dp_cookieconsent for TYPO3: GDPR-Compliant Cookie Management

Why a cookie banner alone does not establish GDPR (UK: UK GDPR) compliance

Every TYPO3 installation that embeds Google Analytics, YouTube videos, social media plug-ins or external fonts has faced the same task since GDPR and the ePrivacy framework came into force: before a third-party script loads, there must be an active, informed consent from the user. dp_cookieconsent is the most widely used extension in the European TYPO3 community for exactly this purpose. It targets organisations that want to run their website GDPR-compliant without an external consent management platform, which makes it a popular choice for mid-sized companies, public authorities and educational institutions that do not want to carry recurring licence fees for commercial CMPs.

Typical use cases

An industrial company with a product catalogue and 45 landing pages uses Google Analytics, a YouTube explainer video, HubSpot forms and Google Fonts. Without dp_cookieconsent, all these services would set cookies the moment a user opens the page and trigger a GDPR violation. The extension groups the services by category, defers the HubSpot code until marketing consent has been granted and loads Google Fonts as a self-hosted alternative, which removes the consent requirement for that service entirely.

A second typical picture comes from a university with a main portal and several decentralised faculty websites. Each faculty maintains its own content and embeds its own services, sometimes an OpenStreetMap map, sometimes a YouTube video, sometimes Piwik tracking. dp_cookieconsent centralises consent management in the main installation, delivers the banner to all sub-sites via Fluid partials and stores the consent across domains, so that a user does not have to re-confirm on every faculty site.

A third case is municipal administrations with online forms and map applications. Here the added complication is that regional data protection officers run regular audits and require a complete documentation of all services in use. dp_cookieconsent delivers the categorisation and the privacy text directly from TypoScript, which lets the editorial team maintain it without developer intervention.

Technical architecture: script blocking at template level

dp_cookieconsent works on the “type attribute swapping” principle: all third-party scripts in the source code are not delivered with type=“text/javascript” but with a neutral type such as type=“text/plain” and an additional data-cookieconsent attribute. The browser ignores such tags and does not execute them. Only when the user accepts in the banner does a small JavaScript runner replace the type attributes and trigger the delayed execution. The same mechanism applies to iframes, which are shown as placeholders until consent is given.

The extension is configured entirely through TypoScript constants and setup, complemented by a YAML file for the service definitions. Every service is listed there with name, description, category, cookie names and cookie lifetime, which considerably simplifies the later documentation for the data protection officer. Fluid partials define the appearance of the banner and the settings modal, which means the design can be adjusted to the corporate identity without touching the extension itself.

Common problems and solutions

The first and most common problem: despite the active banner, third-party scripts still load because they are embedded through include paths that do not go through TypoScript. Typical culprits are static HTML blocks, Fluid content elements with hard-coded script tags or footer includes from older templates. A clean solution requires a full site crawl with browser dev tools or an automated tool that logs all outbound requests and compares which of them are triggered before consent.

The second problem is consent storage. dp_cookieconsent stores the consent in a local cookie, which for users with strict browser configuration or in incognito mode leads to repeated banner displays. Anyone who wants to measure consent rates has to additionally enable server-side logging that records the consent decisions with timestamp and hashed IP in a database table, which in turn delivers a robust audit trail.

The third topic is performance. The banner loads a JavaScript bundle that, depending on the number of configured services, can become noticeably large and delay the First Contentful Paint. Gosign optimises delivery via deferred loading, reduces unnecessary Fluid partials and, wherever possible, combines cookieless analytics with self-hosted assets, so that the banner is only needed for a handful of services.

A fourth problem occurs when consent decisions change: a user grants consent, uses the site, later changes their mind and withdraws consent. dp_cookieconsent resets the cookie flag, but scripts that have already loaded keep running in the background until the user reloads the page. A clean solution requires a reload trigger or the targeted removal of cookies that have already been set, so that the withdrawal actually takes effect instead of only being documented formally.

Migration and version compatibility

dp_cookieconsent is available for TYPO3 v11, v12 and v13, and the v13 compatibility is regularly updated and currently considered production-ready. The jump from v11 to v12 usually requires a re-mapping of the TypoScript constants, because several constant names were renamed. Users of older versions of the extension should note that service definitions were once maintained exclusively through backend forms, while newer versions work with YAML and are therefore much easier to fit into Git workflows.

Anyone migrating from another consent tool such as Cookiebot, OneTrust or Usercentrics saves recurring licence fees but has to rebuild the service configuration. Gosign carries out these migrations including a consent rate analysis, so that the switch is measurably neutral for the consent rate.

It is also worth asking strategically whether a cookie banner is still the right answer at all. Anyone who consistently uses self-hosted fonts, switches to cookieless analytics such as Matomo without cookies or Plausible, and replaces video embeds with static preview images that load on click, can drop the banner for many pages entirely. The legal benefit is substantial, because every avoided consent prompt is also an avoided liability risk, and at the same time the conversion rate is not held back by the banner dialogue.