← All articles
March 3, 20269 min read

Reject cookies, keep the lead source: the seam that makes first-touch legal

MarketingCompliance
A consent banner overlaid on a property enquiry form, with three labelled storage layers behind it — a session box, a ninety-day cookie, and a one-year marker — and only the two cookies dimmed behind a consent gate

Key Takeaways

  • The cookie banner is an ePrivacy Article 5(3) gate on the visitor's device, not the legal basis for processing a lead you receive.
  • A form can carry its source before the banner is answered, because that data rides inside an enquiry the visitor chose to send.
  • Consent unlocks cross-session persistence: the sticky cookies are gated like analytics; the single converting submit is not.
  • Because source is derived from the referrer and URL tags, a UTM-tagged campaign survives both a rejection and the end of third-party cookies.

A buyer clicks a Google Ads campaign, lands on the development page, reads for a minute, and dismisses the cookie banner with Reject all. Ten minutes later they fill in the enquiry form. When that lead reaches the CRM, what does the source field say?

On most sites it says direct / none, which is a polite way of saying the marketing team just paid for a click they can no longer prove they bought. The received wisdom explains this away: the visitor rejected cookies, attribution is a cookie thing, so of course the source is gone. That sentence sounds airtight and it is quietly wrong. It fuses two decisions the law keeps separate, and untangling them is how the same rejected banner still hands you the campaign that produced the lead.

The switch that isn't one switch

The buried assumption is that a cookie banner is a single on/off control over all tracking. Accept, and everything works; reject, and everything stops, attribution included. Teams build to that mental model, then either nag visitors with a consent wall or shrug and eat blind direct / none on half their enquiries.

But "attribution" is not one thing that lives in one place. A visitor's source can sit in three different storage locations, each with a different legal trigger and a different lifespan. Collapse them into one bucket and you gate the whole lot behind consent, throwing away data the law never asked you to withhold. Split them by where the data physically lives and the picture changes: some of it was never the banner's business to begin with.

Article 5(3) gates the device, not the deal

Start from what the banner is actually for. In the EU the cookie banner exists because of the ePrivacy Directive, whose Article 5(3) requires consent before you may store information on, or gain access to information already stored in, a user's terminal equipment (EUR-Lex, ePrivacy Directive 2002/58/EC Art. 5(3)). Read the trigger precisely: it fires on storing or reading a device. It says nothing about your right to process a piece of data you have lawfully received.

That is the distinction the whole post turns on. GDPR governs the processing of personal data and asks for a lawful basis. ePrivacy Art. 5(3) governs the act of touching the visitor's device and asks for consent. A cookie banner is the ePrivacy gate, not the GDPR one. The same article carries a carve-out that matters here: consent is not required for storage or access that is strictly necessary to provide a service the user has explicitly requested. Sending an enquiry is such a service, and that carve-out is the seam this design is built on.

Three tiers, three gates

Here is the same attribution data, split by where it lives and what gates it. Naming the tiers is the point; a single word like "attribution" hides exactly the distinction that keeps the source alive.

Where the source actually lives

vinode_attr_session

sessionStorage, written on entry, cleared when the tab closes. Holds the entry touch for this visit only. Set before consent, as strictly-necessary to the enquiry the visitor is trying to send. Never crosses sessions.

vinode_attr

A cookie, 90-day life, set once. This is the sticky first-touch that survives across visits. It is persistent device storage, so it is gated behind Analytics consent, exactly like you gate GA.

vinode_seen

A cookie, 1-year life, marks a returning visitor. Also cross-session device storage, also Analytics-gated. Rejection means you simply don't know they've been before, which is the correct outcome.

The rejection cost, stated plainly: you lose the stickiness across sessions, the 90-day first-touch cookie and the returning-visitor marker. You do not lose the source of the conversion that actually happened. When a visitor who rejected cookies submits the form in the same visit, the session-entry touch is still in sessionStorage, and it rides out with the enquiry. The lead lands with its real source; only the cross-visit memory is gone.

Why the form POST isn't tracking

This is the move most teams miss. When the enquiry form submits, it carries first-touch and last-touch source as fields inside that one POST, and it does so regardless of consent state. That is lawful, and not by loophole.

Cross-site tracking is the thing consent exists to gate: reading and persisting identifiers on someone's device to follow them around. A single form submission is the opposite. The attribution rides inside a message the visitor has chosen to send you — they filled in the form and clicked send. Reading sessionStorage that this same page wrote, to populate a field in the enquiry the user is actively trying to submit, is strictly necessary to that requested service. It writes nothing new to the device and it persists nothing. The converting POST is one lawful message; the sticky cookies behind it are a separate, gated thing.

This is design rationale, not a legal guarantee

The reasoning above is why the pre-consent session touch and the form POST are defensible under the strictly-necessary carve-out. It is not a promise that this is lawful in every jurisdiction and every fact pattern. The strictly-necessary test is applied by regulators and courts, and it is narrow. Treat this as the design your counsel signs off on, not a substitute for that sign-off. Confirm the pre-consent POST rationale with your own lawyers before you ship it.

Denied-by-default, and why four categories not one

The cookies that are gated need a mechanism, and the standard one is Google Consent Mode v2. The tags load, but until consent arrives they run in a restricted state rather than dropping identifiers. You set the denied defaults in the page <head>, before the GTM loader, so nothing fires first and asks permission after:

gtag('consent', 'default', {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  wait_for_update: 500
});

The wait_for_update: 500 gives your banner half a second to restore a saved choice before tags decide how to behave, and ads_data_redaction: true alongside it strips ad identifiers from network calls while consent is denied. The saved choice comes from a first-party vinode_consent cookie (1-year, SameSite=Lax), read on load so a returning visitor who already accepted never sees a denied-to-granted flash. Google's own reference for these signals and the head-first ordering is the Consent Mode developer documentation.

Why four categories and not one accept/reject? Because consent under GDPR is purpose-specific, not a blanket yes. Recital 32 is explicit that consent should cover all processing activities carried out for the same purpose, and separate consent should be given for different purposes (GDPR Recital 32). Marketing consent and analytics consent are different purposes, so they are different switches. That maps cleanly onto the Consent Mode signals:

Four purposes, mapped to Google's signals

Analytics

Governs analytics_storage. Measurement of how the site is used. This is the gate on the sticky first-touch cookie and the returning-visitor marker.

Marketing

Governs ad_storage, ad_user_data, and ad_personalization. Ad targeting and remarketing. A visitor can accept analytics and refuse this, and the map has to honour that.

Functional

Governs functionality_storage and personalization_storage. Remembering preferences and settings, distinct from measurement.

Essential

Maps to security_storage: 'granted'. Security and integrity, never blocked, because the site cannot function safely without it.

That marketing-is-not-analytics split is purpose-limitation doing real work, not UX decoration. A visitor who accepts analytics and rejects marketing has told you two different things, and the four-signal map is what lets you obey both. The active-choice requirement behind all of it has teeth: the Court of Justice held in the Planet49 case that consent is not validly given by a pre-ticked box a user must deselect — consent must be an active, affirmative act (EUR-Lex, Case C-673/17 Planet49). Default-denied honours that: nothing is granted until the visitor grants it.

First-party by construction

Notice what the source itself is derived from: never a third-party pixel. Source, medium, and campaign come from two first-party signals the browser already hands the page — document.referrer and the utm_* and click-id parameters (gclid, fbclid) on the landing URL. When a UTM tag is present it overrides the referrer, because an explicit campaign tag is a stronger signal of intent than where the click happened to come from.

This is not just cleaner privacy hygiene; it is what keeps attribution alive as the ground shifts under it. Third-party cookies are ending — a visitor arriving from a Google Ads click with gclid and utm_campaign on the URL is fully attributable with zero third-party storage, because the campaign identity is sitting in the URL the visitor themselves navigated to. a UTM-tagged campaign outlives both the rejected banner and the third-party cookie's demise, for the same underlying reason: it never depended on anyone's device but the one delivering the message.

There is one more mechanic that closes the loop. Say the visitor first rejected the banner, so their entry touch sits only in vinode_attr_session, and then, a few clicks later, they accept. You do not want to lose the touch they arrived with, and you do not want to force a page reload. A vinode:consentchange event fires on accept: the page re-captures attribution in place, and promotes the pending sessionStorage first-touch into the sticky 90-day vinode_attr cookie. The first-touch they came in with becomes durable at the moment they grant permission for it to be, and not a second before.

Poland vs Riyadh: portable logic, local statutes

The architecture is portable; the statutes are not. Kozielska Park and Malinowskiego are Polish developments, squarely under GDPR and the ePrivacy regime, so Art. 5(3), Recital 32, and Planet49 are the live citations. Safa Al Fursan is a 528-unit scheme in Riyadh, outside GDPR entirely, where those articles simply do not apply.

The tiered design does not change between them. Session-entry touch as strictly-necessary, the form POST carrying source inside the enquiry, persistent cookies gated behind a purpose-specific banner — that logic is sound engineering anywhere, because it maps storage lifetime to consent rather than treating all tracking as one blob. What changes across the border is the citation you write above it, not the code you ship. Keep the seam, swap the statute for your local one.

Information about a device isn't automatically personal data

One subtlety worth stating: ePrivacy's Art. 5(3) trigger is about storing or reading a device, and it applies to any information on that device, personal data or not in the GDPR sense. The EDPB's guidelines on technical scope confirm the storage-and-access trigger reaches well beyond cookies to any "similar technologies" (EDPB Guidelines 2/2023 on Art. 5(3), PDF). That is why the gate can bind even when the stored value looks anonymous — the banner controls the device, not the sensitivity of the byte.


The compliant enquiry flow in one panel

Put the tiers back together and the flow reads simply. The visitor arrives; the page derives source from referrer and UTM and writes the entry touch to sessionStorage, no consent needed. The banner sits denied-by-default. If the visitor submits the enquiry, the POST puts the entry and last touch into fields inside the message they chose to send, and the lead lands in the Back Panel CRM with its real source attached, consent or not. If and when the visitor accepts analytics, the sticky 90-day cookie and the returning marker come to life, and consentchange promotes the pending touch so nothing is lost.

That seam sits inside the enquiry form and the CRM record, and it is deliberately narrow. How the form itself is built to convert is its own craft; what you actually own and can export at contract exit is a separate question; and the behavioural source-to-deal-to-unit trail through the sales cycle is traced elsewhere. This post is only the banner seam — the point where a rejected cookie either loses your lead source or, designed right, doesn't.

See where the seam sits in a live enquiry flow

Walk a Vinode project, reject the banner, send an enquiry, and ask us to show you what source the lead carries.

Book a demo
Related articles
A real estate enquiry form on a smartphone held in a hand, showing name, email and an optional phone field with a 'Request a viewing' button, against a blurred residential 3D development.
July 3, 2026By Maciej Bukowski

Property lead forms that convert: intent, not field count

The internet's advice is 'cut fields until it hurts.' It aims at the wrong variable. How many fields you ask for, whether you require a phone number, whether you split the form into steps: each is a function of how much intent the buyer has already shown, not a universal rule. Including an honest critique of our own live form.

MarketingSales7 min read
A real estate back-panel CRM shown on a laptop, displaying a single lead record with a consent-status field and a source-to-deal attribution trail
April 7, 2026By Tomasz Juszczak

Who really owns your leads: the two columns the contract forgets

The contract says you own your leads, and that line is nearly useless on its own. Real ownership is decided in two places the marketing page never mentions: the controller line in the contract, and whether consent status and attribution history survive the export. A buyer's guide to checking both before you sign.

StrategyMarketing8 min read