Cookie Consent and Privacy (Velaro v20)
> Customer-facing KB content for help.velaro.com. Updated 2026-06.
Summary
Velaro v20 automatically detects your cookie consent platform and loads the chat widget only after the visitor has granted the appropriate consent. Add one attribute to your embed snippet and nothing else is required.
---
Recommended setup — auto mode
Add data-consent-mode="auto" to your Velaro embed script tag:
<script
src="https://cdn.velaro.com/messenger/embed.js"
data-site-id="YOUR_SITE_ID"
data-consent-mode="auto"
async
></script>
With auto mode Velaro:
- Detects which consent platform is on the page (OneTrust, Cookiebot, Osano, Termly, or
Usercentrics).
- Shows your chat launcher immediately using your configured brand colors and icon. No visitor
is identified and no tracking occurs at this point.
- Loads the full widget automatically the moment the visitor grants Functional consent —
no page reload, no extra click required.
If agents are offline and your site is set to hide the launcher when unavailable, the launcher will not appear until agents come back online.
---
How to classify Velaro in your CMP
| CMP | Widget category | ARRAffinity / ARRAffinitySameSite cookies |
|---|---|---|
| OneTrust | Functional — C0003 | Strictly Necessary — C0001 |
| Cookiebot | Preferences | Necessary |
| TrustArc | Functional / Preference | Required |
| Osano | STORAGE | ESSENTIAL |
| Termly | Performance / Functionality | Essential |
| Usercentrics | Add Velaro as a named service | Required / Strictly Necessary |
ARRAffinity and ARRAffinitySameSite are Azure load-balancing cookies on api-visitor-us-east.velaro.com. They carry no personal data and are session-only. Every CMP has a category for this type of cookie — the names differ but they mean the same thing: OneTrust calls it "Strictly Necessary", Cookiebot calls it "Necessary", TrustArc calls it "Required", Osano calls it "ESSENTIAL", Termly calls it "Essential". Use whichever term your platform shows.
---
Showing the chat button to every visitor (click-to-load)
Use defer mode if you want the chat button visible even to visitors who decline Functional cookies:
<script
src="https://cdn.velaro.com/messenger/embed.js"
data-site-id="YOUR_SITE_ID"
data-consent-mode="defer"
async
></script>
The chat button appears for everyone with your real brand colors and icon. Clicking it is the visitor actively requesting chat — that click is the consent event. The full widget loads at that point regardless of cookie preferences. No tracking or cookies occur before the click.
---
All consent modes
| Mode | Behavior |
|---|---|
auto | Detects your CMP, shows launcher immediately, loads full widget on functional consent grant. Recommended. |
defer | Shows launcher to all visitors. Click = consent, full widget loads on click. |
require | Widget loads only when your code calls the provided resolve callback. For custom consent flows. |
none | No consent gating — widget loads immediately. Default when no data-consent-mode is set. |
---
Manual consent wiring (require mode)
window.__velaro = {
consentMode: 'require',
onConsentRequired: function(resolve) {
myConsentSystem.onFunctionalGranted(function() {
resolve({ functional: true });
});
}
};
---
Visitor monitoring & consent
Visitor monitoring (the live Visitor Monitor, page-path history, and the agent "new visitor" alerts) is treated as analytics activity. It is gated three ways so it never tracks a visitor who hasn't agreed:
- Front-end gate. The embed only starts sending page beacons once the visitor
grants Analytics consent in your CMP. Before that, nothing is sent.
- Revocation. If a visitor later turns Analytics off, the widget stops beaconing
immediately and the current page-view is dropped.
- Server-side opt-out. The beacon endpoint also independently honors a decline,
even if the embed is bypassed. A visitor is not tracked when any of these is true:
- the beacon reports
consent: "denied", - the browser sends
Sec-GPC: 1(Global Privacy Control — a recognized legal
opt-out under CCPA/CPRA), or
- the browser sends the legacy
DNT: 1(Do Not Track) header.
When any opt-out is present, no visitor session row is written, no IP / GeoIP lookup is performed, and no agent alert fires.
Bot & scanner protection. Known crawler/scanner user agents (search bots, uptime monitors, security scanners) are dropped before a session is created, and a single IP that spawns visitor sessions faster than a human plausibly could has its agent alerts throttled. This keeps the Visitor Monitor and your phone clear of automated traffic.
---
Need help?
Contact Velaro support to confirm your CMP setup or switch consent modes.
Was this article helpful?