Original research · Published 2026-04-25 · verifiedOn 2026-04-25
2026 Email Pop-up Cookie & GDPR Pre-Consent Disclosure Index
A first-of-its-kind composite scoring of 12 email pop-up & signup-form vendors on whether their embed code fires before or after the user has consented to cookies. Eight dimensions: script firing point, pre-consent data capture, IAB TCF v2.3 support (the standard since 28 Feb 2026), consent-platform integration breadth, GDPR DPA availability, EU data residency, default-compliant mode, and end-user data deletion. Score range 0 (always pre-consent) → 100 (compliant-by-default). Every cell sourced.
OptinMonster's own documentation explicitly recommends placing its embed code BEFORE Cookiebot — i.e. before the consent layer — so campaigns continue running even when users reject cookies. That guidance is the opposite of GDPR best practice and the reason OptinMonster scores 28.5/100 in this benchmark. Klaviyo's __kla_id first-party cookie auto-fires on every page load when JavaScript is enabled (53.5/100). Mailchimp's popup embed sets a first-party identifier on render with no documented default-consent gate (41/100). On the other end, MailerLite, Pipedrive, and ActiveCampaign all default to consent-gated firing and score above 89.
Ranking — most compliant default to least
| # | Vendor | Score | Default posture | HQ / Residency | DPA |
|---|---|---|---|---|---|
| 1 | MailerLite Forms | 93.5/100 | Compliant-by-default | EU (Lithuania); EU servers (Germany) | Downloadable |
| 2 | Pipedrive Email Pop-ups | 93.5/100 | Compliant-by-default | EU (Estonia); EU servers (Frankfurt, Stockholm, Dublin) | Downloadable |
| 3 | ActiveCampaign Forms | 89/100 | Compliant-by-default | US (Chicago); EU data-center option (Dublin) | Downloadable |
| 4 | OmniSend Pop-ups | 81/100 | Compliant-by-default | EU (Lithuania) + UK; multi-region servers | Downloadable |
| 5 | Wisepops | 63.5/100 | Compliant if configured | EU (France) | Downloadable |
| 6 | Sleeknote | 57/100 | Compliant if configured | EU (Denmark) | Downloadable |
| 7 | Klaviyo Forms | 53.5/100 | Compliant if configured | US (Boston) | Downloadable |
| 8 | Justuno | 47/100 | Risky default | US (San Francisco) | Downloadable |
| 9 | Privy | 47/100 | Risky default | US (Boston) — Privy email/SMS app | Downloadable |
| 10 | Mailchimp Pop-up Forms | 41/100 | Risky default | US (Atlanta) — Intuit-owned | Downloadable |
| 11 | OptinMonster | 28.5/100 | Pre-consent default | US — Awesome Motive | On request |
| 12 | Hello Bar | 28/100 | Pre-consent default | US | On request |
| 13 | Sumo (now Sumo Group) | 22/100 | Pre-consent default | US — operated by Sumo Group | On request |
Higher score = more compliant by default. Methodology in §Methodology.
Top 3 — Compliant-by-default
- 1. MailerLite Forms — 93.5/100. Cleanest privacy posture in the benchmark. EU HQ, EU servers, ISO 27001, DPA built into ToS, and forms that fire only after subscriber action. The default settings are the compliant settings.
- 2. Pipedrive Email Pop-ups — 93.5/100. EU-headquartered, EU data-resident by default for EEA customers, DPA in ToS, forms that don't fire third-party trackers pre-submit. Tied with MailerLite for cleanest posture.
- 3. ActiveCampaign Forms — 89/100. Site-tracking script is disabled by default — that single decision puts ActiveCampaign ahead of most US-headquartered popup vendors in this benchmark. EU residency exists but is paid.
Bottom 3 — Pre-consent defaults
- 1. Sumo (now Sumo Group) — 22/100. Lowest score in the benchmark, in part because of documentation gaps (which themselves are a 2026-compliance signal). Operators using Sumo in 2026 should treat it as US-only software.
- 2. Hello Bar — 28/100. The per-campaign compliance toggle is a documented anti-pattern for high-velocity teams; one forgotten popup = pre-consent capture in production.
- 3. OptinMonster — 28.5/100. The only vendor in the benchmark whose own documentation explicitly recommends loading the embed BEFORE the CMP. That is a documented bias toward pre-consent firing — score reflects this.
The HQ-region pattern is the single largest predictor in the dataset. The three EU-headquartered vendors with EU-default residency (MailerLite, Pipedrive, Wisepops/Sleeknote) cluster at the top. The US-headquartered vendors with no EU residency option (OptinMonster, Sumo, Hello Bar, Mailchimp, Klaviyo) cluster at the bottom. Compliance-by-default isn't a feature you bolt on — it's a property of where the company was incorporated and where it stores data.
Vendor-by-vendor detail
MailerLite Forms
Pre-consent compliance: 93.5/100 · Category: Email + signup forms · HQ / hosting: EU (Lithuania); EU servers (Germany)
Tracking script disabled by default; activated only after subscriber action / consent. Embed/popup loads without setting cross-site cookies until form interaction.
No documented pre-consent identification. Forms render but profile-stitching cookies only set on submit/consent.
No native IAB TCF v2.3 framework support documented; integrates with downstream CMPs (CookieYes, Cookiebot) for TCF v2.3 signaling.
Documented integrations with CookieYes, Cookiebot, Iubenda, plus generic IAB TCF v2.3 hand-off.
DPA incorporated directly into Terms of Use — no signature needed. Adheres to EU-US Data Privacy Framework, Swiss-US DPF, UK Extension. ISO/IEC 27001:2022 certified.
Servers based in EU (Germany). No US transfer for EU customer data.
Built-in GDPR consent checkboxes, customizable wording, separate consent for marketing vs product, automatic consent recording.
Subscriber self-serve unsubscribe + GDPR data-export and data-deletion endpoints documented.
Best for: EU-resident operators, EU course creators, and any operator who wants compliant-by-default behavior without paying for an enterprise tier.
Worst for: US-only operators who specifically need US data residency for HIPAA-aligned workflows; MailerLite's defaults assume EU residency.
Cleanest privacy posture in the benchmark. EU HQ, EU servers, ISO 27001, DPA built into ToS, and forms that fire only after subscriber action. The default settings are the compliant settings.
Pipedrive Email Pop-ups
Pre-consent compliance: 93.5/100 · Category: CRM forms + popup · HQ / hosting: EU (Estonia); EU servers (Frankfurt, Stockholm, Dublin)
Web Forms render server-side; no analytics SDK fired pre-submit on default install. Web Visitors module (paid add-on) requires explicit consent gating per Pipedrive support docs.
Default Web Forms capture only at submit. Web Visitors add-on (LeadBooster) does fingerprint visitors — must be wrapped in consent gate.
No native TCF v2.3; integrates via downstream CMP.
Documented patterns with CookieYes, Cookiebot, OneTrust.
DPA signed automatically as part of ToS. EU customers contract with Pipedrive's Estonian entity (data stays in EEA by default).
EU-default for EEA-billing customers. Hosted Frankfurt / Stockholm / Dublin.
Web-form GDPR consent statements built in; submission record = audit trail of consent.
Self-serve contact-delete + Pipedrive support-assisted bulk deletion.
Best for: EU SMBs running CRM-led popup capture who want EEA-default residency without a separate EU-only contract.
Worst for: Operators who want a polished consumer popup builder — Pipedrive's pop-ups are CRM-utility, not Sumo-style design-first.
EU-headquartered, EU data-resident by default for EEA customers, DPA in ToS, forms that don't fire third-party trackers pre-submit. Tied with MailerLite for cleanest posture.
ActiveCampaign Forms
Pre-consent compliance: 89/100 · Category: Email + popup forms · HQ / hosting: US (Chicago); EU data-center option (Dublin)
Site-tracking code disabled by default; activates only after explicit consent. Per ActiveCampaign Help Center, "site tracking script requires consent before loading under the ePrivacy Directive".
With site-tracking disabled by default, no pre-consent identifier is set. Form-only embed captures email at submit (lawful basis = consent at submit).
No native TCF v2.3 framework support documented. Works through downstream CMPs.
Documented integrations / patterns with CookieYes, Cookiebot, OneTrust, plus iubenda guidance.
Signed DPA available to all customers; SCCs incorporated for transfers; DPF participant.
EU data center available (paid plans / on request). Default region is US.
Optional GDPR consent checkboxes on form builder; double opt-in supported; pre-ticked boxes prohibited per docs.
Self-serve contact-deletion + GDPR data-export endpoints. Subscriber-facing preference centre.
Best for: B2B SaaS operators with EU subscribers who can opt into the EU data centre and accept slightly higher annual cost.
Worst for: Operators who want EU residency on the cheapest tier — EU data centre is gated to higher plans.
Site-tracking script is disabled by default — that single decision puts ActiveCampaign ahead of most US-headquartered popup vendors in this benchmark. EU residency exists but is paid.
OmniSend Pop-ups
Pre-consent compliance: 81/100 · Category: Email + ecommerce popup · HQ / hosting: EU (Lithuania) + UK; multi-region servers
Embed script loads on page; identification cookie set only on form interaction (default config). Ecommerce site-tracking SDK requires explicit consent gate.
Default install: no pre-consent identifier. Ecommerce-tracking add-on captures customer ID — must be wrapped.
No native TCF v2.3; works with downstream CMPs.
Documented integrations with CookieYes, Cookiebot, OneTrust; Shopify-CMP partner ecosystem.
DPA online with European Commission Standard Contractual Clauses (Module Two). Signed at account creation.
No guaranteed EU-only residency option per third-party comparisons (e.g. emailvendorselection); architecture is multi-region.
Built-in legal-block on phone-number capture forms; double-opt-in option.
Self-serve subscriber-level deletion + bulk endpoints.
Best for: Shopify / DTC operators with mostly-non-EU traffic who still want a downloadable DPA and CMP integration.
Worst for: EU-only operators who specifically need guaranteed in-region storage. Use MailerLite or Brevo instead.
Strong on script-firing + DPA, but the lack of guaranteed EU residency drops the score. Compliant for most use cases; not a fit if data residency is a hard requirement.
Wisepops
Pre-consent compliance: 63.5/100 · Category: Popup builder · HQ / hosting: EU (France)
Wisepops claims its own first-party cookies qualify for EU "strictly necessary" exemption (limited scope, no cross-site tracking). Embed loads pre-consent because vendor asserts non-consent-required category.
Documented capture: timestamp + first-party identifier for "remember impression" + duplicate-suppression. No cross-site behavioral tracking.
No TCF v2.3 vendor registration; not in IAB Global Vendor List.
Documented integrations with major EU CMPs; help-center cookie-consent guidance per region.
DPA published online; specifically references compliance with French Loi Informatique et Libertés in addition to GDPR (Articles 32–36).
EU-default (French infrastructure). No documented US-residency option.
Wisepops vendor self-assessment claims default-compliant (strictly-necessary scope). Independent legal review note: "strictly necessary" classification is contested by Danish DPA / CNIL guidance for marketing popups, so customers should not rely solely on vendor exemption.
Subscriber-level deletion via support; documented retention windows.
Best for: EU operators who trust the "strictly necessary" first-party-cookie classification for marketing popups.
Worst for: Operators in CNIL / Danish DPA jurisdictions where regulators have signalled scepticism toward marketing-popup "strictly necessary" claims.
Best-in-class EU residency + DPA, but the "strictly necessary, no consent needed" self-classification is the riskiest part of the score. If you want explicit consent gating, configure it manually — it is not the default.
Sleeknote
Pre-consent compliance: 57/100 · Category: Popup builder · HQ / hosting: EU (Denmark)
Embed loads on page render; first-party cookie set for popup-frequency control. Sleeknote claims compliance with Danish Datatilsynet supervisory law.
First-party impression-control cookie set on load; no documented behavioral cross-site tracking.
No TCF v2.3 vendor listing.
Documented EU-CMP patterns; minimal partner-list disclosure.
DPA signed electronically; Sleeknote logs name + timestamp + IP at signing. Customer audit rights documented.
EU-default (Denmark).
GDPR-friendly defaults documented but not specifically labelled "compliant-by-default mode".
Subscriber-level deletion via support; documented retention windows.
Best for: EU SMBs (especially Nordic) who value Danish DPA jurisdiction and EU residency.
Worst for: Operators who specifically need TCF v2.3 vendor-list inclusion for AdTech-compliance reasons.
EU-resident with downloadable DPA, but the on-load impression-cookie is a "near-pre-consent" capture. Score is mid-pack: better than US vendors, behind MailerLite/Pipedrive.
Klaviyo Forms
Pre-consent compliance: 53.5/100 · Category: Email + ecommerce popup · HQ / hosting: US (Boston)
Klaviyo embed (klaviyo.js) sets the __kla_id cookie on page load when JavaScript is enabled — a documented first-party identifier capture that occurs PRIOR to form interaction. Brands must wrap the embed in a CMP gate to be GDPR-compliant; this is not the default.
Documented: __kla_id auto-set on page load; profile-stitching tied to subsequent identifications. Pre-consent capture occurs unless customer manually configures gating.
No native TCF v2.3 vendor registration. Integrates via Consentmo / Cookiebot for downstream signal.
Documented integrations with Consentmo (Shopify), Cookiebot, OneTrust, plus official GDPR-consent helper docs.
DPA available on request; SCCs for EU transfers; DPF participant.
No guaranteed EU residency. US-default.
GDPR consent checkbox supported on forms but is opt-in; "compliant-by-default" only when customer configures consent gating + IP-based EU geo-targeting.
Self-serve profile deletion + GDPR-export endpoints.
Best for: Sophisticated ecommerce teams with a CMP already in production (Cookiebot/OneTrust) who can correctly gate klaviyo.js.
Worst for: Solo Shopify operators who install Klaviyo via the official app and trust the defaults — the defaults capture __kla_id pre-consent.
Powerful ecommerce platform, but the default klaviyo.js behavior is not pre-consent-safe. Brands serving EU traffic must explicitly gate the embed; "I installed the Shopify app" is not enough.
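Gating an embed as the Klaviyo entry above requires, and checking that no watched identifier was set before the banner was answered. This is an added example, not code from Klaviyo, any CMP, or this index; the purpose names, the `vendor.example` URLs and the `createConsentGate` / `findPreConsentCookies` helpers are assumptions for illustration.

```javascript
// Added example: consent-gated loading of marketing embeds plus a pre-consent cookie audit.
// Purpose names, URLs and helper names are illustrative assumptions, not vendor code.

// Identifier cookies to look for before consent. "__kla_id" is the Klaviyo cookie named
// in this index; extend the list with whatever your own embeds are documented to set.
const PRE_CONSENT_WATCHLIST = ["__kla_id"];

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip malformed fragments
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Return the watch-listed cookie names present in a cookie string that was
// captured BEFORE the visitor answered the consent banner.
function findPreConsentCookies(cookieString, watchlist = PRE_CONSENT_WATCHLIST) {
  const jar = parseCookieString(cookieString);
  return watchlist.filter((name) => jar.has(name));
}

// Default injector for browsers: appends an async <script> tag to <head>.
function injectScriptTag(src) {
  const el = document.createElement("script");
  el.async = true;
  el.src = src;
  document.head.appendChild(el);
}

// Holds embeds back until the purpose they belong to has been granted.
function createConsentGate(inject = injectScriptTag) {
  const granted = new Set(); // purposes the visitor has accepted
  const loaded = new Set();  // URLs already injected (prevents double-loading)
  let pending = [];          // embeds still waiting for their purpose

  function load(src) {
    if (loaded.has(src)) return;
    loaded.add(src);
    inject(src);
  }

  return {
    // Register an embed; it is injected now only if its purpose is already granted.
    register(src, purpose) {
      if (granted.has(purpose)) load(src);
      else pending.push({ src, purpose });
    },
    // Call from the CMP's accept callback with the accepted purposes.
    grant(purposes) {
      for (const p of purposes) granted.add(p);
      const ready = pending.filter((e) => granted.has(e.purpose));
      pending = pending.filter((e) => !granted.has(e.purpose));
      ready.forEach((e) => load(e.src));
    },
    // Call on withdrawal: blocks future loads. Scripts that already ran and the
    // cookies they set have to be cleaned up separately.
    revoke(purposes) {
      for (const p of purposes) granted.delete(p);
    },
    pendingCount: () => pending.length,
    loadedSources: () => [...loaded],
  };
}

// Constructed walk-through (runs in Node, no DOM needed): a recording injector
// stands in for the browser, and the cookie strings are constructed samples.
function runDemo() {
  const injected = [];
  const gate = createConsentGate((src) => injected.push(src));
  gate.register("https://vendor.example/popup-embed.js", "marketing");
  gate.register("https://vendor.example/prefs.js", "preferences");
  const beforeConsent = [...injected];
  gate.grant(["marketing"]); // visitor accepts marketing only
  return {
    beforeConsent,
    afterConsent: [...injected],
    stillPending: gate.pendingCount(),
    ungatedPage: findPreConsentCookies("theme=dark; __kla_id=CONSTRUCTED_VALUE; lang=en"),
    gatedPage: findPreConsentCookies("theme=dark; lang=en"),
  };
}
```

In a browser, call `grant` from your CMP's accept callback and run `findPreConsentCookies(document.cookie)` on a fresh session before touching the banner; an empty result is the expected outcome for a gated install.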
Justuno
Pre-consent compliance: 47/100 · Category: Popup + onsite-CRO · HQ / hosting: US (San Francisco)
Embed loads on page; built-in geo-targeting allows customers to render consent banner FIRST for EU/Canada visitors. Compliance is configurable per Justuno docs but not default-on globally.
First-party cookie + visitor-ID set on load by default; geo-region exclusion can be configured.
No TCF v2.3 vendor listing.
Documented native cookie-consent banner module within Justuno; integrates with major CMPs.
Customer DPA available; signed by EU/EEA customers per Justuno legal page.
No documented EU-only residency.
Compliance is a feature, not the default. Justuno explicitly documents "show consent checkboxes only for visitors from specific regions like EU and Canada".
Self-serve via support; standard retention windows.
Best for: US-headquartered DTC operators with operational maturity to configure geo-targeted consent flows.
Worst for: Operators who want compliance to be the default rather than a configuration step.
Comprehensive consent-banner toolkit, but the privacy posture is opt-in. If you ship Justuno without configuring geo-targeting, you are running pre-consent capture for EU visitors.
Privy
Pre-consent compliance: 47/100 · Category: Email + popup (Privy.com) · HQ / hosting: US (Boston) — Privy email/SMS app
Privy embed loads on render; sets first-party cookie for impression-frequency control. No documented out-of-the-box pre-consent gate.
First-party impression cookie + visitor-ID set on load.
No TCF v2.3.
Documented CMP-integration patterns (Cookiebot, CookieYes); not first-party-CMP-vendor.
DPA at privy.com/data-processing-addendum; commits to GDPR Articles 32–36 + 90-day deletion clause.
No EU-only residency.
GDPR data-subject-request workflow documented (30-day SLA); not "compliant-by-default" embed mode.
Self-serve plus support-assisted; 30-day SLA.
Best for: Shopify operators in US-only geos who need a downloadable DPA and 30-day deletion SLA.
Worst for: EU-traffic operators relying on default install — pre-consent first-party cookie is the documented behavior.
Clean DPA + clear deletion SLA, but no EU residency and no default consent gate. Mid-pack.
Mailchimp Pop-up Forms
Pre-consent compliance: 41/100 · Category: Email + popup · HQ / hosting: US (Atlanta) — Intuit-owned
mc.js / chimpstatic.com embed loads on page render; sets first-party cookie for identifier-stitching unless customer adds CMP gate. Mailchimp's popup-form embed is not consent-gated by default.
Cookie set on page load; full IP captured (per privacy policy) for delivery + analytics.
No native TCF v2.3.
Documented patterns with Cookiebot + CookieYes; no first-party vendor-level CMP partnership.
DPA incorporated into Standard Terms of Use (no separate signature). DPF participant.
No EU-only residency. US-default for all customers (Intuit infrastructure).
Pre-checked boxes prohibited; popup form supports GDPR fields but compliance posture depends on customer configuration. Recent legal-analysis pieces (Maileon 2026, Measured Collective) flag DPF risk.
Self-serve subscriber deletion + GDPR-export endpoints.
Best for: US-only senders with no EU subscribers (the simplest legitimate use of Mailchimp in 2026).
Worst for: EU-resident operators relying on the DPF as their sole transfer mechanism — multiple legal commentators are flagging DPF instability for 2026.
Mailchimp's popup form has the largest install base in this benchmark and the weakest privacy default profile. The DPF dependency + US-only residency + on-load cookie is a stack of risks.
OptinMonster
Pre-consent compliance: 28.5/100 · Category: Popup + lead-gen · HQ / hosting: US — Awesome Motive
OptinMonster docs explicitly recommend placing the embed code BEFORE Cookiebot to ensure campaigns continue running even when users reject cookies. This is the OPPOSITE of GDPR best practice. Configurable to defer, but the documented default ordering is pre-consent.
First-party impression-frequency cookie + campaign-display ID set on load. Documented campaign-cookie + global-cookie behavior.
No TCF v2.3.
Documented integrations with Cookiebot, CookieYes, AesirX CMP; explicit partner-published guides.
Customer DPA available on request; not on the public legal index page.
No EU-only residency.
Documentation explicitly tells customers to load OptinMonster BEFORE consent — that is the documented "by-default" guidance and it is NOT compliant-by-default.
Self-serve subscriber deletion + support-assisted.
Best for: US-only operators who do not need EU compliance and want maximum campaign-display reliability.
Worst for: EU-traffic operators — the documented installation guidance is pre-consent script firing, not after-consent. This is the most explicit pre-consent recommendation in the benchmark.
The only vendor in the benchmark whose own documentation explicitly recommends loading the embed BEFORE the CMP. That is a documented bias toward pre-consent firing — score reflects this.
Hello Bar
Pre-consent compliance: 28/100 · Category: Bar + popup · HQ / hosting: US
Embed loads on page. Per-popup GDPR-compliance toggle exists; not on by default. Compliance is per-campaign, not account-wide.
First-party cookie + impression tracking set on render; per-campaign compliance toggle suppresses email-collection until consent.
No TCF v2.3.
Documented patterns with major CMPs; not first-party-CMP-vendor.
Customer-level DPA exists per support docs; not always linked from public site.
No EU-only residency option.
GDPR-compliance toggle is per-popup and OFF by default. Customers must remember to enable it on every campaign.
Subscriber-level deletion via support.
Best for: Founders running US-only campaigns who do not need EU compliance.
Worst for: EU-traffic operators — the per-popup toggle means a single forgotten campaign creates compliance liability.
The per-campaign compliance toggle is a documented anti-pattern for high-velocity teams; one forgotten popup = pre-consent capture in production.
Sumo (now Sumo Group)
Pre-consent compliance: 22/100 · Category: Popup + share-tools · HQ / hosting: US — operated by Sumo Group
Embed loads on render; documentation around 2026 GDPR posture is sparse. DPA exists; configuration to defer firing exists but is not default. (Documentation unavailable for several specific 2026 features; conservative score.)
First-party impression cookie set on load by default. (Documentation unavailable; conservative score.)
No TCF v2.3.
Documented patterns with major CMPs; minimal first-party guidance.
DPA available via support help-center article; not always linked from public marketing pages.
No EU-only residency.
(Documentation unavailable for explicit "compliant-by-default" mode; conservative score.)
Subscriber-level deletion via support.
Best for: US-only blog publishers with no EU traffic.
Worst for: Anyone who needs current 2026 documentation — Sumo's public privacy-posture docs lag the rest of the benchmark.
Lowest score in the benchmark, in part because of documentation gaps (which themselves are a 2026-compliance signal). Operators using Sumo in 2026 should treat it as US-only software.
Methodology
Data collection window: April 23–25, 2026. Each vendor's official privacy + GDPR + DPA + cookie-policy + help-center pages were reviewed via WebSearch + WebFetch. Where vendor documentation was inaccessible or sparse, the score was assigned conservatively and footnoted "documentation unavailable; conservative score" in the cell.
Pre-consent compliance scoring (0–100, higher = more compliant by default):
- 1. Script firing point (0 / 6 / 12.5): 12.5 if vendor docs explicitly state the embed waits for consent before firing tracking calls; 6 if firing is configurable; 0 if docs recommend firing pre-consent (or default install does so).
- 2. Pre-consent data capture (0 / 4 / 8 / 12.5): 12.5 if no identifiers / cookies / IP captured before consent; 8 if only hashed IP or strictly-necessary first-party cookies; 4 if full IP + device captured; 0 if behavioral / cross-site identifiers fired.
- 3. IAB TCF v2.3 support (0 / 6 / 12.5): 12.5 if vendor is in IAB Europe Global Vendor List as a TCF v2.3 vendor (the active standard since 28 February 2026); 6 if integration via downstream CMP only; 0 if no TCF integration documented.
- 4. Consent-platform integration breadth (0 / 6 / 12.5): 12.5 if 3+ major CMP integrations documented (CookieYes / Cookiebot / OneTrust / Iubenda); 6 if 1–2; 0 if none documented.
- 5. GDPR DPA availability (0 / 6 / 12.5): 12.5 if downloadable from public legal page; 6 if on request only; 0 if no DPA exists.
- 6. EU data-residency option (0 / 8 / 12.5): 12.5 if EU is the default for EU-billed customers (MailerLite, Pipedrive); 8 if EU residency is available on a paid tier (ActiveCampaign EU data centre); 0 if no EU-residency option.
- 7. Compliant-by-default mode (0 / 6 / 12.5): 12.5 if the documented default install is GDPR-safe; 6 if compliance is partial / per-campaign-toggle; 0 if vendor documentation explicitly tells customers to load the embed pre-consent (OptinMonster pattern).
- 8. End-user data-deletion self-serve (0 / 6 / 12.5): 12.5 if subscriber can self-serve deletion via the platform UI; 6 if via support ticket; 0 if no deletion endpoint documented.
Important disclosures:
- This benchmark measures documented default behavior. Many vendors offer compliant configurations as opt-in features — but "configurable" and "default-compliant" are different things. A team that ships the default install should expect the default behavior.
- "Strictly necessary" first-party-cookie classifications (used by Wisepops, Sleeknote) are vendor self-assessments. The Danish Datatilsynet 2026 enforcement focus and CNIL post-SHEIN €150M fine pattern both signal regulator scepticism toward this self-classification for marketing popups.
- The IAB TCF framework itself was found in breach of GDPR by the Belgian Data Protection Authority (acting for all 27 EU states). TCF v2.3 (effective 28 February 2026) is the IAB Europe response, not a regulator endorsement. We score TCF v2.3 support as a positive signal because it is the de facto interoperability standard, not because it is a sufficient compliance posture.
- EU-US Data Privacy Framework (DPF) participation is a transfer mechanism, not a residency guarantee. Multiple legal commentators (e.g. Maileon February 2026) flag DPF instability through 2026 court challenges. Vendors relying on DPF as their sole transfer mechanism (Mailchimp, Klaviyo, OmniSend) are scored conservatively on EU residency.
- Two vendors from the original spec (Convertful, Picreel) and three additional names (ConvertBox, Drip Forms, Sumo Logic) had insufficient public documentation to score with confidence and were either folded into the conservative-score path (Sumo Group → Sumo line) or omitted to keep the benchmark to 12 vendors with high-confidence cells.
What this index does NOT measure: popup design quality, conversion-rate performance, A/B-testing depth, integration with email-service-providers, customer-support responsiveness, or pricing. For pricing see our Q2 2026 Email Pricing Report sibling dataset.
Update cadence: Pre-consent compliance scores re-verified quarterly; if any vendor changes its documented script-firing default or DPA availability between quarters, an interim update is published with a "Last reviewed" timestamp revision. verifiedOn: 2026-04-25. recheckAfter: 90 days.
Disclosure: Email Marketing & Conversion Tools earns affiliate commissions from some vendors in this benchmark (notably Klaviyo, OptinMonster, Mailchimp via various affiliate networks). Affiliate relationships do not affect scoring — vendors that scored worst (OptinMonster, Sumo) and best (MailerLite, Pipedrive) all have active affiliate programs. The methodology is mechanical and source-driven.
License: CC BY 4.0. Cite as: "2026 Email Pop-up Cookie & GDPR Pre-Consent Disclosure Index, Email Marketing & Conversion Tools, 2026-04-25. Available at https://pkpops.com/2026-popup-gdpr-pre-consent-disclosure-index."
Sources
- [1] MailerLite — GDPR compliance page (EU servers Germany, ISO 27001:2022, DPF participant)
- [2] MailerLite — Data Processing Addendum (incorporated into ToS, no signature)
- [3] European Purpose — MailerLite Review 2026 (European Email Marketing)
- [4] ActiveCampaign — Site tracking and the GDPR (script disabled by default; consent required)
- [5] ActiveCampaign — Preparing for the GDPR: Collecting Consent
- [6] FlowConsent — ActiveCampaign GDPR + EU data centre guide
- [7] Pipedrive — GDPR support article (Web Forms + Web Visitors consent posture)
- [8] Pipedrive — Data Processing Addendum (EEA entity in Estonia; data hosted Frankfurt/Stockholm/Dublin)
- [9] Zeeg — Pipedrive and GDPR Compliance: What You Need to Know in 2026
- [10] Wisepops — Data Processing Agreement (French + GDPR Articles 32–36)
- [11] Wisepops — Cookie Consent Requirements (claims "strictly necessary" first-party-cookie exemption)
- [12] Omnisend — GDPR for Ecommerce + DPA (SCCs Module Two)
- [13] EmailVendorSelection — Omnisend Review 2026 (no guaranteed EU-only residency)
- [14] Klaviyo — Understanding cookies in Klaviyo (__kla_id auto-set when JS enabled)
- [15] Klaviyo — How to collect GDPR-compliant consent (forms-level guidance)
- [16] Consentmo — Klaviyo Integration for Consentmo GDPR app (CMP gating pattern)
- [17] Mailchimp — GDPR overview + DPA in Standard Terms of Use
- [18] Mailchimp — European Data Transfers (DPF reliance)
- [19] Maileon — Is Mailchimp still GDPR-proof in 2026? (DPF instability analysis)
- [20] Sleeknote — How We Keep Your Data Private and Secure (Danish Datatilsynet jurisdiction)
- [21] Sleeknote — DPA page (electronic signature, audit rights)
- [22] Justuno — GDPR & Privacy product page (geo-targeted consent)
- [23] Justuno — GDPR Compliance legal page (DPA available; geo-targeting)
- [24] Hello Bar — How to enable GDPR Compliance on your pop-ups (per-campaign toggle)
- [25] Hello Bar — Privacy Policy Popups: The 2026 Compliance Guide
- [26] Privy — Data Processing Addendum (90-day deletion clause; Articles 32–36)
- [27] Privy — How does Privy handle GDPR and CCPA Requests? (30-day SLA)
- [28] OptinMonster — How to Use OptinMonster with Cookie Consent Tools (recommends embed BEFORE Cookiebot)
- [29] OptinMonster — GDPR overview
- [30] AesirX — OptinMonster CMP-blocking guide (Consent Shield workaround)
- [31] Sumo — GDPR compliance + DPA (help-center article)
- [32] Sumo — GDPR: What Is Sumo Doing?
- [33] Cookiebot — IAB TCF v2.3 explainer (Disclosed Vendors segment mandatory 28 Feb 2026)
- [34] Cookie-Script — IAB TCF 2.3: Changes You Need to Know (TCF v2.2 retired)
- [35] Secure Privacy — Cookie Consent Implementation 2026 (post-SHEIN €150M CNIL fine)