note at the top explaining the cookie created when you use the privacy consent option — worth a read.

This first option is small but genuinely useful. When set to “Local”, Google Fonts and Font Awesome fonts are downloaded to your own server, which satisfies GDPR criteria — no font requests pinging Google’s servers with your visitors’ data. Alternatively, set it to “CDN” to load fonts from the Google and Font Awesome CDNs. If GDPR applies to you, “Local” is the safe choice.

Turn it on, and Avada will prevent scripts and embeds from loading until your visitor gives consent. Do you need it? Maybe not. If you only have necessary cookies and no third-party embeds, you can leave this disabled and just let users know about your cookies in the privacy bar.

But if your site embeds YouTube videos, runs Google Analytics, or loads anything else from a third party, enable it — and a whole range of new options appear.

How many days does the consent cookie last before visitors are asked again? The default is 30, and you can push it up to 366 days (for leap years).

Here you choose which embeds require consent. There are 12 in all, including a range of Google services. Only select what you actually use — there’s no point gating consent for services that never appear on your site. And note: custom code snippets with a privacy category are automatically included, so you don’t need to select those here.

This controls which of those embeds are selected by default when a visitor first sees the consent bar or Element. Selecting them all means visitors opt out rather than opt in — check whether that’s acceptable under your local regulations before mirroring that choice.

When a visitor hasn’t accepted a third-party embed, Avada shows a placeholder in its place — a box explaining that consent is needed, with a button to grant it. The description comes with a sensible default you can customize, and the two color options control the placeholder’s background and text. Tie these into your color palette (in the video, color 5 for the background and color 1 for the text) so the placeholders don’t look like an afterthought.

This section gives you a label and description for each of the four Google options: Google Analytics, Google Advertising cookies, Google Advertising user data, and Google Advertising personalization. Defaults are pre-filled, but everything is editable.

This is where the system gets properly flexible. It’s a repeater row, so you can add as many categories as you need, each with a custom title and description. The available category types are custom content, necessary cookies, functional cookies (third-party embeds), statistics cookies (analytics), and marketing cookies (advertising and targeting).

These categories define the grouped sections visitors see in both the Avada Privacy & Consent Bar and the Avada Privacy and Consent Element when the group layout is used. A cluster of related options follows:

Save the Global Options, and the definition half of the system is done. Now for the display half.

Flip the Privacy & Consent Bar option to “On”, and a bar appears along the bottom of your site, informing visitors of your Privacy and Consent details. A new batch of global options loads with it.

The bar has two modes. If you enable it without the Privacy Consent Tools, you get just eight or nine options — enough for a simple bar that tells users about necessary cookies and nothing more. Perfectly valid. But with the consent tools enabled, you can also switch on the Privacy Bar Settings, which turns the bar into something far more capable — close to the full Privacy and Consent Element, living in a bar.

The first options control the general styling and appearance:

“Privacy Bar Button Save On Click” changes what your consent flow actually means. Set to “No”, the button is just an acknowledgment. The bar dismisses, and visitors grant consents individually via the placeholder buttons on the details panel.

Set to “Yes”, clicking the button grants all the consent types you selected under Privacy Selected Consent Types. Either way, once the details panel is open, clicking the button always saves the current checkbox selection.

That’s a meaningful difference. “No” means dismissing the bar grants nothing; “Yes” means one click consents to your defaults. Choose based on your regulatory requirements, not convenience.

Enable “Privacy Bar Settings”, and a settings link is added to the bar that opens a full details panel with checkboxes for tracking and third-party embeds. A stack of new options arrives with it:

The settings content can display as Columns (sections spread across the screen) or tabs. Tabs come with their own extras — content height, border size, border and background colors, and content padding. Columns are the default and work well for most setups. Either way, Privacy Bar Content Max Width controls how much horizontal room the panel gets — bumping it to 90% gives the categories space to breathe.

There are options for the heading font size and color, a column gap (30px by default), plus colors for the cookie lifespan and description text. The lifespan and description colors inherit the bar’s text color when left empty, but setting them separately (color 4 and color 3 in the example) helps visually distinguish the metadata from the main labels. The cookie description font size is 0.85em by default, which is easy to read.

Choose between standard checkboxes or slide toggles for the consent items. Toggles feel more modern, and if you pick them, you also get options for the inactive, active, and thumb colors.

Both are optional, and each includes editable button text when enabled. Whether you want them depends on your setup — if your defaults already reflect what most visitors would choose and the save-on-click behavior handles it, you may not need them at all.

Once configured, the flow works like this: a visitor changes a selection in the tracking cookies or third-party embeds, the button switches to “Update Settings,” they click it, their preferences are saved, and the bar disappears for as long as your cookie expiration allows.

With everything configured, visit a page with an embedded YouTube video — if YouTube consent hasn’t been granted, the video simply won’t load. In its place sits your styled placeholder asking for permission. Grant it, and the choice is stored in a cookie for the duration you set.

One testing tip from the video that’ll save you some confusion: once you’ve saved your own consent preferences, the cookie is valid for the full expiration period — meaning the privacy bar won’t show for you anymore, even though you’re trying to test it. To reset, open Chrome DevTools (right-click and select Inspect), go to the “Application” tab, and clear the site data. That wipes the consent cookie (and logs you out, so keep your password handy), and you’re back to a fresh-visitor view.

The Privacy Bar and the Privacy Element get the spotlight, but Avada offers a few more privacy options.

Avada Consent Field Element — If you’re using the Avada Form Builder, just add the Element into your form and write your consent text. Done. There’s also a legacy method for sites using the contact page template — under the Contact Template tab in global options, enable Display Data Privacy Confirmation Box, and a further option appears to customize the message. But that only applies to the contact page template, and Avada Forms is the far more flexible route.

The Avada User Register Element — If people register on your site, this element includes a Registration Notice field near the bottom of its options. It displays custom text before the submit button — a natural spot to inform new users about your GDPR compliance or data handling.

So that’s the full privacy and consent system in Avada: Global Options, where you define everything once; a configurable bar for site-wide notices; an Element for pages and Avada Off-Canvas pop-ups; and consent fields for your forms and registrations.

The practical path forward looks like this. Work out your legal requirements first (lawyer, if in doubt). Set your fonts to Local if GDPR applies. Then decide how much of the system you need — a simple bar for a cookies-only site, or the full consent tools if you’re running third-party embeds and analytics. Define your consent types and categories in the global options, and pick your display method: the bar, the element, or both.

And when you’re ready to build out the Element side — whether on a privacy policy page or as a polished Avada Off-Canvas pop-up — the two companion guides linked at the top walk through those builds step by step.