How can we help you?

Cookie Consent and Privacy (Velaro v20)

> Customer-facing KB content for help.velaro.com. Updated 2026-06.

Summary

Velaro v20 automatically detects your cookie consent platform and loads the chat widget only after the visitor has granted the appropriate consent. Add one attribute to your embed snippet and nothing else is required.

---

Recommended setup — auto mode

Add data-consent-mode="auto" to your Velaro embed script tag:

<script
  src="https://cdn.velaro.com/messenger/embed.js"
  data-site-id="YOUR_SITE_ID"
  data-consent-mode="auto"
  async
></script>

With auto mode Velaro:

  1. Detects which consent platform is on the page (OneTrust, Cookiebot, Osano, Termly, or

Usercentrics).

  1. Shows your chat launcher immediately using your configured brand colors and icon. No visitor

is identified and no tracking occurs at this point.

  1. Loads the full widget automatically the moment the visitor grants Functional consent —

no page reload, no extra click required.

If agents are offline and your site is set to hide the launcher when unavailable, the launcher will not appear until agents come back online.

---

How to classify Velaro in your CMP

CMPWidget categoryARRAffinity / ARRAffinitySameSite cookies
OneTrustFunctional — C0003Strictly Necessary — C0001
CookiebotPreferencesNecessary
TrustArcFunctional / PreferenceRequired
OsanoSTORAGEESSENTIAL
TermlyPerformance / FunctionalityEssential
UsercentricsAdd Velaro as a named serviceRequired / Strictly Necessary

ARRAffinity and ARRAffinitySameSite are Azure load-balancing cookies on api-visitor-us-east.velaro.com. They carry no personal data and are session-only. Every CMP has a category for this type of cookie — the names differ but they mean the same thing: OneTrust calls it "Strictly Necessary", Cookiebot calls it "Necessary", TrustArc calls it "Required", Osano calls it "ESSENTIAL", Termly calls it "Essential". Use whichever term your platform shows.

---

Showing the chat button to every visitor (click-to-load)

Use defer mode if you want the chat button visible even to visitors who decline Functional cookies:

<script
  src="https://cdn.velaro.com/messenger/embed.js"
  data-site-id="YOUR_SITE_ID"
  data-consent-mode="defer"
  async
></script>

The chat button appears for everyone with your real brand colors and icon. Clicking it is the visitor actively requesting chat — that click is the consent event. The full widget loads at that point regardless of cookie preferences. No tracking or cookies occur before the click.

---

All consent modes

ModeBehavior
autoDetects your CMP, shows launcher immediately, loads full widget on functional consent grant. Recommended.
deferShows launcher to all visitors. Click = consent, full widget loads on click.
requireWidget loads only when your code calls the provided resolve callback. For custom consent flows.
noneNo consent gating — widget loads immediately. Default when no data-consent-mode is set.

---

Manual consent wiring (require mode)

window.__velaro = {
  consentMode: 'require',
  onConsentRequired: function(resolve) {
    myConsentSystem.onFunctionalGranted(function() {
      resolve({ functional: true });
    });
  }
};

---

Visitor monitoring & consent

Visitor monitoring (the live Visitor Monitor, page-path history, and the agent "new visitor" alerts) is treated as analytics activity. It is gated three ways so it never tracks a visitor who hasn't agreed:

  1. Front-end gate. The embed only starts sending page beacons once the visitor

grants Analytics consent in your CMP. Before that, nothing is sent.

  1. Revocation. If a visitor later turns Analytics off, the widget stops beaconing

immediately and the current page-view is dropped.

  1. Server-side opt-out. The beacon endpoint also independently honors a decline,

even if the embed is bypassed. A visitor is not tracked when any of these is true:

  • the beacon reports consent: "denied",
  • the browser sends Sec-GPC: 1 (Global Privacy Control — a recognized legal

opt-out under CCPA/CPRA), or

  • the browser sends the legacy DNT: 1 (Do Not Track) header.

When any opt-out is present, no visitor session row is written, no IP / GeoIP lookup is performed, and no agent alert fires.

Bot & scanner protection. Known crawler/scanner user agents (search bots, uptime monitors, security scanners) are dropped before a session is created, and a single IP that spawns visitor sessions faster than a human plausibly could has its agent alerts throttled. This keeps the Visitor Monitor and your phone clear of automated traffic.

---

Need help?

Contact Velaro support to confirm your CMP setup or switch consent modes.

Share: Email

Was this article helpful?