How can we help you?

Velaro Messaging Cookie Consent

> Customer-facing KB content for help.velaro.com. Updated 2026-07-10.

> This article covers Velaro Messaging (v25) — your embed script loads from cdn.velaro.com/messenger/embed.js > or messaging.velaro.com. If your site instead uses the Velaro Chat widget (the eastprodcdn.azureedge.net > shim, booted via Velaro('boot', {...})), see Using the Velaro Chat Widget with a Cookie Consent Platform > (CMP) instead — consent works completely differently there (CMP script-blocking, not a data-consent-mode > attribute). If you're not sure which platform your site uses, contact Velaro Support.

---

Two paths to compliance

Which path you take depends on one question your DPO must answer:

> "Should the chat launcher be visible to visitors before they make a consent choice?"

AnswerPathAttribute
No — hide chat until the visitor acceptsPath 1 — CMP controls everythingdata-consent-mode="auto"
Yes — show the button to everyone, hold data until they clickPath 2 — Defer until interactiondata-consent-mode="defer"

Neither path requires you to classify the Velaro widget as "Strictly Necessary." No major CMP vendor classifies a page-load chat widget that way, and GDPR Article 5(1)(b) does not support that position for a general-purpose chat tool. Your DPO makes the classification call — these docs show you how to implement whichever decision they reach.

Every embed script Velaro gives you already includes data-consent-mode — you do not need to add it by hand. Go to Deploy on your chat window to see and change which mode is active; the embed snippet updates automatically.

---

Path 1 — CMP controls everything (default for most customers)

Add data-consent-mode="auto" to your embed tag and classify Velaro as Functional in your CMP. That's it — no JavaScript wiring, no callbacks, no additional configuration.

<script
  src="https://cdn.velaro.com/messenger/embed.js"
  data-site-id="YOUR_SITE_ID"
  data-consent-mode="auto"
  async
></script>

What happens

  1. Velaro detects your CMP on page load (OneTrust, Cookiebot, Osano, Termly, Usercentrics, or

CookieScript).

  1. Your chat launcher renders immediately with your brand colors and icon. No visitor is identified,

no contact record is created, and no cookies are set before consent.

  1. The moment the visitor grants Functional consent in your CMP banner, Velaro loads the full

widget — no page reload, no extra click.

  1. If the visitor declines or ignores the banner, the launcher persists but the full widget never

loads and no data is written.

How to classify Velaro in your CMP

CMPVelaro widget category
OneTrustFunctional — C0003
CookiebotPreferences
TrustArcFunctional / Preference
OsanoSTORAGE
TermlyPerformance / Functionality
UsercentricsAdd Velaro as a named service — Required / Strictly Necessary
CookieScriptFunctional

The DPO decides the category. The table above reflects where each vendor's taxonomy maps the "I want to contact support" use case. If your DPO selects a different category (for example Performance on Cookiebot), the widget gates on that category instead — you do not need to change any embed code.

---

Path 2 — Defer until interaction (for strict DPOs)

Use data-consent-mode="defer" when your DPO requires that the chat launcher be visible to all visitors regardless of consent choice, while guaranteeing that no data is created or stored until the visitor actively requests a conversation.

<script
  src="https://cdn.velaro.com/messenger/embed.js"
  data-site-id="YOUR_SITE_ID"
  data-consent-mode="defer"
  async
></script>

What happens

  1. The chat launcher renders immediately for every visitor — including those who decline cookies —

using your real brand colors and icon.

  1. Before the visitor clicks the launcher, Velaro writes **no cookies, no contact record, and makes

no API calls** that identify the visitor.

  1. When the visitor clicks the launcher, that click is treated as an affirmative request for a

conversation. The full widget loads and the contact creation flow begins at that point.

  1. The CMP banner may still be present on screen. The widget loads on click regardless of what the

visitor has chosen in the banner — the interaction itself is the consent trigger.

Contact creation on click

When the full widget loads after the click:

  • If your site collects a name or email before connecting to an agent (via the pre-chat form), a

contact record is created only after the visitor submits that form.

  • If you use a no-form configuration (immediate chat), a temporary anonymous session is created on

click. A named contact is created if and when the agent asks for and receives identifying information.

Legal basis for the defer pattern

The defer / click-to-load architecture is supported by guidance from three supervisory authorities:

  • CNIL (France), February 2021 — "Pathway B" allows functional cookies placed in direct

response to a user request. A visitor clicking a chat launcher is a direct user request.

  • ICO (UK), April 2026 — The ICO's updated chatbot guidance recognises "feature-led consent"

where activation of a specific feature (clicking chat) constitutes valid consent for the cookies that feature requires.

  • DSK (Germany), "Chatbot anklicken" exemption, OH 2021 / 2024 — The German data protection

conference's orientation aid explicitly cites clicking a chatbot widget as an action that can satisfy the consent requirement for the resulting session.

None of these positions require you to classify the chat session cookies as Strictly Necessary. The exemption flows from the visitor's affirmative interaction, not from a necessity argument.

Your DPO may cite these in your consent management documentation. Velaro does not provide legal advice — share this section with your privacy counsel for their review.

---

All consent modes (reference)

ModeLauncher visible before consent?Data written before consent?Trigger for full widget load
autoYesNoCMP grants Functional consent
deferYesNoVisitor clicks the launcher
requireConfigurableNoYour code calls the resolve callback
noneYesYes (immediately)Page load — no gating

none is the default when you omit data-consent-mode. It is appropriate only for regions and use-cases where no consent framework applies.

Change the active mode any time from Deploy on your chat window — no need to hand-edit or re-generate the embed script.

---

require mode — custom consent wiring

Use require if you have a bespoke consent system that is not one of the auto-detected CMPs, or if you need the widget to gate on a signal other than a standard CMP category.

window.__velaro = {
  consentMode: 'require',
  onConsentRequired: function(resolve) {
    myConsentSystem.onFunctionalGranted(function() {
      resolve({ functional: true });
    });
  }
};

require differs from defer in one key way: the widget does not render at all — not even a launcher placeholder — until your code calls resolve. Use defer when you want the button visible immediately; use require when you want to control every pixel of the pre-consent state.

---

Visitor monitoring & consent

Visitor monitoring (live Visitor Monitor, page-path history, and agent "new visitor" alerts) is treated as analytics activity, not functional activity. It is gated separately so it never tracks a visitor who hasn't agreed:

  1. Front-end gate. Page beacons only start once the visitor grants Analytics consent in

your CMP (or clicks in defer mode with analytics consent active). Before that, nothing is sent.

  1. Revocation. If a visitor later withdraws Analytics consent, the widget stops beaconing

immediately and the current page-view is dropped.

  1. Server-side opt-out. The beacon endpoint independently honours a decline, even if the

embed sends a signal. A visitor is not tracked when any of these is true:

  • the beacon reports consent: "denied",
  • the browser sends Sec-GPC: 1 (Global Privacy Control — a recognised legal opt-out

under CCPA/CPRA), or

  • the browser sends the legacy DNT: 1 (Do Not Track) header.

When any opt-out is present, no visitor session row is written, no IP / GeoIP lookup is performed, and no agent alert fires.

Bot & scanner protection. Known crawler/scanner user agents (search bots, uptime monitors, security scanners) are dropped before a session is created. A single IP that spawns visitor sessions faster than a human plausibly could has its agent alerts throttled.

---

Test your setup

Use our interactive test tool to verify your configuration before going live: v20.velaro.com/cmp-test.html

Scroll to the Velaro Messaging section — it loads the real embed script, lets you paste in your own site ID (or your full embed snippet, for auto-detection), and confirms the pre-consent launcher and data-consent-mode behavior in your browser. No account login required.

---

Frequently asked questions

Do I need to add ARRAffinity or similar infrastructure cookies to my CMP? No. Velaro Messaging uses a CDN and serverless edge infrastructure that does not set ARRAffinity or similar Azure load-balancing cookies. You do not need to add any Velaro infrastructure cookies to your CMP configuration.

Can I use Path 2 (defer) and still have my CMP banner handle consent? Yes. The two are independent. defer mode means the widget waits for a click. Your CMP banner continues to handle consent for all other cookies on your site as normal. The widget click is an additional, widget-specific consent trigger layered on top.

What if a visitor clicks the launcher, then immediately withdraws consent in the CMP? If the visitor revokes Functional consent after the widget has loaded, the widget is paused: new messages cannot be sent and no further contact data is written. The existing session record is retained (the conversation already started) but no new data is appended after revocation.

Does Velaro Messaging support a window.Velaro.boot() pattern? No — that pattern belongs to the older Velaro Chat widget. Velaro Messaging does not use a manual boot pattern. All consent control goes through data-consent-mode on the embed tag and the optional window.__velaro.onConsentRequired callback for require mode.

How do I change the consent mode after I've already deployed? Go to your chat window's Deploy tab and change the Cookie consent setting — the embed snippet updates immediately. Re-copy and re-paste the snippet on your site after changing it.

---

Need help?

Contact Velaro support to confirm your CMP configuration or to discuss which consent mode fits your DPO's requirements.

Share: Email

Was this article helpful?