Article

GDPR Cookie Consent for Spiritual Business Websites: Compliance Guide 2026

7 EU countries ruled Google Analytics illegal without consent. CookieYes free covers under 5K pageviews/month. Spiritual site compliance guide 2026.

Seven EU data protection authorities - France, Austria, Italy, Denmark, Norway, Finland, and Sweden - ruled Google Analytics illegal on websites without proper cookie consent between 2022 and 2023. Those rulings are in force in 2026. If your spiritual practice website uses GA4 or a Facebook Pixel and you have EU visitors, you are not compliant unless you have a consent management platform in place.

This is not a nuance. It applies to any website with EU visitors, regardless of where the business is based.

All prices as of mid-2026. Verify at cookieyes.com, cookiebot.com, and osano.com before implementing.

What Requires Consent on a Typical Practitioner Site

A standard tarot or astrology business website typically runs:

- Google Analytics 4 (GA4) - requires consent in the EU
- Facebook Pixel - requires consent in the EU
- YouTube embeds (for intro videos, reading samples) - sets third-party cookies, requires consent
- Stripe or PayPal payment iframes - payment-essential, generally exempt from consent requirements

Running GA4 plus a Facebook Pixel on EU traffic without a consent banner is a documented GDPR violation in at least 7 EU member states. The maximum fine is 4% of global annual turnover or EUR 20 million, whichever is higher. For a solo practitioner, the immediate practical risk is not a EUR 20 million fine - it is a complaint from an EU visitor triggering a supervisory authority investigation.

Squarespace and Wix's built-in cookie banners are not compliant consent management platforms. They do not log consent records and do not block scripts before consent is given. Built-in banners meet the appearance of compliance without the substance.

Sources: usercentrics.com/knowledge-hub/cookie-consent-tools (2026); enzuzo.com/blog/best-cookie-consent-software (2026).

Consent Management Platform Options

CookieYes: Best Value for Small Sites

CookieYes free covers cookie scanning up to 5,000 pageviews per month with auto-blocking, GDPR/CCPA/LGPD templates, and a single domain. The free plan handles most low-traffic practitioner sites without paying anything. It integrates with WordPress, Squarespace, and Wix via script tag.

CookieYes Plan

Monthly Cost

Pageview Limit

Features

Free

$0

5,000 pageviews

Auto-blocking, 1 domain, basic templates

Basic

~EUR 9/mo (annual)

More pageviews

Multi-domain, reporting

Pro

~EUR 25/mo

Higher

Geolocation consent, advanced scanning

Business

~EUR 50/mo

Highest

Full compliance suite

CookieYes Pro at EUR 25/month makes sense when your site passes 5,000 pageviews per month and you need geolocation-based consent (showing the banner only to EU visitors, not US visitors). That targeting reduces friction for US clients who do not require the consent prompt.

Sources: cookieyes.com/blog/cookiebot-vs-osano (official); enzuzo.com/blog/cookieyes-alternatives (2026).

Cookiebot: Established, Now More Expensive

Cookiebot doubled its base Premium pricing from approximately EUR 15 to EUR 30 per domain per month in August 2025. Pricing scales by subpage count: GBP 6/domain for sites up to 50 subpages, up to GBP 78/domain for 7,000+ subpages. Cookiebot has strong acceptance with EU data protection authorities and is widely used for GDPR audit trail requirements.

The price doubling drove significant migration to CookieYes as the lower-cost alternative. For practitioners who need an established tool with recognized DPA acceptance, Cookiebot remains solid - but at 2-3x the price of CookieYes Pro.

Sources: cookieyes.com/blog/cookiebot-vs-osano (2026); enzuzo.com/blog/best-cookiebot-alternatives (2026).

Osano: Multi-Regulation Coverage

Osano covers 95+ regulations versus Cookiebot's EU-primary focus, making it relevant for businesses operating across US, EU, and Brazil (LGPD). The free plan provides basic consent management. Osano Plus at $199/month is significantly more expensive than CookieYes or Cookiebot, and includes a "No Fines, No Penalties" financial guarantee on paid plans.

For a solo practitioner with a single-country client base, Osano's multi-regulation coverage is overkill. For a practitioner actively serving EU, US California (CCPA), and Brazilian clients simultaneously, Osano Plus is the most comprehensive single-tool option.

Sources: osano.com/comparison/cookie-consent-management-platform-comparison (official); enzuzo.com/blog/best-cookie-consent-software (2026).

The No-CMP Alternative

The cheapest fully compliant solution is removing the tools that require consent. Switching from GA4 to Plausible Analytics or Fathom Analytics eliminates the consent requirement entirely - these tools do not set cookies and operate without personal data collection. Removing the Facebook Pixel eliminates a second consent trigger.

The result: no consent banner required for EU visitors, no CMP cost ($9-50/month saved), and a faster site. The trade-off: you lose GA4's conversion tracking and Facebook Pixel's ad attribution. For practitioners running Facebook ads, that attribution data may be worth the CMP overhead. For practitioners who do not run paid ads and use analytics only for general traffic data, Plausible or Fathom at $9-19/month may cost less than a CMP while providing a cleaner data picture.

Recommended Setup by Situation

Low-traffic site (under 5K pageviews/month), EU visitors present: CookieYes free. Zero cost, covers the basic consent requirement.

Growing site (5K-50K pageviews/month), running GA4 + Facebook Pixel: CookieYes Pro (~EUR 25/month) with geolocation targeting. Shows banner to EU visitors; no friction for non-EU traffic.

No paid ads, analytics for internal use only: Switch to Plausible ($9/month) or Fathom ($15/month), remove Facebook Pixel, eliminate CMP cost entirely. Net monthly cost roughly the same; compliance simpler.

Multi-jurisdiction operation (EU + US + Brazil): Osano Plus ($199/month) or Cookiebot (GBP 6-78/domain by size). Explicit multi-regulation coverage with audit trails.

For additional legal documentation requirements - disclaimers on reading pages, terms of service, service agreements - see legal disclaimers for readings.

Frequently Asked Questions

Does GDPR apply if my business is not in the EU? Yes. GDPR applies to any website that processes data from EU residents, regardless of where the business is based. A tarot reader in Australia with EU clients is subject to GDPR if they use tracking tools on their site. The territorial scope is based on where visitors are located, not where the business operates.

Are Squarespace or Wix cookie banners GDPR-compliant? No. Built-in banners on Squarespace and Wix do not log consent records and do not block scripts before consent is granted. They satisfy the visual appearance of compliance without the technical requirements. You need a separate consent management platform - CookieYes integrates with both platforms via a script tag.

Is CookieYes free actually functional or a stripped-down demo? CookieYes free is functional for sites under 5,000 pageviews/month. It includes auto-blocking (scripts are blocked before consent), GDPR/CCPA/LGPD templates, and a working consent banner. It is a real free plan, not a trial. The limit is the pageview cap and single-domain restriction.

What is the actual risk of non-compliance for a small practitioner? A formal complaint to a data protection authority by an EU visitor triggers an investigation regardless of business size. Fines for small operators are typically proportional to revenue rather than the maximum penalty, but the investigation process itself is disruptive and may require legal assistance. The cost of CookieYes free is zero. The cost of non-compliance is unpredictable.