Velaro Messaging Cookie Consent
> Customer-facing KB content for help.velaro.com. Updated 2026-07-10.
> This article covers Velaro Messaging (v25) — your embed script loads from cdn.velaro.com/messenger/embed.js > or messaging.velaro.com. If your site instead uses the Velaro Chat widget (the eastprodcdn.azureedge.net > shim, booted via Velaro('boot', {...})), see Using the Velaro Chat Widget with a Cookie Consent Platform > (CMP) instead — consent works completely differently there (CMP script-blocking, not a data-consent-mode > attribute). If you're not sure which platform your site uses, contact Velaro Support.
---
Two paths to compliance
Which path you take depends on one question your DPO must answer:
> "Should the chat launcher be visible to visitors before they make a consent choice?"
| Answer | Path | Attribute |
|---|---|---|
| No — hide chat until the visitor accepts | Path 1 — CMP controls everything | data-consent-mode="auto" |
| Yes — show the button to everyone, hold data until they click | Path 2 — Defer until interaction | data-consent-mode="defer" |
Neither path requires you to classify the Velaro widget as "Strictly Necessary." No major CMP vendor classifies a page-load chat widget that way, and GDPR Article 5(1)(b) does not support that position for a general-purpose chat tool. Your DPO makes the classification call — these docs show you how to implement whichever decision they reach.
Every embed script Velaro gives you already includes data-consent-mode — you do not need to add it by hand. Go to Deploy on your chat window to see and change which mode is active; the embed snippet updates automatically.
---
Path 1 — CMP controls everything (default for most customers)
Add data-consent-mode="auto" to your embed tag and classify Velaro as Functional in your CMP. That's it — no JavaScript wiring, no callbacks, no additional configuration.
<script
src="https://cdn.velaro.com/messenger/embed.js"
data-site-id="YOUR_SITE_ID"
data-consent-mode="auto"
async
></script>
What happens
- Velaro detects your CMP on page load (OneTrust, Cookiebot, Osano, Termly, Usercentrics, or
CookieScript).
- Your chat launcher renders immediately with your brand colors and icon. No visitor is identified,
no contact record is created, and no cookies are set before consent.
- The moment the visitor grants Functional consent in your CMP banner, Velaro loads the full
widget — no page reload, no extra click.
- If the visitor declines or ignores the banner, the launcher persists but the full widget never
loads and no data is written.
How to classify Velaro in your CMP
| CMP | Velaro widget category |
|---|---|
| OneTrust | Functional — C0003 |
| Cookiebot | Preferences |
| TrustArc | Functional / Preference |
| Osano | STORAGE |
| Termly | Performance / Functionality |
| Usercentrics | Add Velaro as a named service — Required / Strictly Necessary |
| CookieScript | Functional |
The DPO decides the category. The table above reflects where each vendor's taxonomy maps the "I want to contact support" use case. If your DPO selects a different category (for example Performance on Cookiebot), the widget gates on that category instead — you do not need to change any embed code.
---
Path 2 — Defer until interaction (for strict DPOs)
Use data-consent-mode="defer" when your DPO requires that the chat launcher be visible to all visitors regardless of consent choice, while guaranteeing that no data is created or stored until the visitor actively requests a conversation.
<script
src="https://cdn.velaro.com/messenger/embed.js"
data-site-id="YOUR_SITE_ID"
data-consent-mode="defer"
async
></script>
What happens
- The chat launcher renders immediately for every visitor — including those who decline cookies —
using your real brand colors and icon.
- Before the visitor clicks the launcher, Velaro writes **no cookies, no contact record, and makes
no API calls** that identify the visitor.
- When the visitor clicks the launcher, that click is treated as an affirmative request for a
conversation. The full widget loads and the contact creation flow begins at that point.
- The CMP banner may still be present on screen. The widget loads on click regardless of what the
visitor has chosen in the banner — the interaction itself is the consent trigger.
Contact creation on click
When the full widget loads after the click:
- If your site collects a name or email before connecting to an agent (via the pre-chat form), a
contact record is created only after the visitor submits that form.
- If you use a no-form configuration (immediate chat), a temporary anonymous session is created on
click. A named contact is created if and when the agent asks for and receives identifying information.
Legal basis for the defer pattern
The defer / click-to-load architecture is supported by guidance from three supervisory authorities:
- CNIL (France), February 2021 — "Pathway B" allows functional cookies placed in direct
response to a user request. A visitor clicking a chat launcher is a direct user request.
- ICO (UK), April 2026 — The ICO's updated chatbot guidance recognises "feature-led consent"
where activation of a specific feature (clicking chat) constitutes valid consent for the cookies that feature requires.
- DSK (Germany), "Chatbot anklicken" exemption, OH 2021 / 2024 — The German data protection
conference's orientation aid explicitly cites clicking a chatbot widget as an action that can satisfy the consent requirement for the resulting session.
None of these positions require you to classify the chat session cookies as Strictly Necessary. The exemption flows from the visitor's affirmative interaction, not from a necessity argument.
Your DPO may cite these in your consent management documentation. Velaro does not provide legal advice — share this section with your privacy counsel for their review.
---
All consent modes (reference)
| Mode | Launcher visible before consent? | Data written before consent? | Trigger for full widget load |
|---|---|---|---|
auto | Yes | No | CMP grants Functional consent |
defer | Yes | No | Visitor clicks the launcher |
require | Configurable | No | Your code calls the resolve callback |
none | Yes | Yes (immediately) | Page load — no gating |
none is the default when you omit data-consent-mode. It is appropriate only for regions and use-cases where no consent framework applies.
Change the active mode any time from Deploy on your chat window — no need to hand-edit or re-generate the embed script.
---
require mode — custom consent wiring
Use require if you have a bespoke consent system that is not one of the auto-detected CMPs, or if you need the widget to gate on a signal other than a standard CMP category.
window.__velaro = {
consentMode: 'require',
onConsentRequired: function(resolve) {
myConsentSystem.onFunctionalGranted(function() {
resolve({ functional: true });
});
}
};
require differs from defer in one key way: the widget does not render at all — not even a launcher placeholder — until your code calls resolve. Use defer when you want the button visible immediately; use require when you want to control every pixel of the pre-consent state.
---
Visitor monitoring & consent
Visitor monitoring (live Visitor Monitor, page-path history, and agent "new visitor" alerts) is treated as analytics activity, not functional activity. It is gated separately so it never tracks a visitor who hasn't agreed:
- Front-end gate. Page beacons only start once the visitor grants Analytics consent in
your CMP (or clicks in defer mode with analytics consent active). Before that, nothing is sent.
- Revocation. If a visitor later withdraws Analytics consent, the widget stops beaconing
immediately and the current page-view is dropped.
- Server-side opt-out. The beacon endpoint independently honours a decline, even if the
embed sends a signal. A visitor is not tracked when any of these is true:
- the beacon reports
consent: "denied", - the browser sends
Sec-GPC: 1(Global Privacy Control — a recognised legal opt-out
under CCPA/CPRA), or
- the browser sends the legacy
DNT: 1(Do Not Track) header.
When any opt-out is present, no visitor session row is written, no IP / GeoIP lookup is performed, and no agent alert fires.
Bot & scanner protection. Known crawler/scanner user agents (search bots, uptime monitors, security scanners) are dropped before a session is created. A single IP that spawns visitor sessions faster than a human plausibly could has its agent alerts throttled.
---
Test your setup
Use our interactive test tool to verify your configuration before going live: v20.velaro.com/cmp-test.html
Scroll to the Velaro Messaging section — it loads the real embed script, lets you paste in your own site ID (or your full embed snippet, for auto-detection), and confirms the pre-consent launcher and data-consent-mode behavior in your browser. No account login required.
---
Frequently asked questions
Do I need to add ARRAffinity or similar infrastructure cookies to my CMP? No. Velaro Messaging uses a CDN and serverless edge infrastructure that does not set ARRAffinity or similar Azure load-balancing cookies. You do not need to add any Velaro infrastructure cookies to your CMP configuration.
Can I use Path 2 (defer) and still have my CMP banner handle consent? Yes. The two are independent. defer mode means the widget waits for a click. Your CMP banner continues to handle consent for all other cookies on your site as normal. The widget click is an additional, widget-specific consent trigger layered on top.
What if a visitor clicks the launcher, then immediately withdraws consent in the CMP? If the visitor revokes Functional consent after the widget has loaded, the widget is paused: new messages cannot be sent and no further contact data is written. The existing session record is retained (the conversation already started) but no new data is appended after revocation.
Does Velaro Messaging support a window.Velaro.boot() pattern? No — that pattern belongs to the older Velaro Chat widget. Velaro Messaging does not use a manual boot pattern. All consent control goes through data-consent-mode on the embed tag and the optional window.__velaro.onConsentRequired callback for require mode.
How do I change the consent mode after I've already deployed? Go to your chat window's Deploy tab and change the Cookie consent setting — the embed snippet updates immediately. Re-copy and re-paste the snippet on your site after changing it.
---
Need help?
Contact Velaro support to confirm your CMP configuration or to discuss which consent mode fits your DPO's requirements.
Was this article helpful?